YIM Photo Sharing / Flickr

nlpd120
(@nlpd120)
Posts: 96
Trusted Member
Topic starter
 

A colleague is looking for the best way to line up Yahoo! Instant Message chats (archived) with images used in either Photo Sharing or Flickr during the IM into a time frame. The messages should be easy as far as dates and times go. However, I am not sure about Photo Sharing and Flickr artifacts related to the image file name and dates and times.

I plan on doing some tests with Photo Sharing and Flickr, but I'm hoping someone has dealt with this same issue before.

Maybe mounting the forensic image into a virtual machine will show the chat and display the photo sharing?

Thank you,

Chris Currier

 
Posted : 04/08/2010 2:51 am
(@agbarnet)
Posts: 75
Trusted Member
 

I worked on a case this last semester and needed to do the same thing.

Here are the basics of what I did:
First, check the "date created" property of each photoshare folder. This will allow you to match it up to a chat based on the chat's date created property.

Next, check the folder for photos. Each file will be a long string of letters and numbers ending with either _m or _t. If you only have the _m file, that means the photo was received by the local user. If you have two files with the same name, except one ends in _m and the other ends in _t, that means the file was sent by the local user. This distinction is very important.

I'm not sure what exactly you need from Flickr; however, you can subpoena them for user account information and creation times.

PM me if you have any questions. I had this great paper on Yahoo messenger forensics at some point, but now I can't find it. If you'd like a copy, I'll need to contact the detective I worked with and get it from him.

 
Posted : 04/08/2010 4:37 am
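
The two steps described in the reply above, as an added example that is not part of the original post or any tool named in it: the `_m`/`_t` rule applied to the file names in a photo-share folder, and the folder's creation time paired with a chat. Assumptions: any file extension is ignored, a folder is paired with the chat whose creation time is nearest, and all names and timestamps in the sample are constructed.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

def classify_photos(filenames):
    """Apply the _m/_t rule from the post to a list of file names."""
    seen = defaultdict(set)
    for name in filenames:
        stem, _ext = os.path.splitext(name)        # assumption: ignore any extension
        base, sep, suffix = stem.rpartition("_")
        if sep and suffix in ("m", "t"):
            seen[base].add(suffix)
        else:
            seen[stem].add("other")                # not a photo-share style name
    verdicts = {}
    for base, suffixes in seen.items():
        if suffixes == {"m", "t"}:
            verdicts[base] = "sent"                # both _m and _t present
        elif suffixes == {"m"}:
            verdicts[base] = "received"            # _m only
        else:
            verdicts[base] = "unclassified"        # a case the post does not cover
    return verdicts

def nearest_chat(folder_created, chats):
    """Return the label of the chat created closest in time to the folder.
    chats is a list of (label, datetime); nearest-time pairing is an assumption."""
    return min(chats, key=lambda c: abs(c[1] - folder_created))[0]

def folder_report(path):
    """Creation time and verdicts for one photo-share folder.
    st_ctime is the creation time on Windows only; on other systems take the
    creation timestamp from the forensic tool instead."""
    created = datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)
    return created, classify_photos(os.listdir(path))

if __name__ == "__main__":
    # Constructed sample data, not from a real case.
    names = ["a1b2c3d4_m", "a1b2c3d4_t", "ffee0011_m", "Thumbs.db"]
    chats = [("chat_0900", datetime(2010, 8, 3, 9, 0, tzinfo=timezone.utc)),
             ("chat_1430", datetime(2010, 8, 3, 14, 30, tzinfo=timezone.utc))]
    folder_created = datetime(2010, 8, 3, 14, 31, tzinfo=timezone.utc)
    print(classify_photos(names))
    print(nearest_chat(folder_created, chats))
```

Run it against a working copy or a read-only mount of the image, since opening folders on the original evidence can alter timestamps.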
nlpd120
(@nlpd120)
Posts: 96
Trusted Member
Topic starter
 

Alex,

Thank you for the response. I appreciate the help and passed it along.

Thank you,

Chris

 
Posted : 04/08/2010 6:27 pm