Monday, February 9, 2015

Facebook for Android Artifacts


A Cache of Personal and Communication Information


Introduction

First, a disclaimer.  This post will detail lots of artifacts on the Facebook for Android app which can be useful from a forensic perspective.  These findings regard personal information about the user and the user's communications with contacts.  My goal with this post is to educate, inform, and possibly assist people working on cases involving Facebook data on mobile devices.  My goal is not to scare the reader away from using Facebook.

I am not writing this post with the goal of getting you, the reader, to remove Facebook from your phone.  I use Facebook on my phone, so I obviously am not too worried about the incredible amount of personal information stored in an unprotected manner on my phone.

So ... if this post disappears at any point, go ahead and assume I received a cease and desist note from Mark Zuckerberg!

Now ... back to the post.  I use Facebook.  My wife occasionally uses Facebook.  Her friends and my friends use Facebook.  My siblings, parents, cousins, aunts, and uncles use Facebook.  I have a grandmother who uses Facebook.  I have a friend from grad school who has a Facebook page for her cat.

Facebook launched over ten years ago as a collegiate social network, and this mega-popular website revolutionized social networking.  Facebook evolved from a set of unconnected profiles to a place to share status updates and thoughts of the day to one of the largest (if not the largest) collections of photographs of people in the world.  I'm now of the age that whenever I log onto Facebook, I swear Facebook is nothing except a website for parents to upload cute pictures of their kids.

As with any other new technology, Facebook can also attract criminal activity.  Facebook stalking is a real thing and can lead to in-life stalking and worse (even if this video makes it look humorous).  In Facebook's early days, some universities used Facebook photos of underage students drinking as evidence of university policy violations.  Facebook posts have been admitted as evidence in criminal trials before, and depending upon applicable state law, Facebook posts and messages may be admissible in court.

If you are examining an image of an Android phone for a criminal case and Facebook is installed, there may be good reason to examine data associated with the Facebook app.  This post will detail some of the Facebook data that can be stored on the device and how to interpret it.  And again, please don't uninstall Facebook just because some guy on some Android forensics blog said the Facebook app is creepy!

Where is the data?

First, how do you access this Facebook data?  Like any other app, Facebook keeps its data in its private app directory, which Android protects with per-app permissions.  I'd recommend reading my previous post on viewing SQLite Databases before diving into this post.  In short, you'll need a rooted device or an image of a device to access Facebook data.

There are two Facebook apps that I'll detail in this post.  The first is the main Facebook app.  The package name is com.facebook.katana, so the data associated with this app will be stored in the data partition in the directory data/com.facebook.katana.  The version of the app on my device is 26.0.0.22.16.  The second is the messenger app.  The package name is com.facebook.orca, so the data associated with this app will be stored in the data partition in the directory data/com.facebook.orca.  The version of the app on my device is 20.0.0.19.13.  Depending upon the version of Facebook installed on the device, data may be slightly different than what I present in this post.  If you have any questions about where data is, you can always contact me.

So yes, if you install both the main app and the messenger app on your device, you have a killer whale (orca) and Michonne's sword from the Walking Dead (katana).

If you've already imaged the device you are investigating, go ahead and copy these directories away from the image to your forensic computer.

Information about Facebook Friends

First, we'll look at the com.facebook.katana app, or the main Facebook app.  Check out the directory com.facebook.katana/databases.  This directory predictably stores database files.

In my previous post on viewing SQLite Databases, I showed how to open a SQLite database file to browse data.  Explore the file contacts_db2.  This file stores a database of Facebook friends.  Within the file is a table called contacts.  There are several columns in this table to be aware of:
  • first_name:  self explanatory
  • last_name:  self explanatory
  • display_name:  self explanatory
  • small_picture_url:  A URL to a small version of the user's profile picture.  More on that later.
  • big_picture_url:  A URL to a big version of the user's profile picture.  More on that later.
  • huge_picture_url:  A URL to a huge version of the user's profile picture.  More on that later.
  • communication_rank:  A number representing how often the user communicates with this particular contact.  This number is calculated using some Facebook formula.  Communications include messages, posts, likes, comments, etc.  A 0 in this column means no communication.  The higher the number, the more communication.  From a forensic perspective, this number is a way of determining how often the user interacts with another user.
  • is_messenger_user:  A true/false field.  True indicates that the user uses a mobile messenger app (such as the com.facebook.orca app for Android).
  • data:  A long string of data describing user profile information.  More on this later.
  • bday_day:  Birthday.
  • bday_month:  Birthday.
For some of the points above, I indicated that I would discuss more later.  It is later now.

There are entries for small_picture_url, big_picture_url, and huge_picture_url.  Here is what a huge_picture_url string looks like for a friend of mine:  https://fbcdn-<redacted>_n.jpg?oh=<more_redacted>eea.  (I redacted most of the URL for privacy reasons.)  And when I entered the URL into a browser, I found this image:


(I chose this specific friend of mine for the sake of anonymity.  No face in this Facebook profile picture).  Yes, this friend of mine is an Oregon Ducks fan.  Don't be too hard on him after the college football national championship game.

Notice how there is no protection, no encryption, no login required to access these Facebook photos.  While there is no public index page that I am aware of to associate a URL with a user, it still bears mentioning that photos are stored without protection online.

There is an entry above for "data".  I said that this is a blob of user data text.  Here is what one of the blobs looks like (with redactions):
{"contactId":"Y2<redacted>k2","profileFbid":"62<redacted>09","graphApiWriteId":"contact_20<redacted>96","name":{"firstName":"<redacted>","lastName":"<redacted>","displayName":"<redacted>"},"phoneticName":{},"smallPictureUrl":"https://fbcdn-profile-a.<redacted>a40","bigPictureUrl":"https://fbcdn-profile-a.<redacted>26e","hugePictureUrl":"https://fbcdn-profile-a.<redacted>eea","smallPictureSize":160,"bigPictureSize":320,"hugePictureSize":466,"communicationRank":0.03445798,"withTaggingRank":0.3325288,"phones":[{"id":"62978<redacted>259","label":"Mobile","displayNumber":"(6xx) 9xx-xxxx","universalNumber":"+16xx9xxxxxx","isVerified":true}],"nameSearchTokens":["<redacted>","<redacted>"],"canMessage":true,"isMobilePushable":"YES","isMessengerUser":true,"messengerInstallTime":1417438579000,"isMemorialized":false,"isOnViewerContactList":true,"addedTime":1419017431000,"friendshipStatus":"ARE_FRIENDS","subscribeStatus":"IS_SUBSCRIBED","contactType":"USER","timelineCoverPhoto":{"focus":{"x":0.5,"y":0.39435146443515},"photo":{"image_midres":{"uri":"https://fbcdn-sphotos-h-a.<redacted>201","width":320,"height":179},"image_lowres":{"uri":"https://fbcdn-sphotos-h-a.<redacted>817","width":500,"height":281}}},"nameEntries":[],"birthdayDay":<redacted>,"birthdayMonth":<redacted>,"cityName":"<redacted>, Ohio","isPartial":false}
Obviously this blob is hard to read, but it is a nice treasure trove of useful information about the individual.  I'll space this out to make it a little more readable:
contactId:  Y2<redacted>k2
profileFbid:  62<redacted>09
graphApiWriteId:  contact_20<redacted>96
name:
   firstName:  <redacted>
   lastName:  <redacted>
   displayName:  <redacted>
phoneticName:
smallPictureUrl:  https://fbcdn-profile-a.<redacted>a40
bigPictureUrl:  https://fbcdn-profile-a.<redacted>26e
hugePictureUrl:  https://fbcdn-profile-a.<redacted>eea
smallPictureSize:  160
bigPictureSize:  320
hugePictureSize:  466
communicationRank:  0.03445798
withTaggingRank:  0.3325288
phones:
   id:  62978<redacted>259
   label:  Mobile
   displayNumber:  (6xx) 9xx-xxxx
   universalNumber:  +16xx9xxxxxx
   isVerified:  true
nameSearchTokens:  ["<redacted>","<redacted>"]
canMessage:  true
isMobilePushable:  YES
isMessengerUser:  true
messengerInstallTime:  1417438579000
isMemorialized:  false
isOnViewerContactList:  true
addedTime:  1419017431000
friendshipStatus:  ARE_FRIENDS
subscribeStatus:  IS_SUBSCRIBED
contactType:  USER
timelineCoverPhoto:
   focus:
      x:  0.5
      y:  0.39435146443515
   photo:
      image_midres:
         uri:  https://fbcdn-sphotos-h-a.<redacted>201
         width:  320
         height:  179
      image_lowres:
         uri:  https://fbcdn-sphotos-h-a.<redacted>817
         width:  500
         height:  281
nameEntries:  []
birthdayDay:  <redacted>
birthdayMonth:  <redacted>
cityName:  <redacted>, Ohio
isPartial:  false
The entry for a contact's "data", as you can see, can contain all kinds of personal information, ranging from birthday to cell phone number, and I've even seen people's addresses in this entry before.  Two takeaways: one, be careful what you put online, and two, all of this sensitive information is stored on your phone without encryption.
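As an added example (my own script, not code from the post), the following Python pulls the columns above out of contacts_db2, flattens the JSON in the data column into the fields an examiner usually wants (phone numbers, city, birthday, friendship status), and lists contacts in communication_rank order, dropping those the user never interacted with.  It assumes the contacts table has the column names listed above and that data is JSON shaped like the blob shown; the demo rows are constructed.

```python
import json
import sqlite3

# Columns named in the post; `data` holds JSON shaped like the blob above.
QUERY = """
SELECT display_name, communication_rank, is_messenger_user, data
FROM contacts
ORDER BY communication_rank DESC
"""

def summarize_contact(display_name, rank, is_messenger, data_json):
    """Flatten one contacts row into the fields an examiner usually wants."""
    d = json.loads(data_json) if data_json else {}
    phones = [p.get("universalNumber") for p in d.get("phones", [])]
    return {
        "name": display_name,
        "fbid": d.get("profileFbid"),
        "communication_rank": rank,
        "messenger_user": bool(is_messenger),
        "phones": [p for p in phones if p],
        "city": d.get("cityName"),
        "birthday": (d.get("birthdayMonth"), d.get("birthdayDay")),
        "friendship": d.get("friendshipStatus"),
    }

def rank_contacts(conn, min_rank=0.0):
    """Contacts the user actually interacts with (rank > min_rank), most active first."""
    rows = conn.execute(QUERY).fetchall()
    return [summarize_contact(*r) for r in rows if (r[1] or 0) > min_rank]

def demo_connection():
    """Constructed sample (made-up values) using the post's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (first_name TEXT, last_name TEXT, display_name TEXT,"
        " small_picture_url TEXT, big_picture_url TEXT, huge_picture_url TEXT,"
        " communication_rank REAL, is_messenger_user INTEGER, data TEXT,"
        " bday_day INTEGER, bday_month INTEGER)")
    alice = {"profileFbid": "1000001", "cityName": "Columbus, Ohio", "birthdayDay": 4,
             "birthdayMonth": 7, "friendshipStatus": "ARE_FRIENDS",
             "phones": [{"label": "Mobile", "universalNumber": "+15555550100"}]}
    bob = {"profileFbid": "1000002", "friendshipStatus": "ARE_FRIENDS", "phones": []}
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        ("Alice", "Example", "Alice Example", "", "", "", 0.41, 1, json.dumps(alice), 4, 7),
        ("Bob", "Example", "Bob Example", "", "", "", 0.0, 0, json.dumps(bob), None, None),
    ])
    return conn
```

Against a real copy, open the evidence file read-only with sqlite3.connect("file:contacts_db2?mode=ro", uri=True) and pass that connection to rank_contacts.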

Facebook Messages

Facebook has the ability to send private messages to other users.  These messages are stored on Facebook's servers, and they also can be stored on your phone.  The file com.facebook.katana/databases/threads_db2 stores messages the user has sent and received, and they are all stored in the table messages.  As before, I'll point out columns of interest.
  • text:  the actual text of the message.
  • sender:  the user who sent the message.  You can use this column to tell if the message was sent or received.
  • timestamp_ms:  the date and time of the message in epoch time.
  • attachments:  any attachments with the message.  The attachment may include a link to a photo.
  • coordinates:  if the user sent the message using a mobile device and allowed access to device location, the location of the device when the message was sent.
  • source:  whether the message came from a computer or a device or any other source.

Here is an example of the sender field:  {""email"":""20<redacted>86@facebook.com"",""user_key"":""FACEBOOK:20<redacted>86"",""name"":""Mark Lohrum""}.  This field is formatted similarly to the data field in the contacts table as I mentioned above.  You can see a field for email, which is basically the numerical user ID @facebook.com.  You can try sending an email to this address from your GMail; for me, the message forwarded to my email address where I receive Facebook notifications.  But you can see my name in the sender field, so you know that the message in this entry is from me.

You probably noticed above an entry for coordinates.  This entry stores the latitude and longitude reported by the device at the time the message was sent, so it tells you where the device was when a message was sent at a specific time.  If you can be sure that the user, and not another individual, was holding the device and sending the message, then you know where that person was when the message was sent.  Note, on Android it is very easy to spoof location.
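As an added example, not code from the post, here is a Python script that rebuilds a sent/received timeline from the messages table: it parses the sender JSON (undoubling the quotes shown in the example above when the raw value does not parse), converts timestamp_ms to UTC, and marks a message as sent when the sender's user_key matches the device owner's.  The owner key and the sample rows are constructed, and coordinates is passed through unparsed because its format isn't shown in the post.

```python
import json
import sqlite3
from datetime import datetime, timezone

QUERY = "SELECT text, sender, timestamp_ms, coordinates, source FROM messages ORDER BY timestamp_ms"

def parse_sender(sender_json):
    """sender is JSON with email, user_key and name.  The post's example shows every
    quote doubled, the way a CSV export escapes them, so fall back to undoubling
    when the raw value does not parse."""
    try:
        s = json.loads(sender_json)
    except json.JSONDecodeError:
        s = json.loads(sender_json.replace('""', '"'))
    return s.get("name"), s.get("user_key")

def build_timeline(conn, owner_user_key):
    """Messages in time order with a UTC timestamp and a sent/received direction,
    decided by comparing the sender's user_key with the device owner's key."""
    timeline = []
    for text, sender, ts_ms, coords, source in conn.execute(QUERY):
        name, key = parse_sender(sender)
        timeline.append({
            "utc": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
            "direction": "sent" if key == owner_user_key else "received",
            "sender": name,
            "text": text,
            "coordinates": coords,  # kept raw: the post does not show this field's format
            "source": source,
        })
    return timeline

def demo_connection():
    """Constructed sample messages table (made-up values) with the post's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (text TEXT, sender TEXT, timestamp_ms INTEGER,"
                 " attachments TEXT, coordinates TEXT, source TEXT)")
    owner = '{""email"":""1000000@facebook.com"",""user_key"":""FACEBOOK:1000000"",""name"":""Device Owner""}'
    friend = json.dumps({"email": "1000001@facebook.com", "user_key": "FACEBOOK:1000001",
                         "name": "Alice Example"})
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?)", [
        ("Game tonight?", friend, 1423440300000, None, None, "web"),
        ("Yes, kickoff at 8", owner, 1423440000000, None, None, "mobile"),
    ])
    return conn
```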

Cached Images

The Facebook app stores a whole lot of data on the device.  Much of this data is cached images.

For example, on my device, there is a file com.facebook.katana/cache/image//v2.ols100.1/99/8vNUdrezcgt0__oST83Rc5g0QIE.cnt.  (I don't know what the .cnt extension means, but all of the cached images have this extension.)  Obviously there is no context in this filename what the file is, but the file was 102 KB so I was interested.  Here is what the file looks like in a Hex editor:



You can see that the file header includes JFIF, so clearly this is a JPG file.  I renamed the file to include a .jpg at the end and opened it as an image and here is what I found:



Yes, I am a big football fan.

Now how useful are these cached images?  To be honest, not horribly.  These are images from the timeline that my device saved.  In other words, these are public pictures that a user posted online.  It is not horribly useful, just interesting.
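The header check above, automated: an added Python script (mine, not the post's) that walks the cache/image directory, identifies each .cnt file by its magic bytes, and copies recognised images out with the right extension while keeping the cache file's timestamps.  It goes a little beyond the post by recognising PNG and GIF as well as JPEG; the sample cache it builds is constructed.

```python
import os
import shutil
import tempfile

# Magic bytes at offset 0.  The post confirms JPEG (JFIF header) for .cnt files;
# PNG and GIF are included so other cached formats are recovered too.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

def sniff_extension(path):
    """Return the extension implied by the file header, or None if not a known image."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None

def recover_cached_images(cache_dir, out_dir):
    """Copy every recognisable image under cache_dir into out_dir with a proper
    extension.  Returns {cache_relative_path: output_name} for the examiner's notes."""
    os.makedirs(out_dir, exist_ok=True)
    recovered = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            src = os.path.join(root, name)
            ext = sniff_extension(src)
            if ext is None:
                continue
            out_name = os.path.splitext(name)[0] + "." + ext
            shutil.copy2(src, os.path.join(out_dir, out_name))  # copy2 keeps mtime
            recovered[os.path.relpath(src, cache_dir)] = out_name
    return recovered

def demo():
    """Constructed sample cache: one JPEG-headed .cnt and one non-image .cnt."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "image", "v2.ols100.1", "99")
    os.makedirs(cache)
    with open(os.path.join(cache, "sample.cnt"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32)
    with open(os.path.join(cache, "notimage.cnt"), "wb") as f:
        f.write(b"not a picture")
    return recover_cached_images(os.path.join(base, "image"), os.path.join(base, "out"))
```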

That's all the data I'll cover for now from the com.facebook.katana app.  If there's anything else you would like me to cover, comment or contact me and I'll take a look.

com.facebook.orca data

The com.facebook.orca app is just a messenger app.  There is also a threads_db2 file within its databases directory, just like with com.facebook.katana, and it stores basically the same information, so I won't cover it again.  The important thing to know is that if the com.facebook.orca app is present, the user uses Facebook Messenger for Android.

That is all I will cover for now.  Did I cover everything that Facebook stores?  No.  Here are a few more artifacts worth noting that the app stores:
  • Facebook posts by the user
  • Facebook pictures and videos uploaded by the user
  • Places the user has been
Now something I haven't covered yet is important.  The device stores a lot of data, but Facebook is ultimately a cloud service, meaning all Facebook data is ultimately stored on a remote server.  If you are in law enforcement and you need data associated with a user from Facebook's servers and you have a court order allowing access to these records, there is an avenue to get this.  Check out this link for more information.  I am not law enforcement so I have no personal experience in this avenue, but I do know this avenue exists if needed.

Summary
  • Facebook stores lots of data on Android devices if the user uses Facebook
  • Private messages and personal friend information can be retrieved from the device in an investigation
  • There exists a method for law enforcement to retrieve Facebook records should they be needed.  The procedure requires a court order
Questions, comments, suggestions, or experiences?  Walking Dead or college football fan chat?  Leave a comment below, or send me an email.