digital investigation 4 (2007) 138–145
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/diin
Forensic artefacts left by Pidgin Messenger 2.0
Wouter S. van Dongen
Fox-IT Forensic IT Experts, Olof Palmestraat 6, 2616 LM Delft, The Netherlands

Article history: Received 23 July 2007; Revised 23 November 2007; Accepted 21 January 2008

Keywords: Pidgin; Gaim; Instant messenger; Internet chat; Linux messenger; MSN; ICQ; Yahoo!; IRC

Abstract

Pidgin, formerly known as Gaim, is a multi-protocol instant messaging (IM) client that supports communication on most of the popular IM networks. Pidgin is chiefly popular under Linux, and is available for Windows, BSD and other UNIX versions. This article presents a number of traces that are left behind after the use of Pidgin on Linux, enabling digital investigators to search for and interpret instant messaging activities, including online conversations and file transfers. Specifically, the contents and structures of user settings, log files, contact files and the swap partition are discussed. In addition to looking for such information in active files on a computer, forensic examiners can recover deleted items by searching a hard drive for file signatures and known file structures detailed in this article.

© 2008 Elsevier Ltd. All rights reserved.
1. Introduction

This article is a continuation of the series of articles dealing with artefacts left by popular instant messaging clients. Previous articles in this series covered MSN (Dickson, 2006a), Yahoo (Dickson, 2006b), AOL (Dickson, 2006c), Trillian (Dickson, 2007), and Windows Live Messenger (van Dongen, 2007). One popular instant messaging client that has not been described yet in this series is Pidgin.

Pidgin is a multi-protocol instant messaging client available for Windows, Linux, BSD, and other UNIX versions. Pidgin is included in most Linux distributions by default and is therefore particularly popular among Linux users. Pidgin was originally known as GTK+ AOL Instant Messenger but, after AOL complained about the use of their name, the project was renamed to Gaim. AOL then trademarked the acronym ‘AIM’ of their popular instant messaging client AOL Instant Messenger, which eventually led to a final series of name changes: Gaim would become Pidgin, libgaim would become libpurple, and gaim-text would become finch. The name Pidgin was chosen as a reference to the term ‘Pidgin’, which describes communication between people who do not share a common language. The name ‘purple’ refers to ‘prpl’, the internal libgaim name for an instant messaging protocol (Wikipedia.org, 2007).

Pidgin users can simultaneously log on to different IM networks. This means, for example, that it is possible to communicate with contacts on AOL Instant Messenger, MSN Messenger and ICQ at the same time. Pidgin is compatible with the following protocols: AIM, Bonjour, Gadu-Gadu, Groupwise, ICQ, IRC, Jabber, MSN, QQ, SIMPLE, Sametime, XMPP, Yahoo! and Zephyr.

Pidgin supports the basic functionalities of these IM networks, such as file transfers, display pictures, messages with emotions and notification when a contact is typing a message. Audio and video functionality is not currently supported in Pidgin.

This article explains several traces that are left behind after using Pidgin 2.0 on Linux. The most popular protocols were examined: MSN, ICQ, IRC and Yahoo!. Although this article focuses on Linux, the same artefacts can be found on Windows systems.

This paper first outlines the research methodology used, and then describes the results in eight sections. Section 3.1

2. Methodology

The Pidgin examination was conducted on Linux Ubuntu 6.10, and the observed traces were also confirmed in Linux Fedora 7 and Linux Ubuntu 7.04. In preparation for the actual research, Pidgin was installed

that were associated with findings were carefully checked by using the following evaluation questions:

Are all the experiments which are carried out relevant for the conclusion?
Have sufficient experiments been carried out in order to give a well-founded conclusion?
Are there any counter examples?

3. Results

3.1. Which accounts are used?

A question that generally arises in investigations involving instant messaging communications is which accounts were used on the subject computer system. There are four ways to determine which accounts are used by Pidgin. The first and most evident way is to check the file ‘accounts.xml’. All IM accounts used by Pidgin are stored in the file named ‘accounts.xml’ in the directory ‘/home/

Footer of ‘accounts.xml’ file:

Each account is stored within an

E-mail address: [email protected]
1742-2876/$ – see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2008.01.002