How to use the product
On this page you can find a video with a short story about how an investigator can use Belkasoft Forensic IM Analyzer. The story is fictitious, but the software is real.
Neverland State Police Case
You can also download this video in high resolution using this link (avi, 66M) or the alternative link (avi, 45M) if your player does not play the first one.
The case text
If you did not understand something in the video above, please find the full text in this section.
Hi! I am a computer forensic investigator at Neverland State Police. The case I am investigating now seems to be a difficult one. The problem is that our biggest confectionery has been robbed, and we have a suspect, Mr. Sweetieslover. However, there is no hard evidence that he participated in the robbery, except for his last name, of course. We have checked his computer, his e-mail accounts and documents, and he seems to be completely innocent. My last hope is to investigate his chats. To do that, I am going to use Belkasoft Forensic IM Analyzer.
Let me show you how the software works. I open it. On the left, there are three nodes: Installed IMs, Found IMs and Search results. The 'Installed IMs' node is of no use to me now, since I am doing what they call 'dead analysis', and the confiscated drive is connected to my computer as a network drive via EnCase.
First of all, let's try to figure out which Instant Messengers the suspect has been using. I look into the Program Files folder first. I can see that there is a Yahoo! Messenger installed. Good. Let's see its logs. Hm... I don't think I can make anything out. But that's not a problem because I have a special tool for such cases.
I go back to the software and find the 'Yahoo messenger' subnode under the 'Found IMs' node. After that, I right-click on it and choose 'Open profile of this type'. Then, I browse for the profile in the Program Files folder we just explored, or copy the full path into the text box.
Here we go! Now that we have added the profile, we can read its history by using the 'Read history' menu. Well, well! A lot of history! A lot to look at! Can we reduce the number of contacts we have to look through? Yes, we can. We can hide those without history. To do that, I choose 'Hide contacts without history' from the context menu of the profile. OK. There are a lot fewer contacts, as you can see, but still a lot. Now... While I am taking a closer look at the extracted history, why don't you have a cup of coffee?
2 hours passed
Bad news! I have found nothing really interesting. Well, I have learned from the suspect's wife's profile that she is not fully honest with her husband, but that is another story, isn't it?
What if the suspect has some other histories which I have not found manually? Let's get Belkasoft Forensic IM Analyzer to search for histories automatically. I use the 'Search IMs on this computer' menu.
The tool provides several search options. I can search hard drives, removable drives, network drives and CDs or DVDs. I need the third option since I want to search the connected Encase drive. I also have a variety of Instant Messengers to look for. I am interested in all types of supported messengers. I click on 'OK' and wait. How long do I have to wait? Depending on the hard drive size, this can take from a few seconds up to twenty or even thirty minutes.
Look at this: the tool has found a profile that I did not find manually. This is a QQ profile. The QQ messenger is very popular in China, and some Neverlanders use it too.
The sly suspect moved his QQ history to an innocent-looking folder, but the software has found that folder. At the bottom of the results dialog, you can see why the folder was considered to be a QQ profile folder. QQ history is always encrypted, so the software is of great help here too.
Now let's search the newly found profile for anything having to do with sweets. I read the history first. As you can see, the number of contacts is as large as in the Yahoo profile.
First, let's search for the word "cookies". To do that, I use the special item on the 'Search history' menu. This guy seems to love cookies, for there are a lot of results. Next, I search for 'sweets'. Hm... This gives us a lot of results too. For example, we can see his wife saying 'Hi, sweetie'. Well, it is not unusual to hear something like that from your wife, is it? However, it does not help me with the investigation.
But what if the suspect used some other words for sweets? If so, can I find them? Yes, I can. It is especially for such cases that I have a file with confectionery terms that should contain a synonym for "sweets". The software allows me to search for all the words from this file. All I have to do is choose the 'words from the file' radio button and browse for the file.
Now look at the first result. Quite unexpectedly, we can see that the word 'candies' was used! I do one more search, now for 'candies'. But, again, there is too much about candies. Maybe I should try looking for 'steal candies', because that is what the suspect probably did? I click on 'OK' and I see that there is nothing under the latest search node, which means that this phrase has not been found in the history. Oh, what if these two words, 'steal' and 'candies', do not go immediately one after the other? What if they have several words in between, say, four or five words?
What I am going to do now is search for any phrase in which there are 4 or 5 words between 'steal' and 'candies'. We can use the 'search for regular expressions' option provided by the software. I enter the regular expression: first goes 'steal', then any number of blank symbols, then one to four words delimited by blanks, and then, of course, 'candies'.
Great! I can see a chat history event which matches the template. The sender is Mr. Sweetieslover and the recipient is a Mr. Evil. I got you!
So, the game is over, and all I have to do now is export the history of the suspect's chat with Mr. Evil. I am going to burn a CD for a colleague who is not experienced with computers, but is experienced with texts. I am going to export the history in HTML format, which is easy to read. I want to choose only the chat with Mr. Evil. I click on 'Selected contacts' and check him on the list. Then I enter the target folder and click on 'Go'. The browser then automatically opens the messenger history of the chosen profile and the specified contacts. The message text is accompanied by the message direction and the sending time.
My job is done thanks to the powerful software I have. This software can be found at http://belkasoft.com. Thank you.
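As an added worked example (this is not the product's code, and the case above is fictitious): the following Python script performs, over a constructed chat history, the searches the narrator runs in the story: a whole-word search for every term in a word-list file, a literal phrase search for 'steal candies', and the regular-expression search for 'steal' followed by one to four words and then 'candies'; it also writes a minimal HTML export of the chat with one contact, with direction and time per message. The sample messages, the term file, the HTML layout and all function names are assumptions for illustration. Note that the narration asks for four or five words in between but describes a regex allowing one to four; the block follows the regex as stated and exposes both bounds as parameters, so a practitioner can widen the gap (the last sample message only matches when the bound is raised to six).

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipient: str
    sent_at: str   # timestamp as it would appear in an exported history
    text: str


# Constructed sample history for the fictitious case (not real Yahoo!/QQ data).
OWNER = "Mr. Sweetieslover"
HISTORY = [
    Message("Mrs. Sweetieslover", OWNER, "2009-03-01 08:12", "Hi, sweetie! Did you buy cookies?"),
    Message(OWNER, "Mrs. Sweetieslover", "2009-03-01 08:15", "Yes, two boxes of cookies and some candies."),
    Message(OWNER, "Mr. Evil", "2009-03-02 23:40", "We steal all the candies tonight, be ready."),
    Message("Mr. Evil", OWNER, "2009-03-02 23:41", "Ok. Which truck do we steal the candies with?"),
    Message(OWNER, "Mr. Evil", "2009-03-02 23:45", "I'd never steal anything from anyone, least of all candies."),
]

# Constructed stand-in for the confectionery term file the narrator browses for.
TERM_FILE = "cookies\nsweets\ncandies\nchocolate\n"


def load_terms(file_text):
    """One search term per line, blank lines ignored (how a word-list file is read here)."""
    return [line.strip() for line in file_text.splitlines() if line.strip()]


def search_terms(history, terms):
    """Whole-word, case-insensitive hits per term: {term: [Message, ...]}.
    Word boundaries keep 'sweets' from matching 'sweetie'."""
    hits = {}
    for term in terms:
        pattern = re.compile(rf"\b{re.escape(term)}\b", re.IGNORECASE)
        hits[term] = [m for m in history if pattern.search(m.text)]
    return hits


def search_phrase(history, phrase):
    """Literal phrase search: the words must be adjacent, separated by whitespace only."""
    pattern = re.compile(r"\b" + r"\s+".join(map(re.escape, phrase.split())) + r"\b", re.IGNORECASE)
    return [m for m in history if pattern.search(m.text)]


def gap_pattern(first, last, min_words=1, max_words=4):
    """'first', then min..max whitespace-separated words, then 'last' (the narrator's regex)."""
    return re.compile(
        rf"\b{re.escape(first)}\b(?:\s+\S+){{{min_words},{max_words}}}\s+\b{re.escape(last)}\b",
        re.IGNORECASE,
    )


def gap_search(history, first, last, min_words=1, max_words=4):
    pattern = gap_pattern(first, last, min_words, max_words)
    return [m for m in history if pattern.search(m.text)]


def conversation_with(history, owner, contact):
    """Both directions of one contact's chat: the subset the narrator exports."""
    return [m for m in history if {m.sender, m.recipient} == {owner, contact}]


def export_html(history, owner, contact):
    """Minimal HTML export with direction and time per message (assumed layout, not the product's)."""
    rows = []
    for m in conversation_with(history, owner, contact):
        direction = "outgoing" if m.sender == owner else "incoming"
        rows.append(f"<tr><td>{html.escape(m.sent_at)}</td><td>{direction}</td>"
                    f"<td>{html.escape(m.sender)}</td><td>{html.escape(m.text)}</td></tr>")
    return ("<html><body><table>\n<tr><th>time</th><th>direction</th><th>sender</th><th>text</th></tr>\n"
            + "\n".join(rows) + "\n</table></body></html>")


if __name__ == "__main__":
    for term, msgs in search_terms(HISTORY, load_terms(TERM_FILE)).items():
        print(f"{term!r}: {len(msgs)} message(s)")
    print("phrase 'steal candies':", len(search_phrase(HISTORY, "steal candies")), "message(s)")
    for m in gap_search(HISTORY, "steal", "candies"):
        print(f"gap match: {m.sender} -> {m.recipient} @ {m.sent_at}: {m.text}")
    print(export_html(HISTORY, OWNER, "Mr. Evil"))
```

The phrase search returns nothing because 'steal' and 'candies' are never adjacent in the sample, while the gap search finds the two messages between the suspect and Mr. Evil; the exported HTML escapes message text, so a chat containing markup cannot inject anything into the report a colleague opens in a browser.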