Yahoo ID - Yahoo PhotoSharing  

oreo
(@oreo)
New Member

Hello, I’ve located IIoC in

ProgramData\Yahoo!\Messenger\PhotoSharing\S2a23

however I am unable to locate the Yahoo ID this folder refers to. Using keyword searches in EnCase, I have found 5 Yahoo IDs so used IEF to decrypt the chat logs, however there is nothing of note in the chat logs that helps in determining which Yahoo ID made the images available for sharing.

Thank you if you are able to assist me

Posted : 14/02/2013 3:00 pm
Chris_Ed
(@chris_ed)
Active Member

From research within the office we found the following:

– When the other user shared images with me, all the images appeared in my PhotoSharing folder with blahblah_m.jpg - this was a large version of the image

– When I shared images with the other user, all the images appeared in my PhotoSharing folder in 2 formats - large version yaddyyadda_m.jpg and then a wee thumbnail version yaddyyadda_t.jpg

– The presence in the folder of an _m and _t pairing indicates that the computer that this pairing appears on shared (distributed) with another user.

Doesn't really help with WHO shared the items, although can you date them to the time of active chats?

Also, I take it you don't have a network_user.log? Or at least, a useful one?

Edit (further thoughts)

We actually found that Y!Messenger was pretty good at deleting this folder when the chat session was closed. Further investigation showed a Report.wer file for Yahoo Messenger created shortly after these images - indicating that Y!Msg crashed and so didn't delete the folder as normal. Is this the case for you?

ALSO the reason I ask about network_user.log is that it can be extremely valuable - it stores base 64 thumbnails of shared images, including both the sender and receiver IDs.

Posted : 14/02/2013 7:28 pm
novadonuk
(@novadonuk)
Junior Member

Hi Chris,

Further to this thread, I've noticed that using Yahoo v. 10.0.0.1102, the option to Save Out pictures is available within Yahoo.

As you say, there are two files to look out for, _m.jpg and _t.jpg, within the respective "PhotoSharing" folders.

When these files are in the user's cache they can be saved out to say "My Pictures", perhaps while the chat is still active. In doing so, the random file name is converted to the original file name to the users "My Pictures" folder.

The MD5 hash value should match between the _m.jpg version (as stored within the cache folders) and the "My Pictures" version. Therefore, you could perform a hash test over all files to see if the user saved these elsewhere.

My question, Chris: have you been able to find a decent log parser for this log file, or did you have much success in decoding the BASE64 images?

I have keyword searched this file (network_user.log) for the headers documented in Steve Bunting's post and had no hits:

http://www.stevebunting.org/udpd4n6/forensics/base64.htm

I just want to make sure I haven't missed something. Can you confirm that the headers Steve has documented are the ones you saw?

I can see file references to potential IIOC so I am keen to confirm this, as the OC wants to know who shared what, and I haven't got any chat logs for Yahoo around the d+t in question when the IIOC was created within the PhotoSharing folders.

Cheers, Ian.

Posted : 08/03/2013 4:25 am
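The two checks Ian and Chris describe (an _m/_t pairing in the cache as the sign of an outbound share, and an MD5 match between a cached _m.jpg and a copy the user "saved out" under its original name) are straightforward to automate. The script below is an added illustration written for this thread, not Chris's parser or any tool the posters used; the folder names, random stems and file contents in build_sample_case() are constructed so it runs offline.

```python
"""Pair _m/_t PhotoSharing cache files and match their MD5 against saved-out copies.

Added example, not code from the thread. Assumes only the layout the posters
describe: <random>_m.jpg (large) and <random>_t.jpg (thumbnail) under a
PhotoSharing sub-folder, and a user-chosen destination such as "My Pictures"
where a saved-out copy keeps the large file's bytes under its original name.
"""
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 so large images need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_pairs(cache_dir: Path) -> dict:
    """Group cache files by their random stem.

    Returns {stem: {"m": Path | None, "t": Path | None}}. A stem that has both
    an _m and a _t file is the pattern the thread associates with an outbound share.
    """
    pairs: dict = {}
    for p in cache_dir.rglob("*.jpg"):
        stem, sep, kind = p.stem.rpartition("_")
        if sep and kind in ("m", "t"):
            pairs.setdefault(stem, {"m": None, "t": None})[kind] = p
    return pairs


def hash_matches(cache_dir: Path, search_dirs: list) -> list:
    """Return (cache_file, saved_copy) tuples whose MD5 digests are identical."""
    index: dict = {}
    for d in search_dirs:
        for p in Path(d).rglob("*"):
            if p.is_file():
                index.setdefault(md5_of(p), []).append(p)
    hits = []
    for entry in find_pairs(cache_dir).values():
        large = entry["m"]
        if large is None:
            continue
        for saved in index.get(md5_of(large), []):
            hits.append((large, saved))
    return hits


def build_sample_case(root: Path) -> Path:
    """Construct a toy evidence tree (sample data, not a real cache)."""
    cache = root / "PhotoSharing" / "S2a23"   # sub-folder name borrowed from the OP's path
    pics = root / "My Pictures"
    cache.mkdir(parents=True)
    pics.mkdir(parents=True)
    shared_out = b"\xff\xd8\xff\xe0" + b"outbound image bytes"
    received = b"\xff\xd8\xff\xe0" + b"inbound image bytes"
    (cache / "a1b2c3_m.jpg").write_bytes(shared_out)
    (cache / "a1b2c3_t.jpg").write_bytes(b"\xff\xd8\xff\xe0tiny")  # _m + _t: shared out
    (cache / "d4e5f6_m.jpg").write_bytes(received)                 # _m only: received
    (pics / "holiday.jpg").write_bytes(shared_out)                 # saved-out copy, original name
    (pics / "unrelated.jpg").write_bytes(b"\xff\xd8\xff\xe0other")
    return root


def analyse_sample() -> dict:
    """Run both checks over the constructed tree and return plain results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_case(Path(tmp))
        cache = root / "PhotoSharing"
        pairs = {s: ("shared" if e["m"] and e["t"] else "received")
                 for s, e in find_pairs(cache).items()}
        hits = [(big.name, saved.name)
                for big, saved in hash_matches(cache, [root / "My Pictures"])]
    return {"pairs": pairs, "hits": hits}


if __name__ == "__main__":
    result = analyse_sample()
    for stem, tag in result["pairs"].items():
        print(f"{stem}: {tag}")
    for cached, saved in result["hits"]:
        print(f"{cached} has the same MD5 as {saved}")
```

Point it at a mounted image or an exported PhotoSharing tree instead of the constructed case by calling find_pairs() and hash_matches() directly. MD5 is what the thread uses and is fine for confirming that two files are the same bytes; recording SHA-256 alongside it costs little and avoids arguments about MD5 collisions later.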
Chris_Ed
(@chris_ed)
Active Member

Hi,

As mentioned in the link you provided, the base64 header for JPEGs is "/9j/". Have you checked for PNGs or GIFs? If you can't find a hit for any of these in the network_user.log then it looks like it hasn't saved any thumbnails, I'm afraid!

I do have a parser - I wrote one myself in Python, but it is a bit "raw" )

Happy to share the link if you want it.

Thanks,

Chris

Posted : 08/03/2013 1:33 pm
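Chris's "/9j/" check works because base64 of the JPEG magic bytes FF D8 FF is exactly "/9j/"; the PNG and GIF prefixes follow from their magic bytes the same way. The scanner below is an added example for this thread, not Chris's Python parser, and it assumes nothing about the log beyond what the posts state (thumbnails are embedded as base64 text). It finds base64 runs, checks the prefix, decodes, and confirms the decoded bytes really carry the image magic, so a run that merely happens to start with "/9j/" is not reported. The log text in sample_log() is constructed.

```python
"""Carve base64-encoded image thumbnails out of a text log such as network_user.log.

Added example, not code from the thread. The log format is not known, so the
scanner only relies on base64 text runs and the image magic bytes; any
sender/receiver ID fields would have to be located separately.
"""
import base64
import binascii
import re
from typing import Optional

# base64 prefix -> (type, magic bytes the decoded data must start with)
SIGNATURES = {
    "/9j/": ("jpeg", b"\xff\xd8\xff"),
    "iVBORw0KGgo": ("png", b"\x89PNG\r\n\x1a\n"),
    "R0lGOD": ("gif", b"GIF8"),
}
# A run of at least 16 base64 characters plus optional padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode(run: str) -> Optional[bytes]:
    """Strictly decode a base64 run, tolerating missing trailing padding."""
    padded = run + "=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def carve_images(text: str) -> list:
    """Return [{"offset", "type", "data"}] for every run that decodes to a known image."""
    found = []
    for m in _B64_RUN.finditer(text):
        run = m.group(0)
        for prefix, (kind, magic) in SIGNATURES.items():
            if run.startswith(prefix):
                data = _decode(run)
                if data and data.startswith(magic):
                    found.append({"offset": m.start(), "type": kind, "data": data})
                break
    return found


def sample_log() -> str:
    """Constructed log text: one JPEG thumbnail, one PNG, and a decoy base64 run."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    lines = [
        "2013-02-14 14:58:01 session opened",
        "thumb=" + base64.b64encode(jpeg).decode(),
        "note=" + "A" * 24,            # valid base64, but decodes to zeros: not an image
        "thumb=" + base64.b64encode(png).decode(),
        "2013-02-14 15:02:44 session closed",
    ]
    return "\n".join(lines)


def write_carved(hits: list, out_dir: str) -> list:
    """Write each carved image to out_dir, named by offset and type; return the paths."""
    import os
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for h in hits:
        path = os.path.join(out_dir, f"thumb_{h['offset']:08d}.{h['type']}")
        with open(path, "wb") as fh:
            fh.write(h["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    for hit in carve_images(sample_log()):
        print(f"offset {hit['offset']}: {hit['type']}, {len(hit['data'])} bytes")
```

To run it over a real network_user.log, read the file as text with errors="replace" (the log may contain non-UTF-8 bytes) and pass the string to carve_images(); the offsets it reports can then be used to look at the surrounding lines for whatever ID fields the log stores next to each thumbnail.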
novadonuk
(@novadonuk)
Junior Member

Hi Chris.

Yeah, checked for common headers and used Steven Bunting's post as a ref point. Looks like no thumbs.

The script would be very useful thanks.

Cheers. Ian.

Posted : 08/03/2013 2:07 pm