Join Us!

Notifications
Clear all

e-mail &IM's  

  RSS
Jim48
(@jim48)
New Member

This is out of my field Iam a system builder and fix break tech.So this forensic stuff is pretty much new to me.I had a customer ask me if it were possible to get his wife's email and any IM's she has had.I couldnt realy answer him because I dont know for sure,this group seems to have the experts on this matter.Thanks

Quote
Posted : 16/02/2005 5:41 pm
AndyFox
(@andyfox)
Junior Member

Hi Jim

Yes it is possible to extract emails from the hard drive of a PC / Digital Media, a fairly routine task for someone with the right software (like us) and tools. Tracing email from an ISP can be very difficult as email addresses can be set up from anywhere and anonymously, not impossible but in some cases not worthwhile due to expense vs result.

Can you also calissfy what you mean by IM's. If you want to talk further about this then get in touch with me.

ReplyQuote
Posted : 17/02/2005 8:56 am
keydet89
(@keydet89)
Community Legend

Jim,

Yes, it is possible to extract emails from a system, if they are saved to that system.

Regarding IM, it depends…some IM clients don't save logs of the conversations. Versions of Trillian that I've used in the past did save logs of conversations, whereas AOL's client does not…it requires an add-on to do so.

I'm still trying to figure out the Yahoo Messenger…I've been told that it does log conversations, but the folks who have told me that haven't been able to tell me where, and in what files. I haven't had a case yet that dealt directly with them.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

ReplyQuote
Posted : 17/02/2005 12:41 pm
gmarshall139
(@gmarshall139)
Active Member

I'm still trying to figure out the Yahoo Messenger…I've been told that it does log conversations, but the folks who have told me that haven't been able to tell me where, and in what files. I haven't had a case yet that dealt directly with them.

Yahoo messenger logs chats in the "C:\Program Files\Yahoo\Messenger\Profiles\Yahoo username\Archive\Messages" directory if the user chooses to archive them. They are stored as .dat files with the file name being the username of the person chatted with. The default setting is not to archive so you wont always have them.

There are some automated tools now to decode them, and a script for encase. But a fairly simple method is to create your own yahoo messenger account from a clean install of the software. Make your account name double what the user's in question is (ex. if they are using "roscoe" make yours "roscoeroscoe"). Move the .dat files over onto your system in the same place, sign onto yahoo messenger using your new account and use the "view archived messages" command under the menu to display the messages.

I would tell your friend if the information is that important he should hire someone to get it. Equally important is that they have legal standing to do so. Even if two people share a computer they can have an expectation of privacy in the data, just by virtue of having seperate user accounts. I try to make sure that whenever I do an analysis, particularly in domestic cases, that the appropriate court orders have been filed. Otherwise the information will ultimately be useless, stricken by the courts.

I would appreciate any comments on my last paragraph particularly. Most of my experience is on the criminal end, and the domestic stuff is relatively new to me. I have been asked to look at a system that the soon to be ex wife has had possession of but still has the husbands user files on it from over a year ago. Any thoughts on this one?

ReplyQuote
Posted : 17/02/2005 1:51 pm
 Anonymous

same goes for icq, i know that it is saved to the uin number with a .dat extention. there are several readers floating around which can dump it into a presentable format which can be exported to html etc.

I'm still trying to figure out the Yahoo Messenger…I've been told that it does log conversations, but the folks who have told me that haven't been able to tell me where, and in what files. I haven't had a case yet that dealt directly with them.

Yahoo messenger logs chats in the "C:\Program Files\Yahoo\Messenger\Profiles\Yahoo username\Archive\Messages" directory if the user chooses to archive them. They are stored as .dat files with the file name being the username of the person chatted with. The default setting is not to archive so you wont always have them.

There are some automated tools now to decode them, and a script for encase. But a fairly simple method is to create your own yahoo messenger account from a clean install of the software. Make your account name double what the user's in question is (ex. if they are using "roscoe" make yours "roscoeroscoe"). Move the .dat files over onto your system in the same place, sign onto yahoo messenger using your new account and use the "view archived messages" command under the menu to display the messages.

I would tell your friend if the information is that important he should hire someone to get it. Equally important is that they have legal standing to do so. Even if two people share a computer they can have an expectation of privacy in the data, just by virtue of having seperate user accounts. I try to make sure that whenever I do an analysis, particularly in domestic cases, that the appropriate court orders have been filed. Otherwise the information will ultimately be useless, stricken by the courts.

I would appreciate any comments on my last paragraph particularly. Most of my experience is on the criminal end, and the domestic stuff is relatively new to me. I have been asked to look at a system that the soon to be ex wife has had possession of but still has the husbands user files on it from over a year ago. Any thoughts on this one?

ReplyQuote
Posted : 17/02/2005 8:07 pm
pvissers
(@pvissers)
New Member

Greg:

You are perfectly right about your concerns regarding the privacy-expectations (and rights!) of users on a multi-user system, no matter if it's a home system or a criminal system. In this regard, keep in mind that even over Win98, with its very poor authentication and no discretionary access controls whatsoever, cases could be lost (or won, depending on the question 😉 ) if someone 'peeks' into another user's files.

