±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 3 Overall: 36209
New Yesterday: 7 Visitors: 172

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Windows 8.1 - LiveComm

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Chris55728
Senior Member
 

Windows 8.1 - LiveComm

Post Posted: Feb 24, 16 17:00

I have a Windows 8.1 Pro desktop which contains indecent material.

This indecent material is located 4 different sub-directories under the following directory structure:

\Users\<username>\AppData\Local\Packages\microsoft.windowscommunicationapps.8wekyb3d8bbwe\LocalState\LiveComm\<16 char alpha numeric>\nnnnnn-nnn\Att

In these 4 different sub-directories, I have multiple copies of the same .zip file. For example; Photo.zip, Photo (1).zip, Photo (2).zip, etc. all the same size and same hash value but with different creation dates spread across a number of dates. The creation, last accessed, last written and entry modified dates and times are identical per file.

From checking on Google, it would appear that the folder structure I'm looking at is all to do with the 'Communication App' which includes the user's email, chat clients, social networking, etc., anything that allows the user to interact with another person.

I'd like to be able to find out where these .ZIP files came from and why there are multiple copies present.

I've looked at the associated 'livecomm.edb' file (using ESEDatabaseView from NirSoft) and this does seem to confirm what Google returned is as much as the 'Account' table shows multiple communication apps for my suspect.

The 'Contact' table appears to show all the contacts - only names, no email addresses in my case.

The 'MailAttachment' table appears to show files that have been sent or received (it's not clear which) but there are no .zip files amongst the files listed.

The 'Relevance' table appears to hold a list of email addresses - presumably contact email addresses.

There's a 'Person' table that loads over 1.3 million records and then causes the software to crash so I'm not sure whether this holds anything evidential.

There's also the standard Windows 'UserTiles' directory.

I suspect there's a load of cross linking going on between the tables in the 'livecomm.edb' file but I have no idea where to look.

What I need is some way to associate the folders that the .ZIP files were found in with an email address and associated email message. Has anyone else had any luck with this?

Kind regards,

Chris  
 

Page 1 of 1