2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th

IEEE International Conference On Big Data Science And Engineering

Browser Analysis of Residual Facebook Data

Taylor Cloyd Trey Osborn Brian Ellingboe

Department of Information Systems and Department of Information Systems and Department of Information Systems and
Cyber Security, College of Business Cyber Security, College of Business Cyber Security, College of Business
University of Texas at San Antonio University of Texas at San Antonio University of Texas at San Antonio
San Antonio, TX, USA San Antonio, TX, USA San Antonio, TX, USA
taylor.cloyd@my.utsa.edu trey.osborn@gmail.com brian.ellingboe@my.utsa.edu

William Bradley Glisson Kim-Kwang Raymond Choo

Department of Computer Science Department of Information Systems and Cyber Security,
College of Science and Engineering Technology College of Business
Sam Houston State University University of Texas at San Antonio
Huntsville, TX, USA San Antonio, TX, USA
glisson@shsu.edu raymond.choo@fulbrightmail.org

Abstract—As social media applications such as Facebook questions about the way that browsers interact with social media
become an integral part of our society, they are also becoming an sites and the types of residual data that are resident after these
important source of information in a digital (forensics) interactions [5-7]. A recent article in government technology
investigation. In this paper, we examine the potential to recover acknowledges that information posted publicly on social media
artifacts of forensic interest after three popular browsers, namely: sites is legally admissible in criminal investigations [8]. While
Mozilla Firefox, Google Chrome and Internet Explorer, have been postings on social media outlet prompts investigations into
used to access Facebook. Findings from this research will everyone from high school students to police officers [9, 10],
hopefully contribute to a better understanding to mobile device questions arise as to how evidence is acquired when social
and app forensics.
media data is either not public or has been removed from a
Keywords—Digital forensics, Mobile forensics, Mobile app
particular social media site. Web browsers, such as Mozilla
forensics, Browser forensics, Facebook forensics Firefox, Google Chrome and Internet Explorer, provide end-
users with access to their social media accounts across a wide
range of devices. This perverseness makes them interesting from
I. INTRODUCTION an investigation perspective. In addition, forensic artifacts from
The continued assimilation of social media into all aspects browsers may complement evidence from the analysis of the
of life is blatantly visible in today’s networked societies. Statista specific social network app, such as Facebook.
estimates that by the end of 2019 there will be approximately
As noted by Statista [11], Facebook is the dominate social
2.77 billion social media users worldwide and that this number
media provider. These queries prompted a preliminary
will increase to around 3.02 billion by the end of 2021 [1]. This
investigation into the forensic analysis of residual information
escalation creates opportunities for legitimate revenue streams,
that is resident on browsers that have interacted with the
dissemination of false news and augmentation of digital
Facebook social networking platform. Specifically, in this
investigation capabilities. It was also estimated that revenue
paper, we investigate Mozilla Firefox, Google Chrome and
from social media will reach 39 billion Euros by the end of 2019
Internet Explorer browsers that interact with Facebook over a
[2]. Gartner predicts that individuals in mature markets will
two-week timeline. Individual categories are documented for
consume more “fake news” than factual information by 2022
comparison purposes to indicate which browsers retain the
[3]. As social media application (app) functionality increases,
largest amount of data.
new opportunities for residual data generation emerge. A recent
article indicates that Facebook is testing the ability to upload 24- The contributions of this research are two-fold.
hour self-deleting logs from desktop browsers [4].
1. Provides a proof-of-concept that different browsers
The reality is that social networking apps can be used in retain various amounts of data when they interact with
today’s society for a host of unpleasant and/or potentially illegal social media sites.
activities like bullying, stalking harassment and slander.
Coupling this reality with research indicating that residual data, 2. Contributes to discussions about documentation and
in general, is increasingly being introduced into legal contexts, evidentiary artifacts generated through social media
along with the legal implications for researchers, raises interactions while highlighting the importance of
verifying residual data artifacts.

