Welcome to our last blog post of the year! Today I’m going to provide information about Facebook URLs that will hopefully help you out when examining web history and trying to determine which user was logged in to Facebook vs URLs that just indicate a profile was viewed. This can be important when trying to tie Facebook activity to a specific account/person from a computer that had multiple users or guest access.
Facebook URLs – Who’s Logged In?
First off, here are a couple examples indicating a profile was viewed:
http://www.facebook.com/cool.facebook.username
Or an older version: http://www.facebook.com/profile.php?id=1000003483744733
As you can see, especially in the first example, there’s not much to go on. These URLs could indicate a user viewed someone else’s profile, or viewed their own. (Just to clarify, when I refer to URLs as being “older versions” in this context, I mean that Facebook has changed how they form their URLs and these are older formats that were used.)
However, the following URLs, if found in web history records, can provide some clues as to who was actually logged-in:
http://www.facebook.com/inbox/?ref=mb#/muffins?v=feed&story_fbid=179234345383515
http://www.facebook.com/pound.cake?ref=profile#/pound.cake?v=info&edit_info=all
These two are older versions of Facebook URLs, the first indicating that “muffins” was viewing a message in their Facebook inbox. The second indicates that “pound.cake” was editing their profile. As I’m sure you’ll agree, these are actions that apply only to a logged-in user (i.e. you can’t view a friend’s inbox or edit their profile) and are good indicators of who was logged in at the time of the history record containing this URL.
The following two URLs are newer examples that can also indicate who was logged-in:
http://www.facebook.com/old.chris?viewas=100000686899395&returnto=profile&privacy_source=privacy_lite
http://www.facebook.com/old.chris?ref=tn_tnmn
The first example is the URL found when a user (“old.chris” in this example) uses the new feature in Facebook where you can see what your profile looks like to the public. You can also use this URL to see what specific users see on your profile by replacing “100000686899395” (which appears to be a static Facebook ID representing “the public”) with a friend’s username or user ID.
The second URL is a little more vague, I haven’t been able to determine what the referrer “tn_tnmn” represents, it appears to have been “tn_tinyman” at one time and is something Facebook could be using for tracking its site usage or how people get around on Facebook. The key thing here is that in the testing I’ve done, you’ll only see this referrer attached to the logged-in username. I was able to consistently get it to show up by going to my Account Settings and then clicking the link containing my name at the top right of the page, to the left of the “Find Friends” link.
There seems to be a fair bit of concern over this referrer out on the web, poor Billy thinks it’s the government clamping down on the “anti-establishment” people on Facebook: (parts of the below screenshot have been redacted to protect the “innocent”, but you can see this bizarre thread in its entirety here: Why is this my url?)
That’s all for now! Hope you find the above helpful when looking at Facebook URLs in web history.
IEF Frontline
The second part of this blog post is about an exciting new product we’ll be releasing very soon.
Please click on this survey link to get a sneak peek and provide your opinion on a new product called IEF Frontline launching in January 2013.
It’s a drastically scaled down version of IEF targeted at non-technical (or less technical) users including: Law enforcement investigators (i.e. child exploitation), parole/probation officers, border security/customs agents, and frontline patrol officers that have no formal forensic or computer training. The product (comes on a USB stick) and can do a quick scan (5-15 min) in common areas/locations for Internet history, IM chat messages, and pictures & videos.
Happy New Year and Thank You!
Finally, we’d like to wish everyone a happy and prosperous New Year in 2013, especially our customers and our employees. 2012 was an exciting and busy year for us as we took our flagship product, Internet Evidence Finder (IEF), to the next level and started developing new products to be released in early 2013. It was great to meet many of you at tradeshows and conferences and we hope to see you again this year.
Please stay safe as this holiday season wraps up, especially those who have to work through it. As always, we’re here to help in any way we can. Thanks again to everyone for all your support and for making us a part of your digital forensics life!
Best regards,
Jad and the Magnet Forensics Team