Social Network Forensics: Evidence Extraction Tool Capabilities JUNG SON MNZCS, Postgrad Dip. Computing (UNITEC, NZ), Dip. InfoTech (AUT, NZ), Cert. Computing (AUT, NZ) A thesis submitted to the graduate faculty of Design and Creative Technologies AUT University in partial fulfilment of the requirements for the degree of Masters of Forensic Information Technology School of Computing and Mathematical Sciences Auckland, New Zealand 2012 Declaration I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements. .......................................... Signature ii Acknowledgements The thesis was completed at the Faculty of Design and Creative Technologies in the school of Computing and Mathematical Sciences at AUT University, New Zealand. This research task has been completed with the insight, support, practical assistance and guidance from many people: Firstly, I would like to thank my family. My master’s degree journey has been possible and even pleasurable due to the enthusiasm and goodwill of all my extended family. In particular, my wife Hi Sung has been unfailingly cheerful in organising her availability to suit my study commitments. My parents, Tiger and Jenny, and brother, Sam, have provided much-needed additional mental support, along with their interest and encouragement. I have been lucky with an exemplary supervision experience through out my master’s degree programme at AUT University. I would like to show my gratitude to my supervisor Dr Brian Cusack. Dr Cusack has guided me with precision, encouragement, humour and compassion. He provided me with a clear framework for the thesis construction, and supports me with tools and intellectual space to bring my ideas alive. I would also like to show my gratitude to the software vendors who provided free trial access to their software with extended period of time, including: John Bradley at SiQuest Corporation, Jad Saliba from JADsoftware. Their generous contributions have been invaluable to me and this research would not have been possible without this resource. My dear colleagues have had to tolerate my unavailability for much of the past one year, and to fit in with my very limited social/work calendar. My heartfelt thanks to my boss Rob Martindale, who has provided his professional interest, unconditional support, and encouragements. I would like to extend my gratitude to my quality reviewer Peter Wilson. In writing my thesis, I have received generous advice from Peter Wilson, who agreed to provide me with assistant in proof reading of my lengthy thesis with helping track down grammatical errors. Peter provided stimulating discussions, challenging questions, and many exciting debates in my chosen area of Social Network Forensic research. Lastly, thank you to my fellow student Tom Laurenson for his friendship, inspiration and continued ideas and enthusiasm. iii Abstract The introduction of Social Networking Sites (SNSs) in recent years caused an explosion in consumer participation and these sites now attract hundreds of millions of users from around the world. Likewise, blogs and wikis are increasingly popular Web 2.0 venues that can evolve into formal communities of interest, providing significant knowledge-sharing and learning opportunities. Used appropriately, these venues therefore represent a valuable public space. Unfortunately, because a majority of the users of these sites are young people, the sites also tend to attract online predators and others who would exploit the sites. It is opportune to review and test the capability of different Digital Forensic tools that have practical application in the extraction of potential evidence from SNSs such as FacebookTM, TwitterTM, LinkedIn and Google+TM, in the event of criminal activity. This research evaluates evidence extraction tools in a systematic and forensically sound manner and based on the findings of the literature review in this research, to measure the capability of extracting evidence from SNSs in different test scenarios. The research question underpinning this research asks whether the existing digital forensic tools have enable forensic investigators to enhance investigative process, and what features there are in each tool that can collect evidence from SNSs. This research will explore evidence extraction tool capabilities by posing the following main research question: What are the capabilities of the 3 chosen tools to collect and analyse evidence from Social Networking Sites in a digital forensic investigation? There are volumes of blog articles and ACM publications on social network technologies that reflect research in a full range of related topics. However, although there is a large body of literature on social networks generated since 2009, there are only a few articles on forensics in SNSs. The available literature is concerned with the impact of social networking on society in general, rather than how to find evidence from social networking sites. In the proposed research, a samples of three software tools are evaluated for capability after a thorough review from literature about the available tools. A simulated social networking site is constructed in a controlled environment, and then iv stress-tested. The three selected tools are used to extract social network chat or web pages from allocated space on a hard disk partition, from unallocated space, and generated log data. Each tool is assessed for scope and capability. Advice on best practice for compliance with forensic data acquisition principles can be made based on performance. These outcomes can contribute to gaps in the current literature on conducting digital forensics investigation for SNSs. The research found that evidence extraction from SNSs is complex as evidence is typically not saved on the hard drive, and artifacts are stored in many different places, depending on a number of variables. Given that the data exchange in question creates largely volatile data for which no guarantee of later data retrieval is given, all tools attempting to recover SNS data as evidence meet this condition as a fundamental constraint. There is no guarantee of the survivability of data created during user interaction with SNSs. Field testing results shows that some tools can extract Facebook Chat messages but no other details, some tools could recover send dates and times for chat messages as well as users ID, and detailed messages. The research testing results provide an understanding of the capability of the evidence extraction tools. The findings help the forensic examiner determine the accuracy and effectiveness they can expect when they need to use a particular tool. The tools evaluated in this research, for their strengths and weaknesses, can dramatically improve the efficiency of a knowledgeable forensic examiner. The research findings presented may be valuable for law enforcement agents and digital forensic investigators in identifying current issues and limitations of the tools, and for software vendors to recognise the limitations of the tools, so that they can improve the tools for better extraction capability. It is hoped that the research findings may contribute to the future development of a social network artifact extraction tool, or to the enhancement of existing tools. v Table of Contents Declaration ........................................................................................................................... ii Acknowledgements ............................................................................................................. iii Abstract ................................................................................................................................ iv List of Figures ...................................................................................................................... xi List of Abbreviations ........................................................................................................ xiii Chapter One - Introduction 1.0 Background .................................................................................................................... 1 1.1 Motivation ..................................................................................................................... 3 1.2 Structure of Thesis ......................................................................................................... 4 Chapter Two - Literature Review 2.0 Introduction ................................................................................................................... 7 2.1 Social networking sites .................................................................................................. 8 2.1.1 Characteristics of Social Networking Sites ........................................................ 11 2.1.2 The modern media of Social Networking Sites and cultural factors ................. 12 2.1.3 Social Networking Site Usage by Country ........................................................ 13 2.2 Overview of Digital forensics environment ................................................................ 16 2.2.1 Digital Forensics ...............................................................................................