Chat, email and internet artefacts

Introduction to Digital Forensics

One of the main areas of evidential interest is that of internet artefacts, which can be used to identify communication amongst individuals, prove who accessed a computer or show which websites they have viewed. Prior to the growth of internet usage this information, particularly communication such as email or chat, was often stored within locally installed programs (for example, a mail program). The databases and log files for these programs usually consisted of a known file format and information could easily be extracted from their known locations. Much of this activity has recently moved online, making recovery of such information more complicated.

This section details some of the considerations when looking for browser related artefacts, internet history and chat.

Web browsers

Google Chrome stores small screenshots of commonly visited websites, many of which can be recovered

When activity is conducted through an internet browser much of the information is stored in a local cache associated with the program. This is often subject to a high level of "churn", and is regularly deleted and overwritten. Other stored information can include internet history (i.e. which sites were visited) and bookmarks. The major browsers (Internet Explorer, Mozilla Firefox, Opera and Google Chrome) all store cache, history and bookmarks in different file formats.

Cached web pages

The web cache is often a wealth of information, containing stored copies of web pages the user has visited (often along with images on those pages). Different browsers can cache different types of data. Pretty much every modern offering will temporarily cache all text and images of visited sites, often for several weeks or longer. In addition most will "cache" entries into form fields (to provide auto-complete features).

The Google Chrome browser stores thumbnail images of visited websites, an unusual form of cached file that can have a lot of evidential value; it proves exactly what a computer user saw on their screen when viewing the site.

Cached files tend to be volatile: sometimes they are stored for lengthy periods of time, on other occasions they are deleted within hours, sometimes manually by the computer user. Luckily the web cache tends to contain a very large number of files, and it is usually possible to recover or search for all or parts of deleted material. This can be a "hit or miss" process; it is not always possible to recover entire deleted web pages, but keyword searches often turn up large portions of them.

Internet history

All browsers store some form of internet history by default (and users usually forget to turn this off), and the contents can have a large amount of evidential value, in particular because most browsers also store a timestamp with each entry, which is useful in constructing a timeline of any activity.

Each browser stores internet history in its own way. For example, Internet Explorer stores history in proprietary .dat files within each user's application data folder. Firefox stores data in a similar place, but in SQLite database form.

As with cache files, history tends to be subject to significant churn. Sometimes you might get lucky and find a full 6 months of history saved; other times you might end up with sporadic entries for just the last week. However, unlike cache files, history (at least Internet Explorer files) tends to be in a known format which can be searched for within the deleted disk space. Several freeware and commercial tools exist to run across evidence and extract internet history data from deleted space.
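The Firefox case above can be illustrated with an added example (not part of the original chapter): Firefox keeps history in places.sqlite, where each visit in moz_historyvisits carries a visit_date in microseconds since the Unix epoch (PRTime) and points at a URL row in moz_places. The script below builds a simplified copy of those two tables from constructed sample rows, then joins them into a timestamped timeline; the table layout is reduced to the columns the query needs.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows in the shape of the two Firefox history tables.
# moz_places: one row per URL; moz_historyvisits: one row per visit, with
# visit_date in microseconds since 1970-01-01 UTC (PRTime).
SAMPLE_PLACES = [
    (1, "http://example.com/", "Example Domain"),
    (2, "http://www.wikibooks.org/", "Wikibooks"),
]
SAMPLE_VISITS = [
    # (id, from_visit, place_id, visit_date, visit_type)
    (1, 0, 1, 1299000000000000, 1),  # 2011-03-01 17:20:00 UTC, followed link
    (2, 1, 2, 1299000060000000, 5),  # one minute later, via a permanent redirect
    (3, 0, 1, 1299086400000000, 2),  # next day, URL typed by the user
]

# Firefox visit_type values (TRANSITION_* constants in the Places code).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect-permanent", 6: "redirect-temporary", 7: "download"}

def build_history_db(path=":memory:"):
    """Create a simplified places.sqlite populated with the constructed sample data."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?)", SAMPLE_PLACES)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", SAMPLE_VISITS)
    con.commit()
    return con

def prtime_to_iso(microseconds):
    """Convert a PRTime value (microseconds since the Unix epoch) to a UTC string."""
    dt = datetime.fromtimestamp(microseconds // 1_000_000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")

def history_timeline(con):
    """Return (timestamp, url, title, visit type) tuples in chronological order."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(prtime_to_iso(ts), url, title, VISIT_TYPES.get(vt, f"unknown({vt})"))
            for ts, url, title, vt in rows]

if __name__ == "__main__":
    for entry in history_timeline(build_history_db()):
        print(*entry, sep="  ")
```

To run the same query against a real profile, work on a copy of places.sqlite and open it read-only, e.g. `history_timeline(sqlite3.connect("file:places.sqlite?mode=ro", uri=True))`.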

Chat

Internet chat is ubiquitous amongst computer users, particularly the younger generation. The evidential value of such communication is huge because it can help to prove the intent of any actions. Apart from confessions to others the most common uses of chat in relation to crime are:

  • Grooming minors
  • Organising criminal activities
  • Harassment/Cyberstalking

In previous years MSN Live Messenger was the foremost chat program in use; more recently this has been replaced by Facebook Live Chat. A distant third, today at least, is Yahoo chat. Recovering chat transcripts, particularly from MSN, is a hit and miss endeavour. Often they are not stored for any length of time (if at all).

Outside of actual transcripts, chat programs store other logs that may be of use. Status updates, for example, can help to prove when the computer was online. And most chat programs store readable contact lists.

MSN Live Messenger

MSN does not store chat logs by default; however, a reasonable number of users do turn on the feature. There is an add-on called Messenger Plus which is often installed and which does log communications to HTML files. Both the program itself and Messenger Plus create logs in known locations, with specific headers, and these can often be recovered if deleted. However, with no logging turned on it is uncommon to recover MSN chat.

Facebook Live Chat

Facebook Chat works entirely through the web browser, on the Facebook website. Whilst there is no actual local logging, chat messages sent and received by the browser are usually cached for a reasonable length of time. The messages are also transmitted in a very specific format which is easily searched for in deleted space.

Most computers today have at least some cached Facebook chat messages to recover!

Email

Last modified on 2 March 2011, at 16:43