2324-9013/18/31.00 ©2018 IEEE 1440

DOI 10.1109/TrustCom/BigDataSE.2018.00200
 The rest of the paper is structured as follows. The next Facebook’s chat to gain an understanding of specific artifacts
section reviews related literature on social media and browser that are of interest for extraction and reconstruction[28]. The
forensics. The third section presents the research methodology. researchers did note that Arabic conversations had to convert to
The fourth section presents findings for the individual browsers. Unicode to be retrieved in searches. This is an indication that
The final section draws conclusions and outlines opportunities there is the potential for missed evidence if chats occur in other
for future work. languages. Other researchers are interested in inferring
information from uploaded images to Facebook [27]
II. LITERATURE REVIEW Additional research by Mulazzani et al. [32] utilizes
As researchers and practitioners alike become increasingly Facebook API’s to extract data and cluster information without
becoming concerned with the residual data generated via social interacting with the provider. The researchers did note that this
media interactions, residual data visibility in everyday life is approach is easier with the user’s credentials. Previous research
bound to increase accordingly. Previous research indicates that has also investigated live memory data procurement from
residual data generated on devices can be used as a proxy to data desktops that have interacted with Facebook [29]. The reality is
that is being stored in cloud environments [12-15]. Since many that solutions of this type require hardware access, which may
of these devices have browser capabilities, researchers are or may not be realistic depending on circumstances. A real-
investigating social media services [16-21], specific browser world, viable scenario for this type of interaction would be
forensics [22-26], and specific social media forensic forensic investigations in organizations. However, it does
opportunities [4, 27-30]. surface recurring incident response and digital forensics
investigations issues in organizations. For this type of
The importance of digital forensics, particularly in the investigation to take place, organizations need to recognize that
context of social media forensics, is visible not only in news there has been an incident and have policies, standards and
articles but in research activities as well. Weiss and Warner [17] procedures in place to handle an investigation [33, 34].
presented the results of their efforts to track criminals through
Facebook activities. They successfully used a Facebook A number of other studies have emphasized the importance
Application Programmer Interface (API) to query groups for of the browser in social media interactions along with examining
specific key words. They reported that their activities led to the specific residual data generated by various browsers. For
nine arrests by law enforcement. It was noted that the tool they example, Mendoza et al [35] studied how Google Chrome,
created need open access to selected groups. If they did not have Internet Explorer, Mozilla Firefox, Opera, and Apple's Safari
open access, then they attempted to join a group in order to implemented their web storage, as well as how web storage
execute their code. artifacts could be a source of information not present in other
browser artifacts. The authors then presented a proof-of-concept
Taylor et al [16] made the point that both companies and tool, designed to facilitate the analysis of web storage artifacts
individuals are utilizing these services and that these networking on Windows platform.
applications can also be abused. The authors pointed out that
online information can be changed by a suspect prior to an Focusing on portable web browsers, Choi et al [36]
analyst capturing relevant information. Hence, they went on to demonstrated how the use of such browsers can be detected via
make the point that a range of devices from the suspect may need examining the ‘UserAssist’ key value and prefetch file.
to be examined during an investigation. The authors also pointed Existing browser forensics literature, such as the study of
out that the acquisition of evidence form a variety of platforms Mahaju and Atkison [37] who evaluated the effectiveness of five
presents difficulties. web browser forensics analysis tools for Firefox, provide
Yusoff et al [26] specifically looked at the extraction of data instructional information that is relevant to extracting data.
from mobile device running Mozilla Firefox that interacted with However, there is currently minimal or up-to-date research that
social media services. The social media services that the examines the extraction of a range of data from multiple
researchers interacted with included Twitter and Facebook. browsers that have interacted with a specific social media
They located account credentials from Facebook and Twitter in provider. Thus, this is the focus of this paper.
the device’s volatile memory.
In 2011, Oh et al [31] put forth the idea that forensic analyst III. METHODOLOGY
should be able to collect evidence from multiple browsers This research investigates the residual artifacts resident in
through the analysis of log files. In order to achieve this, they three different browsers that have interacted with Facebook. The
developed a tool that worked with Internet Explorer, Firefox, browsers selected for the experiment are Firefox Version 43.0.4,
Chrome, Safari and Opera. Their tool handles necessary Google Chrome Versions 61.0.3163.100 and Internet Explorer
decoding and time zone translations as needed. It also attempts (IE) Version 11.0.9600.18124. All of the browsers were set to
to account for deleted logs by caring out deleted information. public where applicable. The investigation of private or
The authors did note that at the time of publication that it only incognito mode is considered out of scope for this investigation.
worked on a Windows OS.
This research investigates the residual artifacts resident in
Specific research efforts that explicitly studied Facebook three different browsers that have interacted with Facebook.
forensic issues include efforts to extract Facebook actives that Any tool could have been used to examine the browsers after
include friends, news feeds, postings to walls group messages, interacting with Facebook. As a matter of convenience, the
and chats [30]. Other researchers have specifically examined

