Case Studies
Explore our confidential case studies where Xpert Forensics uncovered digital fraud, insider threats, data leaks, and cyber misconduct using advanced forensic tools and investigative techniques. Each case reflects our commitment to precision, discretion, and delivering actionable insights that drive resolution.
Complete Social Media Forensics: Download and Analyze Facebook Data in Magnet AXIOM
In modern digital forensic investigations, social media platforms like Facebook have become a goldmine of potential evidence. From messages, images, and videos to account activities and shared files, Facebook data can play a crucial role in solving cases related to cybercrime, insider threats, financial fraud, and online harassment.
To efficiently analyze this data, investigators rely on advanced forensic tools like Magnet AXIOM. This powerful platform simplifies the entire process by enabling experts to process, analyze, and extract actionable insights from downloaded Facebook data quickly and accurately.
In this guide, Xpert Forensics walks you through a beginner-friendly, step-by-step process — from downloading Facebook data to analyzing it within Magnet AXIOM.Today, we’ll perform a comprehensive data analysis of both a Facebook page and a Facebook profile to explore what types of hidden insights, conversations, and artifacts can be extracted and used as digital evidence.
Why Use Magnet AXIOM for Facebook Forensics
Magnet AXIOM is widely used in the field of digital forensics because of its ability to extract, organize, and analyze large datasets efficiently. Here’s why it’s a preferred choice for facebook investigations:
- Supports Multiple Evidence Types – Analyzes chats, images, videos, contacts, login history, and more.
- Powerful Search & Filtering – Quickly locate critical artifacts using filters and keyword searches.
- Metadata Extraction – Retrieves timestamps, geolocation data, and other hidden details.
- Cross-Platform Analysis – Supports data from Android, iOS, and downloaded archives.
Step 1: Download Facebook Data
Before starting the forensic analysis, we need to legally acquire facebook data. Facebook allows users to request and download a complete data archive, which includes messages, photos, videos, comments, and account activity.
Steps to Download Facebook data:.
- Login to Facebook page → Go to Settings & Privacy → Settings.
- Navigate to Your Facebook Information.
- Click Download Your Information.
- Select the Date Range:
- All Time → To download everything
- Custom → Select a specific investigation period
- Choose the Format:
- JSON (recommended for forensic analysis)
- HTML (for manual viewing only)
6. Select Media Quality:
- High / Medium / Low (choose High if needed for evidence)
7. Click Create File → Facebook will prepare the archive.
8. Once ready, download the ZIP file to your forensic workstation.
Note: Here we downloaded both (HTML & JSON) data for analysis.
Step 2: Importing Data into Magnet AXIOM
Once you’ve downloaded the facebook data archive, the next step is to import it into Magnet AXIOM for processing.
Steps to Import:
- Open Magnet AXIOM Process.
- Select New Case and provide basic details like case name, investigator name, and reference number.
- Click Add Evidence Source → Select Instagram Data (ZIP/Extracted Folder).
- Choose the extracted Instagram data folder and click Next.
- AXIOM will automatically detect and parse available artifacts.
Step 3: Analyzing Facebook HTML Data in Magnet AXIOM
After the data is processed, Magnet AXIOM Examine provides a powerful interface to analyze all facebook artifacts. You can investigate:
Analysis of Your Magnet AXIOM Results
- All Evidence (3,758) → The total number of artifacts recovered from the Facebook JSON data.
- Refined Results (171) → Contains identifiers, primarily people-related data, such as profile IDs, usernames, linked accounts, and other user references.
- Web Related (1) → Includes WebKit Browser Web History (Carved), meaning Magnet AXIOM recovered web browsing data related to Facebook activity.
- Social Networking (1,292) → Facebook and Instagram-related artifacts, including:
- Direct Messages (DMs)
- Comments, posts, and reactions
- Profile metadata and account activity.
- Media (2,277) → Includes:
- Pictures (2,184) – Photos uploaded, received, or cached via Facebook and Instagram.
- Videos (86) – Video files from posts, stories, or saved reels.
- Audio (7) – Voice notes, call recordings, or audio files shared.
- Documents (15) → Likely contains structured JSON/HTML files with profile information, messages, settings, and extracted user data.
- Operating System (1) → Minimal OS-level information recovered, such as file system metadata and timestamps.
- Location & Travel (1) → Contains Google Maps data possibly linked to check-ins, tagged locations, or shared travel history.
Identifiers – People
The Identifiers – People category extracted by Magnet AXIOM provides critical information about participants involved in conversations, including their names, IDs, and relationships. This data primarily comes from Facebook Messenger and Instagram Direct Messages contained within the downloaded ZIP file.
Social Networking
The Social Networking section in Magnet AXIOM extracted 1,292 artifacts from Facebook messages. These include private chats, group conversations, friend requests, and call logs with complete metadata such as sender names, participants, timestamps, and message texts. The recovered data helps reconstruct communication patterns, identify relationships, and track user interactions across both platforms, making it highly valuable for digital forensic investigations.
Media
The Media → Pictures section in Magnet AXIOM displays 2,277 total media artifacts, out of which 2,184 are images extracted from the downloaded Facebook JSON archive. These images include profile pictures, shared photos, story highlights, chat attachments, and other visual media associated with the user’s Facebook activities.
