How important are Facebook Artifacts?

In March 2013, Facebook reportedly had just over 1 billion users worldwide. Founded in February 2004, it can be considered one of the grandfathers of social networking. Nearly ten years later and even with hundreds of other social networking sites out there, Facebook is still a very popular social medium.

For a forensic investigator, Facebook can serve as an online resource during an investigation and can be a wealth of information. It can provide a glimpse into a person’s life and a mechanism to obtain photos of potential subjects, friends and family. Timeline comments can provide geographical information about where a particular person was on a specific date, and they can reveal the identity of close friends and other details not readily apparent.

I recently assisted in a theft/stolen property case where we were able to get a complete family history and an idea of how the person lived by looking at photos and connecting family members together. Facebook provided us with links that allowed us to look up residence information based on connections and family ties. It also provided phone numbers that were listed in comments and later tied to fraudulent ads on Craigslist.

Facebook can also provide a wealth of information as a forensic artifact when conducting host-based forensics. In the past few years there have been several high-profile cases that involved Facebook artifacts even though the crime was not a traditional ‘computer-related’ offense. For example, here is a recent case where Facebook messages were found on a victim’s computer (and later on the suspect’s computer) and used to identify a suspect in a murder case.

“Riverside County sheriff’s Investigator Tony Pelato, a computer forensics expert, said he found Facebook chat messages in Guzman’s computer between Santhiago and Leal, inviting Leal to buy some liquor and meet her at a park near Roanoke Street where Leal was killed. The chat messages were written minutes before the shooting.”

Or this one:

“According to state police, detectives interviewed a young man named Bryan Butterfield a day after Cable was reported missing. Butterfield told police that someone had created a phony Facebook account in his name, and police traced it to Dube’s parents’ house in Orono.

Cable was frequently contacted by the fake Butterfield and agreed to meet with him at the end of her road to get some marijuana the night she went missing, according to the state police affidavit.

Social media’s role in Nichole’s disappearance and death was a wakeup call for students, many of whom have become paranoid about online contacts, said Pattershall, Cable’s friend.”


Generally there are six specific categories of artifacts that can be individually identified when examining a computer hard disk:

  1. Facebook Chat

    This artifact is most commonly found in memory as JavaScript Object Notation (JSON) text in a running computer and/or in the pagefile.sys & hiberfil.sys file(s).


  2. Facebook Messages

    Facebook Chat and Messages are now the same artifact, but in older versions of Facebook they were two different artifacts. This artifact is most commonly found in the memory of a running computer and/or in the pagefile.sys & hiberfil.sys file(s).

  3. Facebook Wallpost/Status Update/Comments

    HTML that is carved from temporary internet files/web cache and memory


  4. Facebook Webpage Fragment

    A fragment of HTML that is carved from temporary internet files/web cache and memory

  5. Facebook Pictures

    A picture with a specific filename pattern found in temporary internet files/web cache. The filename contains three sets of numbers such as:


    The second set of numbers can indicate the Facebook UserID the photo belongs to, and it can be queried through Facebook's ‘graph’ API here:

  6. Facebook URLs

    A URL in any web-related (browser) artifact that references Facebook URLs. These artifacts commonly reference other Facebook users or specific Facebook activity.

    “201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater”

    201526933901245715 is the photo ID
    10150672801465915 is the album ID
    1221785571 is the user ID

    Viewed photos will appear in the cache file with the name:

    Viewing messages for profile currently being used:
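
Added example, not code from the original post: a Python sketch that splits a photo URL fragment like the one quoted above into photo, album and user IDs by the positions the post describes, then groups photos by user across a constructed history list. The `fbid` parameter name, the `photo.php` path and the function names are assumptions, since the start of the post's URL did not survive.

```python
import re
from urllib.parse import parse_qs

# set= value: a letter prefix ("at" on the page; other prefixes are an
# assumption), then dot-separated numbers.
SET_RE = re.compile(r"[a-z]+\.(\d+(?:\.\d+)+)")

def parse_photo_url(text):
    """Return photo/album/user IDs from a photo URL or fragment, else None."""
    query = text.strip().strip("“”\"' ").split("?", 1)[-1]
    # The page's fragment starts with the bare photo ID; a full URL is
    # assumed to carry it as fbid=<id>. Normalise the bare form.
    if re.match(r"\d+(&|$)", query):
        query = "fbid=" + query
    params = parse_qs(query)
    photo_id = params.get("fbid", [""])[0]
    m = SET_RE.fullmatch(params.get("set", [""])[0])
    if not m or not photo_id.isdigit():
        return None
    fields = m.group(1).split(".")
    # Per the page: first number after the prefix is the album ID,
    # the last number is the user ID.
    return {"photo_id": photo_id, "album_id": fields[0], "user_id": fields[-1]}

def photos_by_user(lines):
    """Map user ID -> sorted photo IDs for every photo URL found in lines."""
    found = {}
    for line in lines:
        for token in line.split():
            hit = parse_photo_url(token)
            if hit:
                found.setdefault(hit["user_id"], set()).add(hit["photo_id"])
    return {user: sorted(ids) for user, ids in found.items()}

# Constructed history export. The first URL reuses the IDs quoted on the
# page; the other IDs, the timestamps and the photo.php path are made up.
SAMPLE_HISTORY = [
    "2013-03-14T10:02:11 https://www.facebook.com/photo.php?fbid=201526933901245715"
    "&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater",
    "2013-03-14T10:03:40 https://www.facebook.com/photo.php?fbid=111&set=at.222.333.1221785571&type=1",
    "2013-03-14T10:05:02 https://www.facebook.com/photo.php?fbid=444&set=at.555.666.777&type=1",
    "2013-03-14T10:06:00 https://www.example.com/search?q=set=at.1",
]

if __name__ == "__main__":
    for user, photos in photos_by_user(SAMPLE_HISTORY).items():
        print(user, photos)
```

Grouping by the trailing user ID shows at a glance whose photos were viewed from the examined machine, even when the URLs come from different artifacts.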



