Facebook For Android Artifacts - Free Android Forensics

Home » Com.facebook.orca/cache/image.stash » Facebook For Android Artifacts - Free Android Forensics

Maybe your like

Free Android Forensics

Pages

  • Home

About

This blog is a website for me to document some free Android forensics techniques. With some Linux knowledge (or willingness to learn it), a Windows computer and a Linux computer (or virtual machines), some free software (and I actually mean free, not 30 day trials), and some spare time and motivation to learn, you can do some outstanding work with Android forensics. Check out my Introduction post for more details.

Donation

If you find this blog useful, please consider making a small donation to help me purchase equipment to create more content for this site.

Monday, February 9, 2015

Facebook for Android Artifacts

A Cache of Personal and Communication Information

All blog posts to date
Introduction Acquisition Analysis
Introduction Imaging an Android Device Examining the image
Picking a Toolkit Live imaging an Android device Some hidden artifacts in a physical image
Why not load ClockworkMod or TWRP to image a device? Using Autopsy to examine an Android image
Identifying your Userdata Partition Some artifacts in the /data/system/ directory
Some non-root methods to learn about a device Viewing SQLite Databases
A quick note on imaging newer Android devices Facebook for Android Artifacts
Using Windows to Live Image an Android device Interpreting data from apps
Obtaining all files in the data partition without a physical image Waze for Android forensics
Magnet Forensics App Simulator
App Reversing Other Topics
Reverse Engineering an Android App File The differences between a physical image and a logical extraction
Fun with Apktool Dirty cow
Deep dive into an app Imaging and examining an Android car stereo
Unpacking boot and recovery kernels
MTPwn
Introduction First, a disclaimer. This post will detail lots of artifacts on the Facebook for Android app which can be useful from a forensic perspective. These findings regard personal information about the user and the user's communications with contacts. My goal with this post is to educate, inform, and possibly assist people working on cases involving Facebook data on mobile devices. My goal is not to scare the reader away from using Facebook. I am not writing this post with the goal of getting you, the reader, to remove Facebook from your phone. I use Facebook on my phone, so I obviously am not too worried about the incredible amount of personal information stored in an unprotected manner on my phone. So ... if this post disappears at any point, go ahead and assume I received a cease and desist note from Mark Zuckerberg! Now ... back to the post. I use Facebook. My wife occasionally uses Facebook. Her friends and my friends use Facebook. My siblings, parents, cousins, aunts, and uncles use Facebook. I have a grandmother who uses Facebook. I have a friend from grad school who has a Facebook page for her cat. Facebook launched over ten years ago as a collegiate social network and this mega-popular website revolutionized social networking. Facebook evolved from a set of unconnected profiles to a place to share status updates and thoughts of the day to one of the largest (if not the largest) collection of photographs of people in the world. I'm now of the age that whenever I log onto Facebook, I swear Facebook is nothing except a website for parents to upload cute picture of their kids. As with any other new technology, Facebook can also attract criminal activity. Facebook stalking is a real thing and can lead to in-life stalking and worse (even if this video makes it look humorous). In Facebook's early days, some universities used Facebook photos of underage students drinking as evidence of university policy violations. Facebook posts have admitted as evidence in criminal trials before and depending upon applicable state law, Facebook posts and messages may be admissible in court. If you are examining an image of an Android phone for a criminal case and Facebook is installed, there may be good reason to examine data associated with the Facebook app. This post will detail some of the Facebook data that can be stored on the device and how to interpret it. And again, please don't uninstall Facebook just because some guy on some Android forensics blog said the Facebook app is creepy! Where is the data? First, how do you access this Facebook data? The Facebook app is an app, so app data is protected by permissions. I'd recommend reading my previous post on viewing SQLite Databases before diving into this post. In short, you'll need a rooted device or an image of a device to access Facebook data. There are two Facebook apps that I'll detail in this post. The first is the main Facebook app. The package name is com.facebook.katana, so the data associated with this app will be stored in the data partition in the directory data/com.facebook.katana. The version of the app on my device is 26.0.0.22.16. The second is the messenger app. The package name is com.facebook.orca, so the data associated with this app will be stored in the data partition in the directory data/com.facebook.orca. The version of the app on my device is 20.0.0.19.13. Depending upon the version of Facebook installed on the device, data may be slightly different than what I present in this post. If you have any questions about where data is, you can