TECH FEATURE / EXPERT

The Diary of a pdfbook
A Tool for Facebook Memory Forensics
by Jeff Bryner, Portland General Electric
This article was sent to us for inclusion in DFM. Written in an informal and irreverent style, it brings to life the daily round of research and coding from which emerged a tool to investigate Facebook sessions using a browser. We enjoyed reading it (after we finished deciphering what it meant), and decided that it would adorn – and liven up! – our inaugural issue. So read on, and we hope you learn as much as we did! As the diary is full of technical references, we haven't even tried to explain them. You're on your own this once, but remember: Google is your friend!

Facebook is the largest social networking site with – incredibly enough – over 300 million users (about the same as the total population of the USA!) It is therefore a mine of fascinating information that forensic investigators are very likely to find useful.

As a "public health warning" we should point out that DFM has not tested or validated the tool or any of the activities described in this article, nor will we be setting up an accreditation capability any time soon. We will however be testing tools submitted to us in a From the Lab section that will appear in future issues. Until then we welcome any feedback from you on the effectiveness of pdfbook, and any suggested improvements that you might like to share with the developer.

/ DFM Team
Day One
I am in Atlanta for a business trip and I finally give in and join facebook after prompting from my high school reunion's organizing committee. It appears that if I friend enough of them I won't have to go?! I already can see them, know where they live, who they married, kids, etc. I even used facebook to meet up for dinner with my best friend from high school here in Atlanta! OK, I am a facebook user.

Day Two
Seems my article on pdgmail is in the running for best forensic blog entry of the year? Something tells me this is a contest in the same way the USA invites only US teams to its 'world championships' but it's encouraging to be recognized! I should write another tool for something else.

Day Three
Just back from defcon17 and for fun dumped out memory from my facebook session on firefox using pd and did a strings -el on the dump. I recognized some stuff in there... pdfbook was born.

Day Four
Regex is harder than it should be. Thank <insert supreme being of your choice> for kodos: http://kodos.sourceforge.net/

Day Five
So it seems that facebook uses some strange combination of xml, json and html. pdymail was much easier since it was all xml on the back end. I guess I'll start by picking out the obvious json-like structures for my status since I can see that. They call it 'userInfos' and it has my name, first name, a link to my thumbnail badge photo, the text of my status, time of the update. Ooh, the time is even in unix epoch.

Day Six
Uggh... regex is hard. fbookuserinfosre=re.compile(r"""userInfos.*("name.*?)\}""",re.MULTILINE) is the best that I can do to whittle this down. A good reminder of the usefulness of non-greedy regex, i.e. the ones with ? before the ending string. In this case ("name.*?)\} is capturing everything from "name until the first } encountered. This is important in memory where there are a million instances of whatever ending character set you need. So ending quickly is less likely to yield false positives.

Day Seven
I gotta remember to not do any of this from work so there's no chance for copyright issues. Not hard since there's selective access to facebook @work but makes for difficult spontaneous brainstorming. Funny also because if we had a facebook investigation I wonder what tool we'd use?

Day Eight
I give up. Munged the userInfos entry into a python dictionary for easy access. Regexing the individual data points was too hard and it works. I see my status update from previous memory dumps I've done:

Name: Jeff Bryner thumbURL: http://profile.ak.fbcdn.net/v228/472/64/q1421688057_3296.jpg status: 2 gamble @the airport or not, that is the question. statusTime: Sun Aug 2 17:35:34 2009

The thumbnail URL can be retrieved using any web tool. No authentication is necessary. So if an investigator was trying to associate a name or face with an entry, this would be one way. Of course the picture you get at the time you run your command may not be the same as when the entry was created.
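The Day Three, Day Six and Day Eight steps (strings -el over a dump, the non-greedy userInfos regex, then munging the capture into a dictionary) chained together as one runnable pipeline. This is an added example, not pdfbook's own code: the memory dump is a constructed byte string with a userInfos-style fragment encoded UTF-16LE (which is why strings -el finds Firefox's JavaScript strings), the field names, the uid key and the epoch value are assumptions, and only the name, status text and thumbnail URL come from the diary. A greedy variant of the regex is included to show why the ? matters.

```python
import json
import re
import time
from typing import Optional

# Constructed sample, not a real capture. The field names, uid key and
# epoch value are assumptions; the epoch is chosen so it corresponds to the
# diary's "Sun Aug 2 17:35:34 2009" if that is read as US Pacific daylight time.
USERINFOS_TEXT = (
    '{"userInfos":{"uid_placeholder":{'
    '"name":"Jeff Bryner","firstName":"Jeff",'
    '"thumbSrc":"http://profile.ak.fbcdn.net/v228/472/64/q1421688057_3296.jpg",'
    '"status":"2 gamble @the airport or not, that is the question.",'
    '"statusTime":1249259734}},"viewer":{"id":"0"}}'
)
SAMPLE_DUMP = (
    b"\x00\x01\xff\xfe" * 4                # binary noise
    + "junk".encode("utf-16le")           # an unrelated UTF-16LE string
    + b"\x00\x00\x7f"
    + USERINFOS_TEXT.encode("utf-16le")   # the structure we are after
    + b"\x00\x00\x12\x34"
)

# Runs of 4+ printable ASCII code units stored as 16-bit little-endian:
# the selection rule `strings -el` applies (default minimum length 4).
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def strings_el(dump: bytes) -> list:
    """Pure-Python stand-in for `strings -el`: the decoded UTF-16LE runs."""
    return [m.group(0).decode("utf-16le") for m in _UTF16LE_RUN.finditer(dump)]


# The diary's pattern: non-greedy `.*?` stops at the first `}` after "name.
USERINFOS_RE = re.compile(r'userInfos.*("name.*?)\}', re.MULTILINE)
# The same pattern with a greedy capture, kept only to show the difference.
USERINFOS_GREEDY_RE = re.compile(r'userInfos.*("name.*)\}', re.MULTILINE)


def extract_userinfos(strings_output: str, greedy: bool = False) -> Optional[str]:
    """Return the raw capture: the text from "name up to the closing brace."""
    pattern = USERINFOS_GREEDY_RE if greedy else USERINFOS_RE
    m = pattern.search(strings_output)
    return m.group(1) if m else None


def parse_userinfos(capture: str) -> Optional[dict]:
    """Munge the capture into a dict by re-wrapping it as a JSON object.
    Returns None when the capture is not one well-formed object, which is
    exactly what a greedy capture that ran on to a later `}` produces."""
    try:
        return json.loads("{" + capture + "}")
    except json.JSONDecodeError:
        return None


def status_time_utc(info: dict) -> tuple:
    """Decode the unix-epoch statusTime to (Y, M, D, h, m, s) in UTC."""
    t = time.gmtime(int(info["statusTime"]))
    return (t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def carve_status(dump: bytes) -> Optional[dict]:
    """Full pipeline: strings -el -> non-greedy regex -> dict."""
    capture = extract_userinfos("\n".join(strings_el(dump)))
    return parse_userinfos(capture) if capture else None


if __name__ == "__main__":
    info = carve_status(SAMPLE_DUMP)
    print("Name:", info["name"])
    print("thumbURL:", info["thumbSrc"])
    print("status:", info["status"])
    print("statusTime:", time.asctime(time.gmtime(info["statusTime"])), "UTC")
```

Running it on a real dump means replacing SAMPLE_DUMP with the file's bytes; the greedy variant still matches, but its capture swallows every later } on the line and no longer parses, which is the false-positive problem the Day Six entry describes.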
Digital Forensics Magazine, page 36