1441
Forensic Toolkit (FTK) Version 4.1.0.12 was utilized for the TABLE II. FIREFOX
data acquisition. Actions Performed - FF Evidence Found - FF Category Found % - FF
Account Creation 2 2 100%
The experiment took place in three stages that included Image Upload 2 2 100%
Facebook profile creation, data generation and data extraction. Text Write 38 12 32%
The evidence was determined to be discovered if there was a Searches
Chat Messages
4
6
4
0
100%
0%
match between keywords found and the activities performed, as Wall Posts 24 4 17%
well as by the matching of the recorded date/time stamps. Profile Information 4 4 100%
Text Read 18 11 61%
In the profile creation stage, three Facebook accounts were Wall Posts/Comments 12 10 83%
created using three separate browsers. The three accounts that Chat Messages
Profile/Page View
5
1
0
1
0%
100%
were created on each browser were Fred Fox, Chris Chrome and Login 1 1 100%
Bob IE. The data generation stage consisted of a number of Session End/Logout 0 0 0%
photo uploaded, comments, statuses, and created groups. The Total 61 28 46%

actions performed in this stage are summarized in Table 1 –

Actions. These activities were recorded in a Microsoft Excel Paths that were utilized to locate residual data from the
spreadsheet. To extract the data in the third stage, FTK was Mozilla Firefox browser included:
utilized for this procedure.
• FBFirefoxImage1.001/Partition2/NONAME[NTFS]/[root]/
Users/Administrator/AppData/Roaming/Mozilla/Firefox/P
TABLE I. ACTIONS rofiles/6hj921xl.default/places.sqlite.
Category Description • Evidence/FBFirefoxImage1.001/Partition 2/NONAME
Account Email or Facebook account sign-up/creation [NTFS]/[root]/Users/Administrator/AppData/Local/Mozill
Creation a/Firefox/Profiles/6hj921xl.default/cache2/doomed

Image Image was uploaded or posted on the website • Evidence/FBFirefoxImage1.001/Partition 2/NONAME

Upload [NTFS]/[root]/Users/Administrator/AppData/Local/Micro
soft/Windows/WebCache/WebCacheV01.tmp
Text Write Action involving text that was input by the
user
Text Read An action involving text that was
viewed/read by the user, but not typed by the
user viewing it.
Login User logs on to Facebook. Start of a session.
Session Manual user log out of Facebook
End/Logout

IV. RESULTS: A SNAPSHOT

In reference to the Firefox browser, FTK recovered 28 out
of the 61 actions performed (46% recovery). It is interesting that
while six individual categories recovered 100 percent of the
information that was input into the browser, seven categories
defined in the experiment did not have complete recovery of the
data. Regarding the high-level categories, only 32% of the text
writes and 61% of the text reads were recovered. The detailed
results are presented in Table II - Firefox.
It is interesting to observe that several residual data artifacts
were recovered by accessing the “Mozilla Firefox Browse
History” in the Internet/Chat Files section of FTK. Specific
keywords and date/time information to confirm the information Fig. 1. Firefox History
found. A sample of the information recovered from the Firefox
browser history is presented in Fig. 1.
The FTK extraction of the Google Chrome browser
identified 33 activities out of a total of 54 actions performed
(61%). The detection of text writes was slightly higher and
slightly lower with text reads with the Chrome browser than the
residual data recovered from the Firefox browser. Chrome
recovered 52% of the text writes and 53% of the text reads.

