
Paltalk - Chat room program - Chat Logs & other Artifacts??


kiashi
Senior Member
 

Paltalk - Chat room program - Chat Logs & other Artifacts??

Posted: Dec 18, 09 20:32

Hello, I have a case where there is a lot of information to suggest that the subject was using the Paltalk Messenger application. For starters it is an installed program and there are a number of URLs to the paltalk.com domain turning up in Internet History.

I am wondering if anyone has performed any analysis on this application before and whether any chat logs may be extracted from it?

There is a Paltalk folder under the user's Application Data folder. This contains four folders:
->groups
->local_banners
->overlays
->profile repository

The only one of these that appears to contain useful information is the profile repository. This seems to have profile pictures of users that they may have had contact with.

The groups folder has one folder underneath it which may be the name of a Paltalk group that the user belonged to.

I have not signed up for a Paltalk account and this seems to be the only way to access their own support forms but I was just hoping someone here would be able to offer a little insight before I go along the route of downloading software I know little about.

Thanks in advance.
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
 
  

kiashi
Senior Member
 

Re: Paltalk - Chat room program - Chat Logs & other Artifact

Posted: Jan 05, 10 21:51

Seeing as I appeared to stump everyone with this post I thought I would let you all know what I discovered.

The PC that I am analysing had Windows reinstalled on it relatively recently; however, it was not wiped previously, because I was able to carve old documents from unallocated dating back as far as 2004 (according to MS Word metadata and dates in the letters themselves).

There are also three virtual hard disks on the system which I have mounted in EnCase and am searching through now. Previous keyword searches were done in both EnCase and X-ways, although X-ways was unable to mount .vhd's natively so just searched logically as a single file.

All the chat logs I have found so far are contained within previously deleted files, for example .mp3, .vob etc. The chat logs are in plain text and appear to be in Unicode. At this stage I am unable to say exactly what file they were in to start with.

So, to the format of the chat logs themselves. All logs located so far have the following patterns (usernames do not actually have square brackets):
- User enters the chat room:
(1:53AM) *** [Username] has joined the room ***
- User leaves the chat room:
(10:09PM) *** [Username] has left the room ***
- Actual chat conversation:
(10:10PM) [Username]: Thanks for your help Bob

My strategy after finding the first fragment was then to just do a keyword search for the string ‘M) ***’ as this would at least identify all instances where a user either joined or left the chat room. It would be fairly straightforward to determine a GREP search for finding the actual chat entries but in my case it doesn’t seem worth it because some user is always entering or leaving the chat room so you will always find the actual conversations in the same place in chronological order.

I will be sure to update the thread again if I determine what type of file these chat logs are initially stored in.
 
  

CFP001
Member
 

Re: Paltalk - Chat room program - Chat Logs & other Artifacts??

Posted: Jan 06, 10 07:49

My two cents would be to sign up for a PalTalk account, run it on a "clean" VM and monitor any changes.

I like that you are diving in and sharing your experiences.

Thanks.  
 
  

kiashi
Senior Member
 

Re: Paltalk - Chat room program - Chat Logs & other Artifacts??

Posted: Jan 06, 10 20:56

Cheers CFP001, I know how frustrating it is when you search a forum and find the same question that you had but then realise that there was never a solution offered by anyone!

Update is that all these fragments I am finding are located in the Pagefile.sys of the relevant system, both host system and within each .vhd.

The chat logs are very fragmented and there is no obvious date recorded so it is only possible to tell the time of day the chat took place. I have not yet managed to confirm any other details such as chat room names from the fragments of information recorded.

With regards to signing up for PalTalk etc. for this case it does not seem to be important enough to spend the time, but that could be some research for the future.
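Added example, not part of the thread or any poster's code: a Python carver for the three line patterns described in the Jan 05 post, run over a raw buffer such as the exported Pagefile.sys mentioned in the Jan 06 post. It assumes "Unicode" means UTF-16LE and that usernames and text are in the printable ASCII range; the function names and the sample username are hypothetical.

```python
import mmap
import re

# "(h:mmAM) " as UTF-16LE bytes. The encoding is an assumption (post says "Unicode").
_TS = rb"\(\x00(?:1\x00[0-2]\x00|[1-9]\x00):\x00[0-5]\x00[0-9]\x00[AP]\x00M\x00\)\x00 \x00"
# Timestamp followed by a run of printable ASCII-range UTF-16LE characters.
_LINE = re.compile(_TS + rb"(?:[\x20-\x7e]\x00){1,400}")

_EVENT = re.compile(r"\((\d{1,2}:\d{2}[AP]M)\) \*\*\* (.+?) has (joined|left) the room \*\*\*")
# The 64-character cap on the username is an arbitrary guard, not a Paltalk limit.
_CHAT = re.compile(r"\((\d{1,2}:\d{2}[AP]M)\) ([^:]{1,64}): (.*)")


def carve(buf):
    """Return (offset, time, kind, user, text) for each chat line found in buf."""
    hits = []
    for m in _LINE.finditer(buf):
        line = m.group().decode("utf-16-le")
        ev, chat = _EVENT.match(line), _CHAT.match(line)
        if ev:
            hits.append((m.start(), ev.group(1), ev.group(3), ev.group(2), ""))
        elif chat:
            hits.append((m.start(), chat.group(1), "message", chat.group(2), chat.group(3)))
        else:  # timestamp survived but the rest of the line is cut off
            hits.append((m.start(), line[1:line.index(")")], "fragment", "", line))
    return hits


def carve_file(path):
    """Memory-map a file exported from the image (e.g. pagefile.sys) and carve it."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve(mm)


def sample():
    """Constructed buffer: junk bytes around three lines in the posted format."""
    lines = ["(1:53AM) *** ExampleUser has joined the room ***",
             "(10:10PM) ExampleUser: Thanks for your help Bob",
             "(10:09PM) *** ExampleUser has left the room ***"]
    junk = bytes(range(256))
    body = "\r\n".join(lines[:2]).encode("utf-16-le")
    # 7 filler bytes put the last line at an odd offset, as can happen in a pagefile.
    return junk + body + b"\xff" + junk[:6] + lines[2].encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    for hit in carve(sample()):
        print(hit)
```

The byte offsets let each hit be located again in the forensic tool; lines with non-ASCII usernames are cut short at the first such character and show up as fragments.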
 
