Does anyone have a decent regex to share for yahoo data?

7 Posts
3 Users
0 Likes
325 Views
(@bdmeyer)
Posts: 36
Eminent Member
Topic starter
 

I am using FTK3. I am hoping someone has a decent regex they would share for automating the search for yahoo data in un/allocated space.

Thanks!
–Bruce D. Meyer

 
Posted : 20/05/2011 8:23 pm
(@xennith)
Posts: 177
Estimable Member
 

Yahoo messenger chat or yahoo mail?

I have both, but chat is hard to create a regex for because the first 4 bytes are a timestamp, so I scripted it.

 
Posted : 20/05/2011 10:39 pm
(@bdmeyer)
Posts: 36
Eminent Member
Topic starter
 

Chat mainly. If you don't mind sharing the mail also, I'll add it onto my list. I have a few of my own I don't mind posting here for others to look at, if that is appropriate.

 
Posted : 20/05/2011 11:13 pm
(@xennith)
Posts: 177
Estimable Member
 

At home atm, can it wait until after the rapture?

For chat you are looking for a structure that goes

4 bytes - timestamp
4 bytes 06 00 00 00 - magic number
4 bytes 01 00 00 00 (received message) or 00 00 00 00 (sent message)
4 bytes - length of data segment
<data segment>
4 bytes 00 00 00 00

Because the chat is XORed with the user name, it's hard to pick up. Because the first 4 bytes are a timestamp, the only way you could create a search term that doesn't get you thousands of false positives is to get the Unix time you are interested in and search for the higher-order two bytes, plus the magic numbers above….

I tried this and realised it was an unworkable solution, so I scripted it with enscript to parse the structure out completely, based on a timestamp range and the structure aligning perfectly with that template, right up to the null terminator. As you're an FTK user, my script would be of no use to you at all.

 
Posted : 20/05/2011 11:30 pm
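The record layout above (timestamp, 06 00 00 00, direction, length, XORed data, null trailer) is enough to carve these messages with a small script rather than a regex. The following is an added example, not code from the thread or from any of the tools discussed; it assumes little-endian fields, that the XOR key is the local account name repeated over the data, and uses constructed sample bytes (the `build_record` fixture and the blob in `demo()` are made up here) rather than anything captured from a real archive.

```python
"""Carve Yahoo Messenger chat records of the layout described in the
thread from a raw byte blob (e.g. unallocated space exported from a
forensic image). Little-endian fields and the local account name as a
repeating XOR key are assumptions, not stated on the page."""
import struct
from datetime import datetime, timezone

MAGIC = b"\x06\x00\x00\x00"        # 4-byte magic following the timestamp
TRAILER = b"\x00\x00\x00\x00"      # 4 null bytes closing each record
HEADER_LEN = 16                    # timestamp + magic + direction + length
DIRECTION = {0: "sent", 1: "received"}


def xor_with_username(data: bytes, username: str) -> bytes:
    """XOR data against the username repeated as a key (symmetric, so
    the same call both encodes and decodes)."""
    key = username.encode("ascii")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_record(ts: int, direction: int, text: str, username: str) -> bytes:
    """Constructed fixture: encode one record in the thread's layout so
    the carver can be exercised offline."""
    payload = xor_with_username(text.encode("utf-8"), username)
    return struct.pack("<IIII", ts, 6, direction, len(payload)) + payload + TRAILER


def carve_yahoo_chat(blob: bytes, username: str, ts_min: int, ts_max: int,
                     max_len: int = 4096) -> list:
    """Scan blob for the magic, then accept a hit only if the whole
    record template fits: timestamp in [ts_min, ts_max], direction 0/1,
    sane length, and the null trailer exactly where the length says.
    This is the timestamp-range plus full-template check that keeps the
    false positives down."""
    hits = []
    pos = 0
    while True:
        idx = blob.find(MAGIC, pos)
        if idx < 0:
            break
        pos = idx + 1                      # default: keep scanning byte-wise
        start = idx - 4                    # timestamp precedes the magic
        if start < 0 or start + HEADER_LEN > len(blob):
            continue
        ts, _magic, direction, length = struct.unpack_from("<IIII", blob, start)
        end = start + HEADER_LEN + length
        if not (ts_min <= ts <= ts_max):
            continue
        if direction not in DIRECTION or not (0 < length <= max_len):
            continue
        if blob[end:end + 4] != TRAILER:   # also rejects records running off the end
            continue
        text = xor_with_username(blob[start + HEADER_LEN:end], username)
        hits.append({
            "offset": start,
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "direction": DIRECTION[direction],
            "text": text.decode("utf-8", errors="replace"),
        })
        pos = end + 4                      # skip past the accepted record
    return hits


def demo() -> list:
    """Constructed sample: two real records between junk, a bare magic
    with no header, a decoy whose trailer is wrong, and a record whose
    timestamp is outside the range of interest."""
    user = "testuser"                      # hypothetical account name
    blob = (
        b"\x00\xff" * 10
        + build_record(1305930000, 0, "hi there", user)
        + b"\x06\x00\x00\x00"
        + build_record(1305930061, 1, "hello back", user)
        + struct.pack("<IIII", 1305930100, 6, 1, 4) + b"ABCD" + b"\x01\x00\x00\x00"
        + build_record(1000, 0, "too old", user)
    )
    return carve_yahoo_chat(blob, user, ts_min=1305850000, ts_max=1306000000)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Run it against an exported chunk of unallocated space by reading the file into `blob` and passing the account name the archive belongs to; without the right name the XOR step yields garbage, so the timestamp range and trailer check are what tell a real record from noise.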
(@bdmeyer)
Posts: 36
Eminent Member
Topic starter
 

I certainly appreciate your willingness to assist though.
We have considered re-evaluating EnCase. Our previous experience with it about 3 years ago wasn't much fun, as it seemed to crash constantly. I saw similar problems with FTK while still in 32-bit mode. Once we switched to a 64-bit OS with lots of RAM, I can't recall the last time FTK crashed. Presumably EnCase is just as stable now? It would be nice to take advantage of the ability to write Perl scripts instead of only regexes.
Thanks again.
–Bruce

 
Posted : 20/05/2011 11:39 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

EnCase V7 is coming out right now. It appears to be a major improvement over V6 and is worth a look. I'll be updating my V6 license soon.

You can't drive EnCase with perl, only EnScript. And EnScript is definitely unique.

_David

 
Posted : 21/05/2011 12:44 am
(@xennith)
Posts: 177
Estimable Member
 

"Unique" is a very polite way of describing it.

I'd consider running EnCase alongside FTK rather than replacing it, to be honest; both products have things to recommend them over the other.

 
Posted : 21/05/2011 1:15 am