Facebook OSINT Investigation

Joseph Moronwi 0

 


In the summer of 2019, Facebook drastically curtailed its Graph Search feature, which had allowed users to unearth large amounts of information. A number of free online tools that had made use of the feature stopped working. What followed has been a game of cat and mouse, as the creators of the tools made changes to get around the changes made by Facebook - which in turn tweaked things again to shut down. and the cycle continued. The upshot is that some tools are gone - probably permanently - and others work on and off.


While these changes were a boon for privacy advocates in that data was a little safer and more of a challenge to get to, OSINT investigators and law enforcement had some huge problems, as the data they had been harvesting for years disappeared overnight. Months later, many researchers had figured out methods to search for some of the same content as before, but Facebook did not make it a one-for-one transfer of features from the previous graph search to the current one. Many of the searches we relied upon to discover relationships and locations of people on Facebook are simply not available anymore.


Facebook Profile Details

Facebook assigns each user their own unique user number, each page its own page number, and each group its own group number. This number is then used by the site to note the activities (stories they post, pictures they comment on, videos they are tagged in, etc.) of that object (user, page, or group). This number is a unique identifier that will allow us to search for otherwise hidden information from Facebook. In order to conduct the following advanced searches to get content about our targets, you must know the user number of your target.


The most potent way to do this is to view the source code of your target user's Facebook profile. The process for this will vary by browser. In Firefox and Chrome, you can do any of the following:


  • Right-click on your target's Facebook profile page and select "View Page Source". 
  • Type Ctrl + U.


Be sure not to hover on any hyperlinks during the right-click. A new tab should open with the text-only view of the source code of that individual profile. Within the browser, conduct a search on this page for "userID". This will identify a portion of the code within this page that contains that specific term.


Figure 1: Facebook profile ID

Looking up the unique ID for a Facebook group is a more straightforward process. 


  • Locate the target Facebook group
  • Look at the URL and retrieve the number. The number to the right of "groups" will be the ID.



Figure 2: Facebook group ID

Facebook ID Creation Date

The OSINT researcher Josh Huff noticed that Facebook profile IDs were numbers and that newer accounts had larger numbers than older ones. He went on a year-long research project to track new and old Facebook profiles and map them when they were created.


Josh's output can be seen in his blog post and in Michael Bazzell's 8th edition of the Open Source Intelligence Techniques book (page 237).


Facebook transitioned from 32-bit numbers, such as 554432, to 64-bit numbers that begin with 100000 between April and December of 2009. Therefore, if your target's number is less than 100000000000000, the account was likely created prior to April 2009. An account with a 1 5-digit ID number would have been created after December 2009. We can break down the numbers by year. The following are rough estimates that should only be used as a general guideline. Facebook appears to have begun issuing random numbers in 2018


 Year of Account Creation

 Facebook ID Ranges

 2006

Numbers less than 600400000

 2007

600400000 - 1000000000

 2008

1000000000 - 1140000000 

 2009

1140000000- 100000628000000

 2010

100000629000000 - 100001610000000

 2011

100001 611000000 - 100003302000000 

 2012

100003303000000 - 100004977000000

 2013

100004978000000 - 100007376000000

 2014

100007377000000 - 100008760000000

 2015

100008761000000 - 100010925000000

 2016

100010926000000 - 100014946000000

 2017

100014947000000 - 100023810000000 

 2018

100023811000000 -


Facebook Search Options

The built-in search function in Facebook is the search bar located in the upper left of most screens. Typing in a target's real name may lead to results, many of which are unrelated to your investigation. To reach your target, you may need to take additional steps. When searching the name (Joseph Smith, for instance), several categories/options may emerge in the results. There are obviously more Joseph Smiths on Facebook than those listed here. An option to "See All" the profiles with your target name is available at the bottom of this list. This list is also not exhaustive. More profiles should automatically appear as you scroll down. You could look through these and hope to identify your target based on the photo, location, or additional information displayed in this view. Instead, you can refine your search by including filters in the left menu.


Figure 3: Facebook search

By default, Facebook search starts with the "top" category. We can also see this in the URL above ("/search/top/”) pointed to by arrow 1.


https://www.facebook.com/search/top?q=joseph%20smith


Choosing a new category will change the URL as seen in the figure below.


