CONTENTS
Purpose
Note
Tools Used
File Structure
Carving Parameters
Testing the Carve
  Test 1
  Test 2
Getting the Script
Contact
PURPOSE
The purpose of this document is to explain the structure of the start of chat logs generated by GigaTribe 2.5
so that such files can be carved from disk. Specifically, the intention is to be able to carve the files from
areas such as Unallocated Clusters or System Volume Information.
NOTE
The chat files for GigaTribe version 3 are very different, therefore this information does not apply to chat logs
from GigaTribe version 3.
TOOLS USED
- EnCase 6.18.0.59
- GigaTribe 2.52
- WinHex 13.8 SR-4
FILE STRUCTURE
Following is the breakdown of the start of a chat log and the first message:
Parts C to G (inclusive) are then repeated for each further message. There is no file footer.
CARVING PARAMETERS
It is simple enough to search for the header (0xCHAO), but there is no footer to stop the carve. It would be
possible to process the whole log and determine the validity of the file, but this would rely on the log being
complete, which may not always be the case. Instead, the carve only validates the fixed-size fields that follow
the header:
1. Find the header.
2. Read the next four bytes as a little-endian Int32; this is the number of messages in the log. Check that it is a
sane value, for example between 1 and 100,000 (inclusive). If not sane, reject.
3. Read the next four bytes as a little-endian Int32; this is a Unix timestamp in seconds. Check that it is a sane
value, for example between 01-January-1995 and 31-December-2010. If not sane, reject.
4. Read the next four bytes as a little-endian Int32; this is the number of characters in the first chat log
message. Check that it is a sane value, for example between 1 and 65536 (64k). If not sane, reject.
5. Declare a possible chat log.
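The five steps above, implemented as an added Python example (this is not the author's EnScript and not GigaTribe code). It assumes the header written as 0xCHAO is the four ASCII bytes "CHAO", reads the three Int32 fields exactly as described, and applies the example sanity ranges; the sample buffer is constructed inline and contains one valid candidate plus four header hits that each fail a different check.

```python
import struct
from datetime import datetime, timezone

# Assumption: the document writes the header as 0xCHAO; this example treats it
# as the four ASCII bytes "CHAO". Change HEADER if the real magic differs.
HEADER = b"CHAO"

# Sanity ranges taken from the carving parameters in the document.
MIN_MESSAGES, MAX_MESSAGES = 1, 100_000
MIN_TS = int(datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp())
MAX_TS = int(datetime(2010, 12, 31, 23, 59, 59, tzinfo=timezone.utc).timestamp())
MIN_CHARS, MAX_CHARS = 1, 65536


def check_candidate(data, offset):
    """Apply steps 2-4 to a header hit at `offset`.

    Returns a dict describing the hit: whether it passed, the reason it was
    rejected (or "ok"), and the three decoded fields when they could be read.
    """
    hit = {"offset": offset, "valid": False, "reason": "ok",
           "messages": None, "timestamp": None, "first_len": None}
    fields_at = offset + len(HEADER)
    if fields_at + 12 > len(data):
        hit["reason"] = "truncated"
        return hit

    # Three little-endian signed Int32 values directly after the header.
    n_msgs, ts, n_chars = struct.unpack_from("<iii", data, fields_at)
    hit.update(messages=n_msgs, timestamp=ts, first_len=n_chars)

    if not MIN_MESSAGES <= n_msgs <= MAX_MESSAGES:
        hit["reason"] = "message count out of range"
    elif not MIN_TS <= ts <= MAX_TS:
        hit["reason"] = "timestamp out of range"
    elif not MIN_CHARS <= n_chars <= MAX_CHARS:
        hit["reason"] = "first message length out of range"
    else:
        hit["valid"] = True
    return hit


def carve(data):
    """Step 1 plus validation: return every header hit in `data`, in order."""
    hits = []
    start = 0
    while True:
        idx = data.find(HEADER, start)
        if idx == -1:
            break
        hits.append(check_candidate(data, idx))
        start = idx + 1  # keep scanning; overlapping hits are checked too
    return hits


def build_sample():
    """Constructed test buffer: one valid log start and four bad header hits."""
    ts_ok = int(datetime(2008, 6, 1, tzinfo=timezone.utc).timestamp())
    ts_bad = int(datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp())
    return b"".join([
        b"\x00" * 16,                                          # filler
        HEADER + struct.pack("<iii", 3, ts_ok, 42) + b"hello " * 7,   # valid
        b"\xff" * 8,
        HEADER + struct.pack("<iii", 0, ts_ok, 42),            # bad count
        HEADER + struct.pack("<iii", 5, ts_bad, 42),           # bad timestamp
        HEADER + struct.pack("<iii", 5, ts_ok, 0),             # bad length
        b"junk" + HEADER + b"\x01\x00",                        # truncated
    ])


SAMPLE = build_sample()

if __name__ == "__main__":
    # For a real image: data = open("image.dd", "rb").read() (fits-in-memory case).
    for h in carve(SAMPLE):
        when = (datetime.fromtimestamp(h["timestamp"], tz=timezone.utc).isoformat()
                if h["timestamp"] is not None else "-")
        print(f'offset {h["offset"]:6d} valid={h["valid"]!s:5} {h["reason"]:34} '
              f'messages={h["messages"]} first_len={h["first_len"]} ts={when}')
```

Because there is no footer, a hit that passes all three checks is only a "possible chat log"; the practical follow-up is to export from the offset a fixed number of bytes (or up to the next header hit) and examine the message parts C to G by hand.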
TEST 1
The source image was a 500GB drive which was known to contain one live chat log (live as in ‘not deleted’).
Over the 500GB image, the header was found 353 times.
Of those 353:
All 11 were valid chat logs. They were in fact duplicates of the one known chat log in places such as the
Unallocated Cluster and the System Volume Information.
TEST 2
The source image was an 8GB drive also known to contain one live chat log.
Of those 12:
GETTING THE SCRIPT
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=1137
CONTACT
forensicgeekinthecorner@gmail.com