Today we will explain how to acquire a Facebook account. Of course, you can use commercial tools such as Cloud Analyzer (Cellebrite), Cloud Extractor (Oxygen Forensics), E3 Platform (Paraben Corporation), etc. However, this can also be done manually, and this article shows how to do it step by step.
Open your browser and go to the Facebook page. Enter the login and password of the account that you want to acquire and click the Log in button.
If this account has two-factor authentication enabled, you will see a window asking you to enter the code sent to the account holder's trusted device.
Enter the code and click the Continue button.
In the next window, select ‘Save Browser’ and click the Continue button.
Congratulations! You are currently signed in to this account. Click the triangle located in the upper right corner.
In the menu that opens, select the Settings option.
In the ‘General Account Settings’ window, click Download a copy.
In the next window, click the Start My Archive button.
After that you will see a warning window. Click the Start My Archive button.
After that, two emails will be sent to the Facebook account owner. The first one explains what data will be copied and what to do if there is a suspicion that the account was hacked.
The second email contains a link to download the archive of this Facebook account.
Copy the link into the browser window and press Enter.
In the window that opens, click the Download Archive button.
Re-enter the password for the account and click Submit.
After that, the download of the archive of data from this Facebook account will begin.
To view the acquired data, unpack the archive and double-click the index.htm file.
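Since the download is a single archive, its hash and a per-file listing can be recorded before anything is unpacked or opened. The sketch below is an added example, not part of the original article: it assumes the archive is a ZIP file, and the examiner label and the sample member names other than index.htm are constructed placeholders.

```python
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large archive never sits in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def build_manifest(fh, examiner):
    """Describe a downloaded archive given as a seekable binary file object."""
    fh.seek(0)
    archive_hash = sha256_stream(fh)  # hash the container before unpacking it
    fh.seek(0)
    members = []
    with zipfile.ZipFile(fh) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as member:
                    digest = sha256_stream(member)
            except zipfile.BadZipFile:
                digest = None  # CRC mismatch: record the member as damaged
            members.append({"name": info.filename, "size": info.file_size, "sha256": digest})
    return {
        "manifest_created_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "archive_sha256": archive_hash,
        "has_index_htm": any(m["name"].split("/")[-1] == "index.htm" for m in members),
        "damaged_members": [m["name"] for m in members if m["sha256"] is None],
        "members": members,
    }

def make_sample_archive(with_index=True):
    """Constructed stand-in for the downloaded archive (contents are invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_index:
            zf.writestr("index.htm", "<html>constructed profile page</html>")
        zf.writestr("html/sample.htm", "<html>constructed content</html>")
    return buf

if __name__ == "__main__":
    print(json.dumps(build_manifest(make_sample_archive(), "examiner-placeholder"), indent=2))
```

For a real download, pass `open(path, "rb")` as `fh` and store the resulting JSON alongside the untouched archive.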
Conclusion
This method of acquiring a Facebook account is not forensically sound. However, if you do not have expensive cloud forensic tools, or have these tools but do not have a token for the Facebook account, your sequence of actions when acquiring the account will not differ much from the one described in this article. Besides, Facebook often changes its API, so some cloud forensic tools may fail to acquire the account.
Happy forensicating!
About the authors
Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.
Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.