
MySpace.com Forensic Artifacts

Until recently, the most commonly used search strings for MySpace investigations included the terms "friendID" or "FriendID=user-account-number". While these search terms are useful, they present a major disadvantage in that they often result in thousands of hits when greater specificity is needed. In a search for a better solution, I studied individual MySpace profiles by viewing source data as well as HTML syntax to look for common areas within the pages. I discovered that the MySpace.com programmers, who use ColdFusion (the web application responsible for MySpace.com architecture), assign unique data tags to each of the different pages within MySpace.

When viewing "Page Source Data" within the MySpace website, note that each area has its own unique data tag. The data tags are generated by the server website application, ColdFusion. ColdFusion Markup Language (CFML) includes a set of tags applied to web pages that allow users to interact with data sources, manipulate data, and display output. CFML tag syntax is similar to HTML element syntax.

The data tags below appear in MySpace.com pages:

| HTML & CFML Data Tags | Page |
|---|---|
| `<!-- MailInbox -->` | User message inbox |
| `<!-- MailReadMessage -->` | User mail message |
| `<!-- MailReply -->` | User reply to message/bulletin |
| `<!-- Bulletin -->` | Bulletin inbox |
| `<!-- BulletinRead -->` | Bulletin message |
| `<!-- MailForward -->` | Forward mail message |
| `<!-- MailTrashBox -->` | Messages in trash |
| `<!-- UserViewComments -->` | User comments page |
| `<!-- ViewFriends2 -->` | User friends page list |
| `<!-- UserViewProfile -->` | User profile page |
| `<!-- User -->` | User control panel |
| `<!-- UserViewPicture -->` | User view pictures area |
| `<!-- UserViewAlbums -->` | User picture album area |
| `<!-- MailFriendRequests -->` | Incoming Friend Requests |
| `<title>Myspace.com Blogs -` | MySpace Blog Pages |

You can import the Keywords listed above into your exam. Click on the "EnCase Keywords" link and download the *.zip file. The Keywords were formatted using EnCase version 6.10.

You can use the same search terms for FTK. In FTK, under the "Search" tab, click on the "Live Search" sub tab. You will need to check the "Regular Expression" options box under "Item Type". Click on the arrow next to the "Search Term" and choose the "Edit expression" option.

Click on the "FTK Regular Expressions" link and download the *.zip file. Cut and paste the regular expressions into your RegexList.ini file [inside the FTK "Programs" sub directory] and click save.

There is no guarantee that ALL of the data searched for will be retrieved. Fragmented data in unallocated areas of the hard disk may not contain the aforementioned ColdFusion and HTML syntax tags. I suggest that examiners use as many search strings as possible to yield the most effective results.
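
The same tag search can be run outside EnCase or FTK over a raw export of unallocated space. The sketch below is an added example, not the downloadable keyword or regular expression files this page links to; the regular expression, the `scan_stream` name, the chunk overlap size, and the sample buffer are assumptions constructed for illustration. It reads the input in chunks and carries an overlap so that a tag straddling a chunk boundary is still found once.

```python
import io
import re

# Data tag -> page type, copied from the table on this page.
PAGE_TYPES = {
    b"MailInbox": "User message inbox",
    b"MailReadMessage": "User mail message",
    b"MailReply": "User reply to message/bulletin",
    b"Bulletin": "Bulletin inbox",
    b"BulletinRead": "Bulletin message",
    b"MailForward": "Forward mail message",
    b"MailTrashBox": "Messages in trash",
    b"UserViewComments": "User comments page",
    b"ViewFriends2": "User friends page list",
    b"UserViewProfile": "User profile page",
    b"User": "User control panel",
    b"UserViewPicture": "User view pictures area",
    b"UserViewAlbums": "User picture album area",
    b"MailFriendRequests": "Incoming Friend Requests",
}
# Assumed pattern (not the page's keyword download): comment tag or blog title.
PATTERN = re.compile(
    rb"<!--\s*(" + b"|".join(PAGE_TYPES) + rb")\s*-->|<title>Myspace\.com Blogs -"
)
OVERLAP = 64  # bytes carried between chunks; longer than any listed tag

def scan_stream(stream, chunk_size=1 << 20):
    """Return (offset, matched text, page type) for each hit in a binary stream."""
    hits, tail, consumed = [], b"", 0
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        base = consumed - len(tail)  # absolute offset of buf[0]
        for m in PATTERN.finditer(buf):
            if m.end() <= len(tail):
                continue  # wholly inside the overlap, reported in an earlier round
            page = PAGE_TYPES.get(m.group(1), "MySpace Blog Pages")
            hits.append((base + m.start(), m.group(0).decode(), page))
        consumed += len(chunk)
        tail = buf[-OVERLAP:]
    return hits

# Constructed sample standing in for unallocated space; the trailing partial tag must not hit.
SAMPLE = (b"\x00" * 37 + b"<!-- MailInbox --><td>From</td>" + b"\xff" * 20
          + b"<!-- UserViewProfile -->friendID=0000" + b"\x00" * 11
          + b"<title>Myspace.com Blogs - x</title><!-- Mail")

if __name__ == "__main__":
    for hit in scan_stream(io.BytesIO(SAMPLE), chunk_size=16):
        print(hit)
```

The reported offsets are byte positions in the input stream, so each hit can be located again in the source image for review of the surrounding fragment.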