Forensic Instant Messenger Investigation
This article deals with the subject of forensic investigation of Instant Messenger histories: why it is needed, what messenger types there are, what difficulties are involved in investigating histories and what tools can help overcome those difficulties.
- What is an Instant Messenger?
- Which IMs are the most popular?
- The problem with IMs investigation
- Difficulties of IMs investigation
- What must a forensic investigator know about instant messengers?
- What is the best tool for dealing with the above mentioned instant messengers?
- Conclusion
According to Wikipedia, "instant messaging (IM) is a form of real-time communication between two or more people based on typed text. The text is conveyed via devices connected over a network such as the Internet". Nowadays, instant messengers are widely used not only by teenagers, but by people of any age and level of computer skill. Instant messengers are very convenient when you want a real-time conversation but cannot, or do not want to, call by phone or Skype. Many IMs store their conversation history; therefore, given how widely instant messengers are used, history investigation is of keen interest to forensic professionals.
Which IMs are the most popular? If you ask the average computer user (well, we all know that average people do not exist), he or she is likely to give you a list like this: AIM, Skype, Yahoo! Messenger, ICQ, MSN (now known as Live Messenger). This is a good list to start with. However, the most preferred instant messenger varies from country to country. For example, ICQ is very popular in Germany and Russia, while AIM is used mostly in the United States. The most interesting thing, however, is that there is a messenger which is hardly known to average users, but has the largest audience in the world. I am talking about the QQ messenger, which is extremely popular in China and has a total of over a billion user accounts. A few other widely used instant messengers are Miranda, QIP, SIM, MySpace IM, Digsby, Google Hello, Trillian, Jabber and Meebo. Wikipedia's comparison of instant messaging clients lists many more.
The problem with IM investigation now becomes obvious: there are simply too many of them! All of them store their information in different places, and a forensic investigator should know all those places: the Registry, AppData folders, Program Files, Documents and Settings (which may be spelled in another language) and so on. Moreover, the suspect may move their history to a folder other than the default one, so that you cannot find it in those well-known places. If forensic investigators do not have a special tool at their disposal, they will spend an enormous amount of time just searching for messenger histories. What is more, after extracting messages, forensic investigators are expected to produce a readable report of the chat contents, which can also be a problem.
Another important issue is time. Every messenger has its own unique way of recording time. Some IMs store local time; others use UTC. ICQ, for example, uses a very strange time shift (here is a quotation from the Miranda source code: "Only God and Mirabilis knows why"). Finally, Skype wants 5 bytes to store a message time! One more issue is changes in the history format. Messengers evolve and naturally change the way they store histories. Skype, for example, has had two history formats. The record breaker here is obviously ICQ, with at least 5 known history formats. Therefore, a helpful tool for forensic investigation should support every format that has ever existed.
Another issue is the fact of storing messages itself. We keep receiving the question: can your software retrieve messages if I did not set the option to store the history? That is a funny question! Our software is not a magic wand. Where can it get the history from if it has not been stored? Some people believe it is possible to go to some central server and take the history from there. Unfortunately, this is not technically possible. What is more, it would be illegal to do something like that. So, if the history has not been saved, the war is lost. There is one interesting exception, though. An older ICQ version (2003b) had a bug, and the program was still storing outgoing messages even if you had set history saving off. As a result, half of the history was still available to read. However, it is the only known bug, and all other messengers keep their promise not to store history if this option is switched off.
A question that inevitably arises is whether or not it is possible to deal with messengers that do not store histories. AIM, for instance, does not store its history by default. The only way to gain access to its conversations is to use special software called a 'sniffer'. Software of this kind can intercept network packets in real time. However, there are two major difficulties. First, the software works in real time and has to be installed before a chat between suspects takes place. Second, the sniffer must run in the same local network as the suspect (the same hub or the same switch). All that is hard to arrange, isn't it?
Another frequently asked question is this: "Guys, do you really believe this kind of tool is of any use? If I were a criminal, I would definitely switch messenger history off or delete it afterwards". We can answer with a question: "Do you think fingerprint analysis is of any use? If I were a criminal, I would definitely wipe off all my fingerprints at the crime scene (or just use gloves)". The logic is the same, and we know that fingerprint analysis is widely used in forensic investigation. The same is true for IM history: some people are aware of chat recording; others are not; some may forget to delete the history or be in a hurry; others may delete their history, but not permanently, and a recovery tool is able to recover the history files. Thus, there are obviously a lot of cases where histories ARE available.
What must a forensic investigator know about instant messengers? The following is helpful information about some of the most common instant messengers.
- AIM has good and bad things about it at the same time. What is good is that it stores history in readable HTML format. What is bad about this messenger is that it does not store history by default. Since it is very popular with a lot of computer users in the USA, that is a pity.
- Skype is now the leading software for making calls. Many people prefer Skype to landline and mobile phones. Personally, I sometimes prefer a paid call via Skype to a free phone call when I am at home. Why? Using the ordinary phone means getting up and going to another room! Skype also supports chats, although they are extremely unreliable, and messages are sometimes delivered days after they were sent. Chats are stored in dbb files in a readable format, but without a good indication of whether the message in question was sent or received, or what the time was. What is good about Skype is that the message history is stored by default.
- Yahoo! Messenger stores messages in encrypted files, which can frighten you a little. Do not despair: this is just XOR with the profile owner's account name as the key!
- ICQ's developers are very peculiar guys. They have tried every way of storing messages: binary format one, binary format two, and XML. Now it is an Access database, and MySQL and SQL Server Express are expected in the next versions! The ICQ 6 format is very easy to investigate because it can be opened and read directly in Microsoft Access. The same is true for XML. Binary formats, on the other hand, require special tools. Interestingly enough, some people still use old ICQ versions (ICQ 2003b), so those tools are still useful. In some rare cases, you can come across a very old history (sometimes even made by the ICQ 1997 version). Very few tools support this ICQ version.
- QQ messenger is probably the worst for investigators to deal with. It stores history in OLE containers, which are viewable with DocFile Viewer, but the data inside is encrypted with the Blowfish algorithm! It sounds formidable, doesn't it? We have good news! The decryption key is the QQ owner's account number. Although QQ allows encrypting with a custom key, only a limited number of people use this stronger protective option.
- Miranda utilizes a binary format. Since it is an open-source project, there are a lot of tools for extracting its history.
- SIM, MSN, Trillian, QIP, MySpace IM and Digsby have very simple formats: plain text, XML or HTML. However, you still need a tool which can gather the messages into one report, look for something in particular, filter particular contacts or dates, and so on.
- Google Hello is an interesting messenger which is used especially for exchanging pictures. As a forensic professional, you are interested not only in texts, but also in pictures sent or received. Fortunately, the history contains a preview (thumbnail) of each picture, so it is available even if a suspect deleted the full-size picture. The format of the Google Hello history is binary.
- &RQ messenger is not very popular now. However, it was probably the first messenger which had all conversations (active chats) in one window. It also has some other handy features, which is why it was more or less popular several years ago. The history format is binary.
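
The Yahoo! Messenger XOR scheme mentioned above, as an added example that is not the article's or Belkasoft's code: it decodes a constructed archive whose message bodies are XORed with the profile owner's account name repeated cyclically, and shows that decoding with the wrong account name yields garbage. The record layout (timestamp, direction flag, length, body) and the account name `jdoe` are assumptions made for this example, not a documented Yahoo! format.

```python
import struct
from itertools import cycle

# Assumed record layout for this example (not from the article or any Yahoo!
# specification): little-endian uint32 timestamp, uint32 direction
# (0 = sent, 1 = received), uint32 body length, then the body XORed byte by
# byte with the profile owner's account name repeated cyclically.
HEADER = struct.Struct("<III")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against the key repeated cyclically; applying it twice restores data."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_record(ts: int, direction: int, text: str, account: str) -> bytes:
    """Build one obfuscated record (used only to construct the sample archive)."""
    body = xor_with_key(text.encode("utf-8"), account.encode("ascii"))
    return HEADER.pack(ts, direction, len(body)) + body


def parse_records(blob: bytes, account: str):
    """Walk the archive and return (timestamp, 'sent'|'received', text) tuples."""
    key = account.encode("ascii")
    out, pos = [], 0
    while pos + HEADER.size <= len(blob):
        ts, direction, length = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        body = blob[pos:pos + length]
        if len(body) != length:  # truncated trailing record: stop, keep what was read
            break
        pos += length
        text = xor_with_key(body, key).decode("utf-8", errors="replace")
        out.append((ts, "received" if direction else "sent", text))
    return out


ACCOUNT = "jdoe"  # constructed profile owner name; in practice the profile folder name
SAMPLE_ARCHIVE = (  # constructed sample input, two records
    build_record(1200000000, 0, "are you coming tonight?", ACCOUNT)
    + build_record(1200000042, 1, "yes, at 9", ACCOUNT)
)

if __name__ == "__main__":
    for ts, direction, text in parse_records(SAMPLE_ARCHIVE, ACCOUNT):
        print(ts, direction, text)
    # With the wrong account name the XOR produces garbage, which is why the
    # investigator must first establish the owner name (the profile folder).
    print(parse_records(SAMPLE_ARCHIVE, "wrong")[0][2])
```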

What is the best tool for dealing with the above mentioned instant messengers? Generally speaking, there are few tools supporting all these messengers. You can find individual analyzers for one messenger or another, but we know of only one tool, apart from ours, which supports all formats: Paraben's. Individual extractors also often do not respect 'forensic rules': they may require write access to a disk drive, cannot work with EnCase drives, and so on. What makes our software special?

Our tool is called Belkasoft Forensic IM Analyzer. It supports all ICQ versions (even pre-98), Yahoo! Messenger, Miranda, &RQ, QIP, SIM, Skype, MySpace IM, MSN/Live Messenger, Google Hello, Trillian, AIM and QQ. The tool performs an intelligent search for messenger histories on computer disk drives, including CD/DVD, removable drives and EnCase drives. Once a history is extracted, you can navigate through chats, look at particular contacts, read conversations and bookmark interesting chat messages (with an option of navigating between bookmarks even if they are in different histories). Of course, you can export messages to text, XML or HTML formats. The latter is the most frequently used format, and it allows you to burn a CD with a full, colourful record of the analyzed histories.
Our software allows several kinds of search. First, it is a regular search for a word or a part of a word. Another is a search against a predefined set of words, which is especially useful if you do not know a specific word, but have a file with suspicious words or phrases. Finally, the tool allows you to look for regular expressions when you want to find phrases with fuzzy structure, for example, when you want to find two particular words delimited by no more than 4 other words, one of which is a credit card number.
We do not claim that our software can do everything. We want to emphasize that no software is a magic wand. Ours is not, either, so if something has not been stored locally, it cannot be extracted. We regularly issue refunds to customers looking for their lost MSN or AIM histories. They write us letters expressing their disappointment and say that they will look for alternative software. Will they find any software that works wonders? We doubt it very much. Our software does not do it, and no other software will.
We would like to explicitly say what our software cannot do:
- It cannot extract messages if they have not been stored locally. This is true for any existing instant messenger.
- It cannot extract SMS messages sent through a messenger that supports them. The only exception is an older ICQ.
- It cannot extract files, whether sent or received. This applies to all messengers. What is possible in the case of many messengers, however, is to show the fact of a file exchange, but the file itself may have already been deleted or saved to an unusual place. The only exception is thumbnails of Google Hello images, although, strictly speaking, those are not what was sent or received.
- It cannot extract deleted messages. Most messengers overwrite their history files right after you change the history (for example, when you delete a message), so it is impossible to extract it. The only exception is an older ICQ that kept deleted messages in the history. The extraction of deleted messages is supported in this case.
Instant messengers have become an important means of communication. A forensic investigator should know as much as possible about IMs and be ready to investigate chats. Given the variety of instant messengers used worldwide, it is a big advantage to have one tool which is able to locate histories, analyze them without any passwords, search and filter chats and, of course, produce a report in a printable and easily readable format.
Our tool is available at http://belkasoft.com (the demo is free). A video of how an investigator works with the software is available at http://belkasoft.com/bfia/en/How_To_Use_Product.asp. What do other policemen think about our software? Find out at http://belkasoft.com/bfia/en/Testimonials.asp. Finally, you can share your ideas and feedback with us at contact@belkasoft.com.