always contact me. So yes, if you install both the main app and the messenger app on your device, you have a killer whale (orca) and Michonne's sword from the Walking Dead (katana). If you've already imaged the device you are investigating, go ahead and copy these directories away from the image to your forensic computer. Information about Facebook Friends First, we'll look at the com.facebook.katana app, or the main Facebook app. Check out the directory com.facebook.katana/databases. This directory predictably stores database files. In my previous post on viewing SQLite Databases, I showed how to open a SQLite database file to browse data. Explore the file contacts_db2. This file stores a database of Facebook friends. Within the file is a table called contacts. There are several columns in this table to be aware of:
  • first_name: self explanatory
  • last_name: self explanatory
  • display_name: self explanatory
  • small_picture_url: A URL to a small version the user's profile picture. More on that later.
  • big_picture_url: A URL to a big version the user's profile picture. More on that later.
  • huge_picture_url: A URL to a huge version the user's profile picture. More on that later.
  • communication_rank: A number representing how often the user communicates with this particular contact. This number is calculated using some Facebook formula. Communications include messages, posts, likes, comments, etc. A 0 in this column means no communication. The higher the number, the more communication. From a forensic perspective, this number is a way of determining how often the user interacts with another user.
  • is_messenger_user: A true/false field. True indicates that the user uses a mobile messenger app (such as the com.facebook.orca app for Android).
  • data: A long string of data describing user profile information. More on this later
  • bday_day: Birthday.
  • bday_month: Birthday.
For some of the points above, I indicated that I would discuss more later. It is later now. There are entries for small_picture_url, big_picture_url, and huge_picture_url. Here is what a huge_picture_url string looks like for a friend of mine: https://fbcdn-<redacted>_n.jpg?oh=<more_redacted>eea. (I redacted most of the URL for privacy reasons.) And when I entered the URL into a browser, I found this image: (I chose this specific friend of mine for the sake of anonymity. No face in this Facebook profile picture). Yes, this friend of mine is an Oregon Ducks fan. Don't be too hard on him after the college football national championship game. Notice how there is no protection, no encryption, no login required to access these Facebook photos. While there is no public index page that I am aware of to associate a URL with a user, it still bears mentioning that photos are stored without protection online. There is an entry above for "data". I said that this is a blob of user data text. Here is what one of the blobs looks like (with redactions):
{"contactId":"Y2<redacted>k2","profileFbid":"62<redacted>09","graphApiWriteId":"contact_20<redacted>96","name":{"firstName":"<redacted>","lastName":"<redacted>","displayName":"<redacted>"},"phoneticName":{},"smallPictureUrl":"https://fbcdn-profile-a.<redacted>a40","bigPictureUrl":"https://fbcdn-profile-a.<redacted>26e","hugePictureUrl":"https://fbcdn-profile-a.<redacted>eea","smallPictureSize":160,"bigPictureSize":320,"hugePictureSize":466,"communicationRank":0.03445798,"withTaggingRank":0.3325288,"phones":[{"id":"62978<redacted>259","label":"Mobile","displayNumber":"(6xx) 9xx-xxxx","universalNumber":"+16xx9xxxxxx","isVerified":true}],"nameSearchTokens":["<redacted>","<redacted>"],"canMessage":true,"isMobilePushable":"YES","isMessengerUser":true,"messengerInstallTime":1417438579000,"isMemorialized":false,"isOnViewerContactList":true,"addedTime":1419017431000,"friendshipStatus":"ARE_FRIENDS","subscribeStatus":"IS_SUBSCRIBED","contactType":"USER","timelineCoverPhoto":{"focus":{"x":0.5,"y":0.39435146443515},"photo":{"image_midres":{"uri":"https://fbcdn-sphotos-h-a.<redacted>201","width":320,"height":179},"image_lowres":{"uri":"https://fbcdn-sphotos-h-a.<redacted>817","width":500,"height":281}}},"nameEntries":[],"birthdayDay":<redacted>,"birthdayMonth":<redacted>,"cityName":"<redacted>, Ohio","isPartial":false}
Obviously this blob is hard to read, but it is a nice treasure trove of useful information about the individual. I'll space this out to make it a little more readable:
contactId: Y2<redacted>k2 profileFbid: 62<redacted>09 graphApiWriteId: contact_20<redacted>96 name: firstName: <redacted> lastName: <redacted> displayName: <redacted> phoneticName: smallPictureUrl: https://fbcdn-profile-a.<redacted>a40 bigPictureUrl: https://fbcdn-profile-a.<redacted>26e hugePictureUrl: https://fbcdn-profile-a.<redacted>eea smallPictureSize: 160 bigPictureSize: 320 hugePictureSize: 466 communicationRank: 0.03445798 withTaggingRank: 0.3325288 phones id: 62978<redacted>259 label: Mobile displayNumber: (6xx) 9xx-xxxx universalNumber: +16xx9xxxxxx isVerified: true nameSearchTokens: ["<redacted>","<redacted>"] canMessage: true isMobilePushable: YES isMessengerUser: true messengerInstallTime: 1417438579000 isMemorialized: false isOnViewerContactList: true addedTime: 1419017431000 friendshipStatus: ARE_FRIENDS subscribeStatus: IS_SUBSCRIBED contactType: USER timelineCoverPhoto: focus: x: 0.5 y: 0.39435146443515 photo: image_midres: uri: https://fbcdn-sphotos-h-a.<redacted>201 width: 320 height: 179 image_lowres: uri: https://fbcdn-sphotos-h-a.<redacted>817 width: 500 height: 281 nameEntries: [] birthdayDay: <redacted> birthdayMonth: <redacted> cityName: <redacted>, Ohio isPartial: false