Figure 4: Facebook search by category


https://www.facebook.com/search/groups?q=joseph%20smith&sde=AbotKqEx6VFO7Xg9wiFDgE3hDSnw1teizHLB49vZpXF3bLbxyZ0OOuvrfrGEGCpzofDakrn8opGG9ML5UM4eRoBs


Changing the filters will also alter the URL and refine our search results. The figure below displays the result of my keyword search for "Joseph Smith" who lives in New York City, New York, attended New York University, and currently works at Facebook. This located only four results. The filters helped me get from thousands of targets to only four.


Figure 5: Facebook filter search

Once a target's profile is located, the default view looks as shown in the figure below. Clicking through each of these links may uncover valuable evidence.


Figure 6: Facebook profile of the target

Notice the URL of the profile in the image above. The numerical value is the profile ID of the target.


https://www.facebook.com/profile.php?id=100011556644317


It should be noted that any string after facebook.com/ is a unique identifier of the target's profile as it could be in any format. A few examples of profile identifiers are given below:


https://www.facebook.com/mark.hayes.75470316
https://www.facebook.com/moronwi.joseph


Clicking through each of these links in the profile page of the target (see Figure 6) may uncover valuable evidence. But it is better to search via a direct URL as shown below:


About
https://www.facebook.com/profile-name/about
https://www.facebook.com/profile.php?id=insert-profile-id&sk=about

Friends
https://www.facebook.com/profile-name/friends
https://www.facebook.com/profile.php?id=insert-profile-id&sk=friends

Photos
https://www.facebook.com/profile-name/photos
https://www.facebook.com/profile.php?id=insert-profile-id&sk=photos

Videos
https://www.facebook.com/profile-name/videos
https://www.facebook.com/profile.php?id=insert-profile-id&sk=videos

Check-ins
https://www.facebook.com/profile-name/map
https://www.facebook.com/profile.php?id=insert-profile-id&sk=map

Sports
https://www.facebook.com/profile-name/sports
https://www.facebook.com/profile.php?id=insert-profile-id&sk=sports

Music
https://www.facebook.com/profile-name/music
https://www.facebook.com/profile.php?id=insert-profile-id&sk=music

Movies
https://www.facebook.com/profile-name/movies
https://www.facebook.com/profile.php?id=insert-profile-id&sk=movies

TV Shows
https://www.facebook.com/profile-name/tv
https://www.facebook.com/profile.php?id=insert-profile-id&sk=tv

Books
https://www.facebook.com/profile-name/books
https://www.facebook.com/profile.php?id=insert-profile-id&sk=books

Likes
https://www.facebook.com/profile-name/likes
https://www.facebook.com/profile.php?id=insert-profile-id&sk=likes

Events
https://www.facebook.com/profile-name/likes
https://www.facebook.com/profile.php?id=insert-profile-id&sk=likes

Questions
https://www.facebook.com/profile-name/did_you_know
https://www.facebook.com/profile.php?id=insert-profile-id&sk=did_you_know

Reviews Given
https://www.facebook.com/profile-name/reviews_given
https://www.facebook.com/profile.php?id=insert-profile-id&sk=reviews_given


You can also conduct a generic Keyword search on Facebook. Assume you wanted to find any posts including the term malware, This presents us with a result page similar to Figure 3 where we searched the name of our target as shown below.


Figure 7: Facebook keyword search


An option to "See All" the profiles with your target keyword is also available at the bottom of each category. All basic Facebook filters can be applied using direct URLs as follows.


All: https://www.facebook.com/search/top/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
Posts: https://www.facebook.com/search/posts/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
People: https://www.facebook.com/search/people/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
Photos: https://www.facebook.com/search/photos/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
Videos: https://www.facebook.com/search/videos/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
Market Place: https://www.facebook.com/marketplace/search/?query=malware
Pages: https://www.facebook.com/search/pages/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
Places: https://www.facebook.com/search/places/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
Groups: https://www.facebook.com/search/groups/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB
Events: https://www.facebook.com/events/people/?q=malware&_epa_=SERP_TAB&_eps_=SERP_TOP_TAB


