Carved Email or Text Data


Posted: Tue Aug 14, 2018 7:44 am

Colleagues,

I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.

Forensic Explorer recovered correspondence like the below example:

"ts":1431389818977.0,"type":1},{"read":true,"text":"How did meeting with GA go? "

* I can see that "ts":1431389818977.0 is clearly a date/time stamp

The recovered file has multiple examples like the above example, delimited by commas.

QUESTION: Is the recovered content email messages or text messages?  

UnallocatedClusters
Senior Member
 
 
  

Re: Carved Email or Text Data

Posted: Tue Aug 14, 2018 7:47 am

This seems like Twitter time stamp data. Ts after short message.

nightworker
Senior Member
 
 
  

Re: Carved Email or Text Data

Posted: Tue Aug 14, 2018 7:50 am

Nightworker: The communication content was very sensitive in nature so it was definitely not Twitter Tweets.  

UnallocatedClusters
Senior Member
 
 
  

Re: Carved Email or Text Data

Posted: Tue Aug 14, 2018 10:16 am

- UnallocatedClusters
Nightworker: The communication content was very sensitive in nature so it was definitely not Twitter Tweets.


Twitter DMs? They are private and probably formatted in a similar way. I know it's a computer but maybe they were using the Twitter app from the MS store, which tends to be a completely different format than the mobile apps they make for iOS or Android...

I'll look around to see if I recognize the format in any of my data.

Jamie  

mcman
Senior Member
 
 
  

Re: Carved Email or Text Data

Posted: Tue Aug 14, 2018 10:19 am

I know this might be a basic way of looking at your issue, but have you looked to see if any email client is installed on the computer (Thunderbird, Outlook, etc)? It might give you a hint for what you are looking for.

I would also look and see if there is any web history for messaging services like Signal. I know they have a Windows program you can download and use.

Just some thoughts.  

kastajamah
Senior Member
 
 
  

Re: Carved Email or Text Data

Posted: Tue Aug 14, 2018 10:48 am

In my limited experience with chat protocols, I know that some of them store data in JSON and email is usually stored as a whole in text with full headers and not broken up per line in JSON format. Also, text documents are rarely stored in JSON format.

Go through the drive and check for installed applications, find the most likely one and recreate and confirm this hypothesis.  

MDCR
Senior Member
 
 
  

Re: Carved Email or Text Data

Posted: Tue Aug 14, 2018 11:16 am

- UnallocatedClusters
Colleagues,

I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.

Forensic Explorer recovered correspondence like the below example:

"ts":1431389818977.0,"type":1},{"read":true,"text":"How did meeting with GA go? "

* I can see that "ts":1431389818977.0 is clearly a date/time stamp

The recovered file has multiple examples like the above example, delimited by commas.

QUESTION: Is the recovered content email messages or text messages?


If you go to the area on the disk that it's sitting in, what other text/code precedes these messages?
Do you have some more flags/values, or a preamble to it, which might narrow it down?  

Rich2005
Senior Member
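
Added example, not part of any post in this thread and not Forensic Explorer output: a Python sketch for triaging carved fragments like the one quoted above. It pulls complete JSON objects out of a carved buffer, salvages the key/value pairs of a record whose start is missing, lists the key sets seen (the "more flags/values" that help match an application), and converts `ts` on the assumption that it is milliseconds since the Unix epoch. The sample buffer is constructed from the quoted fragment plus a made-up continuation, and all function names are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the fragment quoted in the thread, followed by a made-up
# continuation (one complete object, then a record cut off mid-string).
CARVED = (
    '"ts":1431389818977.0,"type":1},'
    '{"read":true,"text":"How did meeting with GA go? ",'
    '"ts":1431389900000.0,"type":1},'
    '{"read":false,"text":"Call me'
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def ts_to_utc(ts_ms):
    """Assumption: ts counts milliseconds since the Unix epoch."""
    return EPOCH + timedelta(milliseconds=int(ts_ms))

def leading_fragment(buf):
    """Key/value pairs left over from a record whose start was overwritten."""
    end = buf.find("}")
    if end == -1 or "{" in buf[:end]:
        return {}
    try:
        return json.loads("{" + buf[: end + 1])
    except json.JSONDecodeError:
        return {}

def recover_objects(buf):
    """Return (offset, dict) for every complete JSON object in the buffer."""
    decoder, found = json.JSONDecoder(), []
    pos = buf.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(buf, pos)
        except json.JSONDecodeError:
            end = pos + 1  # truncated or not JSON: resume at the next brace
        else:
            found.append((pos, obj))
        pos = buf.find("{", end)
    return found

def key_profile(buf):
    """Sorted key sets seen across records: a fingerprint for matching an app."""
    records = [leading_fragment(buf)] + [o for _, o in recover_objects(buf)]
    return sorted({tuple(sorted(r)) for r in records if r})

if __name__ == "__main__":
    print(ts_to_utc(leading_fragment(CARVED)["ts"]).isoformat())
    for offset, obj in recover_objects(CARVED):
        print(offset, ts_to_utc(obj["ts"]).isoformat(), repr(obj["text"]))
    print(key_profile(CARVED))
```

Under the epoch-milliseconds assumption, the `ts` value quoted in the thread decodes to 2015-05-12 00:16:58.977 UTC.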
 
 
