Carved Email or Text Data

 
  

UnallocatedClusters
Senior Member
 

Carved Email or Text Data

Posted: Aug 14, 18 13:44

Colleagues,

I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.

Forensic Explorer recovered correspondence like the below example:

"ts":1431389818977.0,"type":1},{"read":true,"text":"How did meeting with GA go? "

* I can see that "ts":1431389818977.0 is clearly a date/time stamp

The recovered file has multiple examples like the above example, delimited by commas.

QUESTION: Is the recovered content email messages or text messages?  
 
  

nightworker
Senior Member
 

Re: Carved Email or Text Data

Posted: Aug 14, 18 13:47

This seems like Twitter time stamp data. Ts after short message.  
 
  

UnallocatedClusters
Senior Member
 

Re: Carved Email or Text Data

Posted: Aug 14, 18 13:50

Nightworker: The communication content was very sensitive in nature so it was definitely not Twitter Tweets.  
 
  

mcman
Senior Member
 

Re: Carved Email or Text Data

Posted: Aug 14, 18 16:16

- UnallocatedClusters
Nightworker: The communication content was very sensitive in nature so it was definitely not Twitter Tweets.


Twitter DMs? They are private and probably formatted in a similar way. I know it's a computer but maybe they were using the Twitter app from the MS store which tends to be completely different format than the mobile apps they make for iOS or Android...

I'll look around to see if I recognize the format in any of my data.

Jamie  
 
  

kastajamah
Senior Member
 

Re: Carved Email or Text Data

Posted: Aug 14, 18 16:19

I know this might be a basic way of looking at your issue, but have you looked to see if any email client is installed on the computer (Thunderbird, Outlook, etc)? It might give you a hint for what you are looking for.

I would also look and see if there is any web history for messaging services like Signal. I know they have a Windows program you can download and use.

Just some thoughts.  
 
  

MDCR
Senior Member
 

Re: Carved Email or Text Data

Posted: Aug 14, 18 16:48

In my limited experience with chat protocols, I know that some of them store data in JSON and email is usually stored as a whole in text with full headers and not broken up per line in JSON format. Also, text documents are rarely stored in JSON format.

Go through the drive and check for installed applications, find the most likely one and recreate and confirm this hypothesis.  
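
Added example (not part of any post in this thread, and not Forensic Explorer output): a Python sketch that pulls complete JSON records out of a carved fragment like the one quoted above and builds a UTC timeline, keeping timestamps from cut-off records instead of silently dropping them. It assumes "ts" is milliseconds since the Unix epoch; everything in the sample after the quoted fragment is constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def ts_to_utc(ts):
    # Assumption: "ts" counts milliseconds since the Unix epoch (13 digits).
    return (EPOCH + timedelta(milliseconds=int(ts))).isoformat(timespec="milliseconds")

def carve_objects(blob):
    """Return (start, end, dict) for every complete JSON object in a carved blob."""
    decoder, found, pos = json.JSONDecoder(), [], 0
    while (start := blob.find("{", pos)) != -1:
        try:
            obj, end = decoder.raw_decode(blob, start)
        except json.JSONDecodeError:
            pos = start + 1  # truncated record or not JSON: keep scanning
            continue
        found.append((start, end, obj))
        pos = end
    return found

def orphan_timestamps(blob, objects):
    """ts values that sit outside every complete object (cut-off records)."""
    covered = [(s, e) for s, e, _ in objects]
    return [float(m.group(1)) for m in re.finditer(r'"ts":(\d+(?:\.\d+)?)', blob)
            if not any(s <= m.start() < e for s, e in covered)]

# Constructed sample: the head is the fragment quoted in the thread; the
# rest is invented to show one complete record and one truncated record.
SAMPLE = ('"ts":1431389818977.0,"type":1},'
          '{"read":true,"text":"How did meeting with GA go? ",'
          '"ts":1431389905120.0,"type":1},'
          '{"read":false,"text":"constructed reply cut off by the carv')

def timeline(blob):
    objs = carve_objects(blob)
    rows = [(ts_to_utc(o["ts"]), o.get("text")) for _, _, o in objs if "ts" in o]
    rows += [(ts_to_utc(t), None) for t in orphan_timestamps(blob, objs)]
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    for when, text in timeline(SAMPLE):
        print(when, text if text is not None else "<text not recovered>")
```

Under the epoch-milliseconds assumption the quoted value 1431389818977.0 decodes to 2015-05-12 00:16:58.977 UTC. In the quoted fragment that "ts" closes the preceding record, so it dates a message whose text was not carved, not the "How did meeting with GA go?" text that follows it.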
 
  

Rich2005
Senior Member
 

Re: Carved Email or Text Data

Posted: Aug 14, 18 17:16

- UnallocatedClusters
Colleagues,

I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.

Forensic Explorer recovered correspondence like the below example:

"ts":1431389818977.0,"type":1},{"read":true,"text":"How did meeting with GA go? "

* I can see that "ts":1431389818977.0 is clearly a date/time stamp

The recovered file has multiple examples like the above example, delimited by commas.

QUESTION: Is the recovered content email messages or text messages?


If you go to the area on the disk that it's sitting in; What other text/code precedes these messages?
Do you have some more flags/values, or a preamble to it, which might narrow it down?  
 
