Research Developments in the Working Sector  

bernieregans
(@bernieregans)
New Member

Hi,

I am currently starting my MSc Project and I will be investigating the Digital Evidence that is left behind by the use of Instant Messengers. I am currently doing a literature review and am wondering if anyone knows of any similar research that is being undertaken. I would be grateful for any replies to this post.

Bernieregans

Posted : 02/06/2005 1:49 pm
Andy
(@andy)
Active Member

You may find some info on the MSN messenger protocol here: http://www.hypothetic.org/docs/msn/notification/miscellaneous.php
(it might be a bit outdated)
Difficult subject really, as most IM services do not leave much in the way of any artifacts unless the user chooses to do so. By default most (MSN, Yahoo etc) have no logging enabled. You can find some artefacts in the registry (buddy or contacts), or swap file (messages). We have done a little work on recovering Yahoo encrypted messages from the unallocated clusters, but it's still a work in progress. If you want to pursue it further, drop me a PM and I'll run it by you.

Andy

Posted : 02/06/2005 2:46 pm
keydet89
(@keydet89)
Community Legend

I wrote an article about conducting IM investigations on live XP systems for the Digital Investigation Journal…it appeared in Vol 1, issue 4. I may still have a copy of it around, if you're interested.

Andy, I saw your comment about Registry artifacts left behind by IM clients, and was curious about it…which clients leave lists of buddies and contacts in the Registry? Also, do you know the locations in the Registry of these artifacts? I think it would be a great idea to document these.

Andy, you also make two statements in your post that I'm a little confused about…first, you say "By default most (MSN, Yahoo etc) have no logging enabled.", but then you say "We have done a little work on recovering Yahoo encrypted messages from the unallocated clusters..."

I'm confused by this…if Yahoo isn't logging, then how do messages (even encrypted ones) make it into unallocated clusters? I think this information may be useful to some of the issues I'm trying to deal with.

With regards to the specific issues of artifacts, Windows XP does application prefetching by default. What this means is that code pages and other information are stored in .pf files in the Prefetch directory whenever an application is launched…this has the effect of speeding up application load times in the future. Each of these files has MAC times to indicate when the files themselves have been modified or accessed, which (further testing needs to be done to verify this) may indicate when the user last ran the application. When I've uninstalled some software utilities, the .pf files have remained.

Most software that requires an installer (i.e., Yahoo, AIM, etc) also leaves Registry artifacts behind, usually within the HKLM\Software hive. However, your mileage may vary on this, depending upon the particular product and version. Some of these clients will also autostart, so you've got telltale signs in the HKLM\..\Run key to look for, as well.

I hope you find some of this information to be useful.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 02/06/2005 8:01 pm
Andy
(@andy)
Active Member

Sorry for the confusion. The gist of what I meant was… if someone saves their Yahoo IM conversations (saved as a .dat file), they are obviously easy to recover, but if they are deleted (and flushed from the recycle bin), they occupy unallocated clusters and are still possibly recoverable; but as the .dat files are encrypted (not in plain text), they are difficult to identify.

The Yahoo .dat files do have a header, and it’s possible to search for these, carve out the data and perform a reconstruction.

Going back to registry artefacts, I know I said ‘buddy’ entries; I didn’t mean AOL IM buddies, etc – I was doing a US translation for ‘contacts’. Even though no messages are saved, some useful information can be found in the Windows registry.

For MSN (depending on the version) some information can be found in HKEY_CURRENT_USER\Software\Microsoft\MessengerService\ListCache

And Yahoo: HKEY_CURRENT_USER\Software\Yahoo\Pager\profiles

It’s certainly an interesting subject for an MSc dissertation.

Andy

Posted : 03/06/2005 10:35 pm
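One way to do the header search, carve and reconstruction that Andy describes above, as an added example that is not code from this thread. The header bytes, the size cap and the sample "unallocated clusters" are constructed placeholders, since the thread does not give the real Yahoo .dat header:

```python
import re
from typing import List, Tuple

# Placeholder signature: the thread says Yahoo .dat archives carry a
# recognisable header but never states it, so this value is an assumption.
DAT_HEADER = b"YDAT\x01\x00"
MAX_OBJECT_SIZE = 4096  # assumed upper bound on one carved archive


def find_headers(image: bytes, header: bytes = DAT_HEADER) -> List[int]:
    """Return every byte offset at which the header signature occurs."""
    return [m.start() for m in re.finditer(re.escape(header), image)]


def carve(image: bytes, header: bytes = DAT_HEADER,
          max_size: int = MAX_OBJECT_SIZE) -> List[Tuple[int, bytes]]:
    """Carve candidate archives out of a blob of unallocated space.

    Each candidate runs from a header hit to the next header hit or to
    max_size, whichever comes first.  Trailing NUL bytes are stripped so a
    deleted archive followed by zeroed slack is not padded out; anything
    non-zero that follows is kept, because without a length field the carver
    cannot tell where the archive really ended (a known limit of carving).
    """
    offsets = find_headers(image, header)
    carved = []
    for i, start in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(image)
        end = min(end, start + max_size)
        carved.append((start, image[start:end].rstrip(b"\x00")))
    return carved


def build_sample_image() -> bytes:
    """Constructed unallocated space: filler, two archives, zeroed slack."""
    filler = b"\xa5" * 100
    first = DAT_HEADER + b"conversation-one" + b"\x00" * 40
    second = DAT_HEADER + b"conversation-two"
    return filler + first + filler + second + b"\x00" * 20


if __name__ == "__main__":
    for offset, blob in carve(build_sample_image()):
        print(f"hit at offset {offset}: {len(blob)} bytes")
```

Once a candidate is carved, the same offsets can be fed back to the disk image to pull the surrounding clusters for reconstruction.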
keydet89
(@keydet89)
Community Legend

…I know I said ‘buddy’ entries, I didn’t mean AOL IM buddies, etc – I was doing a US translation for ‘contacts’.

Contacts, in what sense? Which messaging program are you referring to?

Even though no messages are saved, some useful information can be found in the Windows registry.

Agreed. However, I don't think that an MSc thesis is necessary for it…I did some pretty thorough research on it and had it published. All that's really required is to figure out what questions you want to answer, define your testing methodology, and away you go. It's actually pretty easy.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 04/06/2005 2:55 pm
Andy
(@andy)
Active Member

Agreed. However, I don't think that an MSc thesis is necessary for it…

I disagree, this thesis idea sounds good to me. Research in this area is worthwhile, especially in light of the relatively new ‘grooming’ offences in the UK. IM programs such as Yahoo, MSN and Windows Messenger are ideal vehicles for this type of offence. Once you start writing your project you will probably end up with too much information and have to edit it substantially to fit the word limit.

…I did some pretty thorough research on it and had it published

Perhaps you would be good enough to post a link, or send him your write-up? This sounds like the type of literature he is looking for.

Andy

Posted : 04/06/2005 6:02 pm
keydet89
(@keydet89)
Community Legend

I disagree, this thesis idea sounds good to me.

I agree, I think it would be a good thesis…I never said that it wouldn't be. All I said was that I didn't think that someone had to wait until they were doing an MSc thesis if they wanted to do the research on their own.

Perhaps you would be good enough to post a link, or send him your write-up? This sounds like the type of literature he is looking for.

Sure. Already told him where to look…he can always contact me on his own if he wants a copy of the actual paper.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 05/06/2005 12:30 am
bernieregans
(@bernieregans)
New Member

Hi,

My first port of call is to investigate the different types of instant messengers and how they interoperate with the operating system. I was wondering if anyone knew, if I contacted the vendor, e.g. Yahoo, etc, whether they would assist me in any way. I will also be studying the way encryption is used and what effect it has on any evidence left behind. As with most software, things are normally plaintext to allow the programmers the option to recover certain attributes for their desired reasons.

bernieregans

Posted : 18/06/2005 5:07 pm
keydet89
(@keydet89)
Community Legend

I was wondering if anyone knew, if I contacted the vendor, e.g. Yahoo, etc, whether they would assist me in any way.

Well, you haven't said what you mean by "how they interoperate with the operating system"…so to be honest, I don't know what questions you'd ask. Besides, there are enough monitoring tools available to you for free that you don't really need to go to the vendor.

Another option is to look into one of the open source versions. I know that there are Perl modules for interacting with AIM, etc…if you didn't want to run your own experiments, you could read those.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 19/06/2005 1:23 pm
bernieregans
(@bernieregans)
New Member

Hi,

To monitor the way that these IMs work and to see what evidence is left, you mention some tools that are available. Could you please elaborate on this or give me the links to them?

Thanks

Posted : 21/06/2005 7:02 pm