1442
Detailed extraction results for the Chrome browser are available TABLE IV. INTERNET EXPLORER
in Table III - Google Chrome. During the analysis of the Actions Performed - IE Evidence Found - IE Category Found % - IE
extraction result it was observed that two paths provided Account Creation 2 0 0%
Image Upload 3 3 100%
valuable residual artifacts that included: Text Write 8 4 50%
Searches 4 4 100%
• FacebookChrome .001/Partition 1/NONAME [NTFS]/ Chat Messages 1 0 0%
[root]/sers/FTKuser/AppData/Local/Google/Chrome/User Wall Posts
Profile Information
3
0
0
0
0%
0%
Data/Default/History Text Read 11 5 45%
Wall Posts/Comments 4 1 25%
• FacebookChrome .001/Partition 1/NONAME [NTFS]/ Chat Messages 3 0 0%
Profile/Page View 4 4 100%
[root]/Users/FTKuser/AppData/Local/Google/Chrome/Us Login 2 2 100%
er Data/Default/Cache Session End/Logout 1 0 0%
Total 27 14 52%

TABLE III. GOOGLE CHROME

Actions Performed - GC Evidence Found - GC Category Found % - GC
Account Creation 2 2 100% V. CONCLUSIONS AND FUTURE WORK
Image Upload 2 2 100%
Text Write 29 15 52% Our analysis of the data gathered from the Mozilla Firefox,
Searches 3 3 100% Google Chrome, and Internet Explorer browsers using FTK
Chat Messages 4 0 0%
Wall Posts 14 5 36% supports the idea that different browsers retain varying amounts
Profile Information 8 7 88% of information about social media interactions. Findings from
Text Read 15 8 53% this study suggested that chat messages can be challenging to
Wall Posts/Comments 6 6 100%
Chat Messages 3 0 0% locate, while login information was consistently available across
Profile/Page View 6 2 33% all three browsers. In this experiment, Google Chrome retained
Login 4 4 100%
the most information while Mozilla Firefox saved the least
Session End/Logout 2 2 100%
Total 54 33 61% amount of residual data.
This research raises the question of artifact validation when
users have interacted with social media sites from different
The FTK extraction of the IE Browser identified 14 out of devices that potentially use different browsers. The initial results
the 27 actions performed (52%). Login information (Login) and of this experiment indicated that browsers retained different
image uploads (Image Upload) were the two categories where residual data artifacts when interacting with social media sites.
evidence was retrieved at a 100% rate. Session start, or Login This scenario potentially impacts an investigation from an
information was available and indicated the session start date evidence perspective and an overall cost perspective. If an
and time. The three images that were uploaded during our analyst needs to validate a user’s social media actives, then they
evidence generation were all found during the analysis. plausibly will be required to attempt to identify, locate and
Evidence of the email account creation in Internet Explorer extract information manually. Consequently, this increases the
could not be found. The session end or manual log off time that they spend on an individual case.
information also could not be found during the analysis. There are a number of potential extensions to this research,
Actions involving text that was input by the user (Text such as the following.
Write) left behind evidence that was found at a 50% rate. Of the Forensic taxonomy of browser apps: Future work will build
Text Write evidence, text that was input into Facebook’s search on this experiment to investigate the viability of validating
tool was found 100% of the time. Evidence of chat messages and residual data gathered from multiple end user devices (e.g.
wall posts to Facebook user profiles could not be found. Actions Android, iOS and Windows Phone devices) using multiple
that involved text that was viewed or read by the user (Text browsers, including lightweight browsers (e.g. Dolphin,
Read) was found at a rate of 45%. Of this category, evidence of Maxthon, Puffin, and UC), that have interacted with social
viewing a Facebook user’s profile or event page was found at a media websites. This will allow us to present a taxonomy of
rate of 100%. Evidence of chat messages could not be found, forensic artifacts that can be recovered from different browser
and a very limited amount of wall post or comments to wall posts apps using different forensic tools like Encase, Sleuth Kit and
could be found. Detailed extraction results for the IE browser Autopsy which is similar to forensic taxonomies for Android
are available in Table IV. and Windows specific apps [15, 38-40]. It is envisioned that the
future taxonomy will list the artifacts down the left side of the
Table V presents the location where evidence was found for table. The first row across the top will identify the individual
particular actions. A large portion of the residual data was found browsers like Firefox, Chrome, and IE. The second row will
in the ‘Temporary Internet Files’ and the ‘AppData’ folders. identify specific social media sites, i.e., Facebook, WhatsApp,
Some residual data items were also recovered from unallocated Snapchat, etc. Individual cells will intersect the artifacts with
space. specific social media sites in order to indicate the tool that was
used and the percentage of the artifact that was recovered.

