This search with carve out Adium
chats, Adium supports the following chat protocols:
- Jabber (XMPP)
- MYspace IM
- Lotus Sametime
- Novell Groupwise
- Gadu Gadu
AOL Instant Messenger (AIM) chat logs.The entire log is searched for, not
This search recovers the text chat
messages left behind when chatting on Chatroulette. The user names and
dates/times are not available to be recovered with this artifact.
GoogleTalk Chat Messages
Messages sent or received using
GoogleTalk® live chat within Gmail® webmail. Information found with the message
can include the message ID, the Sender/Recipient email addresses, and the
sender/recipient’s ID. Dates and times are not available to recover at this
time. This search option may also recover chat left behind from other chat
programs that utilize the ‘Jabber’ chat protocol (the sender/recipient ID will
be your clue, containing an abbreviated name of the client used by that
iChat is a Mac specific chat client
that allows users to chat across iOS devices, as well as other protocols such
as jabber and AIM. The software will attempt to recover chat messages,
date/time stamps, participants and message sender from non-deleted chat logs.
This search will parse ICQ history
records from the SQLite files ICQ7 uses to store its data. This includes the
date/time, From user, the message, and whether the message was read or unread.
This search will recover chat messages
left behind when using the Mail.ru chat client as well as web chat.
Messenger Plus Chat logs
Messenger Plus!® is an add-on for
Windows Live Messenger®/MSN Messenger® that adds a number of features to the
chat program. The logs it creates are different from the traditional MSN/WLM
chat logs and it also provides an option of encrypting the chat logs. Encrypted
chat logs can not be recovered at this time, but some of the encrypted chat can
be recovered in the MSN/WLM search as MSN protocol fragments.
mIRC Chat logs
This search will recover mIRC® chat
logs and other logs (e.g. connection logs) saved by mIRC®. Each session located
with these log fragments is saved separately into text files.
MSN/Windows Live Messenger (AIM) Chat
Chat messages sent/received using
Windows Live Messenger®. Located messages are exported into text files for MSN
protocol fragments or into a report file for regular chat log messages. MSN
protocol fragments usually only include a line of chat and sometimes the
sender’s email address, immediately prior to the message.
This search recovers text chat
messages left behind when chatting on Omegle. The user names and dates/times
are not available to be recovered with this artifact.
This search will recover chat
messages, contact list and phonebook left behind when using the ooVoo chat
This search recovers chat messages
left behind by the Paltalk chat client. The user names and dates/times are not
available to be recovered with this artifact.
This search recovers chat messages,
account information, "buddy" information, and user created shortcuts
left behind by the Pidgin chat client.
QQ chat is one of the most popular
chat clients around the world with over 750 million registered users. While the
chat logs are encrypted, the sofware is capable of retrieving chat messages
that are saved in RAM, pagefile.sys/hiberfil.sys, and unallocated clusters.
This search will carve and parse chat
logs left behind by the online virtual world, Second Life. The entire logs are
not needed (single records can be recovered) and the Second Life Viewer saves
chat logs by default. The software will search the default log location (and
carve in the pagefile, hiberfil, unallocated, etc), logs can be saved to a
different folder (or turned off) by the user. Also note: the dates/times saved
in the logs are in Pacific Standard Time (GMT -8), or Pacific Daylight Time,
depending on the time of the year. The time zone used was called Second Life
Time (SLT) in the past but this naming was discarded as it caused too much
confusion. Linden Lab is planning to move to UTC at some point so this could
change down the road.
This search will parse Skype history
records from the SQLite files Skype uses to store its data. This includes
messages, group chat info, calls, accounts, contacts, file transfers,
voicemails, and SMS messages. The software can also carve Skype messages from
live RAM captures, unallocated space, etc. and does not need the entire SQLite
file data to be present, just the individual records are enough.
This search will carve and parse chat
messages that have been sent or received via Trillian. These messages can
include the date/time, From/To usernames, the chat network used (e.g. MSN, AIM,
Facebook, etc), and the message itself. Details regarding file transfers are
World of Warcraft
This search will carve and parse World
of Warcraft live chat. This is the chat that can occur between users while
playing World of Warcraft online. Messages could be public messages (seen by
all users in a group) or private (sent from one user to another user only).
Information recovered includes whether the message was public or private, the
sender/recipient, the channel the message was sent in, player GUIDs, and the
text of the message. Dates and times are not left behind in this artifact.
Yahoo Chat Messages
Chat messages sent and received using
Yahoo!® Messenger. These chat messages are logged in an encrypted format that
requires the local username to decrypt the message. The username is usually the
first half of the email address used to log-in (e.g. if the log-in email address
is email@example.com, then the username is jasonho). The software can decrypt
messages that have not been deleted without requiring a username, however.When
searching unallocated space or memory dumps, etc., a number of false positives
are unavoidable due to the format of these chat logs and because there is no
way to determine if a chat log was decrypted successfully or not.The software
uses a number of validations to filter out these false positive hits and now
with v4 you can specify an acceptable time frame and the filtering strictness
to further filter out false hits.
Non-Encrypted Yahoo Messenger Chat
Non-encrypted chat messages left
behind by Yahoo!® Messenger. These messages are artifacts from the actual
Yahoo!® Messenger chat window. No username(s) are required to recover these
messages. Messages of this type include the sending user name, the date/time
(local time, not UTC), and the message itself. The recipient is not found in
these fragments but can usually be ascertained by viewing the chat
Yahoo! Messenger Diagnostic Logs
This search will recover the
diagnostic logs saved by Yahoo! Messenger. These logs are created when a user
attempts to report a problem with Yahoo! Messenger to Yahoo! Support by
selecting the Help menu in Yahoo! Messenger and clicking “Report a Problem to
Yahoo!”. They contain a wide variety of information including chat messages,
user actions, files transferred, and more. A good number of these events have
been tested and are parsed. There are some events that are not parsed at this
time, but by checking the “Include unparsed entries” option in IEF, these
events will still be included with some info being partially decoded.
Yahoo Messenger Group Chat Messages
Sent or received in Yahoo!® Messenger
Group chat rooms. Information found within these fragments can include the
date/time, the username that sent the message, and the message itself. The name
of the Yahoo! Messenger group that the message is sent within is not present in
these artifacts for recovery.
Yahoo! Webmail Chat Messages
Messages sent or received using the
live webmail chat found in Yahoo!® Webmail. Information found with the message
can include the Status number, the version number and vendor ID, the session
ID, and the Sender/Recipient usernames. Dates and times are not available in
this type of artifact to recover at this time.