Forensic analysis of social media activity

BadB

I once had a very interesting conversation with a friend about social media. It started with her remarking, in passing, that the videos she watched on the social network were not downloaded to her laptop. I was quite amused by this belief. It is a very common myth, and I would like to start this chapter with it.

Forensic analysis of social media activity is part of browser forensics, but I'll cover it separately, since not all users are interested in a comprehensive forensic analysis of browsers.

In this article, I will tell you what information about your social media activity can be extracted by adversaries if they gain physical access to your computer. This can be either a lawful visit by law enforcement agencies with a search and seizure of equipment, or illegal access to your device.

Where this myth comes from is clear: you log in to a social network site and get access to information, such as correspondence, videos, and music. Without the Internet, nothing will load, which means that nothing is stored on your computer except the history of visited pages. Logical?

Following this logic, if the Internet is accidentally interrupted while using a social network, all information should disappear from your browser, but it doesn't disappear, does it? And this can only mean one thing: the information is still stored on your computer.

Let's take a closer look at what information is stored, where, and why, and then move on to the process of extracting and analyzing it.

First of all, let's recall how your browser interacts with a website. The browser receives a set of code from the server hosting the site and translates this code into the visual site you see on your screen. Video and music are rendered by the browser's image and media handlers.

I hope you know that your computer has RAM (which is very fast) for temporarily storing the data currently in use, and a hard disk for permanent storage of information. With rare exceptions, all information received by the browser is initially stored in the RAM area allocated to the browser and is cleared when the browser is closed. But this doesn't always happen.

Confidential information from the browser can be saved to the hard disk in a hibernation file and then extracted from there.

In short: in hibernation mode, the computer cuts power to the RAM to save energy. RAM is volatile and cannot store information without power, so the contents of RAM are written to the hard disk, and when you wake the computer up from sleep mode, they are loaded back into RAM.

And, of course, forensic examiners will definitely check your hibernation file first. If your computer goes into hibernation with social networks open in the browser, your correspondence and page content will be saved to your hard drive. We strongly recommend that you disable the hibernation file.

As mentioned above, when a web page is opened, the browser receives the code and processes it. For example, if you open Vkontakte or Facebook every day, tell me: does the site's structure change often? The logo? The main buttons?

But loading and processing the code takes time. If you've already downloaded the site's code once, why download it a second time when you open the page again? You'll agree that it is easier to save the code and only update it when necessary.

The site storage described above is called caching. The site is loaded once and saved to your hard drive, and when you open it again, it is loaded from your hard drive. This significantly reduces the loading time of the website when it is reopened and reduces the overall load on the Internet connection.

You'll agree that the words "I don't use Facebook" don't sound very plausible if there is a recently cached version of the site on your hard drive that can only be displayed after authorization. From this data, it is possible to establish when you used the site and that you were definitely logged in to the social network, even if no other information was saved.

Of course, valuable data can also be extracted directly from RAM; this topic will be discussed in the article devoted to forensic analysis of RAM. This is especially dangerous when adversaries have gained access to a device that is powered on but locked.

Many users today never turn off their devices and, for example, just close their laptop lid. Devices either transfer data from RAM to the hard disk, or keep supplying power to the RAM in power-saving mode and store the data there (while making copies to the hard disk as a precaution). The latter is commonly referred to as hybrid sleep mode: this is how many modern laptops work, and forensic examiners make use of it in their work.

In the course of its activity, a modern browser with default settings saves a lot of technical information; basically, this information is meant to make the user's experience more comfortable. Technical data includes your site history, passwords, sessions, and cookies.

Letting this information fall into third-party hands is highly undesirable. For example, saved passwords and sessions will give access to your account. The history of visited sites, as you know, will reveal which pages you view.

Also, do you think that your computer password will be a problem for a professional forensic examiner? Unfortunately, no. A password is not enough to protect your data, even if the password is strong. We will tell you more about this in our course, but in the meantime, watch a video about the practical application of forensic analysis of social network activity.
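To make the caching point above concrete, here is an added triage script (example code, not from the original post) that walks a browser cache directory, looks for the raw hostname bytes of social networks inside each entry, flags entries whose URL only a logged-in user could have fetched, and reports the newest modification time per host. The hostname list, the "logged-in only" paths and the sample entries are constructed for this example; the `GET url` layout of the samples is not a real cache format, which is exactly why the script searches raw bytes instead of parsing one.

```python
import os
import re
import tempfile

# Hostnames treated as evidence of use (constructed list; extend as needed).
SOCIAL_HOSTS = ("vk.com", "facebook.com")
# URL paths only a logged-in user can have cached (constructed, illustrative).
AUTH_ONLY_URL = re.compile(rb"https?://[^/\s]+/(im|messages|feed)(?=[/?\s]|$)")

def scan_cache(cache_dir, hosts=SOCIAL_HOSTS):
    """Walk a cache directory; return {host: (newest_mtime, logged_in_seen)}."""
    found = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read()  # raw search: no per-browser format parsing
            except OSError:
                continue
            mtime = os.path.getmtime(path)  # stands in for "last used"
            for host in hosts:
                if host.encode() not in blob:
                    continue
                newest, logged_in = found.get(host, (0.0, False))
                logged_in = logged_in or AUTH_ONLY_URL.search(blob) is not None
                found[host] = (max(newest, mtime), logged_in)
    return found

def build_sample_cache(cache_dir):
    """Write constructed entries (not a real cache format) with fixed mtimes."""
    samples = {
        "e1": (b"GET https://vk.com/im?sel=42 <html>dialog</html>", 1_700_000_000),
        "e2": (b"GET https://vk.com/images/logo.png \x89PNG", 1_690_000_000),
        "e3": (b"GET https://www.facebook.com/favicon.ico \x00", 1_695_000_000),
    }
    for name, (blob, mtime) in samples.items():
        path = os.path.join(cache_dir, name)
        with open(path, "wb") as fh:
            fh.write(blob)
        os.utime(path, (mtime, mtime))

def demo():  # scan a temporary constructed cache and return the result
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_cache(tmp)

if __name__ == "__main__":
    for host, (mtime, logged_in) in demo().items():
        print(f"{host}: newest entry mtime={int(mtime)} logged-in content={logged_in}")
```

The public logo entry for vk.com does not count as logged-in content, while the cached dialog page does; a public favicon alone yields a timestamp for facebook.com but no evidence of authorization.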