Carved Email or Text Data

UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Colleagues,

I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.

Forensic Explorer recovered correspondence like the below example:

"ts"1431389818977.0,"type"1},{"read"true,"text""How did meeting with GA go? "

* I can see that "ts"1431389818977.0 is clearly a date/time stamp

The recovered file has multiple examples like the above example, delimited by commas.

QUESTION: Is the recovered content email messages or text messages?

 
Posted : 14/08/2018 1:44 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

This seems like Twitter time stamp data. Ts after short message.

 
Posted : 14/08/2018 1:47 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Nightworker: The communication content was very sensitive in nature so it was definitely not Twitter Tweets.

 
Posted : 14/08/2018 1:50 pm
(@mcman)
Posts: 189
Estimable Member
 

> Nightworker: The communication content was very sensitive in nature so it was definitely not Twitter Tweets.

Twitter DMs? They are private and probably formatted in a similar way. I know it's a computer but maybe they were using the Twitter app from the MS store, which tends to be a completely different format than the mobile apps they make for iOS or Android…

I'll look around to see if I recognize the format in any of my data.

Jamie

 
Posted : 14/08/2018 4:16 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

I know this might be a basic way of looking at your issue, but have you looked to see if any email client is installed on the computer (Thunderbird, Outlook, etc.)? It might give you a hint for what you are looking for.

I would also look and see if there is any web history for messaging services like Signal. I know they have a Windows program you can download and use.

Just some thoughts.

 
Posted : 14/08/2018 4:19 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

In my limited experience with chat protocols, I know that some of them store data in JSON and email is usually stored as a whole in text with full headers and not broken up per line in JSON format. Also, text documents are rarely stored in JSON format.

Go through the drive and check for installed applications, find the most likely one and recreate and confirm this hypothesis.

 
Posted : 14/08/2018 4:48 pm
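
An added example, not part of any post in this thread: a Python parser that pulls key/value pairs out of a carved run like the one quoted in the first post and groups them into per-message records, tolerating objects cut off at the carve boundaries. It assumes `ts` is Unix epoch milliseconds; the function names and the second half of the sample data are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# One token is either an object brace or a "key"<:>value pair. The colon is
# optional because the fragment quoted in the thread shows none.
TOKEN = re.compile(r'''
    (?P<brace>[{}])
  | "(?P<key>\w+)"\s*:?\s*
    (?P<val>"(?:[^"\\]|\\.)*"|true|false|null|-?\d+(?:\.\d+)?)
''', re.VERBOSE)

def carve_messages(buf):
    """Group key/value pairs into records, one per {...} object.
    Objects cut off at either end of the carved run come back partial."""
    records, cur = [], {}
    for m in TOKEN.finditer(buf):
        if m.group("brace"):          # object boundary: flush what we have
            if cur:
                records.append(cur)
            cur = {}
            continue
        try:
            cur[m.group("key")] = json.loads(m.group("val"))
        except json.JSONDecodeError:  # damaged escape: keep the raw token
            cur[m.group("key")] = m.group("val")
    if cur:
        records.append(cur)
    return records

def ts_to_utc(ts_ms):
    """Assumption: "ts" counts milliseconds since 1970-01-01 UTC."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(milliseconds=int(ts_ms))

# Constructed sample: the fragment from the first post, followed by made-up
# data (one complete object, one object truncated at the end of the run).
SAMPLE = ('"ts"1431389818977.0,"type"1},{"read"true,"text""How did meeting '
          'with GA go? ","ts":1431389875000.0,"type":2},'
          '{"read":false,"text":"Call me {asap}","ts"')

if __name__ == "__main__":
    for rec in carve_messages(SAMPLE):
        when = ts_to_utc(rec["ts"]).isoformat(timespec="milliseconds") \
            if "ts" in rec else "no timestamp"
        print(when, "|", rec.get("text", "<text not in this fragment>"))
```
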
(@rich2005)
Posts: 535
Honorable Member
 

> Colleagues,
>
> I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.
>
> Forensic Explorer recovered correspondence like the below example:
>
> "ts"1431389818977.0,"type"1},{"read"true,"text""How did meeting with GA go? "
>
> * I can see that "ts"1431389818977.0 is clearly a date/time stamp
>
> The recovered file has multiple examples like the above example, delimited by commas.
>
> QUESTION: Is the recovered content email messages or text messages?

If you go to the area on the disk that it's sitting in, what other text/code precedes these messages?
Do you have some more flags/values, or a preamble to it, which might narrow it down?

 
Posted : 14/08/2018 5:16 pm