FORENSIC COMPUTER SERVICE

phone: 800-655-5245

INSTANT MESSENGER DATA

Adium 

This search will carve out Adium chats. Adium supports the following chat protocols:

  • Jabber (XMPP)
  • AIM
  • MSN
  • Yahoo
  • GTalk
  • Twitter
  • Facebook
  • IRC
  • ICQ
  • MySpace IM
  • LiveJournal
  • Lotus Sametime
  • StatusNet
  • Novell Groupwise
  • Gadu Gadu

AOL Instant Messenger (AIM) chat logs. The entire log is searched for, not individual messages.

 

Chatroulette Chat 

This search recovers the text chat messages left behind when chatting on Chatroulette. The user names and dates/times are not available to be recovered with this artifact.

 

 

GoogleTalk Chat Messages 

Messages sent or received using GoogleTalk® live chat within Gmail® webmail. Information found with the message can include the message ID, the Sender/Recipient email addresses, and the sender/recipient’s ID. Dates and times are not available to recover at this time. This search option may also recover chat left behind from other chat programs that utilize the ‘Jabber’ chat protocol (the sender/recipient ID will be your clue, containing an abbreviated name of the client used by that person). 

 

iChat 

iChat is a Mac-specific chat client that allows users to chat across iOS devices, as well as over other protocols such as Jabber and AIM. The software will attempt to recover chat messages, date/time stamps, participants and message sender from non-deleted chat logs.

 

ICQ 

This search will parse ICQ history records from the SQLite files ICQ7 uses to store its data. This includes the date/time, From user, the message, and whether the message was read or unread.


Mail.ru 

This search will recover chat messages left behind when using the Mail.ru chat client as well as web chat.



Messenger Plus Chat logs 

Messenger Plus!® is an add-on for Windows Live Messenger®/MSN Messenger® that adds a number of features to the chat program. The logs it creates are different from the traditional MSN/WLM chat logs, and it also provides an option to encrypt the chat logs. Encrypted chat logs cannot be recovered at this time, but some of the encrypted chat can be recovered in the MSN/WLM search as MSN protocol fragments.

 

 

mIRC Chat logs 

This search will recover mIRC® chat logs and other logs (e.g. connection logs) saved by mIRC®. Each session located with these log fragments is saved separately into text files.

 

 

MSN/Windows Live Messenger (AIM) Chat messages 

Chat messages sent/received using Windows Live Messenger®. Located messages are exported into text files for MSN protocol fragments or into a report file for regular chat log messages. MSN protocol fragments usually only include a line of chat and sometimes the sender’s email address, immediately prior to the message. 

 

 

Omegle Chat 

This search recovers text chat messages left behind when chatting on Omegle. The user names and dates/times are not available to be recovered with this artifact.

 

 

ooVoo 

This search will recover chat messages, contact list and phonebook left behind when using the ooVoo chat client.

 

 

Paltalk Chat 

This search recovers chat messages left behind by the Paltalk chat client. The user names and dates/times are not available to be recovered with this artifact.

 

 

Pidgin Chat 

This search recovers chat messages, account information, "buddy" information, and user created shortcuts left behind by the Pidgin chat client.

 

 

QQ Chat 

QQ chat is one of the most popular chat clients around the world, with over 750 million registered users. While the chat logs are encrypted, the software is capable of retrieving chat messages that are saved in RAM, pagefile.sys/hiberfil.sys, and unallocated clusters.

 

 

Second Life 

This search will carve and parse chat logs left behind by the online virtual world, Second Life. The entire logs are not needed (single records can be recovered), and the Second Life Viewer saves chat logs by default. The software will search the default log location (and carve in the pagefile, hiberfil, unallocated, etc.), but logs can be saved to a different folder (or turned off) by the user. Also note: the dates/times saved in the logs are in Pacific Standard Time (GMT -8) or Pacific Daylight Time, depending on the time of the year. The time zone used was called Second Life Time (SLT) in the past, but this naming was discarded as it caused too much confusion. Linden Lab is planning to move to UTC at some point, so this could change down the road.

 

 

Skype 

This search will parse Skype history records from the SQLite files Skype uses to store its data. This includes messages, group chat info, calls, accounts, contacts, file transfers, voicemails, and SMS messages. The software can also carve Skype messages from live RAM captures, unallocated space, etc., and does not need the entire SQLite file data to be present; the individual records are enough.

 

 

Trillian 

This search will carve and parse chat messages that have been sent or received via Trillian. These messages can include the date/time, From/To usernames, the chat network used (e.g. MSN, AIM, Facebook, etc), and the message itself. Details regarding file transfers are also recovered.

 

 

World of Warcraft

This search will carve and parse World of Warcraft live chat. This is the chat that can occur between users while playing World of Warcraft online. Messages could be public messages (seen by all users in a group) or private (sent from one user to another user only). Information recovered includes whether the message was public or private, the sender/recipient, the channel the message was sent in, player GUIDs, and the text of the message. Dates and times are not left behind in this artifact.

 

 

Yahoo Chat Messages 

Chat messages sent and received using Yahoo!® Messenger. These chat messages are logged in an encrypted format that requires the local username to decrypt the message. The username is usually the first half of the email address used to log in (e.g. if the log-in email address is jasonho@yahoo.com, then the username is jasonho). The software can, however, decrypt messages that have not been deleted without requiring a username. When searching unallocated space, memory dumps, etc., a number of false positives are unavoidable due to the format of these chat logs and because there is no way to determine whether a chat log was decrypted successfully. The software uses a number of validations to filter out these false positive hits, and now with v4 you can specify an acceptable time frame and the filtering strictness to further filter out false hits.

 

 

Non-Encrypted Yahoo Messenger Chat 

Non-encrypted chat messages left behind by Yahoo!® Messenger. These messages are artifacts from the actual Yahoo!® Messenger chat window. No username(s) are required to recover these messages. Messages of this type include the sending user name, the date/time (local time, not UTC), and the message itself. The recipient is not found in these fragments but can usually be ascertained by viewing the chat conversation.

 

 

Yahoo! Messenger Diagnostic Logs 

This search will recover the diagnostic logs saved by Yahoo! Messenger. These logs are created when a user attempts to report a problem with Yahoo! Messenger to Yahoo! Support by selecting the Help menu in Yahoo! Messenger and clicking “Report a Problem to Yahoo!”. They contain a wide variety of information including chat messages, user actions, files transferred, and more. A good number of these events have been tested and are parsed. There are some events that are not parsed at this time, but by checking the “Include unparsed entries” option in IEF, these events will still be included with some info being partially decoded.

 

 

Yahoo Messenger Group Chat Messages 

Messages sent or received in Yahoo!® Messenger Group chat rooms. Information found within these fragments can include the date/time, the username that sent the message, and the message itself. The name of the Yahoo! Messenger group that the message was sent within is not present in these artifacts for recovery.

 

 

Yahoo! Webmail Chat Messages 

Messages sent or received using the live webmail chat found in Yahoo!® Webmail. Information found with the message can include the Status number, the version number and vendor ID, the session ID, and the Sender/Recipient usernames. Dates and times are not available in this type of artifact to recover at this time.