
Windows 8.1 - LiveComm

(@chris55728)

I have a Windows 8.1 Pro desktop which contains indecent material.

This indecent material is located in 4 different sub-directories under the following directory structure:

\Users\<username>\AppData\Local\Packages\microsoft.windowscommunicationapps.8wekyb3d8bbwe\LocalState\LiveComm\<16 char alpha numeric>\nnnnnn-nnn\Att

In these 4 different sub-directories, I have multiple copies of the same .zip file. For example; Photo.zip, Photo (1).zip, Photo (2).zip, etc. all the same size and same hash value but with different creation dates spread across a number of dates. The creation, last accessed, last written and entry modified dates and times are identical per file.

From checking on Google, it would appear that the folder structure I'm looking at is all to do with the 'Communication App' which includes the user's email, chat clients, social networking, etc., anything that allows the user to interact with another person.

I'd like to be able to find out where these .ZIP files came from and why there are multiple copies present.

I've looked at the associated 'livecomm.edb' file (using ESEDatabaseView from NirSoft) and this does seem to confirm what Google returned, in as much as the 'Account' table shows multiple communication apps for my suspect.

The 'Contact' table appears to show all the contacts - only names, no email addresses in my case.

The 'MailAttachment' table appears to show files that have been sent or received (it's not clear which) but there are no .zip files amongst the files listed.

The 'Relevance' table appears to hold a list of email addresses - presumably contact email addresses.

There's a 'Person' table that loads over 1.3 million records and then causes the software to crash so I'm not sure whether this holds anything evidential.

There's also the standard Windows 'UserTiles' directory.

I suspect there's a load of cross linking going on between the tables in the 'livecomm.edb' file but I have no idea where to look.

What I need is some way to associate the folders that the .ZIP files were found in with an email address and associated email message. Has anyone else had any luck with this?

Kind regards,

Chris

 
Posted : 24/02/2016 5:00 pm
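
The observation in the post (identical archives sitting under several Att folders) can be tabulated with the following added example, which is not part of the original post. It assumes the evidence has been exported or mounted read-only at a path given on the command line, takes the folder layout from the path quoted in the post, and reports whatever last-written time that mount exposes; the function and field names are illustrative.

```python
import hashlib
import os
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

# Layout quoted in the post:
#   ...\LocalState\LiveComm\<16 char alphanumeric>\nnnnnn-nnn\Att\<file>
# The second folder is matched loosely because the post only gives a placeholder.
LIVECOMM_ATT = re.compile(
    r"LiveComm[\\/](?P<store>[0-9A-Za-z]{16})[\\/](?P<sub>[^\\/]+)[\\/]Att[\\/](?P<name>[^\\/]+)$"
)

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large attachments are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """Return {sha256: [record, ...]} for every file found in a LiveComm Att folder."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            m = LIVECOMM_ATT.search(full)
            if not m:
                continue  # not an attachment path of the quoted form
            st = os.stat(full)
            groups[sha256_file(full)].append({
                "store": m["store"], "sub": m["sub"], "name": m["name"],
                "size": st.st_size, "mtime": st.st_mtime,
                "last_written_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return dict(groups)

def duplicates(groups):
    """Keep only hashes seen more than once; order each group by last-written time."""
    return {h: sorted(recs, key=lambda r: r["mtime"])
            for h, recs in groups.items() if len(recs) > 1}

if __name__ == "__main__":
    for digest, recs in duplicates(inventory(sys.argv[1])).items():
        print(digest)
        for r in recs:
            print(f"  {r['store']}\\{r['sub']}\\Att\\{r['name']}  {r['size']} bytes  {r['last_written_utc']}")
```
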