The threat of forensic analysis of user activity on social networks
Once I had a very interesting conversation about social networks with my girlfriend. She was trying to download a video from a social network and said that the video she was watching was not being downloaded to her laptop. I was slightly amused by her conclusion, because it is one of the most pervasive myths, and I would like to start this chapter with it.
Forensic analysis of user activity on social networks is part of the forensic analysis of the browser, but I cover it in a separate chapter, since not every reader wants a full forensic analysis of browsers.
In this chapter you will learn what your activity on social networks can reveal to an adversary who gets physical access to your computer. That can happen legally, when law enforcement officers arrive with a search warrant and seize your equipment, or illegally, when someone simply gains access to your device.
Myth: user activity on social networks (watching videos and photos, listening to music, correspondence, voice messages) is not downloaded to the user's computer and is not stored on it.
Fact: all of this activity on social networks (watching videos and photos, listening to music, correspondence, voice messages) is downloaded to the user's computer and is stored on it, though not necessarily for long.
It is easy to see why this myth is so common. You log in to a social network website and get access to its content: correspondence, videos, music. Without a connection nothing can load, so surely your computer stores nothing except the browsing history? It sounds logical, doesn't it?
Following this logic, if your connection drops while you are using a social network, whatever is in your browser should be lost, shouldn't it? Yet the page you were looking at stays on screen, and that can only mean one thing: the information is stored on your computer.
Now let’s take a closer look at what kind of information this is, where and why it is stored, and then proceed to how it is extracted and analyzed.
First, let's recall how your browser interacts with a website. From the server that hosts the site, your browser receives the page's code (HTML, scripts, stylesheets) together with the images, video and audio the page refers to. The browser renders that code into the visual representation you see on your screen, and decodes video and audio with its built-in media pipeline (using hardware acceleration where the machine provides it).
I hope you know that your computer has RAM, which temporarily holds the data currently in use, and a hard disk, which is used for permanent storage. Most of what your browser receives is held in the RAM allocated to the browser process and is released when the browser closes.
But that is not always what happens: confidential data from the browser can end up on the hard drive in a hibernation file and be extracted from there. In the chapter devoted to the forensic analysis of RAM we look at hibernation mode, which users often call "sleep mode", although the two are not the same: in sleep mode RAM stays powered and keeps its contents, while in hibernation mode everything in RAM is written to the so-called hibernation file on your hard disk (hiberfil.sys on Windows). The page file (pagefile.sys on Windows, the swap partition on Linux) is another path by which browser memory can reach the disk, even without hibernation.
In short, when entering hibernation the computer saves the contents of RAM to the hard drive and then cuts power to the RAM entirely. RAM is volatile: it needs constant power and loses its contents without it. When the computer wakes from hibernation, the saved image is loaded back into RAM and the session continues where it left off.
Naturally, forensic experts will examine your hibernation file as a matter of course. If your computer hibernates with social networks open in the browser, your correspondence and the contents of the pages are saved to the hard drive. Note that on Windows 8 and later the "Fast Startup" feature also writes the kernel session (not your logged-in user session) to hiberfil.sys at every ordinary shutdown, so the file exists and is written to even if you never hibernate on purpose. We strongly recommend that you disable hibernation altogether; on Windows, running powercfg /hibernate off from an administrator command prompt turns it off and deletes the file.
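The chapter says that examiners extract and analyze what reaches the hibernation file. The following Python script, added here as an illustration and not taken from the original text, shows the simplest form of that analysis: carving social-network artifacts (URLs, message-like JSON fragments, HTTP request lines) out of a raw memory image by scanning both ASCII and UTF-16LE strings, since Windows and browsers keep many strings in memory in the wide form. It runs on a small constructed byte buffer that stands in for an already decompressed image; a real hiberfil.sys from Windows 8 or later is Xpress-compressed and must first be decompressed with a hibernation-aware forensic tool before string carving makes sense. The host list, the regular expressions and the sample content are my assumptions.

```python
import mmap
import re

# Hosts treated as "social network" indicators (assumption: extend as needed).
SOCIAL_HOSTS = ("vk.com", "facebook.com")

# Printable runs of at least 8 characters, in ASCII and in UTF-16LE.
# An ASCII-only scan misses the wide strings Windows and browsers keep in memory.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# What we look for inside the recovered strings (assumed patterns).
INDICATORS = {
    "url": re.compile(
        r"https?://(?:[\w.-]+\.)?(?:"
        + "|".join(re.escape(h) for h in SOCIAL_HOSTS)
        + r")/\S*"
    ),
    # A message object as a web client would hold it: {"text": "...", ...}
    "message_json": re.compile(r'\{[^{}]*"text"\s*:\s*"[^"]*"[^{}]*\}'),
    # Request lines for media and other resources the page fetched.
    "http_request": re.compile(r"\b(?:GET|POST) /\S+ HTTP/1\.[01]"),
}


def extract_strings(image):
    """Yield (offset, encoding, text, bytes_per_char) for every printable run."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii"), 1
    for m in WIDE_RUN.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le"), 2


def carve_social_artifacts(image):
    """Return hits sorted by the byte offset of the match inside the image."""
    hits = []
    for start, enc, text, width in extract_strings(image):
        for kind, rx in INDICATORS.items():
            for m in rx.finditer(text):
                hits.append({
                    "offset": start + width * m.start(),
                    "encoding": enc,
                    "kind": kind,
                    "value": m.group(),
                })
    hits.sort(key=lambda h: h["offset"])
    return hits


def carve_file(path):
    """Carve a file on disk (e.g. a decompressed hibernation image or a raw RAM
    dump) through a memory map, so it is not read into memory in one piece."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_social_artifacts(mm)


def build_sample_image():
    """Constructed stand-in for a memory image: padding, an ASCII URL, a message
    fragment, a UTF-16LE URL and an HTTP request line, at known offsets."""
    wide_url = "https://www.facebook.com/messages/t/alice".encode("utf-16-le")
    return (
        b"\x00" * 64
        + b"https://vk.com/im?sel=123456 "              # offset 64
        + b"\x00" * 17
        + b'{"text":"see you at 7","from_id":123456}'  # offset 110
        + b"\x00" * 2
        + wide_url                                      # offset 152
        + b"\x00" * 32
        + b"GET /video.mp4 HTTP/1.1\r\n"                # offset 266
    )


if __name__ == "__main__":
    for h in carve_social_artifacts(build_sample_image()):
        print(f"0x{h['offset']:06x}  {h['encoding']:8}  {h['kind']:12}  {h['value']}")
```

Against a real image, call carve_file() on the decompressed hibernation file, the page file or a raw RAM dump; the offsets let you go back to the surrounding bytes in a hex editor to recover the rest of a conversation or the headers of a media request.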
As I mentioned before, when a webpage opens the browser receives a copy of the website's code and renders it on screen. You open Vkontakte or Facebook every day; how often does the structure of these websites change? Or their logos? Or the main buttons?
Loading and rendering code takes time, so once you have loaded the website's code, why load it again the next time you open the page? It is far easier to save the code and update it only when necessary, isn't it?
This temporary storage of website documents is called caching. A website is loaded once and saved to your hard drive, and when you reopen it, it is loaded from your hard drive. This considerably reduces the load on the web server and your Internet connect