Ante Markić has completed postgraduate specialist study at the Faculty of Organization and Informatics in Varaždin. Since 2004, he has worked as a permanent expert witness for Informatics and a professor of Information Systems in the Ministry of Interior. He is a qualified Internal Assessor in accordance with ISO 27001:2005, holding a certificate "Internal Assessor for ISO 27001:2005 Information security system". He has ECDL Expert certification as Instructor for the National Information System for border control CRO-NBMIS N 91096. His main fields of interest are computer forensics and computer networks, information system audit, information system security, and the misuse of computers and computer systems.
Post-mortem Facebook forensics
Facebook is the most widespread social network that allows different communication activities. However, when these activities become illegal or turn into a form of cyber violence, criminal acts or other legally prohibited actions, it is necessary to find digital evidence that proves these illegal activities.
Each of the activities on social networks (chat, wall comments, group events, ...) may leave a series of evidence at different memory locations. The purpose of this paper is to show how, where and with which tools to look for digital evidence of illegal activities. The work is focused on the use of existing tools and techniques for post-mortem analysis and analysis of Internet communication.
Post-mortem analysis is performed with tools for web browsers and different memory types. The work focuses on Facebook communication. After an illegal activity is found using one tool, another tool is used to confirm the existence of the same activity. Only when two different tools confirm the existence of an illegal activity can that activity be considered digital evidence to be submitted in court.
The tools for this analysis are: Internet Evidence Finder (IEF), Facebook JPG Finder (FJF), CacheBack, Helix, Forensic Toolkit (FTK) and a hex editor.