Monday, January 23, 2012

References to Facebook Pics in Unallocated Space

There are a lot of articles/blog posts/webinars that I have reviewed recently regarding the ever-increasing role that evidence from social media sites, specifically Facebook is playing in both civil and criminal cases.  An interesting example of a case where Facebook evidence (more specifically the destruction of said evidence) was prominently involved can be found in Lester v. Allied Concrete, Nos. CL08-150, CL09-223 (Va. Circuit Court, Charlottesville).  Long story short here - Plaintiff's counsel directed their client to "clean up" his Facebook page, which resulted in the Plaintiff deleting multiple photographs off of the page.  Needless to say, the other side found out about the deletions and the judge smacked Plaintiff's counsel with an order to pay over $500K for the discovery violations.

That piqued my curiosity as to how exactly you could go about running a quick search for any evidence referring to photos that may have been deleted from your Facebook page.  The first step was for me to download a copy of my Facebook page as a compressed archive so I could review the HTML code to look for anything that could aid in my search.  Once that was downloaded, I used EnCase to look at the code (full disclosure - it's not necessary to use EnCase, any hex/text editor would work) and identified the following snippets of code, with which I could perform a search for data in unallocated space relating to Facebook pictures (bold text added by me to highlight variables): 

Profile Pictures

<a href="album-Profile%20Pictures.html" rel="enclosure"> 

Mobile Uploads

<div class="photo-container hmedia">

Photo Albums

<div class="album"><a href="album-[PHOTO ALBUM NAME].html" rel="enclosure">


The src attribute pointing to the URL for each of these is found immediately after the snippets listed above (for the photo albums, the src points to the first picture in the album).  While the pictures themselves reside in the various photo albums located within the Facebook page, the above-listed snippets can at least be used to identify the names of photos and photo albums that existed on the Facebook page at one time.  If nothing else, they can be compared to content currently located on a Facebook site to determine if the data is still there.

While this is by no means an exhaustive compilation of artifacts that can help identify pictures from a Facebook page, it is a start and could easily be incorporated into a quick search if this type of evidence is germane to the matter at hand.

No comments:

Post a Comment