The entry for a contact's "data", as you can see, can contain all kinds of personal information, ranging from birthday to cell phone number, and I've even seen people's addresses in this entry before. Two takeaways: one, be careful what you put online, and two, all of this sensitive information is stored on your phone without encryption. Facebook Messages Facebook has the ability to send private messages to other users. These messages are stored on Facebook's servers, and they also can be stored on your phone. The file com.facebook.katana/databases/threads_db2 stores messages the user has sent and received, and they are all stored in the table messages. As before, I'll point out columns of interest. text: the actual text of the message sender: the user who sent the message. You can use this column to tell if the message was sent or received timestamp_ms: the date and time of the message in epoch time attachments: any attachments with the message. The attachment may include a link to a photo coordinates: if the user sent the message using a mobile device and allowed access to device location, the location of the device when the message was sent. source: whether the message came from a computer or a device or any other source. Here is an example of the sender field: {""email"":""20<redacted>[email protected]"",""user_key"":""FACEBOOK:20<redacted>86"",""name"":""Mark Lohrum""}. This field is formatted similarly to the data field in the contacts table as I mentioned above. You can see a field for email, which is basically the numerical user ID @facebook.com. You can try sending an email to this address from your GMail; for me, the message forwarded to my email address where I receive Facebook notifications. But you can see my name in the sender field, so you know that the message in this entry is from me. You probably noticed above an entry for coordinates. This entry stores latitude and longitude as reported by the device at the time the message was sent. Yes, you can determine where a person was, or where their device was, when a message was sent. That can be rather useful information because you have determined where the device was when a message was sent at a specific time. If you can be sure that the user and not another individual was holding the device and sending the message, then you know where the person was at a specific time when sending a message. Note, on Android it is very easy to spoof location. Cached Images The Facebook app stores a whole lot of data on the device. Much of this data is cached images. For example, on my device, there is a file com.facebook.katana/cache/image//v2.ols100.1/99/8vNUdrezcgt0__oST83Rc5g0QIE.cnt. (I don't know what the .cnt extension means, but all of the cached images have this extension.) Obviously there is no context in this filename what the file is, but the file was 102 KB so I was interested. Here is what the file looks like in a Hex editor: You can see that the file header includes JFIF, so clearly this is a JPG file. I renamed the file to include a .jpg at the end and opened it as an image and here is what I found: Yes, I am a big football fan. Now how useful are these cached images? To be honest, not horribly. These are images from the timeline that my device saved. In other words, these are public pictures that a user posted online. It is not horribly useful, just interesting. That's all the data I'll cover for now from the com.facebook.katana app. If there's anything else you would like me to cover, comment or contact me and I'll take a look. com.facebook.orca data The com.facebook.orca app is just a messenger app. Basically there is also a threads_db2 file within the databases directory just like with com.facebook.katana. These database files store basically the same information, so I won't cover it again. The important thing to know is that if the com.facebook.orca app is present, the user uses Facebook messenger for Android. That is all I will cover for now. Did I cover everything that Facebook stores? No. Here's a few more artifacts worth noting that the app stores:
  • Facebook posts by the user
  • Facebook pictures and videos uploaded by the user
  • Places the user has been
Now something I haven't covered yet is important. The device stores a lot of data, but Facebook is ultimately a cloud service, meaning all Facebook data is ultimately stored on a remote server. If you are in law enforcement and you need data associated with a user from Facebook's servers and you have a court order allowing access to these records, there is an avenue to get this. Check out this link for more information. I am not law enforcement so I have no personal experience in this avenue, but I do know this avenue exists if needed. Summary
  • Facebook stores lots of data on Android devices if the user uses Facebook
  • Private messages and personal friend information can be retrieved from the device in an investigation
  • There exists a method for law enforcement to retrieve Facebook records should they be needed. The procedure requires a court order
Questions, comments, suggestions, or experiences? Walking Dead or college football fan chat? Leave a comment below, or send me an email. Posted by Mark Lohrum at 2:40 PM

