A colleague is looking for the best way to line up Yahoo! Instant Message chats (archived) with images used in either Photo Sharing or Flickr during the IM into a time frame. The messages should be easy as far as dates and times go. However, I am not sure about Photo Sharing and Flickr artifacts related to the image file name and dates and times.
I plan on doing some tests with Photo Sharing and Flickr, but I'm hoping someone has dealt with this same issue before.
Maybe mounting the forensic image into a virtual machine will show the chat and display the photo sharing?
Thank you,
Chris Currier
I worked on a case this last semester and needed to do the same thing.
Here are the basics of what I did:
First, check the "date created" property of each photoshare folder. This will allow you to match it up to a chat based on the chat's date created property.
Next, check the folder for photos. Each file will be a long string of letters and numbers ending with either _m or _t. If you only have the _m file, that means the photo was received by the local user. If you have two files with the same name, except one ends in _m and the other ends in _t, that means the file was sent by the local user. This distinction is very important.
I'm not sure what exactly you need from Flickr; however, you can subpoena them for user account information and creation times.
PM me if you have any questions. I had this great paper on Yahoo Messenger forensics at some point, but now I can't find it. If you'd like a copy, I'll need to contact the detective I worked with and get it from him.
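The two checks described in the reply above, sketched as an added example that is not part of the original post or any tool it mentions. It assumes the file names and creation timestamps have already been exported from the forensic image; the folder names, chat names, hex-style file names, and the 30-minute matching tolerance are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePath

def classify_photos(filenames):
    """Apply the _m/_t rule: _m only = received, _m and _t pair = sent."""
    tags_by_base = defaultdict(set)
    for name in filenames:
        stem = PurePath(name).stem          # assumption: ignore any extension
        base, sep, tag = stem.rpartition("_")
        if sep and tag in ("m", "t"):
            tags_by_base[base].add(tag)
    result = {}
    for base, tags in tags_by_base.items():
        if tags == {"m", "t"}:
            result[base] = "sent"           # local user sent the photo
        elif tags == {"m"}:
            result[base] = "received"       # local user received the photo
        else:
            result[base] = "unknown"        # _t alone: not covered by the rule
    return result

def match_folders_to_chats(folders, chats, tolerance=timedelta(minutes=30)):
    """Pair each photoshare folder with the chat created nearest in time."""
    matches = {}
    for folder, created in folders.items():
        best = min(chats, key=lambda c: abs(chats[c] - created), default=None)
        near = best is not None and abs(chats[best] - created) <= tolerance
        matches[folder] = best if near else None   # None = review manually
    return matches

# Constructed sample data (not from a real case)
FILES = ["9f3a7c21d4e8_m", "9f3a7c21d4e8_t", "b07e55aa19c2_m"]
FOLDERS = {"photoshare_0001": datetime(2009, 5, 12, 14, 3, 10),
           "photoshare_0002": datetime(2009, 6, 1, 8, 0, 0)}
CHATS = {"chat_A.dat": datetime(2009, 5, 12, 14, 1, 45),
         "chat_B.dat": datetime(2009, 5, 13, 9, 30, 0)}

if __name__ == "__main__":
    for base, direction in classify_photos(FILES).items():
        print(f"{base}: {direction}")
    for folder, chat in match_folders_to_chats(FOLDERS, CHATS).items():
        print(f"{folder} -> {chat}")
```

Keep all timestamps in one time zone before comparing, and treat a `None` match as a folder to correlate by hand rather than as evidence that no chat occurred.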
Alex,
Thank you for the response. I appreciate the help and passed it along.
Thank you,
Chris