Facebook Base64 Encoding

After June 2019, Facebook changed the format in which URLs of filters are displayed from the straightforward format into a more difficult one such as seen below:


https://www.facebook.com/search/posts?q=Drugs&filters=eyJycF9hdXRob3I6MCI6IntcIm5hbWVcIjpcImF1dGhvclwiLFwiYXJnc1wiOlwiMTAwMDE1MTE0OTM2Mzk5XCJ9IiwicnBfY3JlYXRpb25fdGltZTowIjoie1wibmFtZVwiOlwiY3JlYXRpb25fdGltZVwiLFwiYXJnc1wiOlwie1xcXCJzdGFydF95ZWFyXFxcIjpcXFwiMjAyM1xcXCIsXFxcInN0YXJ0X21vbnRoXFxcIjpcXFwiMjAyMy0xXFxcIixcXFwiZW5kX3llYXJcXFwiOlxcXCIyMDIzXFxcIixcXFwiZW5kX21vbnRoXFxcIjpcXFwiMjAyMy0xMlxcXCIsXFxcInN0YXJ0X2RheVxcXCI6XFxcIjIwMjMtMS0xXFxcIixcXFwiZW5kX2RheVxcXCI6XFxcIjIwMjMtMTItMzFcXFwifVwifSJ9

Facebook filters are JSON strings that are then Base64 encoded and placed in the URL. Facebook encodes that JSON content in Base64 so that any special characters that might break a URL (like "&" and "?") are safely transformed. Base64 encoding is not encryption and is easily reversed or decoded.


The breakdown of the above URL is given as follows:

  • https://www.facebook.com/ - The Facebook domain
  • search/ - Instructs Facebook to conduct a search
  • posts - Specifies the type of information desired
  • ?q=Drugs - Search any posts containing the keyword 'Drugs'.
  • &filters= - Finishes the URL with a filter demand.


There are tools online that allows for the decoding of Base64 encoded strings. To decode the Base64 string above, I will use Cyberchef. The CyberChef application allows us to do this transformation and more. Visit the website, copy your Base64 encoded string and paste it into the box as shown below


Figure 8: Decoding Bas64 encoded string with Cyberchef


{"rp_author:0":"{\"name\":\"author\",\"args\":\"100015114936399\"}","rp_creation_time:0":"{\"name\":\"creation_time\",\"args\":\"{\\\"start_year\\\":\\\"2023\\\",\\\"start_month\\\":\\\"2023-1\\\",\\\"end_year\\\":\\\"2023\\\",\\\"end_month\\\":\\\"2023-12\\\",\\\"start_day\\\":\\\"2023-1-1\\\",\\\"end_day\\\":\\\"2023-12-31\\\"}\"}"}


Interpreting Decoded String 

{"rp_author:0":"{\"name\":\"author\",\"args\":\"100015114936399\"}"}

This is the profile name of the target depicted by his profile ID (highlighted in red above). The name of the target can therefore be determined by conducting the search https://www.facebook.com/100015114936399


{"rp_creation_time:0":"{\"name\":\"creation_time\",\"args\":\"{\\\"start_year\\\":\\\"2023\\\",\\\"start_month\\\":\\\"2023-1\\\",\\\"end_year\\\":\\\"2023\\\",\\\"end_month\\\":\\\"2023-12\\\",\\\"start_day\\\":\\\"2023-1-1\\\",\\\"end_day\\\":\\\"2023-12-31\\\"}\"}"}


This is the date of the creation of the post(s). The start year is 2023, The start month is 2023-1, the end year is 2023, the end month is 2023-12, the start day is 2023-1-1, and the end day is 2023-12-31.


Therefore the URL


https://www.facebook.com/search/posts?q=Drugs&filters=eyJycF9hdXRob3I6MCI6IntcIm5hbWVcIjpcImF1dGhvclwiLFwiYXJnc1wiOlwiMTAwMDE1MTE0OTM2Mzk5XCJ9IiwicnBfY3JlYXRpb25fdGltZTowIjoie1wibmFtZVwiOlwiY3JlYXRpb25fdGltZVwiLFwiYXJnc1wiOlwie1xcXCJzdGFydF95ZWFyXFxcIjpcXFwiMjAyM1xcXCIsXFxcInN0YXJ0X21vbnRoXFxcIjpcXFwiMjAyMy0xXFxcIixcXFwiZW5kX3llYXJcXFwiOlxcXCIyMDIzXFxcIixcXFwiZW5kX21vbnRoXFxcIjpcXFwiMjAyMy0xMlxcXCIsXFxcInN0YXJ0X2RheVxcXCI6XFxcIjIwMjMtMS0xXFxcIixcXFwiZW5kX2RheVxcXCI6XFxcIjIwMjMtMTItMzFcXFwifVwifSJ9


is interpreted to mean "Search Facebook for posts by the user 100015114936399 for the keyword Drugs from 1st January 2023 to 31st December 2023".


