Instant Messenger Discussions or Research Projects  

bernieregans
(@bernieregans)
New Member

I am currently undertaking a Project devising a Framework for a Forensic Examiner to use in order to retrieve digital evidence left behind by the use of Instant Messengers. As part of my Literature Review I have to look into what each IM is, how it operates, etc. (MSN, YAHOO, JABBER, ICQ). Also I need to identify and analyse any other research project within the same area so I can compare and also find holes within it to incorporate them into mine.

I would be grateful for any replies pointing me in the direction of any of the above mentioned.

Yours truly

Bernieregans

Posted : 24/07/2005 6:21 am
akaplan0qw9
(@akaplan0qw9)
Member

Dear Bernie,

I'm not able to offer any assistance at this time. But, I'm sure I'm not alone in wanting to see the results of your very worthwhile study.

We currently use FTK (Full Suite), Winhex Forensics (Full Suite), Paraben Chat and e-mail detective (Hot Pepper Technology) all of which might be of interest to you. Time permitting, I will be glad to run tests for you using that software and furnish you with the results.

Posted : 24/07/2005 9:40 pm
keydet89
(@keydet89)
Community Legend

…devising a Framework for a Forensic Examiner to use in order to retrieve digital evidence left behind by the use of Instant Messengers.

At what point are you trying to get this data?

If the system is still live, there is a lot of info you can retrieve. The most recent edition of the Digital Investigation Journal contains my article on the subject.

If you're looking at an imaged system, your mileage is going to vary. AIM, by default, does not log conversations, while Trillian does.

If you have specific questions, feel free to contact me directly.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 25/07/2005 3:17 am
bernieregans
(@bernieregans)
New Member

Hi,

Thanks Al Kaplan, but I am using EnCase, as my University has licences for its use and, as it is regarded as one of the best, I was directed to using that. If there is enough time I will be using freeware tools that will allow most investigators to retrieve the results that I get. I will keep you posted and, if I may, I would like to contact you to complete an evaluation questionnaire for me.

Thanks Helen, is that the article you sent me in June? I am running it from a shut-down system and I will be making an image and, as mentioned above, using EnCase to do my investigation.

You can email me straight to [email protected] for easier correspondence.

Many Thanks

Berniregans

Posted : 25/07/2005 5:44 pm
keydet89
(@keydet89)
Community Legend

I don't know who "Helen" is, and what article she sent you (could you send me a copy??) but would be interested in knowing more about the framework project you're working on. What information have you collected thus far?

One thing you may consider doing is documenting your findings with regards to Windows Registry artifacts for each IM client, as well as the artifacts found in the Prefetch directory (if you're using XP as the client system).

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 27/07/2005 4:53 pm
bernieregans
(@bernieregans)
New Member

I do beg your pardon, I meant Harlan. At the moment I am undertaking the research part. I am currently looking at six major IMs: MSN, Yahoo!, ICQ, Trillian, AOL & GCN (using Jabber). I am looking into each of these and how they work using the Windows XP Professional architecture to enable full use. I will be looking into forensics and pointing the research into digital evidence and what exactly it is.

After this I will be conducting tests on each of the IMs and will then be using EnCase to analyse the digital evidence. I will also be using freeware tools to enable other examiners to be able to repeat my steps.

If you could offer any additional information which you think I have missed, I would be grateful.

many thanks

bernieregans

Posted : 27/07/2005 9:23 pm
keydet89
(@keydet89)
Community Legend

Here's what I suggest…

Start with a VMware image of XP, if you can. Launch the first phase of InControl5, install the software, and then run the second phase of InControl5. You might even run something like the Sysinternals RegMon and FileMon tools during the installation, to catch any files or keys that are created and then deleted during the installation process.

Once this is done, I'd suggest using static analysis tools such as Dependency Walker on the executable image (i.e., for AIM, "aim.exe").

I will be looking into forensics and pointing the research into digital evidence and what exactly it is.

I'm not entirely sure what you're looking at here, other than the files and Registry keys that are installed and used by the applications. Are you looking specifically for log files created by the applications? If that's the case, I think part of that has already been documented to some degree.

Good luck.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 28/07/2005 8:42 pm
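The install-snapshot procedure Harlan describes above (snapshot before the install, install and run the client, snapshot again, diff) reduced to working code, as an added example that is not part of the thread and is not InControl5's or Sysinternals' own code. It hashes every file under a root, reports what was added, removed or modified between two snapshots, and tags the paths an examiner would triage first: Prefetch entries (the artefact Harlan mentions for an XP client machine), files under the user profile's Application Data, and the installed binaries. The before/after trees are constructed in a temporary directory; the file names, the "AIM" profile folder and the "AIM.EXE-1A2B3C4D.pf" Prefetch name are placeholders, not captured artefacts. Registry changes are not covered here; the same diff works on exported hive text if you parse it into a dict first.

```python
"""Install-snapshot diffing of a directory tree (the InControl5 approach).

Added example, not code from the thread or from InControl5/Sysinternals.
Assumptions: the same root is snapshotted before and after the IM client
is installed and run; a file is "modified" when its size or SHA-256
changes (timestamp-only changes are ignored); the sample trees below are
constructed in a temp directory and the Prefetch file name is a placeholder.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installer payloads do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map root-relative path -> (size, sha256) for every regular file."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links and anything that vanished mid-walk
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_of(p))
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Added / removed / modified paths between two snapshots, each sorted."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
    }


def categorize(paths) -> dict:
    """Tag paths an IM examiner would triage first (heuristics for the XP layout)."""
    cats = {"prefetch": [], "profile": [], "install": [], "other": []}
    for rel in paths:
        low = rel.lower()
        if "/prefetch/" in low and low.endswith(".pf"):
            cats["prefetch"].append(rel)   # evidence the client executable ran
        elif "/application data/" in low:
            cats["profile"].append(rel)    # per-user settings, logs, contact lists
        elif low.startswith("program files/"):
            cats["install"].append(rel)    # the installed binaries themselves
        else:
            cats["other"].append(rel)
    return cats


def _write(root: Path, files: dict) -> None:
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo() -> dict:
    """Build constructed before/after trees and return the diff between them."""
    root = Path(tempfile.mkdtemp(prefix="im_snap_"))
    _write(root, {
        "WINDOWS/system32/kernel32.dll": b"unchanged system file",
        "WINDOWS/win.ini": b"[windows]\n",
        "temp/setup.tmp": b"installer scratch file",
    })
    before = snapshot(root)
    # Simulate the install and first run: new binaries, a user profile folder,
    # a Prefetch entry, an edited INI and a cleaned-up temp file. All names are
    # made up for this example, not observed artefacts of any real client.
    (root / "temp/setup.tmp").unlink()
    _write(root, {
        "WINDOWS/win.ini": b"[windows]\nrun=aim.exe\n",
        "Program Files/AIM/aim.exe": b"MZ...",
        "Documents and Settings/user/Application Data/AIM/user.log": b"session 1\n",
        "WINDOWS/Prefetch/AIM.EXE-1A2B3C4D.pf": b"SCCA",
    })
    after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(kind, paths)
    print("triage:", categorize(result["added"]))
```

Run it against a real VM by calling `snapshot()` on the mounted guest volume before and after the install instead of `demo()`; files that RegMon/FileMon show being created and then deleted during setup will not appear in the diff, which is exactly why Harlan suggests running those monitors alongside the two snapshots.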