1443
 TABLE V. IE RESIDUAL DATA LOCATIONS Forensically sound data extraction toolkit: Future work
Evidence will also investigate designing a forensically sound data
Action Description Action Details Evidence Location
Description extraction toolkit that can be used to automate the collection of
uploaded profile
C:\Users\trey.osbor
data from browser applications on personal computers, laptops,
Found image n\AppData\Local\Te
photo
mp\adtemp\ad_tm mobile devices and virtual machines.
facebookIEimage.00
1\Partition
Machine learning-aided forensics: Another extension of
2\NONAME this work is to explore the use of machine learning algorithms to
searched for chris Found keyword
chrome search
[NTFS]\[root]\Users aid investigators in the identification and establishment of action
\Administrator\App
intent. The result of this future work could perceivably provide
Data\Local\Microsof
t\Windows\Tempor data that encourages additional investigation, creation, and
searched for and Found evidence of implementation of more efficient and effective solutions for
sent chris chrome being a friend with extracting social media residual data.
accepted friend Found evidence of
request from fred Fred Fox profile
fox including From

logged into found session

C:\Users\trey.osbor References
n\AppData\Local\Te
facebook logs/cookies
mp\adtemp\ad_tm [1] Statista. Number of social media users worldwide from 2010 to 2021 (in
facebookIEimage.00 billions). Available: https://www.statista.com/statistics/278414/number-
1\Partition of-worldwide-social-network-users/
Found keyword
2\NONAME [2] Statista. Global revenue from social media from 2013 to 2019 (in billion
searched fred fox
search
[NTFS]\[root]\Users euros). Available:
\Administrator\App https://www.statista.com/statistics/562397/worldwide-revenue-from-
Data\Local\Microsof social-media/
t\Windows\Tempor [3] Gartner. (2017, 01/22/2018). Gartner Reveals Top Predictions for IT
C:\Users\trey.osbor
Organizations and Users in 2018 and Beyond. Available:
posted pic to fred file name: n\AppData\Local\Te
Found picture https://www.gartner.com/newsroom/id/3811367
fox wall 60075952eebif_sm mp\adtemp\ad_tm
p_60075952eebif_s
[4] H. Grigonis. (2018, 01/22). Desktop users could soon post to Facebook
facebookIEimage.00 Stories in their browser. Available:
1\Partition https://www.digitaltrends.com/social-media/facebook-stories-on-
2\NONAME desktop-tested/
searched chris Found keyword [5] K. Berman, W. B. Glisson, and L. M. Glisson, "Investigating the Impact
[NTFS]\[root]\Users
chrome search
\Administrator\App of Global Positioning System (GPS) Evidence in Court Cases," in
Data\Local\Microsof Hawaii International Conference on System Sciences (HICSS-48),
t\Windows\Tempor Kauai, Hawaii 2015: IEEE
facebookIEimage.00 [6] J. McMillan, W. B. Glisson, and M. Bromby, "Investigating the Increase
1/Partition in Mobile Phone Evidence in Criminal Activities," in Hawaii
