Social Network Forensic By Xing Liu CSC153 Spring 2009.

Post on 18-Jan-2016


Social Network Forensic

By Xing Liu

CSC153 Spring 2009

Background of Social Network

Bring people with special interests together.

• Classmates.com (1995)

• sixDegrees.com (1997) – on indirect ties

• Myspace (2003)

• Facebook (2003)

• Flickr (2004) – Photos

• Ning (2005) – Own Social Network

• twitter (2006) – text-based posts

Background of Social Network cont'd

A huge number of people are connected through social networks.

75% of software developers belong to at least one social network.

Social networking among US broadband users has grown 93% since 2006.

Twitter - From Feb '08 to Feb '09, it clocked in at a whopping 1,382% growth rate.

Source: http://www.socialnetworkingwatch.com/all_social_networking_statistics/

Technical Details of Social Networks

• Mostly web-based systems.

• Web servers and databases in the backend.

• Each has its own API services and application languages.

• Facebook – FBML(Facebook Markup Language).

• MySpace Developer Platform – based on the OpenSocial model from Google Code.

Issues with Social Networking

• Privacy – easy access to personal information such as birthday or personal images.

• Potential misuse – fake identities.

• Child safety – online sexual predators.

Social Networking Cases

• October 2005, pictures from Facebook were used to cite violators at North Carolina State University for underage drinking.

• In November 2005, a student used the message board of a Facebook group to share class information without the professor's authorization at Kansas State University.

• February 2007, following the fatal hit-and-run death of a freshman at the University of Connecticut, police were able to link to the suspect driver by identifying the suspect's girlfriend with the help of Facebook.

Sources: http://en.wikipedia.org/wiki/Use_of_social_network_websites_in_investigations

Forensic Methods for Social Networking Cases

• Client Side – seize victims' or suspects' computers.

• Server Side – contact social network service providers to grab information from their servers.

• Real Time – intercept the message sent in real time.

Forensic Methods – Client Side

• Use forensic tools such as FTK to look for any deleted browser history or messages on the hard drive.

• Check the registry for device connection information.

• If a case involves photo evidence, we can do an FTK keyword search for related photo information.

• Steganography tools for hidden messages within photos.

Forensic Methods – Server Side

• Contact service providers to obtain server information.

• Log files on the web servers, such as the access log in the Apache web server – get the IP addresses of clients.

• FTP log for uploaded images' information.

• Live system imaging using dd & Netcat. (Discussed in Chapter 6)
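Added example (not part of the original slides): a short Python sketch of the access-log step above. It parses Apache Combined Log Format lines and goes one step beyond "get IP address" by grouping requests for a resource of interest per client, with first/last seen times and user agents. The log lines, paths and IP addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2009:21:14:03 -0800] "GET /profile/1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.23 - - [12/Feb/2009:21:15:40 -0800] "POST /photos/upload HTTP/1.1" 201 312 "http://example.test/profile/1001" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [12/Feb/2009:22:01:55 -0800] "GET /photos/77.jpg HTTP/1.1" 200 88231 "-" "Mozilla/5.0 (Windows NT 5.1)"
this line is truncated or corrupted
198.51.100.23 - - [13/Feb/2009:00:02:10 -0800] "GET /photos/77.jpg HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh)"
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def clients_for_path(log_text, path_prefix):
    """Group requests under path_prefix by client IP; also count unparsable lines."""
    hits, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # report gaps in the record instead of hiding them
        elif rec["path"].startswith(path_prefix):
            hits[rec["ip"]].append(rec)
    summary = {
        ip: {"first": min(r["ts"] for r in recs), "last": max(r["ts"] for r in recs),
             "requests": len(recs), "agents": sorted({r["agent"] for r in recs})}
        for ip, recs in hits.items()
    }
    return summary, skipped

if __name__ == "__main__":
    summary, skipped = clients_for_path(SAMPLE_LOG, "/photos/")
    print(summary, "unparsed lines:", skipped)
```

Timestamps keep the server's UTC offset, which matters when correlating with ISP or client-side records kept in other time zones.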

Forensic Methods – Real Time

• Contact the ISP to monitor information sent between the client and server machines.

• Monitor the suspect's router for the live traffic data stream.

• Install a keylogger on the suspect's machine.

Social Networking Forensic – obstacles

• The impact of social networks is getting bigger and bigger.

• From an evidence-acquisition standpoint, evidence is getting harder to acquire because more servers are involved.

• Computer forensic experts need to be more familiar with different web and database server settings.

• Learn different web services application languages such as FBML and OpenSocial.

Social Networking Forensic – advantages

• Information in social networks can be easily searched by investigators.

• Photos posted in social network profiles may be used as evidence.

• Because of the social network's degrees of linkage, investigators can learn important information by identifying related people in the network.

Questions?

The End

Thank You