Forensic Artifacts for PayPal Transactions

6 Posts
6 Users
Posts: 1
New Member
Topic starter

I am trying to identify a PayPal account name and hopefully details of a transaction.

I have been using EnCase Version 6 and IEF and have so far found artifacts that would suggest PayPal use but not a lot else.

If anyone has any specific details of where I can look for artifacts, or something I can use to identify an account, that would be really helpful.


Posted : 24/10/2013 6:54 pm
Posts: 177
Estimable Member

As with any web page, visit the page yourself and look at the source. How does it display the logged in user ID? Can you create a search term from that? (Hint yes).

How does it do authentication? Is there a specific auth servername, or perhaps something in the URL or some post data that could be used to search?

Posted : 24/10/2013 7:18 pm
Posts: 210
Estimable Member

How about webpages in cache folders?

URL strings for paypal *MAY* contain either the actual username or an ID or some help. Like Xennith said… test it out and see what the different URLs show in your browser

Did you look for an email receipt or transaction email from PayPal sent to an email account that is on the drive?

Good luck!

Posted : 24/10/2013 10:30 pm
Posts: 169
Estimable Member

I know of three ways of determining PayPal ID on a given computer.

1. Analyze cookies (if the user set the "This is my private computer" check box)
2. Check Windows Registry (Internet Explorer) or SQLite databases (Mozilla, Chrome etc.) for cached account IDs
3. Analyze email receipts sent by PayPal

In addition, if you have access to the user's eBay account, that one may have a PayPal ID linked.

Posted : 28/10/2013 2:22 pm
Posts: 1442
Noble Member


PayPal sends, by default, copious amounts of e-mail on various transactions.

Posted : 28/10/2013 10:37 pm
Posts: 4
New Member

The best answer in this thread so far is the one advising you to check the PayPal website.

Go to the PayPal website, create an account and see what unique identifiers exist for each of the types of pages you are looking for. Once you've identified what marker will lead you to the PayPal username, your best next step is to search for a fragment of the page.

PayPal switches to https by default when you are logged in, so web page history may not exist within the webcache; instead, focus on the pagefile and hiberfil with searches to find fragments of these files. Once you do find the PayPal ID, and possibly the email associated with it, do a separate search of the same location for webmail artifacts of the emailed receipt for the transactions.

IEF does a great job with webpage reconstruction and webmail recovery, but if the fragment is only partial or the format of the JSON changed after the latest IEF release, you are back to manual searching and carving.

Posted : 30/10/2013 1:46 am
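The two replies above (the three-way list of cookies, cached IDs and e-mail receipts, and the advice to search pagefile/hiberfil for page fragments when the tool's parser no longer fits) both come down to keyword carving near a known marker. The script below is an added example and is not code from this thread, from EnCase or from IEF. It assumes (hypothetically) that the account e-mail sits within a short distance of a "paypal" marker, either as plain ASCII/UTF-8 (page source, a truncated JSON fragment, a receipt) or as a Windows UTF-16LE wide string, and it uses a constructed sample dump rather than real evidence.

```python
"""Carve candidate PayPal account identifiers from a raw dump (pagefile,
hiberfil, unallocated space) by looking for e-mail addresses near a
'paypal' marker in both ASCII and UTF-16LE encodings.

Added example, not code from the forum thread or any tool it names.
Assumptions are hypothetical: the marker and the address are within
WINDOW bytes of each other; the sample dump is constructed.
"""
import re
from dataclasses import dataclass

WINDOW = 128  # context bytes either side of a marker; even, to keep UTF-16 alignment
EMAIL_BYTES = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EMAIL_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MARKER_ASCII = re.compile(rb"paypal", re.IGNORECASE)
# Same marker as Windows wide string: b"p\x00a\x00y\x00p\x00a\x00l\x00"
MARKER_U16 = re.compile(re.escape("paypal".encode("utf-16-le")), re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    offset: int     # byte offset of the e-mail address in the dump
    encoding: str   # "ascii" or "utf-16le"
    email: str
    context: str    # printable rendering of the surrounding bytes


def _printable(text: str) -> str:
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)


def carve_paypal_hits(data: bytes, window: int = WINDOW) -> list[Hit]:
    """Return e-mail addresses found within `window` bytes of a marker."""
    hits: dict[int, Hit] = {}

    # Pass 1: ASCII/UTF-8 view (HTML, JSON, receipts). A regex still works
    # when the fragment is truncated and would not parse as JSON.
    for m in MARKER_ASCII.finditer(data):
        lo, hi = max(0, m.start() - window), min(len(data), m.end() + window)
        chunk = data[lo:hi]
        for em in EMAIL_BYTES.finditer(chunk):
            off = lo + em.start()
            hits.setdefault(off, Hit(off, "ascii", em.group().decode("ascii"),
                                     _printable(chunk.decode("latin-1"))))

    # Pass 2: UTF-16LE view (wide strings paged out of browser memory).
    for m in MARKER_U16.finditer(data):
        lo = m.start() - window
        if lo < 0:
            lo = m.start() % 2  # stay on the marker's 2-byte alignment
        hi = min(len(data), m.end() + window)
        chunk = data[lo:hi]
        text = chunk.decode("utf-16-le", errors="ignore")  # tolerates odd tail
        for em in EMAIL_TEXT.finditer(text):
            email = em.group()
            idx = chunk.find(email.encode("utf-16-le"))  # exact byte position
            if idx < 0:
                continue  # decoder dropped bytes inside the match; skip
            off = lo + idx
            hits.setdefault(off, Hit(off, "utf-16le", email, _printable(text)))

    return sorted(hits.values(), key=lambda h: h.offset)


# Constructed sample "dump": a truncated JSON fragment (ASCII), a wide string
# (UTF-16LE), and an unrelated address far from any marker (must not be hit).
SAMPLE_DUMP = (
    b"\x00" * 40
    + b'{"accountEmail":"sample.buyer@example.com","source":"paypal","amount":"12.'
    + b"\x00" * 20
    + "Welcome back to PayPal, seller.demo@example.org".encode("utf-16-le")
    + b"\x00" * 400
    + b"no marker near unrelated.person@example.net"
)

if __name__ == "__main__":
    for h in carve_paypal_hits(SAMPLE_DUMP):
        print(f"0x{h.offset:08x} {h.encoding:8s} {h.email}")
        print(f"    {h.context}")
```

Run against a real pagefile or hiberfil by reading the file into `data` (or memory-mapping it and passing slices); the marker string and the regex are the parts to swap once you have inspected the live page source as the earlier replies suggest, since the identifier you are after may be a field name or account ID rather than an e-mail address.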