Hi all,
I've searched the previous threads on this topic and managed to find a few from years past. Has much changed? Is it easier nowadays to find old IM chats? I have FTK, which I believe can automatically pull them out, but I have yet to get my hands on the actual hard drive to analyze.
I'm looking into an incident where a past student is now dating a much older teacher and it is believed that it started via chat sessions when she was still a student (under 18).
Any suggestions would be greatly appreciated.
John
LA,
I can't speak for every version of AOL IM but all the versions I have examined didn't by default store any chat logs. I did however find deleted temporary files in which the whole chats (minus dates and times) took place. These were found in unallocated space by searching for the usernames of the relevant people.
Yahoo no longer stores chat logs by default; older versions did. You might find something in pagefile.sys, but if logging was turned off it won't do what AOL does and leave you these temporary files.
With regards to AOL, have a look through the folders under "/Documents and Settings/All Users/Application Data", where there is an error log file storing the last 1000 failed events, such as trying to message someone who is offline. Again you might find an occasion where a 'suspect' tried to initiate a chat with the 'victim'. This log does store dates and times, which are in local time format (rather than GMT as many logs are).
It seems most chat clients I see now are not storing chat logs by default anymore. I wonder if this is because people are becoming more privacy aware and feel more invaded by anti-privacy laws, therefore the software makers are giving the public what they want?
Steve
Hi LA
Not much to add to Steve's, but … Whose drive will you have? The suspect's or the victim's?
Depending upon which chat clients were used, they may have duplicated from AOL / Yahoo onto MSN. You could try trawling for key words/names under html and xml extensions. Some store the chats as cached files under the hotmail logon name of the "chatted to" person. If you have either person's email account name, maybe do a search for partials on that, or filename searches that contain 'hotmail' etc.
Be aware also that users often have huge nicknames with lots of colour code and ascii type graphics inbuilt, so John would not look like jay-oh-haitch-en@hotmail to a text parser. I.e. this is a friend's (anonymised) chat client nick. The person, however, has quite a normal email nickname that they login under.
(L)Mi$$ LiS4 (L) Bob8y (J)(Y) sHiLdOn Ya wKd m8 (Y) sTeVe yA mInT (luurv) M@ddY T-b0nA l@Ra@ Rhee$ d33 zO3 j3nNi3 LiVi(yoh)
(grep that!)
The Contacts list of a fresh install of some chat clients is populated from the chat server, so even if evidence of contact has been destroyed on the target PC, you may be able to establish the persons have at least got each other on a "Buddies" list by rejoining a new install using the user's login details or checking the other party's PC for Buddies.
Let me check some files, I'll get back for AOL/Yahoo specifically if I find anything else.
Kern
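As an added illustration of the username search Steve describes (carving unallocated space for the parties' screen names) and Kern's warning that a plain text parser misses names stored differently, here is a small example script. It is not code from the thread or from FTK; the disk-image bytes, usernames and messages are constructed for the example, and it looks for each name both as plain ASCII and as UTF-16LE (the encoding many Windows programs write), case-insensitively, reporting the byte offset and surrounding context for each hit.

```python
import re
from typing import Dict, List

# Constructed stand-in for a chunk of unallocated space: ASCII chat text, a
# UTF-16LE fragment (as Windows apps often write), nulls and junk. All names
# and messages are invented for this example.
SAMPLE_IMAGE = (
    b"\x00\x00random slack bytes\xff\xfe"
    b"teach3r_bob: hey, are you still online?\x00\x00\x00"
    + "Student_Jane: yes :)".encode("utf-16-le")
    + b"\x00" * 8
    + b"unrelated text TEACH3R_BOB was here"
)

def _patterns(term: str):
    """Byte regexes for a username in ASCII and UTF-16LE, case-insensitive."""
    return {
        "ascii": re.compile(re.escape(term.encode("ascii")), re.IGNORECASE),
        "utf-16-le": re.compile(re.escape(term.encode("utf-16-le")), re.IGNORECASE),
    }

def _snippet(image: bytes, start: int, end: int, encoding: str, ctx: int) -> str:
    """Printable context around a hit; non-printable characters become '.'."""
    if encoding == "utf-16-le":
        lo = max(0, start - 2 * ctx)
        lo -= (start - lo) % 2          # stay aligned to 16-bit code units
        hi = min(len(image), end + 2 * ctx)
        text = image[lo:hi].decode("utf-16-le", errors="replace")
    else:
        lo, hi = max(0, start - ctx), min(len(image), end + ctx)
        text = image[lo:hi].decode("latin-1")
    return "".join(ch if ch.isprintable() else "." for ch in text)

def search_image(image: bytes, terms: List[str], ctx: int = 20) -> List[Dict]:
    """Find every occurrence of each username in either encoding, with offset and context."""
    hits = []
    for term in terms:
        for encoding, pattern in _patterns(term).items():
            for m in pattern.finditer(image):
                hits.append({
                    "offset": m.start(), "term": term, "encoding": encoding,
                    "snippet": _snippet(image, m.start(), m.end(), encoding, ctx),
                })
    return sorted(hits, key=lambda h: h["offset"])

if __name__ == "__main__":
    for h in search_image(SAMPLE_IMAGE, ["teach3r_bob", "student_jane"]):
        print(f"{h['offset']:>8}  {h['encoding']:<9}  {h['term']:<13}  {h['snippet']}")
```

On a real case the same search would be run over the raw image (or the unallocated clusters exported from FTK) rather than the constructed buffer, and the offsets then tell you which clusters to carve out in full.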
Steve & Kern,
Thank you for your posts. I haven't been able to acquire the victim's hard drive yet, but wanted to let the client know what the success rate might be before going further. I'm sure it is the same with all cases that you can't always be sure what you'll be able to recover, but I wanted to have a stronger base of knowledge on the subject matter before continuing.
I truly appreciate both of your feedback and I will look for all of those items you both pointed out.
Cheers,
John