Each image entry shows details such as file name, size, format (.jpg), and storage location. Magnet AXIOM also provides a built-in preview feature, allowing investigators to visually examine each recovered image.
This data is crucial in social media forensics, as it helps in:
- Identifying shared or received images
- Correlating pictures with chat conversations
- Recovering deleted or archived media
- Extracting metadata (timestamps, device info, GPS if available)
By analyzing these artifacts, investigators can reconstruct user activity timelines, verify interactions between participants, and gather visual evidence essential for digital forensic investigations.
Step 4: Analyzing Facebook JSON Data in Magnet AXIOM
After the data is processed, Magnet AXIOM Examine provides a powerful interface to analyze all Facebook artifacts. This Magnet AXIOM dashboard provides a comprehensive summary of the evidence extracted from a Facebook JSON data package. A total of 11,286 artifacts were recovered, categorized into Social Networking (7,555), Media (2,275), Refined Results (1,454), and minimal Operating System and Location & Travel data (1 each). The extracted data primarily focuses on Facebook-related activities, including messages, media, and other user interactions, which are critical for digital forensic investigations and timeline reconstruction.
All Evidence
The total 11,286 artifacts, which are crucial for focused investigation. Key findings:
- Total Refined Results: 1,454 artifacts
- Facebook URLs: 111 items → Links to profiles, posts, and shared content.
- Google Maps Queries: 1 item → Shows a location-related search.
- Identifiers – People: 1,332 items → Includes names, user IDs, and linked accounts.
- Social Media URLs: 10 items → Direct URLs to social media activities.
- Social Networking: 7,555 artifacts → Contains Facebook messages, chats, timeline activities, and interactions.
- Media Evidence: 2,275 artifacts → Includes pictures, videos, and audio files extracted from the dataset.
- Location & Travel: 1 artifact → Shows geolocation data, possibly linked to user movements or map searches.
Refined Results
From the 11,286 total artifacts, 1,454 items were categorized under Refined Results. The breakdown is as follows:
- Facebook URLs (111 items) → These contain links to Facebook profiles, posts, images, and shared content, useful for tracing online activity and user interactions.
- Google Maps Queries (1 item) → Shows a specific address or location search performed by the user, which can help in determining movement patterns or visited places.
- Identifiers – People (1,332 items) → Includes information about friends, followers, and connected accounts, allowing investigators to map the user’s social connections.
- Social Media URLs (10 items) → Consists of links to Instagram reels, posts, and TikTok videos, showing the user’s activity and content consumption on different platforms.
Social Networking
Cloud Facebook Timeline (2,950 posts)
- This section contains Facebook posts made by the user.
- In this screenshot, we see posts like: “User shared a post to the group: Yamabir…”
- Each entry shows:
- Type → post
- Person → Who posted/shared
- Created Date → when exactly the post was made
Facebook – Instagram Messages (2,305 messages)
- This section contains messages exchanged on Facebook/Instagram Messenger (via Facebook’s platform).
- Here, you can find:
- Who messaged whom
- Exact timestamps of messages
Instagram Direct Messages (2,300 messages)
- This section contains Instagram chat data (from IG’s own Direct Messages system).
- Similar details as above:
- Sender, recipient names & Message text
- Date & time of each DM
Media
Total Media files: 2,275
- Pictures: 2,182
- Videos: 86
- Audio: 7
Each file is listed with its system-assigned ID (middle), and investigators can preview the actual image/video/audio (right).
Operating System
This confirms the Facebook data was obtained in a ZIP archive format. The forensic tool treats it as a file system container and parses its internal structure to extract posts, messages, media, etc.
Location & Travel
This means at least one location-based artifact was found. It is most likely from a Google Maps link shared by the user or location metadata tied to posts or messages.
Conclusion
The forensic analysis of the extracted Facebook data using Magnet AXIOM reveals crucial digital evidence, including social networking activity, media files, location data, user identifiers, and refined results such as URLs, chats, and followers. This information provides deep insights into the user’s online behavior, communication patterns, location traces, and media interactions. By analyzing these artifacts, investigators can reconstruct timelines, identify suspects, locate hidden connections, and gather admissible evidence for cybercrime investigations involving harassment, fraud, impersonation, stalking, data leaks, and other social media-related crimes.
How Xpert Forensics Can Help
Xpert Forensics specializes in social media forensics and can assist law enforcement, legal professionals, and individuals by:
- Comprehensive Social Media Data Analysis → Extracting, processing, and analyzing data from Instagram, Facebook, WhatsApp, and other platforms.
- Timeline Reconstruction → Mapping out user activities, chat histories, shared media, and login sessions to establish a clear sequence of events.
- Identification of Cybercrime Evidence → Detecting fraud, phishing, identity theft, stalking, harassment, and unauthorized access attempts.
- Geo-Location & IP Tracking → Using Google Maps queries, metadata, and server logs to track a suspect’s movements and login locations.
- Detailed Forensic Reporting → Providing legally admissible reports with screenshots, timelines, and metadata to strengthen cybercrime cases.
- Expert Testimony → Assisting courts and investigators by explaining digital evidence in a clear and professional manner.
Need Expert digital forensic support or training?
✉️Feel free to connect with us today | Email: service@xpertforensics.in