Forensic Artifacts for PayPal Transactions


Forensic Artifacts for PayPal Transactions

Post Posted: Thu Oct 24, 2013 6:54 am

I am trying to identify a PayPal account name and hopefully details of a transaction.

I have been using EnCase Version 6 and IEF and have so far found artifacts that would suggest PayPal use but not a lot else.

If anyone has any specific details of where I can look for artifacts or something I can use to identify an account, that would be really helpful.

Thanks  

joe.w
Newbie
 
 
  

Re: Forensic Artifacts for PayPal Transactions

Post Posted: Thu Oct 24, 2013 7:18 am

As with any web page, visit the page yourself and look at the source. How does it display the logged in user ID? Can you create a search term from that? (Hint: yes).

How does it do authentication? Is there a specific auth servername, or perhaps something in the URL or some post data that could be used to search?  

Xennith
Senior Member
 
 
  

Re: Forensic Artifacts for PayPal Transactions

Post Posted: Thu Oct 24, 2013 10:30 am

How about webpages in cache folders?

URL strings for PayPal *MAY* contain either the actual username or an ID or some help. Like Xennith said... test it out and see what the different URLs show in your browser.

Did you look for an email receipt or transaction email from PayPal sent to an email account that is on the drive?

Good luck!
-=Art=-  

4n6art
Senior Member
 
 
  

Re: Forensic Artifacts for PayPal Transactions

Post Posted: Mon Oct 28, 2013 4:22 am

I know of three ways of determining PayPal ID on a given computer.

1. Analyze cookies (if the user set the "This is my private computer" check box)
2. Check Windows Registry (Internet Explorer) or SQLite databases (Mozilla, Chrome etc.) for cached account IDs
3. Analyze email receipts sent by PayPal

In addition, if you have access to the user's eBay account, that one may have a PayPal ID linked.
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
 
 
  

Re: Forensic Artifacts for PayPal Transactions

Post Posted: Mon Oct 28, 2013 12:37 pm

e-mail.

PayPal sends, by default, copious amounts of e-mail on various transactions.

jhup
Senior Member
 
 
  

Re: Forensic Artifacts for PayPal Transactions

Post Posted: Tue Oct 29, 2013 3:46 pm

The best answer in this thread so far is the one advising you to check the PayPal website.

Go to the PayPal website, create an account and see what unique identifiers exist for each of the types of pages you are looking for. Once you've identified what marker will lead you to the PayPal username, your best next step is to search for a fragment of the page.

PayPal switches to https by default when you are logged in, so web page history may not exist within the webcache; instead, focus on the pagefile and hiberfil with searches to find fragments of these files. Once you do find the PayPal ID and possibly the email associated with it, do a separate search of the same location for webmail artifacts of the emailed receipt for the transactions.

IEF does a great job with webpage reconstruction and webmail recovery, but if the fragment is only a partial or the format of the JSON changed after the latest IEF release, you are back to manual searching and carving.

dcowen
Newbie
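The manual fragment search described in the post above, sketched as an added example (not part of the original thread and not code from any tool mentioned in it). It scans a raw file such as a pagefile copy in chunks for a marker in both ASCII and UTF-16LE and lists email addresses near each hit; the marker `paypal.com`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import io
import re

# Assumed marker: swap in whatever identifier you observed in your own test pages.
MARKER = "paypal.com"
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def scan(stream, marker=MARKER, chunk=1 << 20, context=256):
    """Return sorted (offset, encoding, emails_nearby) for each marker hit in a raw stream."""
    pats = {enc: re.compile(re.escape(marker.encode(enc)), re.I)
            for enc in ("ascii", "utf-16le")}   # Windows memory holds both forms
    keep = context + 2 * len(marker)            # tail deferred until the next chunk arrives
    buf, base, lo, hits = b"", 0, 0, []         # base = file offset of buf[0]
    while True:
        data = stream.read(chunk)
        buf += data
        # Defer hits too close to the end of the buffer unless this is EOF.
        limit = len(buf) if not data else max(lo, len(buf) - keep)
        for enc, pat in pats.items():
            for m in pat.finditer(buf, lo):
                if m.start() >= limit:
                    break
                window = buf[max(0, m.start() - context):m.end() + context]
                if enc == "utf-16le":           # crude narrowing, fine for ASCII-range text
                    window = window.replace(b"\x00", b"")
                emails = sorted({e.decode() for e in EMAIL.findall(window)})
                hits.append((base + m.start(), enc, emails))
        if not data:
            return sorted(hits)
        cut = max(0, limit - context)           # keep leading context for deferred hits
        buf, base, lo = buf[cut:], base + cut, limit - cut

def sample_image():
    """Constructed test data standing in for a pagefile: filler plus two page fragments."""
    ascii_frag = b'{"payer":"alice@example.test","src":"https://www.paypal.com/x"}'
    wide_frag = "https://www.PayPal.com/ bob@example.test".encode("utf-16le")
    return b"\xaa" * 1000 + ascii_frag + b"\x00" * 3000 + wide_frag + b"\xbb" * 500

if __name__ == "__main__":
    for offset, enc, emails in scan(io.BytesIO(sample_image()), chunk=512, context=64):
        print(f"0x{offset:08x} {enc:9} {emails}")
```

Run it against a working copy of the file opened in binary mode, and treat the reported offsets as starting points for manual review of the surrounding data.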
 
 