2/NONAME International Conference on System Sciences (HICSS-46), Wailea,
posted pic to chris [NTFS]/[root]/Users Hawaii, 2013: IEEE.
file name: graffiti-ie Found picture
chrome /Administrator/App [7] W. B. Glisson, T. Storer, M. Campbell, A. Blyth, and G. Grispos, "In-
Data/Local/Microsof
the-Wild Residual Data Research and Privacy," Journal of Digital
t/Windows/Tempor
Forensics, Security and Law, vol. 11, no. 1, pp. 7-36, 2016.
ary Internet
read chris chrome Found page visit
[8] Government Technology. (2017, 01/29). Can the Police Use Facebook
C:\Users\trey.osbor
to Investigate Crimes? Available: http://www.govtech.com/public-
logged into
Found session log n\AppData\Local\Te safety/can-the-police-use-facebook-to-investigate-crimes.html
facebook
mp\adtemp\ad_tm [9] C. Clutter. (2018, 01/29). Police investigating social media threats made
facebookIEimage.00 toward Valley High School. Available:
1/Partition http://wtov9.com/news/local/police-investigating-social-media-threats-
Invited to Like Page. 2/NONAME made-toward-valley-high-school
Liked page "Let's [NTFS]/[root]/Wind [10] J. S. Cohen. (2018, 1/28). Chicago Cop Under Investigation Again Over
Pass Forensics Found invite link. ows/SoftwareDistri Social Media Posts. Available:
Maybe." (Closed bution/Download/4 https://www.propublica.org/article/chicago-police-officer-john-
group) a7d77dbff0bf4a0c11 catanzara-investigation
e5070d988f47b/amd [11] F. Richter. (2018, 01/29). Facebook Inc. Dominates the Social Media
64_microsoft- Landscape. Available: https://www.statista.com/chart/5194/active-
Chris Chrome (Oct 2 Found notification facebookIEimage.00
Read post Bob IE users-of-social-networks-and-messaging-services/
7:49pm): The Boat of tagged post from 1\Partition
was tagged in [12] G. Grispos, W. B. Glisson, and T. Storer, "Chapter 16 - Recovering
Party this weekend Chris Chrome and 2\NONAME
residual forensic data from smartphone interactions with cloud storage
Replies -
Fred Fox (Oct 2
providers," in The Cloud Security Ecosystem, R. K.-K. R. Choo, Ed.
7:52pm): Sorry man, Boston: Syngress, 2015, pp. 347-382.
Chris Chrome (Oct 2 [13] G. Grispos, W. B. Glisson, J. H. Pardue, and M. Dickson, "Identifying
7:58pm): Looks like User Behavior from Residual Data in Cloud-based Synchronized Apps,"
facebookIEimage.00 Journal of Information Systems Applied Research, vol. 8, no. 2, pp. 4-
Read Boat Party! Also found details 1\Partition 14, 2015.
event invite (past responded Can't go such as host (Chris 2\NONAME [14] G. Grispos, W. B. Glisson, and T. Storer, "Using Smartphones as a Proxy
date: Sep 30) Chrome), date/time [NTFS]\[orphan]\pa for Forensic Evidence contained in Cloud Storage Services," in Hawaii
ckage_112_for_kb30 International Conference on System Sciences (HICSS), 2013.
[15] N. D. W. Cahyani, N. H. A. Rahman, W. B. Glisson, and K.-K. R. Choo,
"The Role of Mobile Forensics in Terrorism Investigations Involving the
Use of Cloud Storage Service and Communication Apps," Mobile

