
CARVING CHAT LOGS FOR GIGATRIBE VERSION 2.

CONTENTS
Purpose
Note
Tools Used
File Structure
Carving Parameters
Testing the Carve
  Test 1
  Test 2
Getting the Script
Contact

PURPOSE
The purpose of this document is to explain the structure of the start of chat logs generated by GigaTribe 2.5
so that such files can be carved from disk. Specifically, the intention is to be able to carve the files from
areas such as Unallocated Clusters or System Volume Information.

NOTE
The chat files for GigaTribe version 3 are very different; therefore this information does not apply to chat
logs from GigaTribe version 3.

TOOLS USED
- EnCase 6.18.0.59
- GigaTribe 2.52
- WinHex 13.8 SR-4

FILE STRUCTURE
Following is the breakdown of the start of a chat log and the first message:

FIGURE 1: BREAKDOWN OF CHAT MESSAGE

Part  Offset  Data Type  Relevance
A     0x00    Int32      Signature, always seen as 0xCHAO.
B     0x04    Int32      Number of messages in this log.
C     0x08    Int32      Unix timestamp for the message that follows.
D     0x0C    Int32      Number of characters in the message that follows.
E     0x10    ASCII      The actual message in ASCII.
F     0x2B    Int32      ID of the sender of the message.
G     0x2F    Int32      Private message flag.

Parts C to G (inclusive) are then repeated for each further message. There is no file footer.

CARVING PARAMETERS
It is simple enough to search for the header (0xCHAO), but there is no footer to stop the carve. It would be
possible to process the whole log and determine the validity of the file, but this would rely on the log being
complete, which may not always be the case.

Consequently, the carve proceeds as follows:

1. Find the header.
2. Read the next four bytes as a little-endian Int32: the number of messages in the log. Check that it is a
sane value, for example between 1 and 100,000 (inclusive). If not sane, reject.
3. Read the next four bytes as a little-endian Int32: the Unix timestamp in seconds. Check that it is a sane
value, for example between 01-January-1995 and 31-December-2010. If not sane, reject.
4. Read the next four bytes as a little-endian Int32: the number of characters in the first chat log message.
Check that it is a sane value, for example between 1 and 65536 (64k). If not sane, reject.
5. Declare a possible chat log.
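The header search and the three sanity checks above, written out in Python as an added example (this is not the EnScript the document describes). It assumes the 0xCHAO signature is the four ASCII bytes C H A O in file order and that the three Int32 fields are little-endian as the steps state; the sample buffer is constructed here to exercise one accept and one reject.

```python
import struct
from datetime import datetime, timezone

# Assumption (the page writes the signature as "0xCHAO"): the header is the
# four ASCII bytes C H A O in file order.
HEADER = b"CHAO"
# Sanity ranges from the carving parameters above.
MIN_MSGS, MAX_MSGS = 1, 100_000
MIN_TS = int(datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp())
MAX_TS = int(datetime(2010, 12, 31, 23, 59, 59, tzinfo=timezone.utc).timestamp())
MIN_LEN, MAX_LEN = 1, 65_536


def check_candidate(data, offset):
    """Steps 2-4: parse the three little-endian Int32 fields after a header
    hit and return (accepted, reason)."""
    if len(data) < offset + 16:
        return False, "truncated"
    count, ts, length = struct.unpack_from("<iii", data, offset + 4)
    if not MIN_MSGS <= count <= MAX_MSGS:
        return False, "record count"
    if not MIN_TS <= ts <= MAX_TS:
        return False, "timestamp"
    if not MIN_LEN <= length <= MAX_LEN:
        return False, "message length"
    return True, "possible chat log"

def carve(data):
    """Step 1: find every header in a buffer (e.g. an unallocated-clusters
    dump) and return [(offset, accepted, reason), ...]."""
    hits, pos = [], data.find(HEADER)
    while pos != -1:
        hits.append((pos,) + check_candidate(data, pos))
        pos = data.find(HEADER, pos + 1)
    return hits

def build_log(messages, sender=7, private=0):
    """Constructed test data laid out as in Figure 1 (parts A-G, C-G repeated)."""
    out = bytearray(HEADER + struct.pack("<i", len(messages)))
    for ts, text in messages:
        out += struct.pack("<ii", ts, len(text)) + text.encode("ascii")
        out += struct.pack("<ii", sender, private)
    return bytes(out)

# Constructed sample: a genuine two-message log, then a false header hit whose
# record count of 0 fails the first sanity check (as most hits did in the tests).
SAMPLE = (b"\x00" * 8 + build_log([(1230768000, "hello"), (1230768060, "again")])
          + b"junk" + HEADER + struct.pack("<iii", 0, 1230768000, 5) + b"\xff" * 8)
```

Running carve(SAMPLE) reports the log at offset 8 as a possible chat log and the hit at offset 62 as rejected on the record count.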

TESTING THE CARVE

An EnScript was written to search for chats within the parameters above.

TEST 1
The source image was a 500GB drive which was known to contain one live chat log (live as in ‘not deleted’).

Over the 500GB image, the header was found 353 times.

Of those 353:

- 342 were rejected on the first sanity check (record count).
- 11 were declared a possible chat log.

All 11 were valid chat logs. They were in fact duplicates of the one known chat log in places such as the
Unallocated Cluster and the System Volume Information.

TEST 2
The source image was an 8GB drive also known to contain one live chat log.

Over the 8GB image, the header was found 12 times.

Of those 12:

- 3 were rejected on the first sanity check (record count).
- 9 were declared a possible chat log.

All 9 were indeed valid chat logs. One was the known live file, one was a duplicate of the known live file in
System Volume Information and, interestingly, the other seven were in the NTFS $LogFile, showing the known
chat log at different stages.

GETTING THE SCRIPT
GigaTribe 2.5 Chat Log Identifier.EnScript

The EnScript is available from the Guidance Support Forum:

https://support.guidancesoftware.com/forum/downloads.php?do=file&id=1137

It is also available upon request by email.

CONTACT
forensicgeekinthecorner@gmail.com
