Trying to gather evidence from chat fragments in pagefile

6 Posts
4 Users
0 Reactions
1,050 Views
(@dewald)
New Member
Joined: 12 years ago
Posts: 2
Topic starter  

Hi!

I'm trying to find evidence from conversations that were held with either Windows Live Messenger or Pidgin using the Windows Live protocol. There are no logs on allocated or unallocated space.

I was able to find some larger text fragments in the pagefile.sys that might be useful, but the non-sequential nature of the data structure in the pagefile.sys lands me in difficulties. I'm using X-Ways WinHex and used the "get text" option.

My questions

1. Is it possible to find out if the messages were either received or sent?

2. I need to find out information of the remote user, especially his email address. There are e-mail addresses in the context of the strings, but there seems to be no clear logic that makes it possible to assign them to what was written and find out who wrote it.

3. Is there any way to find out WHEN a particular string was stored in the file?

My last question is a bit more general

As the storage locations in the paging file are not consecutive, isn't it nearly impossible to find clear evidence for things like who chatted with whom or who was the author of a string? Let's assume the suspect chatted with 2 or 3 persons at the same time. Isn't it possible that a string from one conversation ends up in the structure of the fragments from the other conversation?


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Yes, nearly impossible.

The paging file is made up of memory pages copied from active applications and the operating system. The pages from different applications are mixed up, so pages might not be sequential. Even within a page the data might not be sequential in time, or might be encoded, depending on the application and how it stores the data.

Also don't expect the paging file to contain a full record of anything. It will be a few fragments at best.


   
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

You might be better off by using a specialized tool like ours. Belkasoft Evidence Center (Pro and Ultimate editions) includes the ability to carve page and hibernation files as well as live memory dumps for chat remnants in many IM formats, including Windows Live Messenger. You're welcome to try it; the download is here: http://forensic.belkasoft.com/en/bfs/en/download.asp

And here's the "how-to": http://forensic.belkasoft.com/en/bec/en/Carving.asp


   
(@dewald)
New Member
Joined: 12 years ago
Posts: 2
Topic starter  

> You might be better off by using a specialized tool like ours. Belkasoft Evidence Center (Pro and Ultimate editions) includes the ability to carve page and hibernation files as well as live memory dumps for chat remnants in many IM formats, including Windows Live Messenger. You're welcome to try it; the download is here: http://forensic.belkasoft.com/en/bfs/en/download.asp
>
> And here's the "how-to": http://forensic.belkasoft.com/en/bec/en/Carving.asp

Can you tell me what the usual results you get from that software look like? Will there be any reference to the account-email or time reference for the chat fragments?


   
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

If you have EnCase, then I wrote an EnScript to do this very thing; the version 6 one is available here:
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=819
and the version 7 spin is available in the App Store (for free).

Have a look at this document:
http://computerforensics.parsonage.co.uk/downloads/MSNandLiveMessengerArtefactsOfConversations.pdf
which gives a fair bit of info about the older Messenger versions and the search for protocol messages.

Basically you need to search the whole of the drive for the pitch and format flag "PF=[number]" (if memory serves me correctly); the message (if there are any, and there are usually a fair few false positives) will follow soon afterwards in plain ASCII text.

These protocol messages have no embedded time stamps. The messages received from the remote machine contain the email address of the sender in the header; the ones sent from the local machine do not. I have seen these protocol messages in stand-alone 'gateway.txt' files, which of course have a time stamp, but it is much more common to find the messages in the page/swap file or in unallocated space, where there is no time/date information. After extensive use I can say that sometimes you can find oceans of messages, sometimes a few, and occasionally nothing. That is my experience anyway.

Read the document and do a grep search, or spend money on the Belkasoft solution; it's up to you 😉

Good hunting,

Paul
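As an added example (not code from this thread, from the EnScript, or from any of the tools mentioned), the Python script below applies the carving rule Paul describes to a constructed buffer standing in for pagefile.sys: it locates each "PF=[number]" flag, carves the plain-ASCII body that follows it, and classifies a fragment as received when an e-mail address sits in the header run before the flag, or sent when none does. The header layout of the sample (an "MSG ..." line followed by MIME-style headers), the addresses and the message text are constructed assumptions; only the flag and the received/sent rule come from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Carving rule from the thread: find the "PF=<number>" format flag, then take
# the plain-ASCII run that follows it as the message body. A received message
# carries the remote party's e-mail address in the header; a sent one does not.
PF_FLAG = re.compile(rb"PF=\d+")
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PRINTABLE = re.compile(rb"[\x20-\x7e\t\r\n]+")   # one run of printable ASCII

HEADER_WINDOW = 256   # how far back from the flag to look for a sender address
BODY_GAP = 64         # a genuine flag line is followed by a blank line almost at once
MAX_BODY = 512        # cap on how much text to carve as one message


@dataclass
class Fragment:
    offset: int             # byte offset of the PF= flag within the input
    direction: str          # "received" if an address sits in the header, else "sent"
    sender: Optional[str]   # that address, or None
    text: str               # ASCII body carved after the flag
    # No timestamp field: these protocol messages carry none, as the thread notes.


def _header_run(data: bytes, flag_start: int) -> bytes:
    """Contiguous printable bytes immediately before the flag (at most HEADER_WINDOW).
    Walking back stops at the first non-printable byte so that another page's
    leftovers are not mistaken for this message's header."""
    window = data[max(0, flag_start - HEADER_WINDOW):flag_start]
    for i in range(len(window) - 1, -1, -1):
        b = window[i]
        if not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)):
            return window[i + 1:]
    return window


def carve_fragments(data: bytes) -> List[Fragment]:
    found = []
    for m in PF_FLAG.finditer(data):
        # The body starts after the blank line that closes the header block.
        body_at = data.find(b"\r\n\r\n", m.end())
        if body_at == -1 or body_at - m.end() > BODY_GAP:
            continue   # no body close by: a false positive such as "PF=" in unrelated data
        body_at += 4
        run = PRINTABLE.match(data, body_at)
        if run is None:
            continue
        text = data[body_at:min(run.end(), body_at + MAX_BODY)].decode("ascii").strip()
        if not text:
            continue
        # Attribution heuristic: the address closest to the flag in the header run.
        # Caveat from the thread: an address in nearby context can belong to another
        # conversation's fragment, so treat `sender` as a lead rather than proof.
        addresses = EMAIL.findall(_header_run(data, m.start()))
        sender = addresses[-1].decode("ascii") if addresses else None
        found.append(Fragment(m.start(), "received" if sender else "sent", sender, text))
    return found


# Constructed sample standing in for a few pages copied out of pagefile.sys.
# The header layout (an "MSG ..." line plus MIME-style headers) is assumed for
# illustration; the addresses and message text are made up.
_NOISE = b"\x00\xff\x7f\x80" * 12           # non-printable filler between pages
_RECEIVED = (
    b"MSG alice@example.com Alice 110\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"X-MMS-IM-Format: FN=Segoe%20UI; EF=; CO=0; CS=0; PF=22\r\n"
    b"\r\n"
    b"hey, did you get the file I sent?"
)
_SENT = (
    b"MSG 7 N 98\r\n"                          # no address on the locally sent side
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"X-MMS-IM-Format: FN=Segoe%20UI; EF=; CO=0; CS=0; PF=22\r\n"
    b"\r\n"
    b"not yet, still downloading"
)
_STRAY = b"config PF=3 with no message body"  # a flag hit with no body: must be skipped
SAMPLE_PAGEFILE = _NOISE + _RECEIVED + _NOISE + _STRAY + _NOISE + _SENT + _NOISE


if __name__ == "__main__":
    for f in carve_fragments(SAMPLE_PAGEFILE):
        print(f"@{f.offset:#08x} {f.direction:8} {f.sender or '-':22} {f.text}")
```

Run against a real pagefile.sys by reading the whole file into `carve_fragments`; the output carries offsets, direction and a candidate sender, but no time, which matches Paul's point that the protocol messages embed no timestamps. The false-positive guard (a blank line must follow the flag within a few dozen bytes) removes the kind of stray "PF=" hits he mentions, and the header walk-back is what keeps a neighbouring page's text from being read as the sender of this one.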


   
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

> Can you tell me what the usual results you get from that software look like? Will there be any reference to the account-email or time reference for the chat fragments?

The result is a list of extracted fragments with timestamp and some other info, depending on the chat type. Something like this


   