Online Messenger Forensics

(@muirner)
Posts: 65
Trusted Member
Topic starter
 

Hello Forensic Focus readers,

I’m a long-time lurker of the forums, but a first-time poster. I am doing a project on online messenger forensics. The problem is I’m having trouble coming across information pertaining to this topic. What I tend to find, even with searching Forensic Focus, is people looking for information. This leads me to believe I’m not using an adequate keyword search. The programs that I’m attempting to write about are anything that has documentation on forensic analysis. From my improper searches I believe I’ve found that Yahoo and MSN seem to be the best, most common, and easiest to investigate.

I’m reaching out to the FF community for help. Within this past week I had 2 500GB HDDs crash without apparent reason; after investigation it seems the HDD controller went bad. The problem with this is I’ve lost all of my previously researched sites, as well as information and the paper I had mostly done. I was wondering if anyone knew of a site, or a set of keywords that I could search that would help me to quickly get back to where I was. The problem is that the paper is due very soon and this isn’t the only class I lost a lot of information in and I’m struggling to play catch-up the last few weeks.

 
Posted : 12/12/2008 12:23 am
(@acarr31)
Posts: 32
Eminent Member
 

Muirner,

I don't really have a list of sites for you, but we sometimes use a program called Yahoom for decrypting Yahoo Messenger chats; the only issue with it is that you have to assign the usernames. Also I believe there is a program called AIM Log Manager by Nalsoft; I used this for a couple of projects in college. Download.com has a couple of chat log programs, but they are more for logging during a conversation rather than an after-the-fact type of forensics, but it may help to add some variety to your paper. Try using the search "chat examiner" or "chat log examiner"; it may help.

Hope this helps.

 
Posted : 12/12/2008 12:38 am
(@jeffcaplan)
Posts: 97
Trusted Member
 

Send me a PM with your e-mail address and I'll send you 3 PDFs I have on Skype log file analysis, Yahoo chat fragments in unallocated space and MSN/Live Messenger. I tried looking for links for them on the Internet, but couldn't find all 3. I originally obtained them from GSI's forums.

Jeff

 
Posted : 12/12/2008 1:15 am
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
 

Below is a link for a good resource regarding MSN Messenger / Windows Live Messenger:

http://computerforensics.parsonage.co.uk/downloads/MSNandLiveMessengerArtefactsOfConversations.pdf

This may be one of the PDFs jeffcaplan is referencing.

 
Posted : 12/12/2008 2:30 am
(@jeffcaplan)
Posts: 97
Trusted Member
 

Yup, that's one of 'em.

 
Posted : 12/12/2008 8:13 am
(@jonathan)
Posts: 878
Prominent Member
 

Hello Forensic Focus readers,

I am doing a project on online messenger forensics.

Do you mean web messenger forensics as opposed to a messenger client which you download and install?

 
Posted : 12/12/2008 2:39 pm
(@muirner)
Posts: 65
Trusted Member
Topic starter
 

Thank you for the links, everyone; you've been extremely helpful.

No, I mean the traditional download and install version. I may try to continue this into my Senior year to expand on the ones that use Java that are just a web app.

 
Posted : 13/12/2008 1:42 am
neddy
(@neddy)
Posts: 182
Estimable Member
 

You should try to find a PCB for your failed hard disks. It is possible to swap the PCB from the failed disk with a PCB from the same product batch, thereby allowing the platters to be accessed along with your data. Speak to a Data Recovery/Wholesale Hard Disk supplier and you may get a result.

 
Posted : 15/12/2008 12:42 am
(@muirner)
Posts: 65
Trusted Member
Topic starter
 

Western Digital is going to replace the drives. The thing is they are from a different "generation". The ones I have are AKS, and the new ones are AAKS drives. I'm thinking I may be able to swap the controllers on the HDD to access it.

Do you think I need to look for the exact HDD to pull the controller off of?

By the way, thank you everyone for the help you gave. I managed to write my paper and learn a good amount more about messenger forensics.

 
Posted : 15/12/2008 1:57 am
neddy
(@neddy)
Posts: 182
Estimable Member
 

Muirner,

Indeed, all you need is another disk of the same capacity that was manufactured in the same batch as your failed disk or disks. Swap the PCB and your problem should be resolved.
The important thing is that the controllers need to be from the same batch and programmed to recognise the same size of hard disk. Controllers from the next or prior batch may not do.
Data Recovery/Wholesale Hard Disk suppliers would be the place to start for more detailed and reliable information.

 
Posted : 15/12/2008 2:54 am