Internet Text Messaging
(@jamesdub)
New Member
Joined: 16 years ago
Posts: 4
Topic starter   [#7842]

Dear all,

I have a bit of a problem and I need some clarification. I am working on a case where I know a suspect has sent out a number of messages from a PC using a website which sends out these messages to mobile phones via Web text. I have analysed the suspect machine and I can find no fragments of the text message. I have built up a timeline of the site being accessed but that proves nothing. I do know the site is not SSL and the browser is IE 8.

I have carried out a rigorous search of the case file using Encase and FTK and again I am finding no fragments of these text messages. Has anyone any advice ? would any experts know if this type of data would be stored/cached on a PC. I have checked all the index.dat files.

Many Thanks for any help or direction

James
(@armresl)
Noble Member
Joined: 22 years ago
Posts: 1011

How do you know the browser is IE8?
How do you know that a suspect has sent out a number of messages from a PC, and when you say a PC, do you mean any PC or the one you have?

I have found numerous times where someone thought it was a text from a site like w**.txt2day.com/ and it ended up just being from Outlook or Thunderbird. Did you check there?

If you have the verbatim text and cannot find it, I'm not sure you would have the right PC if you are sure that it was IE8 and you're sure that it's this particular PC.

There has to be some event around the time frame you are mentioning, or else you need to look at another machine.

If the event in question happened at 1143 and you look on the PC and there is nothing around that time on the internet, but file activity, then I'd think that there was FF running with options set to delete everything past an hour, or maybe a private session.

minime2k9
(@minime2k9)
Honorable Member
Joined: 15 years ago
Posts: 481

I've had a couple of cases like this. I don't think I have ever managed to actually recover the text messages; however, the number they were sent to is often in the URL, so at least you can say messages were sent. In my cases the content wasn't actually an issue. Sorry I can't help more.
(@armresl)
Noble Member
Joined: 22 years ago
Posts: 1011

You can't say they were sent though. I can set up a clean IE or FF and type the message, hit send and it goes to the next screen, error, the history will still show a visit to that URL as you mentioned, but you will not have successfully sent the message.

My advice would be to mess with the servers and send out sample messages and then look at the congratulations screen and then do a grep on that message, it will be very vendor or website specific.

cheers
jeromey
(@jeromey)
New Member
Joined: 16 years ago
Posts: 3

Here is something to think about.

I wrote a paper describing why investigators may not find internet cache when conducting Facebook investigations. What I found while performing my tests was Facebook forces the browser not to store cached pages using Cache-Control headers.

While watching internet traffic using Wireshark, I found the following entry in the HTTP header.

Cache-Control: private, no-cache, no-store, must-revalidate

Please refer to http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for information on each of these control mechanisms.

You may find that the website/servers may force cache control and you will not find artifacts of the session.

Hope this helps.

Jeromey
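To make the point above concrete, here is a small classifier (added here, not part of Jeromey's post) that parses a Cache-Control value the way RFC 2616 section 14.9 defines the directives and says whether an examiner should expect the page body to have been written to the browser cache at all. The Facebook header value is the one quoted above; the other inputs are constructed.

```python
"""Classify HTTP Cache-Control directives to judge whether on-disk cache
artifacts of a page should be expected. Added example for this thread, not
code from the original post. FACEBOOK_HEADER is the value quoted above;
the remaining inputs are constructed."""
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'a, b=1, c' into {'a': None, 'b': '1', 'c': None}, lower-cased."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def cache_expectation(cache_control: str) -> str:
    """Return one of:
       'not-stored' - no-store: a compliant cache never writes the response
                      to non-volatile storage, so no cache artifact is expected
       'revalidate' - no-cache / must-revalidate / max-age=0: a copy may sit
                      on disk but must be re-checked with the origin before reuse
       'private'    - only a single-user (browser) cache may keep a copy
       'cacheable'  - nothing forbids a normal cached copy
    The thread's point is the first case: no-store is why the session leaves
    no cached page content behind."""
    d = parse_cache_control(cache_control)
    if "no-store" in d:
        return "not-stored"
    if "no-cache" in d or "must-revalidate" in d or d.get("max-age") == "0":
        return "revalidate"
    if "private" in d:
        return "private"
    return "cacheable"


# The header value quoted in the post above.
FACEBOOK_HEADER = "private, no-cache, no-store, must-revalidate"

if __name__ == "__main__":
    for hdr in (FACEBOOK_HEADER, "public, max-age=3600", "private, max-age=0", "no-cache"):
        print(f"{hdr!r:48} -> {cache_expectation(hdr)}")
```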
minime2k9
(@minime2k9)
Honorable Member
Joined: 15 years ago
Posts: 481

You can't say they were sent though. I can set up a clean IE or FF and type the message, hit send and it goes to the next screen, error, the history will still show a visit to that URL as you mentioned, but you will not have successfully sent the message.
cheers

This one had a successfully sent URL afterwards.
(@jmoran18251)
New Member
Joined: 16 years ago
Posts: 3

If the texts came from what appears to be a valid phone number (i.e. not [email protected]), your best bet may be to try to track the registered owner of the phone number.
Many of these internet text services require the user to register with an email address at minimum. In the past I have been able to track the number to a company, who was then able to provide me with the account that the message was sent from.
(@jamesdub)
New Member
Joined: 16 years ago
Posts: 4
Topic starter  

Apologies for the delay in re-posting. As stated, the problem I had was ascertaining details of a message sent via a web-based texting facility from a PC I seized. I had a copy of the text message from a person involved with the case, and I was also certain that the PC used to send the messages was the one in my possession. After a rigorous forensic search of the machine, all I could establish was that the owner of the PC did access a particular website which enabled text messages to be sent from it (this of course is fine and no law is broken here). I did not find the content of the text message on the local PC. I could timeline the site being accessed from that machine around the time of the text message being sent, which does not really prove anything. The website used to send the messages was not encrypted, i.e. HTTPS.

It is worth noting that it is quite difficult to obtain this type of evidence from a forensic analysis. The tools used were FTK 3, Encase 6 and 7 and NetAnalysis.

James
(@miket065)
Estimable Member
Joined: 22 years ago
Posts: 187

I could timeline the site being accessed from that machine around the time of the text message being sent, which does not really prove anything.

More often than not, a forensic examination is not going to "prove" anything. Even if you found the evidence you seek, could it have not been someone else sitting at the keyboard? One has to consider the totality of the circumstances, means, motive, opportunity.

It seems that the index.dat's would have several different entries if he used the machine to send the text; entry for main page, entry for the "send" page, and entry for the "success" page, or something similar. I think someone else mentioned that above. It seems odd that the main page would have been accessed and logged in the index.dat and no subsequent pages.

Do you think that he went to the site (creating the index.dat entry), activated "private" mode to send the message, and deactivated "private" mode after doing the deed?

I did not find the content of the text message on the local PC.

I would not find it odd at all if the text from a web form were not found on the hard disk, particularly if some sort of "private" mode was being implemented.
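The index.dat reasoning above (entry page, then "send" page, then "success" page, or a lone entry-page hit that hints at private mode) can be checked mechanically over a browser-history export. The following is an added example, not code from the thread: the host, path prefixes, phone number and timestamps are constructed, and the page-type mapping is an assumption that would have to be adapted to the real site's URLs.

```python
"""Group constructed browser-history records into sessions on the web-text
site and report which page types (entry, compose, confirmation) each reached,
following the index.dat reasoning in the post above. Added example, not from
the thread; host, paths, number and times are made up for illustration."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

HISTORY = [  # constructed (timestamp, URL) records
    (datetime(2012, 3, 1, 11, 40), "http://webtext.example/"),
    (datetime(2012, 3, 1, 11, 41), "http://webtext.example/compose?to=07700900123"),
    (datetime(2012, 3, 1, 11, 43), "http://webtext.example/sent?id=42"),
    (datetime(2012, 3, 1, 14, 5), "http://webtext.example/"),
]


def classify(url):
    """Map a URL to an assumed page type by path prefix (site-specific)."""
    path = urlparse(url).path or "/"
    if path.startswith("/compose"):
        return "compose"
    if path.startswith("/sent"):
        return "confirm"
    return "entry"


def sessions(history, host, window=timedelta(minutes=10)):
    """Each entry-page visit to `host` opens a session; later non-entry visits
    within `window` join it. Returns [(start_time, frozenset(page types))]."""
    visits = sorted((t, classify(u)) for t, u in history if urlparse(u).netloc == host)
    out, i = [], 0
    while i < len(visits):
        start, kind = visits[i]
        if kind != "entry":
            i += 1
            continue
        seen, j = {"entry"}, i + 1
        while j < len(visits) and visits[j][1] != "entry" and visits[j][0] - start <= window:
            seen.add(visits[j][1])
            j += 1
        out.append((start, frozenset(seen)))
        i = j
    return out


def assess(pages):
    """Finding for one session: a compose hit without confirmation is consistent
    with a send that failed; an entry-only hit is consistent with private mode."""
    if "confirm" in pages:
        return "confirmation page recorded"
    if "compose" in pages:
        return "compose page recorded, no confirmation"
    return "entry page only"
```

Running `assess` over each session from `sessions(HISTORY, "webtext.example")` gives a confirmed send for the 11:40 session and an entry-only hit for the 14:05 one.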