AXIOM supports Facebook Warrant Returns that are in a .zip package as part of our Warrant Return support. Unlike Apple returns, Facebook and other providers don’t require you to decrypt the package before loading. Facebook specific content can include the Facebook Audit Log, Friend requests, Friends, Messenger Messages, Photos, Status Updates, and Wallposts. The Facebook Audit Log artifact can include Comments, Likes, Search, Share, and Unfollowed Activities along with their timestamps. This information can be put on a Timeline with other content from your investigation to tell a larger story. There is value to collecting content from the ISP even if you have the mobile device as you may find additional artifacts, especially from the Audit Log artifact.
So how do you load these returns? What does the content look like? Check out Tarah Melton’s video of processing a Facebook Warrant Return:
If you have any comments or questions feel free to reach out to me at Jessica.firstname.lastname@example.org. Has something changed in a Facebook return you have received? Is there more data available you would like us to support? Please drop us a line and let us know.