Physical memory acquisition has been an import facet for digital forensics (DF) specialists due to its volatile characteristics. Nowadays, thousands of millions of global participants utilize online social networking (OSN) mechanisms to expand their social lives, ranging from business-oriented purposes to leisure motivations. Facebook (FB) is one of the most dominant social networking sites (SNS) available today. Unfortunately, it has been a major avenue for cybercriminals to commit illegal activities. Therefore, the digital traces of previous sessions of an FB user play an essential role as the first step for DF experts to pursue the disclosure of the identity of the suspect who was exploiting FB. In this research work, we provide a systematic methodology to reveal a previous session of an FB identity, as well as his/her partial social circle via collecting, analyzing, preserving and presenting the associated digital traces to obtain the online social snapshots of a specific FB user who was utilizing a computing device with Internet Explorer (IE) 10 without turning off the power of the gadget. This novel approach can be a paradigm for how DF specialists ponder the crime scene to conduct the first response in order to avoid the permanent loss of the precious digital evidence in previous FB sessions. The hash values of the image files of the random access memory (RAM) of the computing device have proven to be identical before and after forensics operations, which could be probative evidence in a court of law.
OPEN ACCESSSymmetry 2015, 7 547