Chat Forensics
Presented By: Manpreet Singh Randhawa, CSc 253
Agenda
• Chat Forensics
• Traditional Chat Forensics
• Web-based Chat Forensics
• IM Comparison
• Skype Security
• Skype Communication Framework
• Skype As A Threat To Enterprise Network Security
• Skype Forensics – Tools
  • Paraben Chat Examiner
  • Belkasoft Forensic IM Analyzer
• Legal Issues
Chat Forensics
• More and more people are communicating through chat.
• The popularity and purported privacy of instant messaging are exploited by criminals, especially online predators.
• Chat activity leaves large amounts of digital evidence.
• Digital forensic examiners need to perform a thorough analysis of chat logs, registry keys and other artifacts.
• Several chat programs are in use: ICQ, Yahoo, MSN, Trillian, AIM, Hello, Skype, Miranda, Google Talk, and more.
• Chat rooms let people from across the world communicate using various methods:
  • Text messaging, pictures, audio, video, webcam, file sharing, etc.
Traditional Chat Forensics
• Instant messaging is the real-time exchange of text messages (and other content) between two or more people logged into a particular instant messaging service.
• Client-based messaging programs such as AIM, MSN Messenger, Yahoo Messenger, etc.
• Require some form of installation on the client machine.
• Users need to authenticate.
• The messaging server can archive the IP address of the user, which can pinpoint a user to a specific computer or geographical location.
• Conversations are not logged by messaging servers.
• Information can be recovered from the suspect's machine.
Traditional Chat Forensics Cont...
• Chat logs are saved on the user machine at a user-specified location or at a default location such as Program Files.
• Several evidentiary artifacts:
  • Chat logs
  • Registry keys
  • File transfers
  • Configuration files
  • Archived/deleted messages
  • Stored "buddy" lists
Web-based Chat Forensics
• Traditional messaging clients that can be accessed using only a web browser, viz. AIM Express, Google Talk, Meebo, E-Buddy, etc.
• Real-time messaging between two or more people using a web interface (without access to a traditional client).
• The data and the artifacts created are volatile.
• After the web browser is closed or the machine is shut down, no records of user activity or chat log archives are retained.
• These programs do not write registry keys or leave configuration files on the client machine.
• Investigators can only look at remnants of whole or partial conversations dumped to page files or unallocated space on the hard disk.
Web-based Chat Forensics Cont...
• Artifacts that can be partially recovered include a time estimate, conversation details, screen names, and buddy list details.
• Browser forensics techniques come in handy.
• Valuable information is found in:
  • Internet cache files
  • History.IE5
  • Index.dat file
  • Temporary Internet Files\Content.IE5
  • Cookies
  • Pagefile.sys
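Because web-based chat leaves no log file behind, the examiner's only option is to carve conversation remnants out of raw binary data such as Pagefile.sys or unallocated clusters. The following script is an added example, not part of the original slides: it string-carves chat lines out of a raw image in both plain ASCII and UTF-16LE (the encoding Windows and Internet Explorer commonly use for in-memory text, so remnants in a page file often appear that way), records the byte offset and encoding of each hit, and hashes the image for the examiner's notes. The line format "[HH:MM] screen_name: message" and the sample image are constructed for the demonstration and are not drawn from any real client.

```python
"""
Added example (not from the original slides): carve chat-conversation
remnants out of a raw binary image (pagefile.sys, an unallocated-space dump).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Assumed rendering of one chat line as a browser-based client might page it
# out to disk: "[HH:MM] screen_name: message". Plain ASCII form.
ASCII_LINE = re.compile(rb"\[(\d{2}:\d{2})\] ([A-Za-z0-9_.-]{2,32}): ([ -~]{1,200})")

# Same line in UTF-16LE: every ASCII character is followed by a 0x00 byte.
UTF16_LINE = re.compile(
    rb"\[\x00((?:\d\x00){2}:\x00(?:\d\x00){2})\]\x00 \x00"
    rb"((?:[A-Za-z0-9_.-]\x00){2,32}):\x00 \x00"
    rb"((?:[ -~]\x00){1,200})"
)


@dataclass
class ChatFragment:
    offset: int        # byte offset of the hit inside the image
    encoding: str      # "ascii" or "utf-16-le"
    time: str          # HH:MM as carved (only a time estimate, no date)
    screen_name: str
    text: str


def sha256_hex(data: bytes) -> str:
    """Hash of the examined image, recorded alongside the carved hits."""
    return hashlib.sha256(data).hexdigest()


def carve_chat_fragments(image: bytes) -> List[ChatFragment]:
    """Return every chat line found in the image, ordered by offset."""
    found: List[ChatFragment] = []
    for m in ASCII_LINE.finditer(image):
        found.append(ChatFragment(m.start(), "ascii",
                                  m.group(1).decode("ascii"),
                                  m.group(2).decode("ascii"),
                                  m.group(3).decode("ascii")))
    for m in UTF16_LINE.finditer(image):
        dec = lambda b: b.decode("utf-16-le")
        found.append(ChatFragment(m.start(), "utf-16-le",
                                  dec(m.group(1)), dec(m.group(2)), dec(m.group(3))))
    found.sort(key=lambda f: f.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a few hundred bytes of pagefile.sys:
    deterministic junk with three chat remnants embedded in it."""
    filler = bytes(range(256))
    ascii_part = b"[14:02] alice_99: are you online?\x00"
    utf16_part = "[14:03] bob_smith: yes, sending the file now".encode("utf-16-le") + b"\x00\x00"
    return (filler + ascii_part + b"\x00" * 16 + utf16_part
            + b"\xff" * 32 + b"[14:05] alice_99: got it\x00" + filler)


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", sha256_hex(img))
    for frag in carve_chat_fragments(img):
        print(f"0x{frag.offset:08x} {frag.encoding:9} [{frag.time}] "
              f"{frag.screen_name}: {frag.text}")
```

On a real image, read the file in large chunks with an overlap of a few hundred bytes so a line straddling a chunk boundary is not missed, and treat the carved time as an estimate only: the remnant carries no date and no guarantee that neighbouring hits come from the same session.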
IM Comparison [6]
Skype was the only IM company that said it could not perform a live interception if presented with a wiretap request: "Because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."
Skype Security
• Skype provides transport-layer security to ensure that message content traveling over Skype cannot be tapped or intercepted.
• Skype's encryption is always on and cannot be turned off.
• Skype employs strong end-to-end encryption using 256-bit AES, which is then authenticated by PKI cryptography, to guarantee authenticity, secrecy, and integrity of communication over Skype.
• Only username, version, and IP address are stored at servers.
• Skype does not record any content from communications.
Skype Communication Framework
• Skype HTTP Server – HS
• Skype Client – SC
• Super Node – SN
• Registration Super Node – RSN
• Authentication Super Node – ASN
• Location Super Node – LSN
• Neighbour Super Node – NSN
Skype As A Threat To Enterprise Network Security
• Peer-to-peer (P2P) voice over IP (VoIP) technology.
• Skype's super node (SN) mechanism threatens network availability.
• Ability to traverse network address translation (NAT) mechanisms.
• Ability to bypass corporate firewalls.
• Skype's payload is encrypted end to end.
• Skype seems flawless but has one loophole: it allows multiple logins for the same account.
Paraben Chat Examiner
• Supports ICQ 1999-2003b, Yahoo, MSN 6.1, 6.2, 7.0 & 7.5, Trillian, Hello, Skype & Miranda chat logs
• Auto-search function helps locate chat logs
• Complete bookmarking and reporting functionality
• Advanced filtering and searching options
• Open multiple chat databases in one workspace
Belkasoft Forensic IM Analyzer
• Support for ICQ (all versions from 97a to ICQ6), Microsoft MSN/Live Messenger, Skype, Yahoo! Messenger, MySpace IM, &RQ, Miranda, SIM, QIP, QIP Infium, Google Hello, Trillian, QQ and AIM.
• Intelligent search for history files in folders other than the default IM history folders. The search can be performed on all of the computer's drives as well as on mapped network drives (including EnCase mapped drives).
Legal Issues
• United States v. Jackson, 2007 WL 1381772 (D. Neb. May 8, 2007). In a criminal case, the defendant filed a motion in limine to exclude evidence of chat room conversations.
• At the conclusion of each chat room session, the undercover police officer conducting the chat room conversation would cut and paste the entire conversation into a Word document for later review. However, a computer forensics expert testified that this cut-and-paste method introduced several errors and that several portions of the defendant's conversations were omitted. The defendant argued that the omitted portions of the transcript contained evidence relating directly to his intent and that the transcript should not be admitted as evidence.
• The court found that the cut-and-paste document was not admissible evidence at trial because it was not authentic under the Federal Rules of Evidence.
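The ruling above turned on a transcript that silently dropped part of a conversation. As an added illustration (not from the slides or the case record), the script below shows the check an examiner can run before a transcript is offered as evidence: hash the original captured artifact for the chain-of-custody record, then diff the transcript against it line by line so that any omitted, altered or added lines are flagged. The raw log and the pasted transcript are constructed samples with placeholder screen names.

```python
"""
Added example (not from the original slides): verify that a cut-and-paste
transcript faithfully reproduces the originally captured chat log.
"""
import difflib
import hashlib
from typing import List, Tuple

# Constructed sample: the log as captured at the end of the session.
RAW_LOG = """[21:10] user_a: hey
[21:11] user_b: are you free this week?
[21:11] user_a: maybe
[21:12] user_a: actually no, that's not what i meant
[21:13] user_b: ok, when then?
[21:13] user_a: friday at 5
"""

# Constructed sample: the same session after being pasted into a document;
# line 4 of the original was lost in the paste.
PASTED_TRANSCRIPT = """[21:10] user_a: hey
[21:11] user_b: are you free this week?
[21:11] user_a: maybe
[21:13] user_b: ok, when then?
[21:13] user_a: friday at 5
"""


def sha256_hex(data: bytes) -> str:
    """Hash recorded for both the original artifact and the derived transcript."""
    return hashlib.sha256(data).hexdigest()


def find_discrepancies(raw: str, transcript: str) -> List[Tuple[str, int, str]]:
    """Return (kind, line_number, text) for every line that does not match.

    kind is "omitted" (present in raw, missing from transcript, numbered by
    the raw log), "altered" (raw line replaced by different text, numbered by
    the raw log) or "added" (present only in the transcript, numbered by it).
    """
    raw_lines = raw.splitlines()
    tr_lines = transcript.splitlines()
    matcher = difflib.SequenceMatcher(a=raw_lines, b=tr_lines, autojunk=False)
    issues: List[Tuple[str, int, str]] = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag in ("delete", "replace"):
            kind = "omitted" if tag == "delete" else "altered"
            for i in range(i1, i2):
                issues.append((kind, i + 1, raw_lines[i]))
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                issues.append(("added", j + 1, tr_lines[j]))
    return issues


def transcript_is_faithful(raw: str, transcript: str) -> bool:
    """True only when the transcript is byte-for-byte the captured log."""
    return sha256_hex(raw.encode()) == sha256_hex(transcript.encode())


if __name__ == "__main__":
    print("raw log sha256:   ", sha256_hex(RAW_LOG.encode()))
    print("transcript sha256:", sha256_hex(PASTED_TRANSCRIPT.encode()))
    print("faithful:", transcript_is_faithful(RAW_LOG, PASTED_TRANSCRIPT))
    for kind, line_no, text in find_discrepancies(RAW_LOG, PASTED_TRANSCRIPT):
        print(f"{kind:8} line {line_no}: {text}")
```

The practical point is that the hash comparison alone only says whether the two documents are identical; the line diff tells the examiner exactly which statements are missing, which is what the court needed to know in the case above. Preserving the original capture (and its hash) is what makes that comparison possible at all.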