Forensic Investigation of any FaceBook Profile

Facebook Forensic Toolkit (FFT) is a forensic tool for investigating a criminal's or prime suspect's Facebook account. It retrieves information such as user info, profile, timeline, messages, events, albums, groups, likes, friends and contacts.

Download Facebook Forensic Toolkit from here and install it on your PC.

Now open Facebook Forensic Toolkit and click on “Examine Profile and Clone Data”.

Now in New Case – Information, browse to the location where the report should be saved,
for example: C:\Users\RAJ\Desktop\facebookforensic

Now fill in the following details: case number, evidence number, description, examiner and notes.

Now click on the Next button.

Now in the next step you have to enter the URL of the desired Facebook account,
for example: Proceed to the next step.

Now in the New Case – Evidence step you have to choose the content that you want to search for in the desired Facebook account. As in the image, I have chosen to show all content, so now I can see all of the content.

In this step you have to authenticate with your own Facebook account to proceed with the process.

Note: authentication of the desired (target) Facebook account is not required, and no Facebook account details will be disclosed.

Now in the top right corner you can see the Start button. Click it to start the process, and wait until the toolkit has gathered all the information from the desired Facebook account.

Now you can see the result; I chose to show all the content from the desired Facebook account.

All the content, such as profile, timeline, photo albums, etc., will be shown for the desired Facebook account. Here the image displays the desired account's profile.

Here in the timeline, FFT displays the information in XML form, but all the required data is shown as text.

Here in the image you can see the categories the user has liked,
e.g. website, actor, cars, etc.

Here you can see the user's groups and which of them he is an administrator of.

When the process completes, a report will be created with a name like report-2124

in the location you gave in the second step. As I gave the location C:\Users\RAJ\Desktop\facebookforensic, the report will be saved there.
Now open the report and you can see everything the user has done in his Facebook account, including Facebook posts with dates.

Author: “Abdul Salam is a cyber security researcher and Corporate Trainer of Ignite Technologies. He has 2+ years of experience in Cyber Security.”

How to Create a Copy of a Suspect's Evidence Using FTK Imager


The Forensic Toolkit Imager (FTK Imager) is a commercial forensic imaging software package distributed by AccessData. (AccessData offers computer forensics software and training. Their flagship product is Forensic Toolkit, but they offer several others.)

FTK Imager supports storing disk images in EnCase's or SMART's file format, as well as in raw (dd) format. With IsoBuster technology built in,

IMPORTANT: before proceeding, make sure that when you use FTK Imager to create a forensic image of a suspect's hard drive, you are using a hardware-based write-blocking device. This ensures that your operating system does not alter the suspect's hard drive when you attach the drive to your computer.

First download FTK Imager and install it.

Now open FTK Imager and click on Create Disk Image.

Now a “Select Source” box will open; choose “Physical Drive” and click NEXT.

Now choose the drive of the suspect's evidence that you want to image.

After choosing the drive, click on Finish to start creating the image of the suspect's evidence.

(Note: choose the option “Verify images after they are created”.)

Now in Select Image Type choose “Raw (dd)” and click on NEXT.

Now in “Evidence Item Information” fill in the following attributes. As you can see, some random information has been given; it can be whatever fits the suspect's evidence. Click NEXT.

Now choose the location where the image should be created and enter the image filename, then click on FINISH.

Now in the final step click the START button to start creating the image.

Now the processing has started; wait till the creation completes.

As we chose “Verify images after they are created”, the process will verify the image and then complete.

The suspect's evidence image has been created successfully. Now you can audit the suspect's evidence from the image created by FTK Imager.


How to Find the Usage of Files on a Remote Victim PC (Remote PC Forensics)

From Wikipedia:

“Forfiles” is a Windows command that was first available for the Windows Vista operating system. It allows command-line users to run a command to find which files were used in the past 10 or 30 days; there are several options that make things more interesting and help in cyber forensics.

Options for forfiles in the command prompt:

Selects files by modified date, given as a number of days (option /D)
Searches files by name (option /M)
Includes files in subdirectories (option /S)
Searches files in a specific directory (option /P)

How to find all .txt, .xlsx or .exe files that were used in the last 30 days

forfiles /D -30 /S /M *.exe /C "cmd /c echo @path"

The image below displays all .exe files that were used in the last 30 days.

In the above command @path is used only to display the complete path of the file. Instead we can use @fdate (file date), @ftime (file time), @fsize (file size), @fname (file name), @file (name with extension) or @ext (extension). Here we can use multiple variables in a single execution.

For example: forfiles /D -30 /S /M *.exe /C "cmd /c echo @ext @fname @fdate"

This will display the extension, file name and file date.

Find usage of files in a specific directory by date

Forfiles  /P d: /S /D +2/26/2015

The image below displays all the files present in the (d:) directory by the given date.

Dates are flexible, and the directory can be anything (d:, c:, e:, etc.).

How to find usage of files that were used in the past 30 days

forfiles /p d: /s /D -30

Here in the below image it appears to be showing all the
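The forfiles filters used above (/P, /S, /M, /D) and its @variables, re-implemented in Python as an added example (not code from the original post) so the same triage can be run against a mounted image from a Linux or macOS workstation; the sample directory is constructed inside the block. The /D rule implemented is the one Microsoft documents for forfiles: -dd keeps entries last modified on or before today minus dd days, +dd keeps entries modified on or after that date.

```python
import fnmatch
import os
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

def parse_d(spec, today=None):
    """Parse a forfiles /D value ('-30' or '+2/26/2015') into (sign, cutoff_date)."""
    sign, body = spec[0], spec[1:]
    if "/" in body:  # absolute MM/DD/YYYY form
        return sign, datetime.strptime(body, "%m/%d/%Y").date()
    delta = timedelta(days=int(body))  # relative day count from today
    return sign, (today or date.today()) + (delta if sign == "+" else -delta)

def expand(template, p):
    """Expand the @variables forfiles hands to /C (real forfiles also wraps each in quotes)."""
    st = p.stat()
    mtime = datetime.fromtimestamp(st.st_mtime)
    subs = {"@path": str(p.resolve()), "@file": p.name, "@fname": p.stem,
            "@ext": p.suffix.lstrip("."), "@fsize": str(st.st_size),
            "@fdate": mtime.strftime("%m/%d/%Y"), "@ftime": mtime.strftime("%H:%M:%S")}
    for key, value in subs.items():
        template = template.replace(key, value)
    return template

def forfiles(path, mask="*", recurse=False, dspec=None, cmd="@path", today=None):
    """Return cmd expanded for each entry under path that passes the /M, /S and /D filters."""
    entries = Path(path).rglob("*") if recurse else Path(path).iterdir()
    window = parse_d(dspec, today) if dspec else None
    hits = []
    for p in sorted(entries):
        if not fnmatch.fnmatch(p.name, mask):
            continue
        if window:
            sign, cutoff = window
            mdate = datetime.fromtimestamp(p.stat().st_mtime).date()
            # documented /D rule: '+' keeps mtime on/after cutoff, '-' keeps mtime on/before it
            if not (mdate >= cutoff if sign == "+" else mdate <= cutoff):
                continue
        hits.append(expand(cmd, p))
    return hits

def make_sample_tree(today=None):
    """Constructed sample: a temp dir whose files get mtimes set N days in the past."""
    today, root = today or date.today(), Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    for rel, age in [("old.exe", 45), ("new.exe", 2), ("bin/tool.exe", 10), ("bin/notes.txt", 40)]:
        (root / rel).write_bytes(b"x" * age)  # size == age so @fsize is predictable
        ts = datetime.combine(today - timedelta(days=age), datetime.min.time()).timestamp()
        os.utime(root / rel, (ts, ts))
    return root
```

With the sample tree, `forfiles(root, "*.exe", recurse=True, dspec="-30", cmd="@file")` mirrors the first command above and returns only `old.exe`, the one executable not modified in the last 30 days.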



How to Collect Telephonic Evidence from a Victim PC

First capture the victim's RAM using the DumpIt tool. (For details visit here.)

Download Bulk Extractor Viewer (from here) and install it on your PC.

Now open Bulk Extractor Viewer and click on the option to generate a report.

Now select the DumpIt image file, select an output folder for the report and click on Start bulk_extractor, as seen below.

Now, in order to investigate the victim's saved telephone/mobile information, click on telephone.txt as seen below.

Also click on telephone_histogram.txt.
