Uncovering the Covered Tracks: Finding What's Left Behind

Home , Kik Messenger, Windows Live Messenger

Uncovering the Covered Tracks: Finding What’s Left Behind

JAD SALIBA – FOUNDER & CTO Background

• Teenage geek - IT/Software industry

• Police officer for 7 years

• Worked in Tech Crime Unit

• Started JADsoftware (now Magnet Forensics) as a part-time side project – now a team of developers

Overview

• Recovering artifacts from multiple devices: • PCs: • Skype • Facebook • Google Maps • Mobile: • Kik Messenger • Facebook • Snapchat • Chromebooks: • Getting to unencrypted data • Using timelines to find out what happened • Tools that can help PC Artifacts Skype

• Voice over IP service (with video and text chat options) • Started in 2003 • Over 633 million registered users • 65 million people sign in to Skype every day • 700 million minutes spent in Skype-to-Skype calls every day

• Microsoft has retired Windows Live Messenger in favor of its Skype service, although Messenger will continue in mainland China. Microsoft began the transition for all users on April 8, 2013. Skype Skype Skype – “chatsync” IP Addresses Skype

• main.db file – SQLite database • Contains majority of interesting data • Account info, Calls, Contacts, Messages, SMS messages, Video session info, Voicemail info Skype Skype

(“POSTED_TEXT”) Skype

(“Sent”) Skype

Sender username / display name Skype

Date/time (Unix time, in UTC) Skype

• Voicemails require a premium account • Only get saved to this folder after being played • Filename can be found in the Voicemails table in the main.db file - filename contains the date/time • Audio is in a proprietary Skype format • BUT – there is a way! Facebook

• Leading social networking site • Started in 2004 • Over 950 million Facebook users worldwide (Source: Facebook) • 500 million people log onto Facebook daily (Source: The Social Skinny 2012) • There are 83 million fake profiles. (Source: CNN) • Photo uploads total 300 million per day (Source: Gizmodo)

Facebook Chat

• Not like the good o’l days • Still left behind, but mainly in live RAM, pagefile, hibernation file • Multiple formats • Live chat and messages essentially the same

Facebook Chat

{\"msg\":{\"text\":\"lol i love facebook, it's so awesome. chatting is fun!!\"},\"from\":1000000555,\" to\":1100000066,\"time\":1257 370809956,\"type\":\"msg\"} More chat:

{"tid":"mid.1368112514305:d61a480cfa3a140d91","href":"\/me ssages\/read\/?tid=mid.1368112514305\u00253Ad61a480cfa3 a140d91","author_fbid":100004396603890,"author_name": "Wendy Manford","thread_name":“Bourne","snippet":"Hey have you seen the new...","message":"Hey have you seen the new Bourne movie?","time":"Just now","image":{"__html": "\u003Cimg src=\"https:\/\/fbcdn-profile- a.akamaihd.net\/hprofile-ak- ash1\/t5\/s43x43\/211578_100004396603890_405447609_q.j pg\" alt=\“Wendy Manford\" class=\"img profpic\" height=\"43\" width=\"43\" \/> Wall post: fbid":"646173788763494","legacyid":"646173788763 494","body":{"text":"can see y dem would a call afta u...... ","ranges":[],"aggregatedranges":[],"hasTranslat ableContent":true},"author":"100001790397816","ften tidentifier":"646151518765721","likecount":0,"hasvie werliked":false,"canremove":false,"canreport":true,"ca nedit":false,"source":1,"istranslatable":false,"timesta mp":{"time":1396761880,"text":"April 6 at 2:24am" Facebook – Decoding photo URLs

Recovered photo view URL:

https: //www.facebook.com/photo.php?fbid= 201526933901245715&set=at.10150672801465915.4 48027.507140714.552175374.1221785571&type=1& theater Facebook – Decoding photo URLs