Forensic analysis of activities on social networks
The threat of forensic analysis of user activity on social networks
Once, I had a very interesting conversation about social networks with my girlfriend. She was trying to download a video from a social network and said that the video she was watching didn’t load to her laptop. I was slightly amused by her conclusions because this is one of the most pervasive myths I’d like to get started this chapter with.
The forensic analysis of user activity on social networks is part of the forensic analysis of browser, but I will focus on it in a separate chapter as not all users are interested in a full forensic analysis of browsers.
In this chapter you will learn about the kind of information your activity on social networks can reveal to malicious intruders should they get physical access to your computer. It may happen during a legal visit of the law enforcement officers who came to your place with a search warrant to seize equipment as well as by illegally accessing your device.
All user activity on social networks – watching videos, photos, listening to music, correspondence, voice messages don’t download to user’s computer and is not stored on it.
All user activity on social networks: watching videos, photos, listening to music, correspondence, voice messages actually download to user’s computer and is stored on it (though not for a long amount of time).
It’s easy to understand why this myth is so common among users. You get authorized with a social network website and get access to information: correspondence, videos, music. Without a connection, nothing will be able to download, therefore your computer doesn’t save anything except for the browsing history. It’s quite logical, isn’t it?
Following this logic, if your connection is suddenly interrupted while you are using a social network, the information from your browser will be lost, won’t it? Yet it remains unaffected meaning the only thing: the information is still stored on your computer.
Now let’s take a closer look at what kind of information this is, where and why it is stored, and then proceed to how it is extracted and analyzed.
First, let’s remember how your browser interacts with a website. From the server the website is hosted on, your browser gets a chunk of code. Then the browser renders this code to display its visual representation – what you actually see on your screen. Videos and music are handled by graphics and music processors in the browser.
I hope you know that your computer has RAM that temporarily stores the data currently being used and the hard disk – the place used for permanent storage. Except for rare cases, all the information your browser receives is stored primarily in RAM allocated for the browser and cleared when it closes up.
But it doesn’t always happen like that, your confidential information from the browser can be saved to the hard drive to a hibernation file and then extracted from there. In the chapter devoted to the forensic analysis of RAM, we are looking at hibernation mode (known to users as “sleep mode” though these two are not completely synonymous notions) where all the information from RAM is written to the so-called hibernation file and stored on your hard disk.
In short, when entering hibernation mode, your computer powers down RAM to save power. RAM is dependent on having power all the time and can’t store information without it. The information from RAM is saved to the hard drive, and when your computer wakes up from the sleep, it is again loaded into RAM.
Of course, forensic experts will primarily examine your hibernation file. If your computer enters hibernation mode with the social networks opened in the browser, your correspondence and contents of the page will be saved to the hard drive. We strongly recommend you disable the hibernation file.
As I have mentioned before, when the webpage opens, the browser receives a copy of the website code and renders it onto the screen. Every day you open Vkontakte or Facebook, how often does the structure of these websites change? What about their logos? Or main buttons?
Code loading and rendering takes time, however, if you once loaded the website’s code, why load it again upon reopening the webpage? It’s far easier to save the code and update it when necessary, right?
The temporary storage of the website documents described above is called caching. A website loads once and is saved to your hard drive, and when you reopen the website it loads from your hard drive. This considerably reduces the load on your web server and Internet connection.
You can find out more about website caching in a separate chapter. Again, remember that the information about your activity on the Internet is saved to your hard drive. You may go by the “I don’t use Facebook” mindset, but your computer saves a cached copy of the website to your hard drive which your browser displays only after your authorization. This data can be used to find out when you used the website and that you actually authorized with the social network even if there has been no other information stored.
Of course, your sensitive data can be extracted directly from RAM, and this theme is explored in detail in the chapter devoted to the forensic analysis of RAM. Such situation when malicious intruders obtain access to the turned on but blocked device carries huge risks for you.
Today many users never shut down their devices, for instance, they just close down their laptop. Devices either save data from RAM to the hard drive or store the data in RAM by keeping RAM running when going into power saving mode (simultaneously saving their copies to the hard disk for security reasons). The latter is called “hybrid sleep”, and many modern laptops use it considerably easing the job for forensic experts.
While running, a modern browser with standard settings saves a lot of technical information that basically makes your day-to-day usage more comfortable. Such data include browsing history, passwords, sessions, cookies.
It is extremely important to prevent other people from obtaining this kind of information. For instance, saved passwords and sessions expose your account to unauthorized access. Your browsing history will reveal all the webpages you have viewed.
Do you still believe that a skilled forensic expert won’t be able to handle the password to your computer? Unfortunately, your password alone is unable to protect your sensitive data even if it is strong enough. You will know more on that as you progress through our course.
Protecting yourself from the forensic analysis of user activity on social networks
You can disable the hibernation file using the Panic Button application. Just install a free trial version, and when the system runs a security scan, choose to disable hibernation and then run a second check of your computer to make sure the file is successfully removed.
Download widget: Panic Button
Disable the hibernation file on your computer.
The Panic Button security scanner will check your system for exposure to direct access to RAM including Cold boot attack – the notorious attack that uses liquid nitrogen to cool RAM, extract it and load it to a new device (whose contents are then examined by forensic experts). Fortunately, the number of devices exposed to this kind of attack drops every year.
Check your system for exposure to attacks exploiting direct access to RAM.
Of course, you need to ensure the full encryption of your system to rule out any chance of direct access to the data on your hard drive obtained through exploiting loopholes in the security systems of your operating system. You can find out more about the comprehensive encryption of operating system in this chapter.
Securely encrypt your operating system.
To perform an emergency erasure of RAM, saved passwords, launched sessions, cookies, browsing history, use the application Panic Button you have already installed. The application can be launched independently as well as in logic bomb mode.
In logic bomb mode Panic button will be set off automatically and securely remove all your sensitive data should malicious intruders target your system.
There are alternate methods of deleting your data, and we go into them in the chapter focusing on browser security. There we will reveal the options of disabling the storage of the data about your activity by your browser. It will enhance your data security, but your user experience will be affected.