Recognizing Base64 strings will make you more powerful in your work, as you may be able to reveal what is encoded. In Facebook's filters, we not only can decode the Base64, but we can tamper with it too!


Let us assume that an investigator wants to search for information from a specific profile (author) whose profile ID is 100058085257465, given our decoded Base64 string above, we can modify the profile ID with the profile ID of our new target as shown below:


{"rp_author:0":"{\"name\":\"author\",\"args\":\"100058085257465\"}"}


Now, you will convert this information to Base64 using your preferred encoding/decoding tool such as Cyberchef as shown below:



The output is given below:


eyJycF9hdXRob3I6MCI6IntcIm5hbWVcIjpcImF1dGhvclwiLFwiYXJnc1wiOlwiMTAwMDU4MDg1MjU3NDY1XCJ9In0=


Assume we want to identify posts on ChatGPT created by this user, we will combine the URL https://www.facebook.com/search/posts?q=ChatGPT&filters= with the Base64 encoded string above


https://www.facebook.com/search/posts?q=ChatGPT&filters=eyJycF9hdXRob3I6MCI6IntcIm5hbWVcIjpcImF1dGhvclwiLFwiYXJnc1wiOlwiMTAwMDU4MDg1MjU3NDY1XCJ9In0=



The OSINT Curious Project’s The New Facebook Graph Search – Part 1 blog post outlines a huge number of possible filters for each category type. You can use this list to better understand what is possible to retrieve from Facebook using its search. For those filters that have static content, like shown in the slide above, the Base64 content has been encoded for you.


Facebook Directories 

Another method of discovering data on Facebook is to browse it. Facebook has directory pages that show a certain type of entry, like pages. You can then browse and click to get from a broad range of pages or people to specific pages or accounts. Facebook maintains these directories for many different types of entities on their site, and the OSINT guru Kirby Plessas maintains a list of the different ones that are available. These directory pages are mostly accessible without authenticating to Facebook. Of course, those entities may not appear in the directory pages for private accounts and hidden groups. He also lists formulas for Searching Facebook by using Facebook’s native search and advanced techniques/tools which can be found here


Facebook Friends Extraction

First, identify the page of your target, for example, https://facebook.com/moronwi.joseph/friends. Highlight the entire friends' list by clicking "Ctrl" + "A" or clicking directly above the left side of the first friend and hold until the lower right area of the last friend. Now, open Microsoft Excel. Click on the "B" in column B to highlight the entire column. Paste the content with either "Ctrl" + "V" (or right-click > paste). This will appear disorganized, but the data is there. The images will be on top of the user data, which will not work for a final report.


Use F5 to launch the "Go To" menu and select "Special" in the lower left. Select "Objects" and click OK This will select all of those images. Hit the delete key to remove them. You will now see only the text data (with hyperlinks). Now click on the "A" in column A and paste the friend content again with either "Ctrl" + "V" (or right-click > paste). Right-click any cell in this column and choose "Clear Contents". This will remove any text, but keep the images.


Place your mouse in between columns A and B and resize column A to be a bit larger than one of the images. Do the same with Column B to fit in all of the text. Use the "Find and Replace" feature to find every instance of " Add Friend" and replace it with nothing. This will remove those unnecessary entries. In the "Home" menu, choose "Format" and then "Auto Fit Row Height". This will eliminate unnecessary spacing. Select Column B and Left Justify the text. Your final result will be a clean spreadsheet with all of the images, names, and active links from your target's Facebook "friends" page.


Facebook investigations are always a moving target. Fortunately, any changes always bring new investigation opportunities. When we lost Graph search in 2019, we gained Base64 methods. When we lose the current strategies, something else will become available. As with all OSINT techniques, daily practice and understanding of the resources is more vital than the occasional nugget of data which is displayed on our screens.


Tags

Joseph Moronwi

DFIR and Adversary Hunting, Malware Research, and OSINT.

Post a Comment

Post a Comment

Previous Post Next Post