Methodology

Forensic Investigation of Instant Messenger Histories

First published July 2009

by Belkasoft
http://www.belkasoft.com

What is an Instant Messenger?

According to Wikipedia, “instant messaging (IM) is a form of real-time communication between two or more people based on typed text. The text is conveyed via devices connected over a network such as the Internet”.

Nowadays, Instant Messengers are widely used not only by teenagers, but by people of any age and computer skills. Instant messengers are very convenient when you want real-time conversation, but cannot or do not want to call using the phone or Skype. Many IMs store conversation history; therefore, given that instant messengers are widely used, history investigation is of keen interest for forensic professionals.

Which IMs are the most popular?

If you ask the average computer user (well, we all know that average people do not exist), he or she is likely to give you a list like this: AIM, Skype, Yahoo! Messenger, ICQ, MSN (now known as Live Messenger). This is a good list to start with. However, the most preferred instant messenger varies from country to country. For example, ICQ is very popular in Germany and Russia, while AIM is used mostly in the United States. The most interesting thing, however, is that there is a messenger which is hardly known to average users but has the largest audience in the world: the QQ messenger, which is extremely popular in China and has a total of over a billion user accounts. A few other widely used instant messengers are Miranda, QIP, SIM, MySpace IM, Digsby, Google Hello, Trillian, Jabber and Meebo. Wikipedia maintains a comparison of many more IM clients.

The problem with IM investigation now becomes obvious: there are simply too many of them. All of them store their information in different places, and a forensic investigator should know all those places: the Registry, AppData folders, Program Files, Documents and Settings (which may be spelled in another language) and so on. Moreover, the suspect may move his history to a folder other than the default one, so that it cannot be found in those well-known places. Forensic investigators who do not have a special tool at their disposal will spend an enormous amount of time merely searching for messenger histories. What is more, after extracting messages, forensic investigators are expected to produce a readable report of chat contents, which can also be a problem.

Let us look in greater detail at the difficulties involved in investigating instant messenger histories. First of all, many messengers have an unreadable or hardly readable format. Some IMs (e.g. Digsby and AIM) store messages in the good old HTML format; others even use plain text (e.g. QIP). However, most instant messengers ‘pretend’ to be secure. For example, an older ICQ used to keep messages in binary .dat files, in which fragments of text were still readable. What was hard to figure out was who sent the message, who it was sent to, and at what time. The same is true for Skype: you can read chat message texts, and you even know who participated in the chat, but you cannot figure out whether a given message was sent or received, or when.

Time – an important issue

Every messenger has its own way of indicating time. Some IMs store local time; others use UTC. ICQ, for example, uses a very strange time shift (here is a quotation from the Miranda source code: “Only God and Mirabilis knows why”). Finally, Skype wants 5 bytes to store a message time!
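As an added illustration of the time problem (this is not Belkasoft's code, and the records in it are constructed), the following Python puts timestamps from three notional sources onto one UTC timeline. Two assumptions are not stated in this article: Skype's five-byte time is modelled as a little-endian base-128 varint, which is one encoding that needs five bytes for a 32-bit Unix time above 2^28; and the local-time offset of the examined machine (UTC+3 here) is supplied explicitly rather than taken from the analyst's own clock.

```python
"""Putting messenger timestamps onto one UTC timeline.

Added example for this article; it is not Belkasoft code and the records are
constructed here.  Two assumptions that the article does not state:
  * the "5 bytes" Skype needs for a message time are illustrated with a
    little-endian base-128 varint (7 data bits per byte, high bit set when
    another byte follows): a 32-bit Unix time above 2**28 takes five bytes;
  * messengers that write local wall-clock time are converted with the UTC
    offset of the machine under examination, passed in explicitly, never
    taken from the analyst's own clock.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone


def decode_varint(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode one base-128 varint starting at `offset`.

    Returns (value, bytes_consumed).  Refuses to read past five bytes, which
    is the longest encoding a 32-bit value can have.
    """
    value = 0
    for i in range(5):
        pos = offset + i
        if pos >= len(data):
            raise ValueError("truncated varint at offset %d" % offset)
        b = data[pos]
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:          # high bit clear: this was the last byte
            return value, i + 1
    raise ValueError("varint longer than 5 bytes at offset %d" % offset)


def encode_varint(value: int) -> bytes:
    """Inverse of decode_varint; used here only to build the sample record."""
    if value < 0:
        raise ValueError("varint cannot be negative")
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def epoch_to_utc(seconds: int) -> datetime:
    """Unix seconds (always UTC-based) to an aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def local_to_utc(wall_clock: str, utc_offset_minutes: int) -> datetime:
    """'YYYY-MM-DD HH:MM:SS' written in the suspect machine's local time."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    naive = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def build_timeline(records, utc_offset_minutes: int):
    """records: (source, raw_time, text) where raw_time is bytes (varint epoch),
    int (epoch seconds) or str (local wall clock).  Returns (utc, source, text)
    tuples sorted by true time."""
    out = []
    for source, raw, text in records:
        if isinstance(raw, bytes):
            secs, _ = decode_varint(raw)
            when = epoch_to_utc(secs)
        elif isinstance(raw, int):
            when = epoch_to_utc(raw)
        else:
            when = local_to_utc(raw, utc_offset_minutes)
        out.append((when, source, text))
    out.sort()
    return out


# Constructed sample records (not real history data).
T0 = 1246406400                                  # 2009-07-01 00:00:00 UTC
SAMPLE_VARINT_TIME = encode_varint(T0)           # five bytes for this value
SAMPLE_RECORDS = [
    ("skype", SAMPLE_VARINT_TIME, "varint-encoded epoch"),
    ("qip", "2009-07-01 02:30:00", "local wall clock, looks later than it is"),
    ("icq", T0 - 400, "plain epoch seconds"),
]

if __name__ == "__main__":
    # Machine under examination assumed to have been at UTC+3 (an assumption).
    for when, source, text in build_timeline(SAMPLE_RECORDS, 180):
        print(when.isoformat(), source, text)
```

The point of the sample is the ordering: the QIP message whose wall clock reads 02:30 on 1 July actually precedes the Skype message stamped midnight UTC, because the examined machine was at UTC+3. Normalise first, sort second, and record in the report which offset you assumed for each local-time source.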

History format

Messengers evolve and naturally change the way they store histories. Skype, for example, has had two history formats. The record breaker here is obviously ICQ with at least 5 known history formats. Therefore, a helpful tool for forensic investigation should support every format that has ever existed.

Storage

We keep receiving the question: Can your software retrieve messages if I did not set the option to store the history? That is a funny question! Our software is not a magic wand. Where can it get history if it has not been stored? Some people believe it is possible to go to some central server and take history from there. Unfortunately, this is not technically possible. What is more, it would be illegal to do something like that. So, if the history has not been saved, the war is lost. There is one interesting exception, though. An older ICQ version (2003b) had a bug, and the program was still storing outgoing messages, even if you had set history saving off. As a result, half of the history was still available to read. However, it is the only known bug, and all other messengers keep their promise not to store history if this option is switched off.

A question that inevitably arises is whether or not it is possible to deal with messengers that do not store histories. AIM, for instance, does not store its history by default. The only way to get access to its conversations is to use special software called a ‘sniffer’, which intercepts network packets in real time. However, there are two major difficulties. First, because the software works in real time, it has to be installed before the chat between suspects takes place. Second, the sniffer has to be on the same local network as the suspect (behind the same hub or the same switch). All that is hard to arrange, isn’t it?

Is IM analysis worthwhile?

Another frequently asked question is this: “Guys, do you really believe such a tool is of any use? If I were a criminal, I would definitely switch messenger history off or delete it afterwards”. We can respond with a question of our own: “Do you think fingerprint analysis is of any use? If I were a criminal, I would definitely wipe off all my fingerprints at the crime scene (or just use gloves)”. The logic is the same, and we know that fingerprint analysis is widely used in forensic investigation. The same is true for IM history: some people are aware of chat recording, others are not; some may forget to delete the history or be in a hurry; others may delete their history, but not permanently, and a recovery tool is able to recover the history files. Thus, there are obviously a lot of cases in which there ARE histories available.
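The last point, that a deleted history is often still on the disk, is what file carving relies on. The Python below is an added example, not Belkasoft's code: the disk ‘image’ is constructed in memory, and the HTML start and end tags are used as the only signature, which suits the HTML logs the article attributes to AIM and Digsby but ignores fragmentation and any other format.

```python
"""Carving deleted HTML chat logs out of unallocated space by header and footer.

Added example, not Belkasoft code.  The 'image' is built in memory: two small
HTML logs (the format the article says AIM and Digsby use) surrounded by
filler, one of them standing in for a log whose directory entry is gone but
whose bytes were never overwritten, plus a truncated log to show what is not
carved.  A real run works over the unallocated clusters of a forensic image
and must deal with fragmentation, which this example does not handle.
"""
import hashlib

HEADER = b"<html"
FOOTER = b"</html>"


def carve_html(image: bytes, max_size: int = 1 << 20):
    """Return (offset, data, sha256) for every header..footer span found.

    Tag matching is case-insensitive; a header with no footer within
    max_size bytes is skipped rather than swallowing the rest of the image.
    The hash is recorded so each carved fragment can be cited in a report.
    """
    low = image.lower()                      # ASCII-only lowercase, same offsets
    found = []
    pos = 0
    while True:
        start = low.find(HEADER, pos)
        if start < 0:
            break
        end = low.find(FOOTER, start, start + max_size)
        if end < 0:
            pos = start + 1                  # unterminated: try the next header
            continue
        end += len(FOOTER)
        chunk = image[start:end]
        found.append((start, chunk, hashlib.sha256(chunk).hexdigest()))
        pos = end
    return found


# Constructed sample image (not a real disk).
LOG_A = b"<html><body><p>alice: hi</p></body></html>"
LOG_B = b"<HTML><BODY><p>bob: this log was 'deleted'</p></BODY></HTML>"
IMAGE = (b"\x00" * 512 + LOG_A + b"\xff" * 300 + b"junk bytes"
         + LOG_B + b"\x00" * 100 + b"<html><body>truncated, no footer")

if __name__ == "__main__":
    for offset, data, digest in carve_html(IMAGE):
        print("offset %d  len %d  sha256 %s" % (offset, len(data), digest))
```

Both logs come back with their image offsets even though nothing points at them any more; the trailing fragment without a closing tag is deliberately left alone, because a carver that takes "header to end of image" produces unusable multi-megabyte blobs.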

What must a forensic investigator know about instant messengers?

The following is some helpful information about some of the most common instant messengers.

1. AIM has good and bad things about it at the same time. The good thing is that it stores history in the readable HTML format. The bad thing is that it does not store history by default. Since it is very popular in the USA, that is a pity.

2. Skype is now the leading software for making calls. Many people prefer Skype to ordinary and mobile phones. Personally, I sometimes prefer a paid call via Skype to a free phone call when I am at home. Why? Using the ordinary phone means getting up and going to another room! Skype also supports chats, although they are extremely unreliable, and messages are sometimes delivered days after they were sent. Chats are stored in dbb files in a readable format, but without a good indication of whether a given message was sent or received, or when. What is good about Skype is that the message history is stored by default.

3. Yahoo! Messenger stores messages in encrypted files, which may frighten you a little. Do not despair: this is just XOR with the profile owner’s account name as the key!

4. ICQ developers are very peculiar guys. They have tried every way of storing messages: binary format one, binary format two, and XML. Now it is an Access database, and MySQL and SQL Server Express are expected in the next versions! The ICQ 6 format is very easy to investigate because it can be opened and read directly in Microsoft Access. The same is true for XML. Binary formats, on the other hand, require special tools. Interestingly enough, some people still use old ICQ versions (ICQ 2003b), so those tools are still useful. In some rare cases, you may come across a very old history (sometimes even one made by the ICQ 1997 version). Very few tools support this ICQ version.

5. QQ messenger is probably the worst for investigators to deal with. It stores history in OLE containers, which can be viewed with DocFile Viewer, but the data inside is encrypted with the Blowfish algorithm! It sounds formidable, doesn’t it? We have good news: the decryption key is the QQ owner’s account number. Although QQ allows encrypting with a custom key, only a limited number of people use this stronger protective option.

6. Miranda utilizes a binary format. Since it is an open-source project, there are a lot of tools for extracting its history.

7. SIM, MSN, Trillian, QIP, MySpace IM and Digsby have very simple formats: plain text, XML or HTML. However, you still need a tool which can gather messages into one report, search for something in particular, filter by particular contacts or dates, and so on.

8. Google Hello is an interesting messenger used especially for exchanging pictures. As a forensic professional, you are interested not only in texts, but also in pictures sent or received. Fortunately, the history contains a preview (thumbnail) of each picture, so it is available even if the suspect deleted the full-size picture. The Google Hello history format is binary.

9. &RQ messenger is not very popular now. However, it was probably the first messenger which had all conversations (active chats) in one window. It also has some other handy features, which is why it was more or less popular several years ago. The history format is binary.
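Item 3 above says that Yahoo! Messenger’s ‘encryption’ is XOR with the account name. The Python below is an added example, not Belkasoft’s code and not a parser for Yahoo!’s file layout: the blob is constructed from a made-up message and a made-up account name, and real history files also carry per-record framing (lengths, timestamps, direction) that it does not model. It shows the cipher step and, since the candidate account names normally come from the profile names found on the disk, how to tell a right key from a wrong one.

```python
"""Undoing the XOR 'encryption' the article describes for Yahoo! Messenger
history: the key is the profile owner's account name, repeated over the data.

Added example, not Belkasoft code.  The ciphertext below is constructed by
XORing a made-up message with a made-up account name; real Yahoo! history
files also carry per-record framing (lengths, timestamps, direction) that
this example does not model, so it shows the cipher step only.
"""


def xor_with_key(data: bytes, key: str) -> bytes:
    """Repeating-key XOR.  XOR is its own inverse, so this both 'encrypts' and
    decrypts; an empty key would be a no-op and is rejected."""
    if not key:
        raise ValueError("empty key")
    k = key.encode("ascii")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


# Tiny word list used to judge whether a candidate key produced real text.
COMMON_WORDS = {"the", "me", "you", "at", "in", "on", "and", "to", "meet",
                "see", "call", "station", "tomorrow", "ok", "hi"}


def english_score(data: bytes) -> float:
    """Fraction of whitespace-separated tokens that are common English words.

    A 'printable ASCII' test is not good enough here: XORing lowercase text
    with two lowercase keys lands back in the 0x60-0x7F range, so a wrong
    account name can still look printable.  Word hits do not survive that.
    """
    tokens = data.decode("latin-1").lower().split()
    if not tokens:
        return 0.0
    hits = sum(1 for t in tokens if t.strip(".,!?") in COMMON_WORDS)
    return hits / len(tokens)


def recover_message(blob: bytes, candidate_accounts, threshold: float = 0.5):
    """Try each candidate account name (in practice: profile names found on
    the disk) and return (account, plaintext) for the best-scoring one, or
    (None, None) if nothing clears the threshold."""
    best = (0.0, None, None)
    for account in candidate_accounts:
        plain = xor_with_key(blob, account)
        score = english_score(plain)
        if score > best[0]:
            best = (score, account, plain)
    score, account, plain = best
    if account is None or score < threshold:
        return None, None
    return account, plain.decode("latin-1")


# Constructed sample: a made-up message under a made-up account name.
ACCOUNT = "alice_1984"
PLAINTEXT = b"meet me at the station at 9"
SAMPLE_BLOB = xor_with_key(PLAINTEXT, ACCOUNT)

if __name__ == "__main__":
    print(recover_message(SAMPLE_BLOB, ["bob", ACCOUNT]))
```

The word-based check matters more than it looks: with the wrong account name the output is still mostly in the ASCII range, so ‘does it print’ is not a reliable sign that the key was right. A scheme whose key is sitting in a folder name next to the data is obfuscation, not encryption, which is the article’s point.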


Belkasoft’s Forensic IM Analyzer is a powerful tool for investigating Instant Messengers histories. Full details available at the Belkasoft website.
