I am using FTK3. I am hoping someone has a decent regex they would share for automating the search for yahoo data in un/allocated space.
Thanks!
–Bruce D. Meyer
Yahoo messenger chat or yahoo mail?
I have both, but chat is hard to create a regex for because the first 4 bytes are a timestamp, so I scripted it.
Chat mainly. If you don't mind sharing the mail also, I'll add it onto my list. I have a few of my own I don't mind posting here for others to look at, if that is appropriate.
At home atm, can it wait until after the rapture?
For chat you are looking for a structure that goes:
4 bytes - timestamp
4 bytes - 06 00 00 00 - magic number
4 bytes - 01 00 00 00 (received message) or 00 00 00 00 (sent message)
4 bytes - length of data segment
<data segment>
4 bytes - 00 00 00 00
Because the chat is XORed with the user name, it's hard to pick it up, and because the first 4 bytes are a timestamp, the only way you could create a search term that doesn't get you thousands of false positives is to get the unix time you are interested in, and search for the higher order two bytes, plus the magic numbers above...
I tried this and realised it was an unworkable solution, so I scripted it with enscript to parse the structure out completely, based on a timestamp range and the structure aligning perfectly with that template, right up to the null terminator. As you're an FTK user, my script would be of no use to you at all.
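Here is the same idea as a stand-alone parser rather than a search term, written in Python so it is not tied to EnCase or FTK. This is an added example, not code from the thread or from either vendor. It walks a byte buffer (an exported unallocated-space blob, for instance), finds every occurrence of the 06 00 00 00 magic, and only accepts a hit when the timestamp before it falls in the requested range and the direction, length and 00 00 00 00 terminator line up exactly as the structure above describes. The fields are assumed to be little-endian 32-bit integers, and the XOR with the user name is assumed to be a repeating-key XOR; both are assumptions, as is the sample buffer, which is constructed in the script with a made-up user name so it runs offline.

```python
import struct

# Yahoo Messenger chat record layout as described in the thread.
# Endianness (little-endian) and repeating-key XOR are assumptions.
#   4 bytes  Unix timestamp
#   4 bytes  06 00 00 00            magic number
#   4 bytes  01 00 00 00 = received, 00 00 00 00 = sent
#   4 bytes  length of data segment
#   <data segment>                  XORed with the Yahoo user name
#   4 bytes  00 00 00 00            terminator
MAGIC = b"\x06\x00\x00\x00"
TERMINATOR = b"\x00\x00\x00\x00"
HEADER_LEN = 16


def xor_with_username(data: bytes, username: str) -> bytes:
    """Repeating-key XOR with the user name; symmetric, so it also decodes."""
    key = username.encode("ascii")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_record(timestamp: int, received: bool, text: str, username: str) -> bytes:
    """Build one record in the layout above (used here only to construct sample data)."""
    body = xor_with_username(text.encode("utf-8"), username)
    return (struct.pack("<I", timestamp) + MAGIC
            + struct.pack("<I", 1 if received else 0)
            + struct.pack("<I", len(body)) + body + TERMINATOR)


def carve_records(buf: bytes, username: str, ts_min: int, ts_max: int, max_len: int = 4096):
    """Find records whose timestamp is in [ts_min, ts_max] and whose whole
    structure validates, including the trailing null terminator."""
    hits = []
    pos = buf.find(MAGIC, 4)          # start at 4 so a timestamp can precede the magic
    while pos != -1:
        start = pos - 4
        ts = struct.unpack_from("<I", buf, start)[0]
        if ts_min <= ts <= ts_max and pos + 12 <= len(buf):
            direction, length = struct.unpack_from("<II", buf, pos + 4)
            data_start = start + HEADER_LEN
            data_end = data_start + length
            # Reject anything that does not match the template end to end.
            if (direction in (0, 1) and 0 < length <= max_len
                    and buf[data_end:data_end + 4] == TERMINATOR):
                hits.append({
                    "offset": start,
                    "timestamp": ts,
                    "direction": "received" if direction else "sent",
                    "text": xor_with_username(buf[data_start:data_end], username)
                            .decode("utf-8", "replace"),
                })
        pos = buf.find(MAGIC, pos + 1)
    return hits


# Constructed sample: junk bytes around three records, one outside the range of interest.
USERNAME = "sample_user"   # made-up Yahoo ID used as the XOR key
SAMPLE = (b"\xde\xad\xbe\xef" * 5
          + build_record(1306000000, True, "hello from the other side", USERNAME)
          + b"\x00" * 7
          + build_record(1306000042, False, "hi there", USERNAME)
          + b"\xff" * 9
          + build_record(1200000000, True, "too old to be interesting", USERNAME))

if __name__ == "__main__":
    for rec in carve_records(SAMPLE, USERNAME, 1306000000, 1306999999):
        print(f"{rec['offset']:>8}  {rec['timestamp']}  {rec['direction']:<8}  {rec['text']}")
```

On real data the user name is the XOR key, so the same buffer must be re-run once per Yahoo ID present on the box; a record that decodes to garbage under one name and to readable text under another is a good sanity check that the key is right.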
I certainly appreciate your willingness to assist though.
We have considered re-evaluating EnCase. Our previous experience with it about 3 years ago wasn't real fun, as it seemed to crash constantly. I saw similar problems with FTK while still in 32 bit mode. Once we switched to a 64 bit OS with lots of RAM, I can't recall the last time FTK crashed. Presumably EnCase is just as stable now? It would be nice to take advantage of the ability to write perl scripts instead of only regexes.
Thanks again.
–Bruce
Greetings,
EnCase V7 is coming out right now. It appears to be a major improvement over V6 and is worth a look. I'll be updating my V6 license soon.
You can't drive EnCase with perl, only EnScript. And EnScript is definitely unique.
_David
"Unique" is a very polite way of describing it.
I'd consider running EnCase alongside FTK rather than replacing it, to be honest; both products have things to recommend them over the other.