1444
 Networks and Applications, journal article vol. 22, no. 2, pp. 240-254, [37] S. Mahaju and T. Atkison, "Evaluation of Firefox Browser Forensics
April 2017. Tools," in Annual ACM Southeast Conference Featuring
[16] M. Taylor, J. Haggerty, D. Gresty, P. Almond, and T. Berry, "Forensic Multidisciplinary and Interdisciplinary Computing, 2017, pp. 5-12.
investigation of social networking applications," Network Security, vol. [38] A. Azfar, K. K. R. Choo, and L. Liu, "Forensic taxonomy of Android
2014, no. 11, pp. 9-16, 2014. social apps," Journal of forensic sciences, vol. 62, no. 2, pp. 435-456,
[17] D. Weiss and G. Warner, "Tracking Criminals on Facebook: A Case 2017.
Study From A Digital Forensics REU Program," in Proceedings of the [39] A. Azfar, K.-K. R. Choo, and L. Liu, "Forensic taxonomy of android
Conference on Digital Forensics, Security and Law, 2015, p. 205: productivity apps," Multimedia Tools and Applications, vol. 76, no. 3,
Association of Digital Forensics, Security and Law. pp. 3313-3341, 2017.
[18] Y.-J. Jang and J. Kwak, "Digital forensics investigation methodology [40] A. Azfar, K. K. R. Choo, and L. Liu, "An android communication app
applicable for social network services," Multimedia Tools and forensic taxonomy," Journal of forensic sciences, vol. 61, no. 5, pp.
Applications, vol. 74, no. 14, pp. 5029-5040, 2015. 1337-1350, 2016.
[19] B. Cusack and S. Alshaifi, "Mining social networking sites for digital
evidence," 2015.
[20] Y.-J. Jang and J. Kwak, "Social network service real time data analysis
process research," in Frontier and Innovation in Future Computing and
Communications: Springer, 2014, pp. 643-652.
[21] N. B. Al Barghuthi and H. Said, "Social networks IM forensics:
Encryption analysis," Journal of Communications, vol. 8, no. 11, pp.
708-15, 2013.
[22] N. Shafqat, "Forensic Investigation of User's Web Activity on Google
Chrome using various Forensic Tools," International Journal of
Computer Science and Network Security (IJCSNS), vol. 16, no. 9, p. 123,
2016.
[23] F. Norouzizadeh Dezfouli, A. Dehghantanha, B. Eterovic-Soric, and K.-
K. R. Choo, "Investigating Social Networking applications on
smartphones detecting Facebook, Twitter, LinkedIn and Google+
artefacts on Android and iOS platforms," Australian journal of forensic
sciences, vol. 48, no. 4, pp. 469-488, 2016.
[24] N. Al Mutawa, I. Baggili, and A. Marrington, "Forensic analysis of social
networking applications on mobile devices," Digital Investigation, vol.
9, pp. S24-S33, 2012.
[25] Y. Mohd Najwadi and A. Dehghantanha, "Network traffic forensics on
Firefox Mobile OS: Facebook, Twitter and Telegram as case studies,"
2016.
[26] M. Yusoff, A. Dehghantanha, and R. Mahmod, "Forensic Investigation
of Social Media and Instant Messaging Services in Firefox OS:
Facebook, Twitter, Google+, Telegram, OpenWapp, and Line as Case
Studies."
[27] M. Moltisanti, A. Paratore, S. Battiato, and L. Saravo, "Image
Manipulation on Facebook for Forensics Evidence," Cham, 2015, pp.
506-517: Springer International Publishing.
[28] N. A. Mutawa, I. A. Awadhi, I. Baggili, and A. Marrington, "Forensic
artifacts of Facebook's instant messaging service," in 2011 International
Conference for Internet Technology and Secured Transactions, 2011, pp.
771-776.
[29] H. C. Chu, D. J. Deng, and J. H. Park, "Live Data Mining Concerning
Social Networking Forensics Based on a Facebook Session Through
Aggregation of Social Data," IEEE Journal on Selected Areas in
Communications, vol. 29, no. 7, pp. 1368-1376, 2011.
[30] K. Wong, A. Lai, J. Yeung, W. Lee, and P. Chan, "Facebook forensics,"
Valkyrie-X Security Research Group, 2011.
[31] J. Oh, S. Lee, and S. Lee, "Advanced evidence collection and analysis of
web browser activity," Digital Investigation, vol. 8, pp. S62-S70,
2011/08/01/ 2011.
[32] M. Mulazzani, M. Huber, and E. Weippl, "Social network forensics:
Tapping the data pool of social networks," in Eighth Annual IFIP WG,
2012, vol. 11.
[33] G. Grispos, W. B. Glisson, D. Bourrie, T. Storer, and S. Miller, "Security
Incident Recognition and Reporting (SIRR): An Industrial Perspective,"
in Twenty-third Americas Conference on Information Systems, Boston,
2017: Americas Conference on Information Systems.
[34] S. Hoolachan and W. B. Glisson, "Organizational Handling of Digital
Evidence," in The 2010 ADFSL Conference on Digital Forensics,
Security and Law, St. Paul, Minnesota, USA, 2010: Association of
Digital Forensics, Security and Law.
[35] A. Mendoza, A. Kumar, D. Midcap, H. Cho, and C. Varol, " BrowStEx:
A tool to aggregate browser storage artifacts for forensic analysis,"
Digital Investigation, vol. 14, pp. 63-75, 2015.
[36] J. H. Choi, K. Lee, J. Park, C. Lee, and S. Lee, "Analysis Framework to
Detect Artifacts of Portable Web Browser," Lecture Notes in Electrical
Engineering, vol. 180, pp. 207-214, 2012.

1445