Digital Forensics Can Use Facebook to Solve Cases

By Brett Harrison and Chad McDonnell

The theft of trade secrets in U.S. businesses is increasing rapidly and is expected to double within the next decade, according to a report in the Gonzaga Law Review. Another report, by the American Society for Industrial Security International, stated that 60 percent of the companies polled had experienced attempted theft of proprietary information.

The report also noted that these crimes—and other thefts of business-critical information, such as billing details, price lists, administrative data, source code, proprietary software, business plans and customer information—are most frequently committed by current or former employees or trusted partners, who take data to which they may have authorized access.

In many cases, these incidents and other suspicious behavior in an organization are the catalyst for a lengthy, expensive forensic investigation to find digital data that can identify what happened and who did it. Digital forensic investigators will seek evidence from a wide array of devices and data sources, including mobile devices.

However, important data has often been deleted, and investigators must piece together the remaining bits of information to build or solve a case. Given the complexity of data in today’s world of varying mobile devices, cloud and social media, many more nontraditional sources need to be examined and considered.

The basic challenge with mobile devices is that, unlike computers—which run on a handful of operating systems such as Windows, Mac and Linux—there are thousands of models with various operating systems and features. This makes it virtually impossible for the manufacturers of mobile device computer forensic software to produce recovery and collection software that can maintain robust capabilities across all these thousands of devices.

Adding complexity is the fact that the mobile devices are being used to access social media and cloud-based sources such as Facebook, Twitter, Snapchat and others. In many instances, the devices may also contain deleted content that no longer resides on the original site.

It all adds up to a need for talented computer forensic examiners to gain access to mobile device and cloud data and analyze it on a case-by-case basis.

Retrieving Deleted Data

About 25 percent of forensic cases we see include some form of cloud-based data. As an example, most cases involve 10 to 30 custodians, including a few with a cloud account (such as Box or Facebook) that includes co-mingled business and personal data that must be collected. Often, investigators are looking not only for active data from these sources, but deleted data as well.

When dealing with Facebook specifically, which is happening in an increasing number of investigations due to its overlap into business communications, the problem can be twofold: First, robust tools to capture and parse through Facebook data are lacking, and second, Facebook provides significant privacy protections for user data. Even with a civil subpoena, only a very limited amount of data will be shown to investigators during a typical Facebook investigation.

More challenges exist when the investigator needs to recover Facebook posts, pictures and messages that no longer reside on an active site—meaning the only potentially available option is to forensically examine the user’s devices (such as smartphones, tablets, laptop computers, etc.) and look for artifacts related to the content that formerly existed in the cloud.

In a test on the original iPad 1 model, our examiners were able to take a full forensic image of the device—as close to a hard drive image as is possible—which brings into view the free space on the device that the OS can’t see. This image included deleted content from within the Facebook app, including private messages, which were recoverable. Currently, third-party forensic tools do not allow a full physical image of newer iOS devices, which is more limiting.

However, in a test on a new iPad Mini with an updated version of the Facebook app, the investigators found that private Facebook messages, among other artifacts, are now stored in SQLite database files. Although messages that had been deleted were permanently removed from Facebook and irrecoverable, the entries that contained those messages remained in the database file, meaning that investigators could potentially recover messages from that file.
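
The persistence described above can be reproduced on a constructed SQLite file. This is an added example, not code from the original article: the table layout, messages and keywords are constructed and do not represent the Facebook app's actual schema. It deletes one row, then compares what a query returns with what a keyword search over the raw file bytes finds, and goes one step beyond the article by showing that SQLite's `secure_delete` pragma removes the residue.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

def build_sample_db(path, secure_delete=False):
    """Create a constructed message store, then delete one message."""
    conn = sqlite3.connect(path)
    # Set explicitly: some SQLite builds default secure_delete to ON.
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [("alice", "lunch on friday?"),
         ("bob", "sending the price list tonight"),
         ("alice", "see you at the 3pm standup")])
    conn.commit()
    conn.execute("DELETE FROM messages WHERE body LIKE '%price list%'")
    conn.commit()
    conn.close()

def classify_keywords(path, keywords):
    """Label each keyword 'live', 'residual' (raw bytes only) or 'absent'."""
    # Open read-only so the examination cannot alter the evidence file.
    conn = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    live = " ".join(row[0] for row in conn.execute("SELECT body FROM messages"))
    conn.close()
    raw = Path(path).read_bytes()
    result = {}
    for kw in keywords:
        if kw in live:
            result[kw] = "live"        # still returned by a normal query
        elif kw.encode("utf-8") in raw:
            result[kw] = "residual"    # gone from queries, bytes still in file
        else:
            result[kw] = "absent"
    return result

def demo(secure_delete=False):
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_sample_db(path, secure_delete)
        return classify_keywords(path, ["lunch", "price list", "invoice"])

if __name__ == "__main__":
    print("secure_delete OFF:", demo(secure_delete=False))
    print("secure_delete ON: ", demo(secure_delete=True))
```

A keyword labelled "residual" is one that a query no longer returns but that still sits in the freed space of a database page until SQLite reuses or rewrites that space.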