Suggestions for Searching Domestic Cases


Post Posted: Apr 27, 06 01:58

Recently, I have been working on a number of domestic cases (primarily a spouse wanting to know or to confirm what he or she suspects). I have come up with some key word searches that have had some success, but I would welcome others and offer this post for that reason. When thinking about communication with others, first person works well:

I would
I could
I wish
I want (however, there are a lot of "I want"s in the operating system)

There are often questions that are asked as well, such as:

could you
would you
should we
can you
can we
should I
could I

If pornography is an issue, inappropriate "dirty" words don't work well, because the meta data in websites are full of them.

Obviously, e-mail, images sent and received, and instant messages are also key.

What else have you tried?  

Senior Member

Re: Suggestions for Searching Domestic Cases

Post Posted: Apr 27, 06 16:20

Take into account localised 'slang' in your keyword searches such as 'wanna' vs 'want'.

Online dating sites have java enabled chat utils as well, but tracking conversations post incident can be a nightmare if not impossible in some cases so realtime monitoring is perhaps the best way forward.

I found the best set of tools for this type of scenario is real-time monitoring using tools like Spector; no need in most cases to dig any further. Likewise even if the offending spouse is using some sort of privacy/evidence eliminator type tool - Spector will still give you the goods, as it was captured in realtime.

Likewise, access to the mobile of the 'offending' spouse can often reveal a lot more than what one would find on their PC/notebook, namely in the form of deleted SMS and items deleted from the calls register. A couple of minutes with their mobile whilst they're in the shower can yield high returns.

You'd need to plan and arrange this quite carefully, best is get the other spouse to pass the mobile to you outside the premises, do a dump of the mobile, and hand it back. They can later call you for the results, better still give them a print out & let them analyze the recovered contents and draw whatever conclusions they see fit.

Check your local laws, but also note that in most countries the concept of 'communal property' allows one spouse to use and access items belonging to the other without breach of any other privacy laws. In most cases you may find that if the offending spouse was employed they would use their work PC/notebook (if possible), not the home pc for any 'illicit' communications.

I don't work domestic cases, I'm not a PI either, and am not connected in any way to Spector.

Just my 2 pennies worth. Good luck
#include <std.disclaimer.H> 

Senior Member

Re: Suggestions for Searching Domestic Cases

Post Posted: Apr 28, 06 17:17

If you're working with an XP system, or even just Windows in general, there are several areas where text searches like this will fail, particularly in the Registry. MS stores some text-based information in binary format, and other information is "encrypted" via ROT-13.

When working with domestic cases, there are several commonalities with other types of cases in which you want to get a view of user activity. One common way to do this is to look at the Internet history. Another is to look at the contents of the user's UserAssist (Registry) keys, and correlate that to the contents of the Prefetch (XP only) folder.

If you're interested in communications, you may want to see what software is installed, and look for IM clients. Many don't log by default, but you can get information from the Registry. For example, if the case involves a missing minor child, and the kid used AIM, you can get the screenname and encrypted password from the Registry and use that to log in...the same is true with other domestic cases.

P2P file sharing clients generally put significant artifacts in the Registry, as well.

You may want to look at recent searches (not only Google searches, but searches done on the local system, as well), and files recently accessed. The various MRU lists provide a great deal of useful information. Media Player, for example, keeps an MRU list of movies opened in that application.
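
The point in the post above, that plain text searches miss Registry data stored as binary (UTF-16LE) strings or ROT-13 value names such as those under UserAssist, shown as an added example that is not part of the original thread. The function names, the keyword list and the sample buffer are constructed for illustration; keywords are assumed to be ASCII.

```python
import codecs


def search_variants(keyword):
    """Byte patterns one ASCII keyword can take in a Windows hive or image."""
    rot = codecs.encode(keyword, "rot_13")  # ROT-13 leaves digits/punctuation alone
    return {
        "ascii": keyword.encode("ascii"),
        "utf-16le": keyword.encode("utf-16-le"),
        "rot13-ascii": rot.encode("ascii"),
        "rot13-utf-16le": rot.encode("utf-16-le"),
    }


def scan(data, keywords):
    """Case-insensitive scan; returns sorted (offset, keyword, encoding) hits."""
    lowered = data.lower()  # bytes.lower() folds only ASCII A-Z, so UTF-16LE survives
    hits = []
    for kw in keywords:
        for label, pattern in search_variants(kw.lower()).items():
            pos = lowered.find(pattern)
            while pos != -1:
                hits.append((pos, kw, label))
                pos = lowered.find(pattern, pos + 1)
    return sorted(hits)


# Constructed sample buffer: ASCII text, a UTF-16LE string, and a UserAssist-style
# ROT-13 value name (the path is made up for this example).
SAMPLE = (
    b"\x00\x01I would love to see you\xff"
    + "Can you meet".encode("utf-16-le")
    + b"\x00\x00"
    + codecs.encode(
        "UEME_RUNPATH:C:\\Program Files\\AIM\\aim.exe", "rot_13"
    ).encode("utf-16-le")
)

if __name__ == "__main__":
    for offset, kw, label in scan(SAMPLE, ["i would", "can you", "aim.exe"]):
        print(f"{offset:#06x}  {kw!r}  ({label})")
```

A plain ASCII search of the same buffer finds only the first phrase; the other two hits exist only in their UTF-16LE and ROT-13 forms.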


