/ TECH FEATURE
Day Nine
Looks like the stories on your wall are called 'UIIntentionalStory' in facebook-speak. The only plain text info there seems to be the name of the person posting a 'story':

UIIntentionalStory.setup($("div_story_50930182619061234_115316170123"), {"title":"Hide","unfollow":{"users":[{"id":543391123,"name":"Joe Facebook","firstName":"Joe","hideString":"Hide Joe"}]}});

There's a userid that seems consistent throughout, but without having the tool contact facebook the best this will get is the name of someone known to the subject of the memory dump. May be useful; the regex is:

fbookintentionalstoryre = re.compile(r"""(UIIntentionalStory.setup.*(\"name"\:"(.*)".*"firstName"))""")

An examiner could use this to at least prove that the subject has some sort of relationship with someone posting a story. Though the nature of relationships to flotsam in memory is relative. If you happen upon a politician's page, for example, you end up with posts from their supporters in your memory, which of course doesn't mean you know the supporter or have a relationship with them.

Day Ten
I spent a good while browsing every interface I could find in facebook to see what other memory structures may be left behind. What? Now my status doesn't even show up? There are a lot of html structures with div classes seeming to refer to facebook styles. I guess they use div css classes in a non-standard way to identify metadata for an entry? Stuff like class="like_box has_likes like_not_exists". This is either strange and/or brilliant, but it leaves me with the task of parsing the html, which I don't like since it's brittle. But what about memory forensics isn't?

Day Eleven
Geez, pdgmail was two days tops. pdymail was three just to get the xml output right. Facebook is for the birds. I take it back about the xml: there's no xml that I can find, and to get useful information I may have to allow the tool to call back to facebook's API?! That's not very forensicy.

Day Twelve
html hit list:
<div class="UIRecentActivity_Body">
<h3 class="UIIntentionalStory_Message">
<div class="UIStoryAttachment_Copy">

RecentActivity: Gives you entries the user sees when they log into facebook or refresh their page. Stuff like:
Jeff became a fan of <a href="http://www.facebook.com/pages/Fishbone/6519219892?ref=mf" >Fishbone</a>.
There's an 'onclick' tag embedded in the href entry, but it's not useful so I brute forced it out of the output. I guess if you were hacking the API it may be useful?

UIIntentionalStory_Message: Gives you the messages people send to each other's walls. They may be from the facebook user, or from someone's wall they visited. They also include the primary user's status messages, aka the "What's on your mind" status box.
example pdfbook output: StoryMessage: Jeff Bryner</a> webgoat..really webgoat is on my mind..glad you asked?

UIStoryAttachment divs are the attachments to story messages that aren't text, like links, pictures, videos, etc. I can't see a good way to parse them automagically. Maybe that's a version 2 feature.

Day Thirteen
Tried it with IE on a sacrificial windows qemu session... of course they issue totally different HTML for IE than for firefox: no quotes in the class names, uppercase instead of lower, etc. Brittle... did I mention this would be brittle? OK, back to regex with some flags for case insensitivity, optional quotes, etc. Also I'm remembering from pdgmail that in addition to non-greedy regex, it's important to set an upper boundary. I like doing this with the .{1,X} regex construct. For example:

UIIntentionalStory_Message.{1,90}?UIIntentionalStory_Names

says that as long as the UIIntentionalStory_Message is at most 90 characters away from the following UIIntentionalStory_Names then it's a regex match. This is key to eliminating the false positives in memory strings.

Day Fourteen
I've a feeling that not everyone looks forward to coding over labor day weekend? Reminds me of that bit in Young Frankenstein: Abby someone... Abby Normal.
Hmm, now that I'm finding all this stuff, a lot of it looks to be repeated data. Probably because memory is messy and redundant. I'll add some hashing of the bits that are found and store the results in python dictionaries to limit the duplicates. Not perfect, since there'll be a stray character here and there in the flotsam that is memory... but better than needless duplicates.

Day Fifteen
So a wall to wall message is a 'storymessage' with particulars of the sending party and the recipient. The name of the sender is first, then the recipient; both are prefixed by their url. Mine for example is:
<a href="http://www.facebook.com/profile.php?id=1421688057&ref=nf" >Jeff Bryner</a>

So would this be a way to figure out whose facebook traffic you are seeing in the memory dump if the computer you are examining is anonymous in nature? Probably a better way would be to use the status update if it has a 'remove' link, since you can only remove a status if you're the person who initiated it. I'll see if I can target that.

Day Sixteen
Success! I can pick out a likely owner of the memory artifacts by the presence of a remove button in the html. The structure starts with:
<a onclick='ProfileStream.hideStory("div_story_4aa5d7bd29cfd0a12915885", "1421688057", "5377451560287089488", 72, "")
and ends with
<span class="UIButton_Text">Remove</span></a>
The good bit is the 2nd argument of the onclick hideStory function, which holds the facebook userid. So now the program collects facebook userids and at the end compares the likely owners it found from these structures with the 'remove' button.

Day Seventeen
Well, that's it. A little clean up here and there, consistency in debug output to stderr, and I think version one is a wrap. Now I wonder what my twitter account holds... /

Reference Information
The tool is available from http://www.jeffbryner.com/pdfbook
Example usage:
On a windows or linux box, use pd from www.trapkit.de, thus:
pd -p 1234 > 1234.dump
where 1234 is the process ID of a running instance of IE/firefox/browser of your choice.
You can also use any memory imaging software, i.e. mdd, win32dd, etc., to grab the whole memory on the box rather than just one process. You can also use common memory repositories like pagefile.sys, hiberfile.sys, etc. There's a good memory imaging tool reference at http://www.forensicswiki.org/index.php?title=Tools:Memory_Imaging
Transfer the dumped memory to linux and do:
strings -el 1234.dump > memorystrings.txt
pdfbook -f memorystrings.txt
It'll find what it can out of the memory image and spit out its findings to standard out. Happy hunting!
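The three techniques the diary describes (the .{1,X} upper bound from Day Thirteen, the hash-and-dictionary deduplication from Day Fourteen, and the Remove-button owner heuristic from Days Fifteen and Sixteen) worked through in one script. This is an added example, not pdfbook's own code: the regexes, function names and the strings(1)-style sample are my assumptions, with the sample built from the ids, names and snippets the article itself shows plus a made-up second poster.

```python
"""Added example, not pdfbook's own code: the .{1,X} upper bound, hash-keyed
deduplication and the Remove-button owner heuristic from the diary, run over a
constructed strings(1)-style dump. Regexes, names and the sample are assumed."""
import hashlib
import re
from collections import Counter

# Constructed sample of `strings -el` output. The ids and names are the ones the
# article's own snippets show (plus a made-up second poster); the layout is invented.
SAMPLE_STRINGS = (
    '<h3 class="UIIntentionalStory_Message">Joe Facebook wrote on your wall</h3>'
    '<div class="UIIntentionalStory_Names">Joe Facebook</div>\n'
    # A torn message fragment with no names block of its own, then 300 bytes of
    # unrelated data: an unbounded regex pairs it with the next names block.
    '<h3 class="UIIntentionalStory_Message">stale fragment</h3>\n'
    + 'X' * 300 + '\n'
    '<div class="UIIntentionalStory_Names">Someone Else</div>\n'
    'UIIntentionalStory.setup($("div_story_50930182619061234_115316170123"), '
    '{"title":"Hide","unfollow":{"users":[{"id":543391123,"name":"Joe Facebook",'
    '"firstName":"Joe","hideString":"Hide Joe"}]}});\n'
    # Exact repeat of the record above, as memory tends to hold.
    'UIIntentionalStory.setup($("div_story_50930182619061234_115316170123"), '
    '{"title":"Hide","unfollow":{"users":[{"id":543391123,"name":"Joe Facebook",'
    '"firstName":"Joe","hideString":"Hide Joe"}]}});\n'
    'UIIntentionalStory.setup($("div_story_7_8"), {"title":"Hide","unfollow":'
    '{"users":[{"id":987654321,"name":"Jane Example","firstName":"Jane",'
    '"hideString":"Hide Jane"}]}});\n'
    # Two stories the dump's owner can Remove, and one of someone else's that
    # only offers Hide.
    "<a onclick='ProfileStream.hideStory(\"div_story_4aa5d7bd29cfd0a12915885\", "
    "\"1421688057\", \"5377451560287089488\", 72, \"\")' class=\"UIButton\">"
    '<span class="UIButton_Text">Remove</span></a>\n'
    "<a onclick='ProfileStream.hideStory(\"div_story_1\", \"1421688057\", \"2\", 72, \"\")'>"
    '<span class="UIButton_Text">Remove</span></a>\n'
    "<a onclick='ProfileStream.hideStory(\"div_story_2\", \"543391123\", \"3\", 72, \"\")'>"
    '<span class="UIButton_Text">Hide</span></a>\n'
    '<a href="http://www.facebook.com/profile.php?id=543391123&ref=nf" >Joe Facebook</a>'
    ' wrote on <a href="http://www.facebook.com/profile.php?id=1421688057&ref=nf" >Jeff Bryner</a>\n'
)

FLAGS = re.DOTALL | re.IGNORECASE   # strings output spans lines; IE drops case and quotes

# Day Thirteen: the same pairing with and without an upper bound on the gap.
UNBOUNDED = re.compile(r'UIIntentionalStory_Message.*?UIIntentionalStory_Names', FLAGS)
BOUNDED = re.compile(r'UIIntentionalStory_Message.{1,90}?UIIntentionalStory_Names', FLAGS)

# Day Nine / Fourteen: poster id and name out of a UIIntentionalStory.setup call,
# with every gap bounded so a torn record cannot borrow the next record's name.
STORY_NAME = re.compile(
    r'UIIntentionalStory\.setup.{1,400}?"id":\s*(\d{1,20}),\s*"name":\s*"([^"]{1,80})"'
    r'.{1,40}?"firstName"', FLAGS)

# Day Sixteen: hideStory's second argument is the user id; only count it when a
# Remove button follows, since Hide appears on other people's stories too.
HIDE_REMOVE = re.compile(
    r'ProfileStream\.hideStory\(\s*"[^"]{1,120}"\s*,\s*"(\d{1,20})"'
    r'.{1,400}?UIButton_Text["\']?>\s*Remove\b', FLAGS)

# Day Fifteen: profile links give an id -> display name mapping for labelling.
PROFILE_LINK = re.compile(
    r'facebook\.com/profile\.php\?id=(\d{1,20})[^"\']{0,40}["\']\s*>([^<]{1,80})</a>', FLAGS)


def pair_counts(text):
    """(unbounded matches, bounded matches); the difference is the false positive."""
    return len(UNBOUNDED.findall(text)), len(BOUNDED.findall(text))


def story_names(text):
    """Unique (id, name) records keyed by a hash of the whitespace-normalised hit.
    An exact repeat collapses; a hit with a stray byte in it does not, which is
    the limit the diary notes."""
    seen = {}
    for m in STORY_NAME.finditer(text):
        record = " ".join(m.group(0).split())
        key = hashlib.sha1(record.encode("utf-8", "replace")).hexdigest()
        seen.setdefault(key, (m.group(1), m.group(2)))
    return seen


def likely_owner(text):
    """Most frequent user id seen with a Remove button, how often, and the
    display name a profile link gives for it (None when nothing qualifies)."""
    votes = Counter(HIDE_REMOVE.findall(text))
    if not votes:
        return None
    owner_id, count = votes.most_common(1)[0]
    names = dict(PROFILE_LINK.findall(text))
    return owner_id, count, names.get(owner_id)


if __name__ == "__main__":
    print("message/names pairs (unbounded, bounded):", pair_counts(SAMPLE_STRINGS))
    print("unique story posters:", sorted(story_names(SAMPLE_STRINGS).values()))
    print("likely owner (id, Remove buttons, name):", likely_owner(SAMPLE_STRINGS))
```

Run it as-is to see the three results on the constructed sample, or point the functions at the contents of a real memorystrings.txt. The bounded pattern drops the torn fragment that the unbounded one pairs with an unrelated names block, the hash dictionary turns three setup records into two, and only ids that sit in front of a Remove button are counted as owner candidates.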
DF1_36-37_Tech Feature.indd 37 29/10/09 5:22:21 pm