What is a good search term that will find chat logs? I am working with EnCase version 6. I tried "lol" and some others, but I am not having any luck. I need something more unique and I am drawing a blank. Thank you.
'lmao'? How about that?
"lmao" does not bring up anything that helps either. I may be approaching this the wrong way. Is there a better way to find chat logs with EnCase, or do I just need to go to FTK?
Are you looking for chat logs generated by a specific application, such as Messenger?
You may have more luck searching for, for instance, the XML code that is saved in the chat logs used by Windows Live Messenger rather than for general chat terms, unless of course you have a unique word that you know will appear somewhere in the chat.
I find "says" works for most IM clients.
Some chat logs are encoded (e.g. the Yahoo .dat format), so you will miss those if you search for clear text. I usually do a combination of searching the default storage locations followed by keyword searches for usernames. This may take a little background work to find, but you'll get hits in unusual places. Sometimes tiny bits, maybe one or two lines at a time, in the pagefile or file slack. You will miss a lot of these relying on common expressions like "lol", for instance; some people still chat in English.
Once you find a couple, look for common strings in the message or message header. Each client will be different, but finding a couple will allow you to find many more. In a case I'm working on now involving Yahoo Messenger I have found IMs throughout the unallocated space. Each one is preceded by the sender's username, then the characters ^$5^$, then the recipient's username. By searching for this string I've found others involving completely different usernames that I didn't know about.
Using conditions in EnCase allowed me to "search" the preview column to further process the search results. Since the preview column shows something over 100 characters on either side of the hit, you can narrow down your search results by creating a custom condition. In building your new condition, select the Preview column and use the "find" operator. This will allow you to enter a keyword or list of keywords. Running the condition will cause only the hits containing the keywords to be displayed.
This type of thing is the real strength of EnCase in my opinion. I'm not sure how using FTK will benefit you. The fact is, many people don't log chats, so you'll be reduced to looking for remnants here and there.
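The delimiter-carving and preview-keyword workflow described in the reply above, as an added example in Python rather than EnCase (not code from the thread). The blob is constructed to mimic unallocated space with fragments laid out as the poster describes (sender, ^$5^$, recipient, message text); the allowed username characters and the 100-byte preview window are assumptions.

```python
import re
from dataclasses import dataclass

# Delimiter between sender and recipient usernames, as quoted in the post.
DELIMITER = b"^$5^$"

# Constructed sample of "unallocated space": filler bytes with a few
# message fragments embedded, plus some junk containing "lol"/"lmao"
# to show why generic chat words give poor hits.
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"alice_77^$5^$bob_smith meet me at the usual place tonight"
    + b"\xff" * 32
    + b"random junk lmao lol nothing here"
    + b"\x00" * 48
    + b"carol99^$5^$alice_77 did you get the file?"
    + b"\x00" * 16
    + b"dave^$5^$erin_k"  # header survived, message text overwritten
    + b"\x00" * 64
)

@dataclass
class Hit:
    offset: int
    sender: str
    recipient: str
    preview: str  # text around the hit, like the EnCase preview column

# Assumption: usernames are runs of these characters with no spaces.
_NAME_BEFORE = re.compile(rb"([A-Za-z0-9_.\-]+)$")
_NAME_AFTER = re.compile(rb"^([A-Za-z0-9_.\-]+)")

def find_hits(blob, delimiter=DELIMITER, context=100):
    """Carve every delimiter hit with the names on each side and a preview."""
    hits, start = [], 0
    while (pos := blob.find(delimiter, start)) != -1:
        before = blob[max(0, pos - context):pos]
        after = blob[pos + len(delimiter):pos + len(delimiter) + context]
        m_s, m_r = _NAME_BEFORE.search(before), _NAME_AFTER.search(after)
        sender = m_s.group(1).decode("ascii") if m_s else ""
        recipient = m_r.group(1).decode("ascii") if m_r else ""
        raw = (before + delimiter + after).decode("latin-1")
        preview = "".join(c if c.isprintable() else "." for c in raw)
        hits.append(Hit(pos, sender, recipient, preview))
        start = pos + len(delimiter)
    return hits

def filter_preview(hits, keywords):
    """Keep only hits whose preview contains one of the keywords (case-insensitive)."""
    kws = [k.lower() for k in keywords]
    return [h for h in hits if any(k in h.preview.lower() for k in kws)]

def usernames(hits):
    """Collect every sender/recipient seen, for follow-up keyword searches."""
    return sorted({n for h in hits for n in (h.sender, h.recipient) if n})
```

Running usernames(find_hits(SAMPLE_BLOB)) surfaces names like dave and erin_k that appear only in a header fragment, which is the "usernames I didn't know about" effect the poster describes.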