What is *really* important in Holland is the legal status of the one (be it an office or an investigator) who does the research. Over here, apart from the government, only licensed private investigators working for an accredited private investigation bureau may conduct such research. If research in another person's files is conducted by a 'civilian', you will have a tough case, if any, to win.

So for the case of the instant messages and the mail: I totally agree with you to hire a bureau for the investigation. If the husband conducts the research himself, he could not win the case.

To get to your question.. over here it's like this: if the wife is the legal owner of the machine, she could ask a PI to conduct the investigation without problems. Or is it a more difficult situation?

ReplyQuote
Posted : 18/02/2005 10:24 am
gmarshall139
(@gmarshall139)
Active Member

We have no requirement in the US, or in any state that I'm aware of, that an examiner be licensed in any manner. However, in any contested matter the qualifications of the examiner will come into question. That's why I suggested that they hire a professional.

ReplyQuote
Posted : 18/02/2005 1:21 pm
Jamie
(@jamie)
Community Legend

Mijnheer Vissers,

Lange tijd niet gesproken…welkom op de Forensic Focus forums (and despite that, my Dutch hasn't really improved since the last time we spoke!)

mvg

Jamie

ReplyQuote
Posted : 21/02/2005 9:29 pm
pvissers
(@pvissers)
New Member

Hi Jamie!

Thank you very much! Let me introduce myself for the others: I work as a private digital investigator / security consultant / practical trainer for Fox-IT in Holland. And between us… Jamie's dutch is pretty good 😉

Regards,

ReplyQuote
Posted : 22/02/2005 2:42 pm
akaplan0qw9
(@akaplan0qw9)
Member

Greg,

I try to make sure that whenever I do an analysis, particularly in domestic cases, that the appropriate court orders have been filed. Otherwise the information will ultimately be useless, stricken by the courts.

I would not argue with you about having to walk on eggs to preserve admissability. However, it is very important to avoid being detered from obtaining or acting upon information that has probative value, just because doing so will render it inadmissable.

In many states such as NV we have "no fault" divorce laws. Although some lawyers are skillful enough to bring "adultery" into their arguments, the word, "Adultery" is not to be found in the statutes. In most instances divorces are filed on the basis of "incompatibility". Don't quote me, but the other two causes of action are "Desertion" and "Insanity".

So, evidence of adultery found on a computer or anyplace else would never have to pass any sort of an admissibility test here. The question then becomes one of probative value. In this instance that is strictly up to the client. In fact, no real legal test has to be made and no rigid criteria has to be met. It is all up to the injured party.

Of course anyone can sue anyone for anything, so I will never claim that our approach renders us bulletproof. However, whether we are talking about the installation of GPS devices on a family or company vehicle or the examination of a home or office Hard Drive, we use the same general test. The client has to be the "owner in posession" and that individual has to consciously give us access.

As I say, I am not so arrogant or naive to say that I am bulletproof, but I am not particularly worried.

Of course you must be careful not to commit a crime even if admissability is not an issue. As a PI, I have found that many clients don't really care how they use you, as long as they get their information. We frequently, get wives wanting us to accompany them to their husband's office in the dead of night to access a computer. A few questions soon reveal that they are trying to use us for a warrantless black bag sneak and peek. Those are easy to spot and easy to avoid.

I learned that lesson more than 70 years ago when I was 6 years old. Some pretty little 4 year old neighbor girl convinced me that a car parked on the street belonged to her Dad and that if we could get into it we could listen to the radio. That was a big deal in those depression days. My family did not own a car and I don't recall even knowing anyone who owned a car. In spite of that, I believed her and set about trying to pick the door locks with match sticks we found on the street. In due course it was clear that we had failed. What I failed to grasp was the fact that the owner would not be able to get his key into the lock. That evening I went out on the street to see a group of angry looking strangers at the car. One of the "Innocent Bystanders" was that 4 year old trouble maker. I can still remember running down the street after she pointed at me and said, "There he is!"

ReplyQuote
Posted : 02/03/2005 3:59 am
andy1500mac
(@andy1500mac)
Member

Hi Al,

Since joining the forum a few months back I have scratched my head a few times, frowned a couple and rolled my eyes on occasion….I can now say I’ve also chuckled out loud. Good story…

Andrew

PS-I have also been humbled by the knowledge and insight provided by the members who post…can't forget that!

ReplyQuote
Posted : 02/03/2005 12:25 pm
akaplan0qw9
(@akaplan0qw9)
Member

I have also been humbled by the knowledge and insight provided by the members who post…can't forget that!

Dear Andrew,

You are sooo right! This is really a fine forum.

ReplyQuote
Posted : 02/03/2005 8:57 pm
Jamie
(@jamie)
Community Legend

That's very good to hear!

I couldn't agree more with Andrew too, we're really very fortunate to have so many members who are willing to share their experiences. A big thank you to them all is certainly due.

Cheers,

Jamie

ReplyQuote
Posted : 05/03/2005 2:57 pm
Share: