Internet Evidence Finder (IEF)


Fast. Comprehensive.

IEF is a computer forensics software product that can recover data from a hard drive, live RAM, or selected files.

IEF recovers data from more areas than any other solution, including:
  • Entire logical or physical drives
  • Unallocated space/deleted data
  • Selected files including live RAM captures, network PCAP files, pagefile.sys, hiberfil.sys files (with full decompression) and more
  • Entire user-selected folders and subfolders
  • Special areas of the NTFS file system

What IEF can recover

The sections below describe what IEF can recover and where it searches for each artifact.

Social networking pages

Facebook Page Fragments

Facebook® related web pages, including but not limited to the Inbox page, emails, photo galleries, groups, and so on. Most recovered items will be fragments and not the complete page, but attempts are made to recover the entire page and filter out false positives. A header is added to the fragment to aid in viewing the page in its original format.

Estimated Likelihood of Recovery: Low to Medium

Facebook Status Updates and Wall Posts

This search will recover Facebook® Status Updates and Wall Posts. These can be from the local user or from other users on Facebook. Recovered items can include the User ID and Name of the person making the status update or wall post, and the text of the update/post itself. This artifact does not contain the date/time that the update or post was made.

Estimated Likelihood of Recovery: High

Facebook Chat Messages

Messages sent and received using the Facebook® live chat feature. Information found with the message can include the Facebook® profile ID used to send/receive the message, the from/to names and IDs, and the date/time (in UTC) that the message was sent. However, there are a few different formats of Facebook chat and not all formats include all of this data.

Estimated Likelihood of Recovery: High

Facebook Emails

This search will recover emails sent or received on Facebook®. Recovered items can include the Logged In User ID (the ID of the person logged in to Facebook when the email was sent/received), the subject of the email, the recipients of the email, the Last Updated Time (last time a message in the thread was added), the Original Author, the Thread ID#, the Time Rendered (local time), the Author’s User ID and Name, whether or not it was sent from a mobile device, any attachments, and the message.

Estimated Likelihood of Recovery: Medium

Facebook Email Snippets

This search will recover Facebook® email “snippets” (previews of a full email message). This artifact is left behind when a user is viewing their Inbox or Sent Messages folder in their Facebook® account. It can include the Subject line, Original Author user ID, Recent Authors user IDs (the participants of the email conversation), Time Last Updated (the last time a message was posted in the thread), thread ID (ID# of the message in the user’s mailbox), and the “snippet” itself.

Estimated Likelihood of Recovery: Medium

Twitter Status Updates

This search will recover Twitter® status updates. This artifact is left behind in several formats when a user is updating their status or viewing another person’s status update. It can include the Name of the user, the screen name, created time, status ID#, where the status was updated from, geo-tags, if the update is a “retweet”, the profile image URL of the user, and the text of the status update.

Estimated Likelihood of Recovery: Medium

Bebo Chat

Messages sent or received in Bebo® live chat. Information found within these fragments can include the status of the message, the date/time, the sender username, target username, and the message itself.

Estimated Likelihood of Recovery: Low to Medium

Myspace Chat

Messages sent or received in MySpace® live chat. Information found within these fragments can include the status of the message, the date/time, the sender ID, target ID, and the message itself. Some user info is also recoverable, such as the real name/username associated with a MySpace ID, image URL, and other information. This information is saved to a ‘User Info’ report.

Estimated Likelihood of Recovery: Low to Medium

Google Plus

This search will carve and parse Google+ live chat. This is the chat that can occur between users while logged into the Google+ social networking website. Information recovered includes whether the message was sent or received, the email address of the sender/recipient, the date/time, and the text of the message.

Estimated Likelihood of Recovery: Low to Medium

LinkedIn

This search will locate and carve emails that have been sent or received on LinkedIn. These email fragments can include the from/to names, subject, date/time, and full message. Please note that, depending on the browser, these emails will be in a compressed (gzipped) form, which IEF decompresses on the fly.

Estimated Likelihood of Recovery: High

 
Instant Messenger Chats


GoogleTalk Chat Messages

Messages sent or received using GoogleTalk® live chat within Gmail® webmail. Information found with the message can include the message ID, the Sender/Recipient email addresses, and the sender/recipient’s ID. Dates and times are not available to recover at this time. This search option may also recover chat left behind from other chat programs that utilize the ‘Jabber’ chat protocol (the sender/recipient ID will be your clue, containing an abbreviated name of the client used by that person).

Estimated Likelihood of Recovery: Low

Yahoo Chat Messages

Chat messages sent and received using Yahoo!® Messenger. These chat messages are logged in an encrypted format that requires the local username to decrypt the message. The username is usually the first half of the email address used to log in (e.g. if the log-in email address is jasonho@yahoo.com, then the username is jasonho). IEF v4 can, however, decrypt messages that have not been deleted without requiring a username. When searching unallocated space, memory dumps, etc., a number of false positives are unavoidable due to the format of these chat logs and because there is no way to determine whether a chat log was decrypted successfully. IEF uses a number of validations to filter out these false positive hits, and with v4 you can also specify an acceptable time frame and the filtering strictness to further filter out false hits.

Estimated Likelihood of Recovery: Medium to High

Yahoo! Webmail Chat Messages

Messages sent or received using the live webmail chat found in Yahoo!® Webmail. Information found with the message can include the Status number, the version number and vendor ID, the session ID, and the Sender/Recipient usernames. Dates and times are not available in this type of artifact to recover at this time.

Estimated Likelihood of Recovery: Low

Yahoo Messenger Group Chat

Messages sent or received in Yahoo!® Messenger Group chat rooms. Information found within these fragments can include the date/time, the username that sent the message, and the message itself. The name of the Yahoo! Messenger group that the message is sent within is not present in these artifacts for recovery.

Estimated Likelihood of Recovery: Low to Medium

Yahoo! Messenger Diagnostic Logs

This search will recover the diagnostic logs saved by Yahoo! Messenger. These logs are created when a user attempts to report a problem with Yahoo! Messenger to Yahoo! Support by selecting the Help menu in Yahoo! Messenger and clicking “Report a Problem to Yahoo!”. They contain a wide variety of information including chat messages, user actions, files transferred, and more. A good number of these events have been tested and are parsed by IEF v4. There are some events that are not parsed at this time, but by checking the “Include unparsed entries” option in IEF, these events will still be included with some info being partially decoded.

Estimated Likelihood of Recovery: High

Non-Encrypted Yahoo Messenger Chat

Non-encrypted chat messages left behind by Yahoo!® Messenger. These messages are artifacts from the actual Yahoo!® Messenger chat window. No username(s) are required to recover these messages. Messages of this type include the sending user name, the date/time (local time, not UTC), and the message itself. The recipient is not found in these fragments but can usually be ascertained by viewing the chat conversation.

Estimated Likelihood of Recovery: Low to Medium

MSN / Windows Live Messenger Chat Messages

Chat messages sent/received using Windows Live Messenger®. Located messages are exported into text files for MSN protocol fragments or into a report file for regular chat log messages. MSN protocol fragments usually only include a line of chat and sometimes the sender’s email address, immediately prior to the message.

Prior versions of IEF attempted to recreate the original log files but the new method of searching for individual messages enables much more chat to be recovered.

(Note: The Windows Live Messenger® search option is backwards compatible with MSN Messenger®, and these two program names are used interchangeably in IEF.)

Estimated Likelihood of Recovery: High

Messenger Plus Chat Logs

Messenger Plus!® is an add-on for Windows Live Messenger®/MSN Messenger® that adds a number of features to the chat program. The logs it creates are different from the traditional MSN/WLM chat logs, and it also provides an option of encrypting the chat logs. Encrypted chat logs cannot be recovered at this time, but some of the encrypted chat can be recovered in the MSN/WLM search as MSN protocol fragments.

Estimated Likelihood of Recovery: Medium

AOL® Instant Messenger (AIM) chat logs

The entire log is searched for, not individual messages.

Estimated Likelihood of Recovery: Medium


mIRC Chat Logs

This search will recover mIRC® chat logs and other logs (e.g. connection logs) saved by mIRC®. Each session located with these log fragments is saved separately into text files.

Estimated Likelihood of Recovery: Low to Medium


Skype

This search will parse Skype history records from the SQLite files Skype uses to store its data. This includes messages, group chat info, calls, accounts, contacts, file transfers, voicemails, and SMS messages. IEF can also carve Skype messages from live RAM captures, unallocated space, etc.; the entire SQLite file does not need to be present, as the individual records are enough.

Estimated Likelihood of Recovery: High


ICQ

This search will parse ICQ history records from the SQLite files ICQ7 uses to store its data. This includes the date/time, From user, the message, and whether the message was read or unread.

Estimated Likelihood of Recovery: High


World of Warcraft

This search will carve and parse World of Warcraft live chat. This is the chat that can occur between users while playing World of Warcraft online. Messages could be public messages (seen by all users in a group) or private (sent from one user to another user only). Information recovered includes whether the message was public or private, the sender/recipient, the channel the message was sent in, player GUIDs, and the text of the message. Dates and times are not left behind in this artifact.

Estimated Likelihood of Recovery: Low to Medium


Second Life

This search will carve and parse chat logs left behind by the online virtual world, Second Life. The entire logs are not needed (single records can be recovered) and the Second Life Viewer saves chat logs by default. Please note that while IEF will search the default log location (and carve in the pagefile, hiberfil, unallocated, etc), logs can be saved to a different folder (or turned off) by the user. Also note: the dates/times saved in the logs are in Pacific Standard Time (GMT -8), or Pacific Daylight Time, depending on the time of the year. The time zone used was called Second Life Time (SLT) in the past but this naming was discarded as it caused too much confusion. Linden Lab is planning to move to UTC at some point so this could change down the road.

Estimated Likelihood of Recovery: High


Trillian

This search will carve and parse chat messages that have been sent or received via Trillian. These messages can include the date/time, From/To usernames, the chat network used (e.g. MSN, AIM, Facebook, etc), and the message itself. Details regarding file transfers are also recovered.

Estimated Likelihood of Recovery: High

 
Webmail Applications


Gmail Email

This search will recover Gmail® email fragments left behind in live memory. Information found will vary and this search does not parse any information out. IEF will do its best to clean up the located fragment and convert encodings into a more readable format. Some fragments will be of the folder view with the sender name/address, subject, and first segment of the body of the email.

Please see the “Gmail Parsed Email Snippets” search for a parsed version of this search.

Estimated Likelihood of Recovery: Low to Medium

Gmail Email Snippets

This search will recover Gmail® email “snippets” (previews of a full email message). This artifact is left behind when a user is viewing the Inbox folder in their Gmail® webmail account. It can contain the email addresses included in the message, the subject, file names of attachments, the date/time (in local time), read/unread status, and the “snippet” itself.

Estimated Likelihood of Recovery: Medium


Yahoo Webmail Email

Email messages, email compose pages, and folder views from Yahoo!® webmail fragments. Multiple types of Yahoo!® webmail interfaces are supported, including ‘Classic view’ and the newer Yahoo!® Webmail view. These recovered artifacts may be complete in some cases but much of the time they will be partial fragments.

Estimated Likelihood of Recovery: Medium to High


Hotmail Webmail Email

Email messages, contact listings, and folder views from Hotmail® webmail fragments. These recovered artifacts may be complete in some cases but much of the time they will be partial fragments.

Estimated Likelihood of Recovery: Medium to High

 
P2P file sharing applications


Limewire

Limewire Search History (v5.2.8 – v5.5.16)

Search keywords left behind in live memory by Limewire® (tested with Limewire® v5.2.8 – v5.5.16). Search keywords/terms that are recovered have an associated number indicating how many search results were returned for that search term at the time the keyword was left in memory. The recovered search terms are search keywords that were entered by the local user. Other search keywords that were passed through the client (“Incoming Searches”) from other clients on the P2P network are not recovered.

Estimated Likelihood of Recovery: Low

Limewire.props files

This search finds fragments of Limewire.props files. These files contain configuration data for the Limewire® peer to peer file sharing client and can include geo-locations, recent downloads, and many other useful items.

Estimated Likelihood of Recovery: Medium to High

Limewire and Frostwire Search Keywords

Search keywords left behind in live memory by version 4 of Limewire® and Frostwire® (tested with most Limewire/Frostwire v4 clients). Search keywords/terms that are recovered have an associated number indicating how many search results were returned for that search term at the time the keyword was left in memory. The recovered search terms are search keywords that were entered by the local user. Other search keywords that were passed through the client (“Incoming Searches”) from other clients on the P2P network are not recovered.

Estimated Likelihood of Recovery: Low


FROSTWIRE.props Files

This search finds fragments of Frostwire.props files. These files contain configuration data for the Frostwire® peer to peer file sharing client and can include geo-locations, recent downloads, and many other useful items.

Estimated Likelihood of Recovery: Medium to High


Gigatribe Chat Messages

This search will recover Gigatribe chat messages saved by Gigatribe® (versions 2 and 3). These logs are created when a user uses the chat feature of Gigatribe. Due to the way IEF searches for these chat messages, they can be recovered even if the log file has been deleted or a portion of the log file has been corrupted or overwritten. The chat messages can also be recovered from live memory dumps.

Estimated Likelihood of Recovery: Medium to High


Ares P2P Search Keywords

This search will carve and parse search keywords entered by a user in the P2P file sharing application called Ares. These keywords are stored in the Windows registry but can be found in other locations even after being deleted. Just the keywords are stored without any other metadata by Ares.

Estimated Likelihood of Recovery: High


Shareaza Search Keywords

This search will carve and parse search keywords entered by a user in the P2P file sharing application called Shareaza. These searches are stored in a file called “Searches.dat” but can be carved from live RAM captures and unallocated clusters, etc.

Estimated Likelihood of Recovery: High


eMule

This search will parse files used by the P2P file sharing application eMule. It will parse the following files: known.met, emfriends.met, clients.met, StoredSearches.met, sharedfiles.dat, shareddir.dat, and AC_SearchStrings.dat. Information recovered varies from file to file, but all fields available in each file format are recovered. Of particular evidential interest are the known.met, emfriends.met, StoredSearches.met, and AC_SearchStrings.dat files.

Estimated Likelihood of Recovery: High


Torrent File Artifacts

This search will carve and parse data from .torrent files used to download “torrents” on various networks on the Internet. The data can be parsed from live files or carved from live memory captures, unallocated space, etc. Information recovered includes the name of the Torrent, the date/time the torrent file was originally created, and the names of the files included in the torrent.

Estimated Likelihood of Recovery: High
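The .torrent files described above are bencoded, so the name, creation date and file list can be pulled out of a live file or out of a fragment found in a memory capture. The Python below is an added example written for this page, not IEF's code: it decodes bencode, locates torrent dictionaries inside an arbitrary byte buffer by their leading keys, discards candidates that fail to decode (as a truncated fragment in unallocated space would), and reports the name, creation date (converted to UTC) and file names. The tracker URL and file names in the sample buffer are constructed. It goes slightly beyond the page by also handling single-file torrents, which carry no `files` list.

```python
"""Added example: carve and parse .torrent (bencoded) metadata from a byte buffer.
Not IEF code. The sample buffer at the bottom is constructed for the demo."""
import datetime as dt
import re


class BencodeError(ValueError):
    """Raised on malformed or truncated bencode; subclasses ValueError so the
    carver can catch it together with int()/index() failures."""


def _decode(buf: bytes, pos: int):
    """Decode one bencoded value starting at buf[pos]; return (value, next_pos)."""
    c = buf[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = buf.index(b"e", pos)                  # ValueError if truncated
        return int(buf[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        pos, items = pos + 1, []
        while buf[pos:pos + 1] != b"e":
            if pos >= len(buf):
                raise BencodeError("truncated list")
            v, pos = _decode(buf, pos)
            items.append(v)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e
        pos, d = pos + 1, {}
        while buf[pos:pos + 1] != b"e":
            if pos >= len(buf):
                raise BencodeError("truncated dict")
            k, pos = _decode(buf, pos)
            if not isinstance(k, bytes):
                raise BencodeError("dict key must be a byte string")
            v, pos = _decode(buf, pos)
            d[k] = v
        return d, pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = buf.index(b":", pos)
        length = int(buf[pos:colon])
        start = colon + 1
        if start + length > len(buf):
            raise BencodeError("truncated byte string")
        return buf[start:start + length], start + length
    raise BencodeError(f"unexpected byte {c!r} at offset {pos}")


def _encode(v) -> bytes:
    """Bencode encoder, used only to build the constructed sample torrent."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(_encode(x) for x in v) + b"e"
    if isinstance(v, dict):   # keys must be sorted in canonical bencode
        return b"d" + b"".join(_encode(k) + _encode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(type(v))


def summarize(meta: dict) -> dict:
    """Pull the fields a forensic report wants: name, creation date (UTC), file names."""
    info = meta.get(b"info", {})
    name = info.get(b"name", b"").decode("utf-8", "replace")
    created = meta.get(b"creation date")
    created_utc = (dt.datetime.fromtimestamp(created, dt.timezone.utc).isoformat()
                   if isinstance(created, int) else None)
    if b"files" in info:      # multi-file torrent: each entry carries a path component list
        files = ["/".join(p.decode("utf-8", "replace") for p in f[b"path"])
                 for f in info[b"files"]]
    else:                     # single-file torrent: the torrent name is the file name
        files = [name]
    return {"name": name, "created_utc": created_utc, "files": files}


# A torrent is a dict whose first (sorted) key is normally one of these.
TORRENT_SIG = re.compile(rb"d(?:8:announce|7:comment|13:creation date|4:info)")


def carve_torrents(blob: bytes):
    """Scan a buffer for torrent dictionaries; return [(offset, summary), ...].
    Candidates that do not decode (truncated/overwritten) are skipped."""
    results = []
    for m in TORRENT_SIG.finditer(blob):
        try:
            meta, _end = _decode(blob, m.start())
        except ValueError:
            continue
        if isinstance(meta, dict) and b"info" in meta:
            results.append((m.start(), summarize(meta)))
    return results


# Constructed sample: a valid two-file torrent surrounded by filler and a truncated decoy.
SAMPLE_TORRENT = _encode({
    b"announce": b"http://tracker.example.invalid/announce",   # constructed URL
    b"creation date": 1325376000,                              # 2012-01-01T00:00:00Z
    b"info": {
        b"name": b"holiday_photos",
        b"piece length": 16384,
        b"pieces": b"\x00" * 20,                               # one fake SHA-1
        b"files": [
            {b"length": 1000, b"path": [b"2011", b"img_0001.jpg"]},
            {b"length": 2000, b"path": [b"2011", b"img_0002.jpg"]},
        ],
    },
})
SAMPLE_BLOB = b"\x00" * 37 + b"junk d8:announce truncated" + SAMPLE_TORRENT + b"\xff" * 16

if __name__ == "__main__":
    for offset, summary in carve_torrents(SAMPLE_BLOB):
        print(offset, summary)
```

Because the decoy starts with a valid signature but breaks immediately after the first key, the decoder raises and the carver moves on; only the complete torrent is reported, along with its byte offset so the hit can be validated in a hex view the way the page's sector/file offsets are meant to be.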

 
Web Browser

Internet Explorer History and InPrivate/Recovery URLs

This search will carve and parse Internet Explorer web history from the index.dat files IE uses to store its data. This includes the new IE9 Downloads history records which are stored in a different format than other index.dat files. All of the history IE saves can be carved using this search, and the entire index.dat file is not required, only the individual data for each history record.

InPrivate/Recovery URLs: These artifacts are URLs visited during “InPrivate” browsing in IE v7-10 and URLs that are saved in Internet Explorer recovery files (used to recover tabs in the event of a crash). At this time, there is no known method of distinguishing between these two types of URL artifacts, but if the location of the artifact is in an IE8/9 recovery file, it is not from InPrivate browsing. Also found with the URLs is a page title or description, but this is not always present.

Estimated Likelihood of Recovery: High


Firefox

Firefox Places.Sqlite History Artifacts

This is a first-of-its-kind search that recovers browsing history URLs from the places.sqlite files Firefox® uses to store browsing history and other information. The entire SQLite file is not required, only the individual entries. Due to the format and nature of this artifact, some parsing must be done to separate the URL and web page title items. Sometimes this parsing will be incorrect; in that case, see the unparsed column for the original data. Recovered items include the parsed URL, parsed web page title, visit count, whether or not the URL was typed by the user, last visited time (in UTC), and the unparsed URL/web page title.

Note 1: Parsing live (undeleted) places.sqlite files is better done with other Firefox history parsing software, as there is more information to be found in these files and the URL/title can be parsed more accurately, but this search is very useful for live memory dumps, deleted records, records in the pagefile.sys/hiberfil.sys files, etc.

Note 2: If any of the individual items for a recovered record were not recovered or contain garbage information, that record should be verified, as it may not be reliable and could be a false positive hit.

Note 3: This search recovers artifacts from Firefox v3.5 to v5.0b5. It does not recover artifacts from Firefox v3.0.x as those older versions use a different database format. Firefox v1-2 do not use the places.sqlite file and therefore are not supported in this search.

Estimated Likelihood of Recovery: High

Firefox Formhistory.Sqlite Artifacts

This is a first-of-its-kind search that recovers query history from the formhistory.sqlite files Firefox® uses to store web page form entry history (e.g. a search entered into Google or another search engine). The entire SQLite file is not required, only the individual entries. Recovered items include the fieldname (the name of the text box where the query was made), the value (the text that was entered into the text box on the web page, e.g. the search term entered), the number of times used, the date/time (UTC) the query was first made, and the date/time (UTC) it was last made.

Note 1: At this time, IEF only recovers the fieldnames “q” and “query” (commonly used in search engines such as Google) and “searchbar-history”/“searchText” (searches made from the Google toolbar). Other fieldnames may be added in the future.

Note 2: If any of the individual items for a recovered record were not recovered or contain garbage information, that record should be verified, as it may not be reliable and could be a false positive hit.

Note 3: This search recovers artifacts from Firefox v3.0.x to v5.0b5. Firefox v1-2 do not use the formhistory.sqlite file and therefore are not supported in this search.

Estimated Likelihood of Recovery: High

Firefox Sessionstore.Js Artifacts

This search will recover URLs from the sessionstore.js file Firefox® uses to store URLs to facilitate recovering from a web browser crash. The entire sessionstore.js file is not required, only the individual entries. Recovered items can include the URL, the web page title, and the referring URL. Some items will have the web page title while some will only have the referring URL.

Estimated Likelihood of Recovery: High


Google Chrome

This search will parse Chrome web history from the SQLite files Chrome uses to store its data. This includes website visits, downloads, keyword search terms, top sites, autofill, autofill profiles, saved credit cards, logins, archived web history, archived keyword search terms, and favicons data.
In a separate search, IEF also can carve the SQLite records from the History files Chrome uses – no other tool can do this. Both the carving and non-carving searches are performed when Chrome is checked.

Estimated Likelihood of Recovery: High
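Both the Firefox searches above and the Chrome search read records out of SQLite databases, and the practitioner pitfall when validating the dates IEF reports is that the two browsers stamp time differently: Firefox stores microseconds since the Unix epoch (PRTime), while Chrome stores microseconds since 1601-01-01 (WebKit time). The Python below is an added example for this page, not IEF's code. It builds minimal in-memory stand-ins for places.sqlite, formhistory.sqlite and Chrome's History database using the real column names but only the columns used here (the real files carry many more, and every row is constructed), extracts the fields the Firefox and Chrome sections list, converts both timestamp formats to UTC, and keeps only the form-history field names the Formhistory section's Note 1 names as search terms.

```python
"""Added example: read Firefox and Chrome history records and normalise timestamps.
Not IEF code. Databases are constructed in memory with a minimal subset of the
real schemas (column names are the real ones; all row data is made up)."""
import datetime as dt
import sqlite3

UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
WEBKIT_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)
# Form-history field names that hold search-engine queries (per the page's Note 1)
SEARCH_FIELDS = ("q", "query", "searchbar-history", "searchText")


def prtime_to_utc(us):
    """Firefox PRTime: microseconds since 1970-01-01 UTC. 0/NULL means 'never'."""
    return None if not us else UNIX_EPOCH + dt.timedelta(microseconds=us)


def webkit_to_utc(us):
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC. 0/NULL means 'never'."""
    return None if not us else WEBKIT_EPOCH + dt.timedelta(microseconds=us)


def firefox_history(conn):
    """URL, title, visit count, typed flag and last visit (UTC) from moz_places."""
    rows = conn.execute(
        "SELECT url, title, visit_count, typed, last_visit_date FROM moz_places")
    return [{"url": url, "title": title, "visit_count": vc, "typed": bool(typed),
             "last_visit_utc": prtime_to_utc(lv)} for url, title, vc, typed, lv in rows]


def firefox_search_terms(conn):
    """Search queries from moz_formhistory, limited to the known query field names."""
    marks = ",".join("?" * len(SEARCH_FIELDS))
    rows = conn.execute(
        "SELECT fieldname, value, timesUsed, firstUsed, lastUsed FROM moz_formhistory "
        f"WHERE fieldname IN ({marks})", SEARCH_FIELDS)
    return [{"fieldname": f, "value": v, "times_used": n,
             "first_used_utc": prtime_to_utc(first), "last_used_utc": prtime_to_utc(last)}
            for f, v, n, first, last in rows]


def chrome_history(conn):
    """URL, title, visit/typed counts and last visit (UTC) from Chrome's urls table."""
    rows = conn.execute(
        "SELECT url, title, visit_count, typed_count, last_visit_time FROM urls")
    return [{"url": url, "title": title, "visit_count": vc, "typed_count": tc,
             "last_visit_utc": webkit_to_utc(lv)} for url, title, vc, tc, lv in rows]


def build_sample_firefox():
    """Constructed stand-in for places.sqlite and formhistory.sqlite (normally two files)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT,
            timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://mail.example.invalid/inbox', 'Inbox', 7, 1, 1325376000000000),
            (2, 'https://example.invalid/help', 'Help', 1, 0, 0);
        INSERT INTO moz_formhistory VALUES
            (1, 'q', 'how to wipe a drive', 2, 1325376000000000, 1325379600000000),
            (2, 'username', 'alice', 5, 1325376000000000, 1325376000000000);
    """)
    return conn


def build_sample_chrome():
    """Constructed stand-in for Chrome's History database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        INSERT INTO urls VALUES
            (1, 'https://mail.example.invalid/inbox', 'Inbox', 3, 1, 12969849600000000);
    """)
    return conn


if __name__ == "__main__":
    ff, ch = build_sample_firefox(), build_sample_chrome()
    for rec in firefox_history(ff) + firefox_search_terms(ff) + chrome_history(ch):
        print(rec)
```

The two sample visits are the same instant (2012-01-01 00:00:00 UTC) stored under each browser's epoch; feeding a Chrome value through the Firefox conversion, or vice versa, produces a date several centuries off, which is exactly the kind of result the page's advice to verify odd-looking records is meant to catch. The "username" form-history row is deliberately excluded because it is a login field, not a search term.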


Apple Safari

This search will parse Safari web history from the Plist/Binary Plist files Safari uses to store its data. This includes website visits, bookmarks, cookies, last session, and “Top Sites” (including thumbnails). IEF can also carve Safari web history from live RAM, unallocated space, etc. and does not need the entire Binary Plist file to be present for recovery.

Estimated Likelihood of Recovery: High


Opera

This search will carve and parse web history from the Opera web browser, including carving/parsing the “typed” history (URLs or search terms entered by the user). The entire history file is not required, single records can be carved from live RAM captures and unallocated clusters, etc.

Estimated Likelihood of Recovery: High

 

45% More Artifact Support
  • IEF can now search for over 50 artifacts
  • Social Networking artifacts include: The only solution that supports Google+. Market-leading support of Facebook artifacts including email, chat, wall posts, and status updates. These enhancements complement our existing support of Twitter, Bebo, and MySpace.
  • Instant Messenger Chat History: We have added Skype, ICQ, and World of Warcraft to the long list of supported chat applications including Yahoo, GoogleTalk, MSN, AOL, mIRC, and Messenger.
  • Web Browser History: IEF now supports full browser history, cookies, and other browser artifacts for Internet Explorer, Google Chrome, Mozilla FireFox, and Apple’s Safari.
  • Webmail: Continued enhancements for more robust support of Gmail, Yahoo Mail, and MSN Hotmail.
  • Peer-to-Peer File sharing applications: Popular P2P applications such as Ares, eMule, Torrent, and Shareaza are now supported. This complements the existing support of Limewire/Frostwire and Gigatribe.

 

Native Image Mounting
  • Built-in image mounting for .E01/dd images for convenience and to help accelerate investigations.

 

New Triage Edition
  • Provides all the capabilities and power of IEF Standard edition plus more
  • The new Triage Edition of IEF can run on live systems, in the field
  • Built-in live RAM capture capability without having to use 3rd party software
  • “Stealth mode” leaves no digital tracks, not even a registry entry from the USB dongle
  • 16GB USB dongle allows search results to be saved directly on the dongle
  • The ability to recover immediate evidence in minutes with “on-scene” quick search
  • Automatically check for disk encryption including Truecrypt, PGP, Bitlocker & Safeboot.
  • Volume Shadow Copies can be mounted and searched

 

Faster & More Scalable
  • Up to 20% faster searches from program code optimization
  • Scalable, fast and lightweight SQLite database for results storage of up to 2TB
  • View & select multiple target hard disk drives or folders, including mounted volumes.

 

Redesigned UI & More Flexible Report Viewer
  • Simplified search pre-sets for the most common searches
  • Search, filter, and bookmark results
  • Search alert capabilities for keyword matches (email/audible options)
  • View search results as they are found; no need to wait until the entire search is complete
  • Export/reporting improved to allow for selecting/deselecting columns
  • All artifact locations map to a physical sector offset or file offset for easy validation

 


What Our Customers Say:

I use IEF on every grooming, harassment and peer to peer distribution case that I run. I have just run it on a major child abuse and distribution case and found the evidence I needed on the suspect's drives.

- Gary Probert
Manager, Hi Tech Crime Unit
Gwent Police Headquarters
Gwent, United Kingdom


Helping Solve a Variety of Investigations:

  • Child Exploitation
    (pornography, luring, prostitution)

  • Cybercrimes
    (fraud, identity theft, online predators)

  • Organized crime
    (drugs, racketeering, extortion)

  • Violent crimes
    (homicides, assaults, abduction)

  • Intellectual Property Theft
    (trade secrets, counterfeiting, trademarks)

  • Terrorism
    (domestic & international)