Carved Email or Text Data  

UnallocatedClusters
(@unallocatedclusters)
Senior Member

Colleagues,

I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.

Forensic Explorer recovered correspondence like the below example

"ts"1431389818977.0,"type"1},{"read"true,"text""How did meeting with GA go? "

* I can see that "ts"1431389818977.0 is clearly a date/time stamp

The recovered file has multiple examples like the above example, delimited by commas.

QUESTION: Is the recovered content email messages or text messages?

Posted : 14/08/2018 2:44 pm
nightworker
(@nightworker)
Active Member

This seems like Twitter time stamp data. Ts after short message.

Posted : 14/08/2018 2:47 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Nightworker: The communication content was very sensitive in nature so it was definitely not Twitter Tweets.

Posted : 14/08/2018 2:50 pm
mcman
(@mcman)
Active Member

Nightworker The communication content was very sensitive in nature so it was definitely not Twitter Tweets.

Twitter DMs? They are private and probably formatted in a similar way. I know it's a computer but maybe they were using the Twitter app from the MS store which tends to be completely different format than the mobile apps they make for iOS or Android…

I'll look around to see if I recognize the format in any of my data.

Jamie

Posted : 14/08/2018 5:16 pm
kastajamah
(@kastajamah)
Member

I know this might be a basic way of looking at your issue, but have you looked to see if any email client is installed on the computer (Thunderbird, Outlook, etc)? It might give you a hint for what you are looking for.

I would also look and see if there is any web history for messaging services like Signal. I know they have a Windows program you can download and use.

Just some thoughts.

Posted : 14/08/2018 5:19 pm
MDCR
(@mdcr)
Active Member

In my limited experience with chat protocols, I know that some of them store data in JSON and email is usually stored as a whole in text with full headers and not broken up per line in JSON format. Also, text documents are rarely stored in JSON format.

Go through the drive and check for installed applications, find the most likely one and recreate and confirm this hypothesis.

Posted : 14/08/2018 5:48 pm
Rich2005
(@rich2005)
Senior Member

Colleagues,

I used Forensic Explorer v4 to carve deleted email content from a forensic image of a Windows 10 workstation.

Forensic Explorer recovered correspondence like the below example

"ts"1431389818977.0,"type"1},{"read"true,"text""How did meeting with GA go? "

* I can see that "ts"1431389818977.0 is clearly a date/time stamp

The recovered file has multiple examples like the above example, delimited by commas.

QUESTION Is the recovered content email messages or text messages?

If you go to the area on the disk that it's sitting in, what other text/code precedes these messages?
Do you have some more flags/values, or a preamble to it, which might narrow it down?

Posted : 14/08/2018 6:16 pm
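
The triage the replies point toward (treat the carved text as JSON-style chat records and decode the "ts" value), as an added example that is not part of any post in this thread. It assumes the 13-digit "ts" is Unix epoch milliseconds in UTC and that the colons missing from the posted fragment are optional; the function names and the second half of the sample are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# "key", an optional colon, then a JSON scalar. The colon is optional because
# the fragment posted in the thread shows none (assumption: lost in posting).
PAIR = re.compile(r'"(\w+)"\s*:?\s*("(?:[^"\\]|\\.)*"|true|false|null|-?\d+(?:\.\d+)?)')
EXPECTED = {"ts", "type", "read", "text"}  # keys visible in the thread's fragment

# Constructed sample: the first two pieces are the fragment quoted in the thread;
# the rest is made up to show one complete record and a truncated tail.
SAMPLE = (
    '"ts"1431389818977.0,"type"1},'
    '{"read"true,"text""How did meeting with GA go? "'
    ',"ts"1431389912345.0,"type"1},{"read"false,"te'
)

def ts_to_utc(value):
    """Assumption: a 13-digit value is Unix epoch milliseconds (UTC)."""
    ms = int(value)
    if not 10**12 <= ms < 10**13:
        return None  # not in the 13-digit range, leave undecoded
    return (EPOCH + timedelta(milliseconds=ms)).isoformat()

def carve_records(text):
    """Split on object boundaries and keep whatever key/value pairs survive."""
    records = []
    for chunk in re.split(r'\}\s*,\s*\{', text):
        rec = {}
        for key, token in PAIR.findall(chunk):
            try:
                rec[key] = json.loads(token, strict=False)
            except ValueError:
                rec[key] = token  # keep the raw token if it is not valid JSON
        if not rec:
            continue
        if isinstance(rec.get("ts"), (int, float)):
            rec["ts_utc"] = ts_to_utc(rec["ts"])
        # A carved record is only "complete" if every expected key was recovered.
        rec["complete"] = EXPECTED.issubset(rec)
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in carve_records(SAMPLE):
        print(r)
```

Records flagged as incomplete are the ones cut at a carve boundary; the surrounding sectors on the image are where the missing keys, or an application-specific preamble, would be found.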