Wednesday, April 16, 2014

Final Post


Since my previous progress report I have conducted a similar examination for the web browser version of Pheed. Using Google Chrome to log into Pheed and generate the necessary data, I then followed that up by extracting and viewing the artifacts through Magnet Forensics' Internet Evidence Finder (IEF) version 6.3.0.0104. It yielded very similar results to the mobile examination but also turned up some of the artifacts I was hoping to gain from both extractions.

Google Chrome stored all of the folders that contained pertinent artifacts in the same location, making finding the artifacts quite easy: ROOT\Users\vfitzgerald\AppData\Local\Google\Chrome\User Data\Default. Some of these artifacts would include user interactions, such as the liking and disliking features available to users. I also found information about the users the test Pheed account was subscribed to. Below is a chunk of text extracted from the cache file that contained information about the users subscribed to.

 
{"subscriptions": [{"profile": {"status": "1", "rating": "3", "verified": "0", "url": "animals", "iconimage": "https://d1dcwuzxl9elyu.cloudfront.net/1330630/32x32_cND2Lxd7G8YR.jpeg", "monthly": "0.99", "plan": "0", "full_name": "Animals", "published": "1", "id": "1330630"}, "type": 0, "user_id": 3738881, "pheeder_id": "1330630"}
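The chunk above is cut off before its array and outer object are closed, so a strict JSON parser rejects it. As an added example (not part of the original post and not how IEF works), this Python code recovers every complete subscription record from such a truncated cache fragment; the function names are hypothetical.

```python
import json

# Chunk exactly as printed in the post; it ends before the closing "]}".
SAMPLE = (
    '{"subscriptions": [{"profile": {"status": "1", "rating": "3", '
    '"verified": "0", "url": "animals", "iconimage": '
    '"https://d1dcwuzxl9elyu.cloudfront.net/1330630/32x32_cND2Lxd7G8YR.jpeg", '
    '"monthly": "0.99", "plan": "0", "full_name": "Animals", '
    '"published": "1", "id": "1330630"}, "type": 0, "user_id": 3738881, '
    '"pheeder_id": "1330630"}'
)

def recover_subscriptions(chunk):
    """Return each complete object of the "subscriptions" array (hypothetical helper)."""
    key = '"subscriptions"'
    start = chunk.find(key)
    pos = chunk.find("[", start + len(key)) if start != -1 else -1
    if pos == -1:
        return []
    decoder = json.JSONDecoder()
    records, pos = [], pos + 1
    while pos < len(chunk):
        # Skip whitespace and the commas that separate array elements.
        while pos < len(chunk) and chunk[pos] in " \t\r\n,":
            pos += 1
        if pos >= len(chunk) or chunk[pos] != "{":
            break  # reached "]" or data that is not a record
        try:
            obj, pos = decoder.raw_decode(chunk, pos)  # parse one object, get its end offset
        except json.JSONDecodeError:
            break  # record cut off at the fragment boundary; keep what parsed
        records.append(obj)
    return records

def summarize(records):
    """Flatten each record to the fields an examiner would tabulate, keeping the source key names."""
    rows = []
    for rec in records:
        profile = rec.get("profile", {})
        rows.append({"user_id": rec.get("user_id"),
                     "pheeder_id": rec.get("pheeder_id"),
                     "full_name": profile.get("full_name"),
                     "url": profile.get("url"),
                     "monthly": profile.get("monthly")})
    return rows

if __name__ == "__main__":
    for row in summarize(recover_subscriptions(SAMPLE)):
        print(row)
```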

I was also able to locate a handful of useful cookie artifacts. The first is a cookie that identified that a successful login to Pheed occurred. The next two that were very interesting were the failed login attempt to Facebook and then the successful login followed by the sharing of a Pheed post onto the test user's Facebook page. A similar cookie was created after the same process was done for the user's Twitter account.
 
The web history that was extracted was also helpful in determining what the user was doing on their Pheed at what time. By looking at the URLs and timestamps I was able to compare these to the recorded actions I had and determine exactly what each URL was for. These artifacts ranged from password resets to search terms.
IEF also comes with a feature that allows it to rebuild some web pages that the user was viewing. This proved very useful as IEF was able to show me information such as the user editing their bio as well as transaction history.  




Conclusion

I was very satisfied with my final results and I felt I came up with a lot of useful data. I will start by addressing the mobile application data that I was able to extract. I came up with a lot of useful data: I was able to find a huge amount of media and was even able to find locations that allowed me to view more important media artifacts such as Pheed posts by the user, not just the massive cache volumes. I also found some data that linked other accounts to the Pheed account, including some username and password information. I did miss some things in this portion of the examination, such as user interactions with other posts. This issue may have been able to be resolved by rooting the device and re-examining the device to hopefully turn up more data.
As for the web browser version of the social network, I felt again I was very successful in my examination. I found similarly large cache volumes with no distinct naming method. However, the web browser cache volumes supplied me with other useful artifacts, not just images. There was other data like subscriber information and user interactions that I was not able to find in the mobile examination. I also found a lot more data in regard to the sharing between other social networks. The one major thing that did not turn up in the web browser examination was actual posts the user made to their personal Pheed. These were located in the cache volume but there was no way to know the difference between them and other files found here.
The research conducted was very significant in giving back to the forensic community I've learned so much about. New social networks seem to be popping up every year and it can be very overwhelming to keep up with them. Even more so, social networks are a key component in many digital crimes, and being able to jump right in and quickly gain the artifacts needed for the investigation can be immensely important. Time is often a factor in investigations, so creating a good baseline of knowledge for a new social network and where to look for what data can prove to be very beneficial. The real goal of my research was to create a helpful guide for any that may need to do an examination of Pheed for a real-time case where speed and accuracy are crucial. As I could not put everything I wanted into this series of blog posts, below is a link that contains the full report for all of the research I have conducted throughout my final semester at Champlain College.

https://drive.google.com/file/d/0Bzg8xMS1nfewMl82MTlMSWhKdGs/edit?usp=sharing