Instant Messages and Web Mail
I am continually frustrated by my inability to recover Instant Messages and Web Mail. I understand that data that is not saved to a local hard drive can't be expected to end up on the local hard drive. However, I have heard discussions indicating that such traffic can be recovered from temporary files and printer spools.
I know from the URLs I surface that there is plenty of that type of traffic, yet I only pick up an occasional string - and that is by luck rather than design. I have no difficulty with things like Outlook and even have some degree of success with AOL. But I find myself stymied when I encounter items like MSN Messaging, Yahoo Messaging and Mail2Web.
It's hard for me to believe that a group of professionals like this does not know how to address these problems. I would be grateful for whatever guidance members care to give. Thanks!
Web mail should be easy enough to pick up; look for pages in the Temporary Internet Files like getmsg, compose, etc. Do a keyword search in the cache for @hotmail.com, @yahoo.com, etc. Many of the pages you get hits in will be webmail. HTML is usually no problem to recover from unallocated as well.
As for instant messages I have had a great deal of success, particularly with Yahoo. I believe with all the applications it is the user's choice whether or not to log those chat sessions. For whatever reason I find the chats are logged much more often in Yahoo than any other. You are looking for "filename".dat files where "filename" is the user's name the person was chatting with. These .dat files will be located under the messenger folder in program files or under the user's folder in documents and settings depending on the version. It's quickest just to sort your whole case and look through the .dat files. They are encoded so you can't just read them. There are a couple of viewers but I usually just use the following procedure.
1. Install yahoo messenger on a computer that has internet access.
2. Create an account with Yahoo that is double your subjects username. For example if his is roscoe900 make your roscoe900roscoe900.
3. Copy out the .dat files and place them on your computer in the same locations as they were on the subject computer.
4. Log on to yahoo messenger with your new account. Look for "view archived messages" under the menus, you will be able to see the contents of the .dat files.
Others will have similar copy-over procedures as well. I've got a ton of stuff on this from some NW3C classes. Their advanced data recovery - INET is really geared toward this but offered only to law enforcement and government.
I use Paraben Chat Examiner to parse chat databases. I was lucky in parsing Yahoo, ICQ and Miranda chat files.
That looks like first-rate guidance. I have been trying to get in position to try it, but other commitments get in the way. I have one desktop and one laptop. I am hitting a real bottleneck with this single desktop machine that does everything from computer forensics to paying bills. I guess I'm going to have to build a new box for the forensic work.
I had actually bought and tried both Chat Examiner and eMail Examiner before I started this thread. I had no luck with Chat Examiner, but I have not yet talked to their tech support. I experimented with putting eMail Examiner on the root directory of my own C Drive and just letting it do its thing. I was amazed to recover almost 800 full text eMails I wrote and received between 1997 and 1999. I had been using MSN in those days, but have not used them since about 1999. I didn't have the foggiest notion that that stuff was still on my HD. My C drive is about 80% used and there has been a transfer of data from a smaller HD and 3 or 4 OS installations since 1999.
You can try to use their forum. When in the forum, they are pretty fast to respond 😉 especially on problem things…
In respect of Yahoo chat - if you are law enforcement there is a utility called Yahoom available. All you do is export the Yahoo .dat file and open it with Yahoom and there you go, nicely presented for you in the correct form and easy to read.
In respect of Yahoo E-mail you need to be a little bit more pedantic. Whilst looking through the Temporary Internet Files, just looking for HTML/HTM file extensions will probably not reveal much for Yahoo. That is because it appears to fetch a lot of files onto your computer in a GZip compressed format to save time in the download and space, and extracts them on disk. These files do not have any file extension shown and so are easy to miss. What you need to do is search your Temporary Internet Files and view each individual file without a file extension in hex (EnCase shows you this anyhow), looking for the GZip header (cannot remember what it is offhand). Again, you can search for these using the file signature tool in EnCase. When you find them you need to copy them out to a location on your drive and open them using WinZip. In the course of opening them you will have the opportunity to rename them as whatever.HTM. You then extract them to your desktop and open them as an HTML file, and there you have your Yahoo E-mail sitting waiting to be read.
One other thing you may encounter doing it this way is that when you double-click the HTML file you made and it opens, you may get the white page of death saying unable to connect to server. If you do, do not worry. What you need is NavRoad 32. If you open the HTML file in NavRoad the white unable-to-connect-to-server page will not appear and the Yahoo page will, in all its glory.
Hope that helps
Thank you very much Mark! I've got to take time out to understand and try your methodology.
Quite by coincidence, earlier this afternoon, I got the following response to a similar question I posed to Access Data:
Yahoo! Instant Messenger* - FTK will now read and analyze Yahoo Messenger chat logs (.DAT). The path to the .DAT file is C:\Program Files\Yahoo!\Messenger\Profiles\SENDER_USER_NAME\Archive\Messages\RECEIVER_USER_NAME. The actual log file is named yearmonthday-SENDER_USER_NAME.dat (where the "yearmonthday" portion is the calendar date of the archived session). This .DAT file will not be generated unless one of the two parties carrying on a chat session chooses to archive sessions.
Extended AOL Support* - Several enhancements have been made to FTK which allow it to analyze additional AOL items.
AOL Email - Background and embedded messages now show as attachments to the AOL message.
AOL Buddy Lists - FTK identifies AOL buddy lists and displays information about users and groups.
AOL IM Buddy Lists - FTK now identifies AOL IM buddy lists and displays information about users and groups.
Global.org - FTK can now understand and dissect the global.org file from AOL.
Username.arl - This is an AOL file that maintains the user history. FTK can now extract and dissect this file.
Username.aut - FTK examines and extracts information in this file about the URLs that have been typed on a machine.
AOL Thumbnail Extraction - FTK will now extract thumbnails from the AOL tmb.lst files.
AOL Address Books - FTK now automatically decrypts and extracts all information from AOL username.aby address book files. It can extract and display AOL Communicator contacts as well.
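The archive layout quoted from AccessData above is regular enough to triage by script. The example below is added here and is not AccessData's or FTK's code: it parses a Yahoo Messenger archive path into sender, receiver and session date, rejects paths that do not fit the documented layout (wrong folders, a filename whose sender does not match the profile folder, an impossible date), and sorts a batch of paths into a timeline, which is the "sort your whole case and look through the .dat files" step from earlier in the thread. The username roscoe900 comes from the thread; the receiver names and the sample path list are constructed for illustration.

```python
import re
from datetime import date
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Layout quoted from AccessData's reply:
#   C:\Program Files\Yahoo!\Messenger\Profiles\SENDER\Archive\Messages\RECEIVER\yyyymmdd-SENDER.dat
_FILENAME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})-(.+)\.dat$", re.IGNORECASE)


def parse_archive_path(path: str) -> Optional[Dict]:
    """Return {'sender', 'receiver', 'date', 'path'} for a Yahoo Messenger archive log,
    or None if the path does not match the documented layout."""
    p = PureWindowsPath(path)
    parts = p.parts
    m = _FILENAME_RE.match(p.name)
    if not m:
        return None
    lowered = [x.lower() for x in parts]
    if "profiles" not in lowered:
        return None
    idx = lowered.index("profiles")
    # expect: Profiles \ SENDER \ Archive \ Messages \ RECEIVER \ file
    if len(parts) < idx + 6:
        return None
    if lowered[idx + 2] != "archive" or lowered[idx + 3] != "messages":
        return None
    sender_dir, receiver = parts[idx + 1], parts[idx + 4]
    year, month, day, sender_file = m.groups()
    if sender_file.lower() != sender_dir.lower():
        # filename and profile folder disagree: flag for manual review rather than guess
        return None
    try:
        when = date(int(year), int(month), int(day))
    except ValueError:
        return None  # e.g. month 13: not a real archive name
    return {"sender": sender_dir, "receiver": receiver, "date": when, "path": str(p)}


def timeline(paths: List[str]) -> List[Dict]:
    """Parse every path, drop the ones that do not match, and order by date then receiver."""
    found = [r for r in (parse_archive_path(x) for x in paths) if r is not None]
    return sorted(found, key=lambda r: (r["date"], r["receiver"].lower()))


# Constructed sample input (hypothetical receiver names, not real evidence).
SAMPLE_PATHS = [
    r"C:\Program Files\Yahoo!\Messenger\Profiles\roscoe900\Archive\Messages\buddy42\20040312-roscoe900.dat",
    r"C:\Program Files\Yahoo!\Messenger\Profiles\roscoe900\Archive\Messages\carol_x\20040301-roscoe900.dat",
    r"C:\Program Files\Yahoo!\Messenger\Profiles\roscoe900\Archive\Messages\buddy42\notes.txt",
    r"C:\Program Files\Yahoo!\Messenger\Profiles\roscoe900\Archive\Messages\buddy42\20041399-roscoe900.dat",
]

if __name__ == "__main__":
    for rec in timeline(SAMPLE_PATHS):
        print(rec["date"], rec["sender"], "<->", rec["receiver"], rec["path"])
```

Run it over the list of .dat paths exported from the case; anything the parser rejects is worth a manual look, since a log that does not fit the layout is either not a Yahoo archive or has been renamed.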
Thanks for that
One thing I forgot to mention is that when you copy them out onto your own drive, give them a .gz file extension and then open with WinZip, etc.
Good tips Mark, I'll have to look into that.
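The cache-carving steps above (find extensionless files by their GZip header, inflate them, treat the result as HTML, then keyword-search for webmail indicators such as @hotmail.com and @yahoo.com as suggested earlier in the thread) can be done in one pass without renaming to .gz and opening each file by hand. The script below is an added example, not code from any poster or from EnCase or WinZip. The GZip header it looks for is the two-byte magic 1f 8b from RFC 1952, which the original post could not recall. The cache folder contents are constructed inside the script so it runs offline; the file names and page text are not real evidence.

```python
import gzip
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member (RFC 1952)

# Indicators suggested in the thread for spotting webmail pages in a cache.
WEBMAIL_MARKERS = [b"@hotmail.com", b"@yahoo.com", b"getmsg", b"compose"]


def is_gzip(path: Path) -> bool:
    """True if the file starts with the gzip header, whatever its extension says."""
    with open(path, "rb") as fh:
        return fh.read(2) == GZIP_MAGIC


def recover_gzip_cache(cache_dir: Path, out_dir: Path) -> List[Path]:
    """Inflate every extensionless gzip file in cache_dir into out_dir as <name>.htm.
    Returns the recovered output paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    recovered = []
    for entry in sorted(cache_dir.iterdir()):
        if not entry.is_file() or entry.suffix:
            continue  # only files with no extension, as described in the thread
        if not is_gzip(entry):
            continue
        try:
            with gzip.open(entry, "rb") as gz:
                data = gz.read()
        except (OSError, EOFError):
            continue  # truncated or corrupt member: skip it, keep carving the rest
        out = out_dir / (entry.name + ".htm")
        out.write_bytes(data)
        recovered.append(out)
    return recovered


def find_webmail_hits(paths: List[Path], markers=WEBMAIL_MARKERS) -> Dict[str, List[str]]:
    """Case-insensitive keyword search: map each file to the markers found in it."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        blob = Path(p).read_bytes().lower()
        found = [m.decode() for m in markers if m.lower() in blob]
        if found:
            hits[str(p)] = found
    return hits


def build_sample_cache(cache_dir: Path) -> None:
    """Constructed sample input: one gzipped webmail page with no extension,
    one plain extensionless file, one ordinary .htm file."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    page = b"<html><body>From: alice@yahoo.com<br>Subject: hello</body></html>"
    (cache_dir / "AB12CD34").write_bytes(gzip.compress(page))
    (cache_dir / "EF56GH78").write_bytes(b"not compressed at all")
    (cache_dir / "index.htm").write_bytes(b"<html>plain page</html>")


def demo(base: Optional[Path] = None) -> Dict[str, List[str]]:
    """Build the sample cache, carve it, and return the webmail hits."""
    base = base or Path(tempfile.mkdtemp(prefix="cache-carve-"))
    cache = base / "Temporary Internet Files"
    build_sample_cache(cache)
    recovered = recover_gzip_cache(cache, base / "recovered")
    return find_webmail_hits(recovered)


if __name__ == "__main__":
    for path, markers in demo().items():
        print(path, "->", ", ".join(markers))
```

Point recover_gzip_cache at a copy of the exported Temporary Internet Files folder, never at the original evidence, and review the .htm files it writes with an offline viewer so the page does not try to reach the server.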
Are they saying, relating to Yahoo chat, that if one party chooses to archive chats then they are saved on both computers? That may explain why I'm finding more Yahoo chats archived than any other.
It's also good to hear that FTK is now capable of viewing the .dat files. That'll make it a lot easier. They've got a good product there.