Internet Forensics
7. Yahoo Instant Messenger
Items of Interest

• Registry keys
  – What and where
• Distinguish between different kinds of Registry evidence
  – Some are global and apply to all users
  – Some are user-specific
• File structures
  – What and where
Registry – Global Items

• Registry keys track who logs in
  – Successful logins generate a dozen or more sub-keys under the screen name
  – Unsuccessful attempts generate fewer sub-keys
• Unsuccessful attempts also create a key with the screen name
  – Includes misspelled screen names
Registry – Global Items

Login information found at:
NTUSER.DAT\
 Software\
   Yahoo\
     Pager\
        profiles\
          profilename
Registry – Global Items

• The Alerts key shows the number of login tries
  – Successful or not
(Screenshot: Flubbyfingers has only three sub-keys; Spazzyja007 has many more.)
Registry – Global Items

• The IMVironment key indicates client-wide usage of IMVironments
  – A kind of “wallpaper” for IM windows
• When a used IMV is selected
  – Name and Key sub-keys are shown
• Unused IMVs do not have these values
Registry – Global Items

Found at:
NTUSER.DAT\
 Software\
   Yahoo\
     Pager\
       IMVironments
The apprentice IMV has been used
The chapstick IMV has not been used
Registry – Global Items

• More about IMVironments under user-specific registry keys later
Registry – Login Values

• The Registry changes as each user logs in to the client
• Found at:

NTUSER.DAT\
  Software\
     Yahoo\
        Pager\
Registry – Login Values

• Auto Login
  – 1 (Yes) means the user is automatically signed in when the client is launched
  – 0 (No) means the user must manually enter information to sign in
Registry – Login Values

• Yahoo! User ID
  – The Yahoo screen name of the last logged-in user
Registry – Login Values

• Save Password
  – 1 (Yes) means that
    · The sign-on password is saved on the local machine
    · It appears as ***** in the client
  – 0 (No) means that the password isn’t saved
Registry – Login Values

• EOptions String
  – The encrypted password for the last logged-in user
  – If a subsequent user (or the same user) logs in again and doesn’t store the password, the old value from the previous user is deleted
Registry – Profiles

All user profiles are stored in
NTUSER.DAT\
 Software\
    Yahoo\
       Pager\
          profiles\
             profilename
Registry – User-Specific Values

• Yahoo users may create and register identities
  – Alternate screen names (aka aliases)
  – Officially associated with the base screen name
Registry – User-Specific Values

• When the screen name is created, two keys are also created
  – All Identities
  – Selected Identities
Registry – User-Specific Values

• A newly created identity is displayed under Selected Identities
  – Regardless of whether it has been used in a conversation or not
  – Deleted identities are not displayed here
• The Registry entry is refreshed when the user logs in again
Registry – User-Specific Values

• IMVironments are used as advertisements for movies or commercial products
• They can be interactive
• Two keys track an individual’s usage of IMVironments
Registry – User-Specific Values

• The first, Recent (an MRU list), is found at:
NTUSER.DAT\
  Software\
     Yahoo\
       Pager\
           profiles\
              profilename\
                  IMVironments
Registry – User-Specific Values

• The last IMVironment used appears as the first entry at the beginning of the list
Registry – User-Specific Values

• Under IMVironments, the Recent key shows
  – The remote user’s screen name
  – The local user’s screen name
  – The IMVironment in use during the session
• If multiple IMVs are used in the same session, only the latest is shown here
  – Still, all IMVs that have been used are recorded in the Recent key under the IMVironments key
(Screenshot callouts: Remote user; Local user; an entry marked as meaning no IMV was used.)
Registry – User-Specific Values

• regedit sorts this information in alphabetical order
• Thus, the “last used” information is lost when viewed by that method
Registry – User-Specific Values

• By default, IMs are saved for the duration of the session, then deleted at sign-off
• Users can opt to
  – Save messages permanently
  – Not save messages at all
Registry – User-Specific Values

• Determined by the Archive key found at:
NTUSER.DAT\
  Software\
     Yahoo\
       Pager\
          profiles\
             profilename\
                 Archive
Registry – User-Specific Values

• Settings for message archiving are determined by two keys:
  – Enabled
  – AutoDelete
• Both = 1 (default)
  – Messages are saved during the session but cleared when Yahoo is closed
Registry – User-Specific Values

• Enabled = 1, AutoDelete = 0
  – Messages are permanently saved
• Both = 0
  – Messages are never saved
Registry – User-Specific Values

• Implications for pulling the plug
  – If archiving is set to the default, any messages generated during that session should still exist in the usual .DAT files
  – Because the client did not close the session before the power was terminated
• More on DAT files later
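As an added example (not part of the original slides), the following Python triages the login values and the Archive settings described above from an offline copy of the Pager key. The nested-dict layout, the sample hive contents and the twelve-sub-key threshold are assumptions standing in for what a real hive parser would return.

```python
# Added example, not from the slides: triage the Yahoo Messenger login values and
# Archive settings described above. Input is a nested dict mirroring the layout of
# NTUSER.DAT\Software\Yahoo\Pager as an offline hive parser would return it:
# nested dicts are sub-keys, the "values" entry holds that key's registry values.
SAMPLE_PAGER = {  # constructed sample hive, not a real export
    "values": {"Auto Login": 1, "Yahoo! User ID": "spazzyja007", "Save Password": 1,
               "EOptions String": "CONSTRUCTED-ENCRYPTED-BLOB"},  # placeholder blob
    "profiles": {
        "spazzyja007": {  # successful login: a dozen or more sub-keys under the name
            "Alerts": {}, "Archive": {"values": {"Enabled": 1, "AutoDelete": 0}},
            "Chat": {}, "FT": {}, "IMVironments": {},
            **{f"constructed_subkey_{i}": {} for i in range(8)}},  # filler sub-keys
        "flubbyfingers": {  # failed attempt on a misspelled name: only three sub-keys
            "Alerts": {}, "Archive": {"values": {"Enabled": 1, "AutoDelete": 1}}, "Chat": {}},
    },
}

def archive_mode(enabled: int, autodelete: int) -> str:
    """Map the two Archive values to the behaviour the slides describe."""
    if enabled == 0:
        return "disabled: messages are never saved"
    if autodelete == 1:
        return "session-only (default): kept until sign-off, then deleted"
    return "permanent: messages stay on disk"

def login_findings(pager: dict) -> dict:
    v = pager.get("values", {})
    return {
        "last_user": v.get("Yahoo! User ID"),
        "auto_login": v.get("Auto Login") == 1,
        # EOptions String holds the encrypted password only while one is stored
        "password_saved": v.get("Save Password") == 1 and bool(v.get("EOptions String")),
    }

def profile_findings(name: str, prof: dict, success_min: int = 12) -> dict:
    """Per-profile view: sub-key count as the login-success heuristic plus archiving."""
    subkeys = [k for k in prof if k != "values"]
    arc = prof.get("Archive", {}).get("values", {})
    mode = archive_mode(arc.get("Enabled", 1), arc.get("AutoDelete", 1))  # defaults = 1
    return {
        "subkey_count": len(subkeys),
        "likely_successful_login": len(subkeys) >= success_min,  # "a dozen or more"
        "archive_mode": mode,
        # Unless archiving is off, a hard power-off leaves that session's messages in the .DAT files
        "hard_shutdown_leaves_session_messages": not mode.startswith("disabled"),
    }

def triage(pager: dict) -> dict:
    return {"login": login_findings(pager),
            "profiles": {n: profile_findings(n, p) for n, p in pager["profiles"].items()}}
```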
Registry – User-Specific Values

• Information on chat rooms found at:
NTUSER.DAT\
  Software\
     Yahoo\
        Pager\
          profiles\
             profilename\
                 Chat
(Screenshot callouts: base identity of the user when visiting an existing room; general category of the room visited.)
Registry – User-Specific Values

• Bookmarked favorite chat rooms found at:
NTUSER.DAT\
  Software\
     Yahoo\
       Pager\
          profiles\
             profilename\
                 Chat\
                    Favorite Rooms
Registry – User-Specific Values

• Each room name is followed by a 10-digit number
• Uniquely identifies the room
Registry – User-Specific Values

• File transfer information found at:
NTUSER.DAT\
  Software\
      Yahoo\
         Pager\
            profiles\
               profilename\
                   FT
(Screenshot callouts: folder from which the last outgoing file transfer was sent, including the file name; folder to which the last incoming file transfer was saved.)
Registry – User-Specific Values

• For investigation purposes, it may be necessary to prove or disprove that a suspect knew a specific file was being transferred to his/her computer
• Yahoo 7.0 requires approval for each file received
  – Feature cannot be turned off, as it could be in previous versions
• Popup window includes a thumbnail
  – User cannot claim not to have known the nature of the file received
Registry – File Structures

• ystats_A.dat
  – Tracks outgoing posts per session
    · Type a line and hit Enter – that’s a post
  – Session file, so it’s deleted when the user signs off
• Found at:
Program Files\
  Yahoo!\
     Messenger
(Screenshot callouts: total outgoing posts; total posts with this IMV.)
Registry – File Structures

• ystats_B.dat
  – Tracks outgoing file transfers per IM session
  – Session file, so it’s deleted when the user signs off
• Found at:
Program Files\
  Yahoo!\
     Messenger
(Screenshot callout: total outgoing file transfers this session.)
Registry – File Structures

• ypager.log
  – Logs communications of different types
  – Can be used to find traces of communications between two parties
• Found at:
Program Files\
  Yahoo!\
    Messenger
Registry – File Structures

• IP addresses in the log resolve to Yahoo servers
• Action codes have specific meanings:

  Code  Explanation
  0     Connection initiated
  1     Connect succeeded
  2     Connect failed
  3     Connection failed on retry
  4     Returned command (not used)
  5     Ping initiate (check connection)
  6     Ping response (connection is OK)
  7     Ping (keep connection)
Registry – File Structures

• IMVcache folder
  – Contains folders for each IMVironment that has been used by the Yahoo client
  – Contents include the individual graphics components that make up the individual IMVs
    · GIF and Shockwave files, for example
Registry – File Structures

• Incoming file transfers
  – May leave traces in unexpected places
  – Create a link (shortcut) in the logged-in Windows user’s Recent folder
  – The file does not have to be opened to create this shortcut
Registry – File Structures

• When an incoming file is saved on the local machine, an entry is created in the INDEX.DAT file that tracks browser history
• This entry remains even if the corresponding file is later deleted
(Screenshot: the picture can be seen in the Graphics tab.)
Registry – File Structures

• Incoming files are saved in the directory specified by the user
• Absent intervention by the user, the file is saved in the default location specified by the Yahoo client
• There may also be a registry entry indicating the last location to which a file was saved
Registry – File Structures

• Outgoing files cause an entry in
Program Files\
  Yahoo!\
      Messenger\
        Data
• File has a JPG extension
  – Really contains information about the transfer
  – Usually deleted upon completion of the transfer
(Screenshot callouts: original filename and path of the file; filename; transfer time in Unix numerical format; recipient’s screen name.)
Registry – File Structures

• Archiving instant messages
  – Default setting is that all messages are saved during the session but deleted after sign-off
  – Archive settings themselves remain until changed by the user
  – Settings can be configured for each individual user
Registry – File Structures

• AOL IM doesn’t let you send a message to a Buddy who’s offline, but Yahoo IM does
• When the Yahoo user is online again, any stored messages are sent
• Yahoo says that read offline messages will be deleted, but they’re still in the archive
Registry – File Structures

• Archived messages are stored in a folder
  – Named for the screen name of the user
• Found in
Messenger\
 Profiles\
      screenname