18 comments:

  1. UnknownApril 6, 2016 at 3:59 AM

    thank you alot for This post ,and i Explore (search_bootstrap_db) and find data in (keywords filed).. what is this data ? and what is the data stores in search_bootstrap_db?

    ReplyDeleteReplies
    1. Sebastian LasiaJuly 1, 2016 at 7:05 AM

      i think that there are all the searches did by user.no?

      DeleteReplies
        Reply
    2. AnonymousApril 18, 2022 at 9:14 PM

      Facebook For Android Artifacts >>>>> Download Now>>>>> Download FullFacebook For Android Artifacts >>>>> Download LINK>>>>> Download NowFacebook For Android Artifacts >>>>> Download Full>>>>> Download LINK Zy

      DeleteReplies
        Reply
      3. Reply
  2. UnknownApril 27, 2016 at 9:21 PM

    This is exceptional. Thank you for the information.

    ReplyDeleteReplies
      Reply
  3. UnknownApril 27, 2016 at 9:21 PM

    This is exceptional. Thank you for the information.

    ReplyDeleteReplies
      Reply
  4. IhadTOsignUPjustTOpostAcommentOctober 23, 2016 at 5:56 PM

    What about location of status updates written and uploaded via the android app? I ask as I just lost one I wrote and am reluctant to loss. the upload failed with some message about trying again but no way to get to it now within the app. I assume it is still in cache data somewhere

    ReplyDeleteReplies
      Reply
  5. UnknownMarch 14, 2017 at 3:21 AM

    That will be very useful for my understanding while using Facebook Messenger. Btw, if anyone want to update newest update of this app, you can view my website by clicking here.

    ReplyDeleteReplies
      Reply
  6. Eric Gitonga NjueMay 26, 2017 at 3:56 AM

    I've connected a rooted phone on my forensic computer, however on both packages (com.facebook.orca & com.facebook.katana) folder, there are no databases present. Where could they be?

    ReplyDeleteReplies
      Reply
  7. UnknownOctober 9, 2017 at 10:02 PM

    Hi, I have checked the contacts.db of both Katana and Orca , but cant see the coordinates information.Any Idea what i am missing. Using image of mmcblk0p12(user data block) from a rooted samsung galaxy s3.and using SQL Lite Forensic Explorer.One more thing , I cant export from SQL Lite Forensic Explorer . Can you please point any other SQL Lite explorer where i can export as well. (without going for pro versions).Thanks .

    ReplyDeleteReplies
      Reply
  8. AnonymousFebruary 15, 2021 at 2:09 PM

    Nice Content affordable seo services

    ReplyDeleteReplies
      Reply
  9. DB Computer Solutions LtdFebruary 25, 2021 at 2:27 AM

    Thanks for share the useful information about facebook for android artifacts.

    ReplyDeleteReplies
      Reply
  10. AnonymousMarch 6, 2021 at 7:41 AM

    Hi, thank you sharing the wonderful information, Please do visit gripfact for more information.

    ReplyDeleteReplies
      Reply
  11. Elon MuskApril 8, 2021 at 11:35 AM

    Want to get Free YouTube Subscribers for your YouTube channel then do visit our website YTBPals now and grab unlimited free subscribers instantly for free.

    ReplyDeleteReplies
      Reply
  12. Elon MuskApril 8, 2021 at 11:36 AM

    Want to get free guest posting use LetMePost now and grab unlimited guest posts for your website. We at LetMePost also provides a bulk da pa checker tool that provides MOZ domain authority metrics and also MOZ Spam metrics.

    ReplyDeleteReplies
      Reply
  13. Elon MuskApril 8, 2021 at 11:38 AM

    Stuck while solving outlook pii errors. Dont worry, we here proving you a way to solve [pii_email_037d07812f905a3927ae]: Permission Denied (Publickey). errors easily.

    ReplyDeleteReplies
      Reply
  14. Jagdish PrajapatMay 1, 2021 at 8:38 PM

    Great Article mate. I found lots more info Facebook Katana over here.

    ReplyDeleteReplies
      Reply
  15. flyingvoicesJune 21, 2021 at 2:35 PM

    Awesome Blog it's a hypnotizing post, finding a particularly entrancing post over the web is exceptional, I interpret your post is helping a various group and keep on doing stunning Plea check it out The Best Things to Do in Redding

    ReplyDeleteReplies
      Reply
  16. AnonymousApril 18, 2022 at 9:14 PM

    Facebook For Android Artifacts >>>>> Download Now>>>>> Download FullFacebook For Android Artifacts >>>>> Download LINK>>>>> Download NowFacebook For Android Artifacts >>>>> Download Full>>>>> Download LINK wO

    ReplyDeleteReplies
      Reply
Add commentLoad more... Newer Post Older Post Home Subscribe to: Post Comments (Atom)

Blog Archive

  • ▼  2015 (4)
    • ▼  February (1)
      • Facebook for Android Artifacts
  Copyright © Free Android Forensics | Designed for r4 - r4i gold, r4 3ds, r4 sdhc

Tag » Com.facebook.orca/cache/image.stash