
digital investigation 4 (2007) 138–145

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/diin

Forensic artefacts left by Pidgin Messenger 2.0

Wouter S. van Dongen

Fox-IT Forensic IT Experts, Olof Palmestraat 6, 2616 LM Delft, The Netherlands

Article info

Article history: Received 23 July 2007; Revised 23 November 2007; Accepted 21 January 2008

Keywords: Pidgin, Gaim, Instant messenger, Internet chat, Linux messenger, MSN, ICQ, Yahoo!, IRC

Abstract

Pidgin, formerly known as Gaim, is a multi-protocol instant messaging (IM) client that supports communication on most of the popular IM networks. Pidgin is chiefly popular under Linux, and is available for Windows, BSD and other UNIX versions. This article presents a number of traces that are left behind after the use of Pidgin on Linux, enabling digital investigators to search for and interpret instant messaging activities, including online conversations and file transfers. Specifically, the contents and structures of user settings, log files, contact files and the swap partition are discussed. In addition to looking for such information in active files on a computer, forensic examiners can recover deleted items by searching a hard drive for file signatures and known file structures detailed in this article.

© 2008 Elsevier Ltd. All rights reserved.

E-mail address: [email protected]
1742-2876/$ – see front matter © 2008 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2008.01.002

1. Introduction

This article is a continuation of the series of articles dealing with artefacts left by popular instant messaging clients. Previous articles in this series covered MSN (Dickson, 2006a), Yahoo (Dickson, 2006b), AOL (Dickson, 2006c), and the clients examined by Dickson (2007) and van Dongen (2007). One popular instant messaging client that has not been described yet in this series is Pidgin.

Pidgin is a multi-protocol instant messaging client available for Windows, Linux, BSD, and other UNIX versions. Pidgin is included in most Linux distributions by default and is therefore particularly popular among Linux users. Pidgin was originally known as GTK+ AOL Instant Messenger but, after AOL complained about the use of their name, the project was renamed to Gaim. AOL then trademarked the acronym 'AIM' of their popular instant messaging client AOL Instant Messenger, which eventually led to a final series of name changes: Gaim would become Pidgin, libgaim would become libpurple, and gaim-text would become finch. The name Pidgin was chosen as a reference to the term 'pidgin', which describes communication between people who do not share a common language. The name 'purple' refers to 'prpl', the internal libgaim name for an instant messaging protocol (.org, 2007).

Pidgin users can simultaneously log on to different IM networks. This means, for example, that it is possible to communicate with contacts on AOL Instant Messenger, MSN Messenger and ICQ at the same time. Pidgin is compatible with the following protocols:

AIM
Gadu-Gadu
Groupwise
ICQ
IRC
Jabber
MSN
QQ
SIMPLE
Sametime
XMPP
Yahoo!

Pidgin supports the basic functionalities of these IM networks, such as file transfers, display pictures, with emotions and notification when a contact is typing a message. Audio and video functionality is not currently supported in Pidgin.

This article explains several traces that are left behind after using Pidgin 2.0 on Linux. The most popular protocols were examined: MSN, ICQ, IRC and Yahoo!. Although this article focuses on Linux, the same artefacts can be found on Windows systems.

This paper first outlines the research methodology used, and then describes the results in eight sections. Section 3.1 starts with the artefacts that identify the instant messaging accounts used on the computer. Section 3.2 shows where the contact files of Pidgin can be found and what useful information they contain. Section 3.3 'Preferences and user settings' details the preferences and settings that can be found in Pidgin. Section 3.4 'Conversation content' explains how conversation content can be found on the hard disk. Logging is explained in Section 3.5 and is followed by Section 3.6 about transmitted files. The result of de-installation of Pidgin is explained in Section 3.7. Finally, a quick reference regarding Pidgin on Windows is provided, and the article concludes with a summary of results.

2. Methodology

The Pidgin examination was conducted on Linux Ubuntu 6.10, and the observed traces were also confirmed in Linux Fedora 7 and Linux Ubuntu 7.04.

In preparation for the actual research, Pidgin was installed and configured with all of its functionalities. Using these functionalities, test scenarios were created in VMware (virtual machines, available from http://www.vmware.com). Forensic images were created and analyzed with AccessData Forensic Toolkit (available from http://www.accessdata.com) version 1.62.1. Each scenario was conducted on a clean copy of a VMware image. Furthermore, a live analysis of the VMware images was performed while the system was in use, with the GNU Project Debugger (available from http://sourceware.org/gdb/), strace (available from http://sourceforge.net/projects/strace/) and Pidgin's internal debug function to monitor file and system activity, WinHex (available from http://www.x-ways.net) for the examination of the virtual memory and files, and Wireshark (available from http://www.wireshark.org) to monitor TCP/IP traffic.

Before analyzing the test scenarios, the 'basic' scenarios, installation and first login attempt, were investigated. After analyzing all the test scenarios, the result of the de-installation of Pidgin was examined. The plausibility of all the conclusions that were associated with findings was carefully checked using the following evaluation questions:

Are all the experiments which are carried out relevant for the conclusion?
Have sufficient experiments been carried out in order to give a well-founded conclusion?
Are there any counter examples?

3. Results

3.1. Which accounts are used?

A question that generally arises in investigations involving instant messaging communications is which accounts were used on the subject computer system. There are four ways to determine which accounts are used by Pidgin. The first and most evident way is to check the file 'accounts.xml'. All IM accounts used by Pidgin are stored in the file named 'accounts.xml' in the directory '/home/<user>/.purple/'. The 'accounts.xml' configuration file is updated instantly when the user edits or removes an account; therefore no traces of removed accounts can be found in this file. The standard header and footer of the 'accounts.xml' file are shown below and can be used to salvage the file from free space and slack space after it is removed.

Header of 'accounts.xml' file:

<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>

Footer of 'accounts.xml' file:

</account>

Each account is stored within an <account> tag. Within this tag an account can be identified by the tags <protocol>, <name>, and <password>. The <protocol> tag describes the protocol of the IM network, the <name> tag holds the account, followed by the <password> tag, which holds the password of the account in plain text if the user has configured Pidgin to remember the password. Note that the <password> element is only written when the password is remembered; for an account without a stored password it is absent. An example of this information for an ICQ account is provided here:

<account>
	<protocol>prpl-icq</protocol>
	<name>392207942</name>
	<password>123456</password>
</account>
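The following is an added example and not code from the article: a Python script that parses the 'accounts.xml' structure described in this section and carves the file out of raw disk data (free or slack space) using the header and footer signatures given above. It assumes the layout stated here (a root <account> element containing one <account> element per IM account, with <protocol>, <name> and optional <password> children). The byte strings it operates on are constructed for the example; the ICQ number and password mirror the article's own sample account.

```python
"""Added example (not from the article): parse Pidgin's accounts.xml and carve
it out of raw disk data by its header/footer signatures.

Assumption: the file layout described in Section 3.1 (a root <account>
element holding one <account> per IM account with <protocol>, <name> and an
optional <password> child). All sample bytes below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Signatures used to salvage accounts.xml from unallocated or slack space.
ACCOUNTS_HEADER = b"<?xml version='1.0' encoding='UTF-8' ?>"
ACCOUNTS_FOOTER = b"</account>"  # closes the root element (and each inner account)

# Constructed sample: one ICQ account with a remembered password and one MSN
# account without, as Pidgin writes them.
SAMPLE_ACCOUNTS_XML = (
    b"<?xml version='1.0' encoding='UTF-8' ?>\n"
    b"<account version='1.0'>\n"
    b"\t<account>\n"
    b"\t\t<protocol>prpl-icq</protocol>\n"
    b"\t\t<name>392207942</name>\n"
    b"\t\t<password>123456</password>\n"
    b"\t</account>\n"
    b"\t<account>\n"
    b"\t\t<protocol>prpl-msn</protocol>\n"
    b"\t\t<name>someone@example.com</name>\n"
    b"\t</account>\n"
    b"</account>\n"
)

# Constructed free-space blob: unrelated bytes before and after a deleted copy
# of the file, as an investigator would see it in a raw image.
SAMPLE_FREE_SPACE = b"\x00" * 64 + b"unrelated slack" + SAMPLE_ACCOUNTS_XML + b"\xff" * 32


def parse_accounts(xml_bytes):
    """Return a list of (protocol, name, password) for each <account> child.

    password is None when Pidgin was not configured to remember it, because
    no <password> element is written in that case.
    """
    root = ET.fromstring(xml_bytes)
    accounts = []
    for acct in root.findall("account"):
        accounts.append((
            acct.findtext("protocol"),
            acct.findtext("name"),
            acct.findtext("password"),  # None if the element is absent
        ))
    return accounts


def carve_accounts_xml(blob):
    """Return every well-formed accounts.xml found in a raw byte blob.

    A candidate starts at the XML header. Since inner <account> elements close
    with the same tag as the root, the candidate is extended footer by footer
    until it parses as complete XML; that is where the root really ends.
    """
    found = []
    for match in re.finditer(re.escape(ACCOUNTS_HEADER), blob):
        start = match.start()
        pos = start
        while True:
            end = blob.find(ACCOUNTS_FOOTER, pos)
            if end == -1:
                break  # ran out of footers: truncated or overwritten copy
            end += len(ACCOUNTS_FOOTER)
            candidate = blob[start:end]
            try:
                ET.fromstring(candidate)
            except ET.ParseError:
                pos = end  # that was an inner </account>; keep extending
                continue
            found.append(candidate)
            break
    return found


def carve_and_parse(blob):
    """Carve every accounts.xml copy from blob and flatten the accounts found."""
    accounts = []
    for candidate in carve_accounts_xml(blob):
        accounts.extend(parse_accounts(candidate))
    return accounts


if __name__ == "__main__":
    for protocol, name, password in carve_and_parse(SAMPLE_FREE_SPACE):
        state = "password stored in plain text" if password else "no stored password"
        print(f"{protocol:10} {name:25} {state}")
```

Running the script against a real image means feeding the raw bytes of the unallocated area (or a whole partition image) to carve_and_parse instead of SAMPLE_FREE_SPACE; the parser-driven extension step matters because a naive "header to first footer" carve would stop at the first inner <account> close and lose every account but the first.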
