Instant Messenger Discussions or Research Projects

bernieregans
Member
 

Instant Messenger Discussions or Research Projects

Post Posted: Jul 24, 05 05:21

I am currently undertaking a project devising a framework for a forensic examiner to use in order to retrieve digital evidence left behind by the use of instant messengers. As part of my literature review I have to look into what each IM is, how it operates, etc. (MSN, Yahoo, Jabber, ICQ). I also need to identify and analyse any other research project within the same area so I can compare, and also find holes within it to incorporate into mine.

I would be grateful for any replies pointing me in the direction of any of the above.

Yours truly

Bernieregans  
 
  

akaplan0qw9
Senior Member
 

Re: Instant Messenger Discussions or Research Projects

Post Posted: Jul 24, 05 20:40

Dear Bernie,

I'm not able to offer any assistance at this time. But, I'm sure I'm not alone in wanting to see the results of your very worthwhile study.

We currently use FTK (Full Suite), Winhex Forensics (Full Suite), Paraben Chat and e-mail detective (Hot Pepper Technology) all of which might be of interest to you. Time permitting, I will be glad to run tests for you using that software and furnish you with the results.
_________________
Alan M. Kaplan, ACE
Nevada PI License #220
AKaplan @ LasVegasPI.com 
 
  

keydet89
Senior Member
 

Re: Instant Messenger Discussions or Research Projects

Post Posted: Jul 25, 05 02:17

"...devising a framework for a forensic examiner to use in order to retrieve digital evidence left behind by the use of instant messengers."

At what point are you trying to get this data?

If the system is still live, there is a lot of info you can retrieve. The most recent edition of the Digital Investigation Journal contains my article on the subject.

If you're looking at an imaged system, your mileage is going to vary. AIM, by default, does not log conversations, while Trillian does.

If you have specific questions, feel free to contact me directly.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

bernieregans
Member
 

Re: Instant Messenger Discussions or Research Projects

Post Posted: Jul 25, 05 16:44

Hi,

Thanks Al Kaplan, but I am using EnCase, as my university has licences for its use and, as it is regarded as one of the best, I was directed to using that. If there is enough time I will be using freeware tools that will allow most investigators to retrieve the results that I get. I will keep you posted and, if I may, I would like to contact you to complete an evaluation questionnaire for me.

Thanks Helen, is that the article you sent me in June? I am running it from a shut-down system and I will be making an image and, as mentioned above, using EnCase to do my investigation.

You can email me directly at bernieregans @ hotmail.com for easier correspondence.

Many thanks

Bernieregans
 
  

keydet89
Senior Member
 

Re: Instant Messenger Discussions or Research Projects

Post Posted: Jul 27, 05 15:53

I don't know who "Helen" is, and what article she sent you (could you send me a copy??) but would be interested in knowing more about the framework project you're working on. What information have you collected thus far?

One thing you may consider doing is documenting your findings with regards to Windows Registry artifacts for each IM client, as well as the artifacts found in the Prefetch directory (if you're using XP as the client system).

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
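Added example, not code from any poster in this thread: a small parser for the Windows XP prefetch files the post above suggests documenting (the "NAME-HASH.pf" files under C:\WINDOWS\Prefetch). It assumes the published version-17 layout (executable name at 0x10, path hash at 0x4C, last-run FILETIME at 0x78, run count at 0x90); later Windows versions move these fields. The sample file is constructed inline, so the script runs without a real image.

```python
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11  # format version written by Windows XP / Server 2003

# Header offsets for the XP (version 17) layout, as assumed for this example;
# later Windows versions use different offsets.
OFF_FILE_SIZE = 0x0C
OFF_EXE_NAME = 0x10     # 60 bytes, UTF-16LE, NUL-terminated
OFF_PATH_HASH = 0x4C
OFF_LAST_RUN = 0x78     # FILETIME
OFF_RUN_COUNT = 0x90
MIN_HEADER = 0x98


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def is_xp_prefetch(data):
    """Cheap sanity check before trusting any offset in the file."""
    return (len(data) >= MIN_HEADER and data[4:8] == PF_SIGNATURE
            and struct.unpack_from("<I", data, 0)[0] == PF_VERSION_XP)


def parse_xp_prefetch(data):
    """Return the fields an examiner normally cites from an XP .pf file."""
    if not is_xp_prefetch(data):
        raise ValueError("not an XP-format prefetch file")
    raw_name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60]
    exe_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, OFF_PATH_HASH)[0]
    return {
        "exe": exe_name,
        "path_hash": "%08X" % path_hash,  # the hash that appears in NAME-HASH.pf
        "expected_filename": "%s-%08X.pf" % (exe_name, path_hash),
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]),
        "run_count": struct.unpack_from("<I", data, OFF_RUN_COUNT)[0],
        "file_size": struct.unpack_from("<I", data, OFF_FILE_SIZE)[0],
    }


def build_sample_prefetch(exe, path_hash, last_run_ft, run_count):
    """Constructed test data: only the header fields above are populated."""
    buf = bytearray(MIN_HEADER)
    struct.pack_into("<I4s", buf, 0, PF_VERSION_XP, PF_SIGNATURE)
    struct.pack_into("<I", buf, OFF_FILE_SIZE, len(buf))
    name = exe.encode("utf-16-le")[:58]
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<I", buf, OFF_PATH_HASH, path_hash)
    struct.pack_into("<Q", buf, OFF_LAST_RUN, last_run_ft)
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


# Constructed sample; 127666368000000000 is the FILETIME for 2005-07-24 00:00:00 UTC.
SAMPLE = build_sample_prefetch("AIM.EXE", 0x1A2B3C4D, 127666368000000000, 7)

if __name__ == "__main__":
    for field, value in parse_xp_prefetch(SAMPLE).items():
        print("%-18s %s" % (field, value))
```

On a real image, read each .pf file in binary and pass the bytes to parse_xp_prefetch; compare the returned expected_filename against the actual file name, since a mismatch means the file was renamed or the header is not what the name claims.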
 
  

bernieregans
Member
 

Re: Instant Messenger Discussions or Research Projects

Post Posted: Jul 27, 05 20:23

I do beg your pardon, I meant Harlan. At the moment I am undertaking the research part. I am currently looking at six major IMs: MSN, Yahoo!, ICQ, Trillian, AOL and GCN (using Jabber). I am looking into each of these and how they work, using the Windows XP Professional architecture to enable full use. I will be looking into forensics and pointing the research towards digital evidence and what exactly it is.

After this I will be conducting tests on each of the IMs and will then be using EnCase to analyse the digital evidence. I will also be using freeware tools to enable other examiners to repeat my steps.

If you could offer any additional information which you think I have missed, I would be grateful.

Many thanks

bernieregans  
 
  

keydet89
Senior Member
 

Re: Instant Messenger Discussions or Research Projects

Post Posted: Jul 28, 05 19:42

Here's what I suggest...

Start with a VMware image of XP, if you can. Launch the first phase of InControl5, install the software, and then run the second phase of InControl5. You might even run something like the Sysinternals RegMon and FileMon tools during the installation, to catch any files or keys that are created and then deleted during the installation process.

Once this is done, I'd suggest using static analysis tools such as Dependency Walker on the executable image (i.e., for AIM, "aim.exe").

"I will be looking into forensics and pointing the research towards digital evidence and what exactly it is."

I'm not entirely sure what you're looking at here, other than the files and Registry keys that are installed and used by the applications. Are you looking specifically for log files created by the applications? If that's the case, I think part of that has already been documented to some degree.

Good luck.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
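Added example, not code from any poster in this thread, of the before/after snapshot technique the post above describes (what InControl5 does): export the registry with "regedit /e" and hash the file tree before the install, repeat afterwards, and diff the two. The registry exports and the file tree below are constructed inline, and "ExampleIM" is a placeholder client, not a verified artifact of any real messenger; the keys and files an examiner records for AIM, MSN or Trillian are exactly what the diff is meant to surface.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample exports, in the format "regedit /e" writes. ExampleIM is a
# placeholder product; the paths are illustrative, not documented IM artifacts.
REG_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Example]
"Installed"=dword:00000000
"""

REG_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleIM"="C:\\Program Files\\ExampleIM\\im.exe /background"

[HKEY_CURRENT_USER\Software\Example]
"Installed"=dword:00000001

[HKEY_CURRENT_USER\Software\ExampleIM\Users\bernie]
@="bernie@example.org"
"LastLogin"=hex:a0,12,\
  34,00
"""


def parse_reg_export(text):
    """Flatten a regedit export into {'KEY': '<key>', 'KEY\\valuename': rawvalue}.

    Values keep regedit's literal encoding (quoted string, dword:, hex:) so the
    diff never has to interpret them; hex: continuation lines are joined first.
    """
    text = re.sub(r",\\\s*\n\s*", ",", text)
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = "<key>"  # record empty keys too
            continue
        if key is None:
            raise ValueError("value line before any [key] header: %r" % line)
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        entries[key + "\\" + name] = value
    return entries


def snapshot_tree(root):
    """Map each file under root (forward-slash relative path) to its SHA-256."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before, after):
    """Return (added, removed, changed) between two snapshot dicts."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys()
               if before[k] != after[k]}
    return added, removed, changed


def demo_registry_diff():
    return diff_snapshots(parse_reg_export(REG_BEFORE), parse_reg_export(REG_AFTER))


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo_file_diff():
    """Simulate the install in a scratch tree: one new binary, one rewritten hive."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "WINDOWS/system32/config/software", b"hive v1")
        _write(root, "Documents/notes.txt", b"untouched")
        before = snapshot_tree(root)
        _write(root, "Program Files/ExampleIM/im.exe", b"MZ...")        # installed binary
        _write(root, "WINDOWS/system32/config/software", b"hive v2")     # hive rewritten
        after = snapshot_tree(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for label, (added, removed, changed) in (("registry", demo_registry_diff()),
                                               ("files", demo_file_diff())):
        print("== %s: %d added, %d removed, %d changed" % (label, len(added), len(removed), len(changed)))
        for k in sorted(added):
            print("  + %s = %s" % (k, added[k]))
        for k in sorted(changed):
            print("  ~ %s: %s -> %s" % (k, changed[k][0], changed[k][1]))
```

Real regedit exports are UTF-16LE with a byte-order mark, so open them with encoding="utf-16" before passing the text to parse_reg_export. This snapshot diff only sees what survives the install; keys or files created and deleted during setup are exactly the gap RegMon and FileMon fill, as the post notes.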