Forensic Instant Messenger Investigation
This article deals with the subject of forensic investigation of
Instant Messenger histories: why it is needed, what messenger types there are, what
difficulties are involved in investigating histories and what tools can help overcome
What is an Instant Messenger?
According to Wikipedia, "instant messaging (IM) is a form of real-time communication
between two or more people based on typed text. The text is conveyed via
devices connected over a network such as the Internet".
Instant Messengers are widely used not only by teenagers,
but by people of any age and computer skills. Instant messengers are very
convenient when you want real-time conversation, but cannot or do not want
to call using the phone or Skype. Many IMs store conversation history; therefore,
given that instant messengers are widely used, history investigation is
of keen interest to forensic professionals.
Which IMs are the most popular?
If you ask the average computer user (well, we all know that average people
do not exist), he or she is likely to give you a list like this: AIM, Skype,
Yahoo! Messenger, ICQ, MSN (now known as Live Messenger). This is a good
list to start with. However, the most preferred instant messenger varies from
country to country. For example, ICQ is very popular in Germany and Russia,
while AIM is used mostly in the United States. The most interesting thing,
however, is that there is a messenger which is hardly known to average
users, but has the largest audience in the world. I am talking about the
QQ messenger, which is extremely popular in China and has a total of over
a billion user accounts. A few other widely used instant messengers are
Miranda, QIP, SIM, MySpace IM, Digsby, Google Hello, Trillian, Jabber and Meebo.
In Wikipedia you can find many more IM clients, compared
The problem with IM investigation
The problem now becomes obvious: there are simply too many of them! All of them store
their information in different places, and a forensic investigator should know all
those places: the Registry, AppData folders, Program Files, Documents and Settings (which
may be spelled in another language) and so on. Moreover, the suspect may move their
history to a folder other than the default one, so that you cannot find it in those
well-known places. If forensic investigators do not have a special tool at their
disposal, they will spend an enormous amount of time just searching for messenger
histories. What is more, after extracting messages, forensic investigators are supposed
to create a readable report of chat contents, which can also be a problem.
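As an added illustration of the "too many places" problem (example code written for this page, not Belkasoft's software), the following Python script walks a mounted image tree read-only and recognises candidate history files by their content rather than by the folder they sit in, so a localized profile folder name or a history moved somewhere unusual does not hide them. The OLE compound-file and Jet database signatures are real magic values (QQ keeps history in OLE containers and ICQ 6 in an Access database, as described further down); the HTML/XML checks and the sample directory tree are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Content signatures. The first two are real, well-known magic values; the
# HTML/XML checks are deliberately loose because chat logs in those formats vary.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (QQ stores history in OLE containers)
JET_MAGIC = b"Standard Jet DB"                   # at offset 4 of Access/Jet .mdb files (ICQ 6 databases)


def classify(header: bytes) -> Optional[str]:
    """Coarse format label for the first bytes of a file, or None if uninteresting."""
    if header.startswith(OLE_MAGIC):
        return "ole-container"
    if header[4:4 + len(JET_MAGIC)] == JET_MAGIC:
        return "jet-database"
    lowered = header.lstrip().lower()
    if lowered.startswith(b"<?xml"):
        return "xml"
    if lowered.startswith((b"<!doctype html", b"<html")):
        return "html"
    return None


def sha256_of(path: Path) -> str:
    """Hash the file for the evidence log; the file is only ever opened for reading."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_candidates(root: Path) -> List[Dict[str, str]]:
    """Walk a mounted (read-only) image tree and list files that look like history containers.

    Recognition is by content, not by folder name, so a localized
    'Documents and Settings' or a history moved to an odd folder is still found.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                with p.open("rb") as f:
                    header = f.read(64)
            except OSError:
                continue  # unreadable entry: record nothing, never retry with write access
            kind = classify(header)
            if kind is None:
                continue
            found.append({"path": p.relative_to(root).as_posix(), "kind": kind, "sha256": sha256_of(p)})
    return sorted(found, key=lambda r: r["path"])


def build_demo_tree() -> Path:
    """Constructed sample tree (assumption: not a real messenger layout)."""
    root = Path(tempfile.mkdtemp(prefix="im_demo_"))
    german = root / "Dokumente und Einstellungen" / "user" / "chat"   # localized profile folder
    english = root / "Documents and Settings" / "user" / "chat"
    moved = root / "work" / "misc"                                     # history moved out of the profile
    for d in (german, english, moved):
        d.mkdir(parents=True)
    (german / "log.htm").write_bytes(b"<html><body>constructed chat log</body></html>")
    (english / "history.dat").write_bytes(OLE_MAGIC + b"\x00" * 56)
    (moved / "notes.txt").write_bytes(b"nothing to see here")
    (moved / "moved.mdb").write_bytes(b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 40)
    return root


if __name__ == "__main__":
    for rec in find_candidates(build_demo_tree()):
        print(f"{rec['kind']:14} {rec['sha256'][:12]}  {rec['path']}")
```

Pointing `find_candidates` at the mount point of an image gives a path, format label and SHA-256 for every candidate; a real analyzer would add the binary formats of each messenger to `classify`, but the discipline is the same: open evidence read-only, hash what you rely on, and never trust the default path.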
Let us look in greater
detail at the difficulties involved in investigating instant messenger histories.
First of all, many messengers have an unreadable or hardly readable format.
Some IMs (e.g. Digsby and AIM) store messages in the good old HTML format;
others even use plain text (e.g. QIP). However, most instant messengers
'pretend' to be secure. For example, an older ICQ used to keep messages
in binary .dat files, which made it possible to read some text. What was
hard to understand is who sent the message, who the message was sent to,
and at what time. The same is true for Skype: You can read chat message
texts and you even know who participated in the chat, but you cannot figure
out whether the given message was sent or received, and what the time was.
Another important issue is time. Every messenger has its own unique
way of indicating time. Some IMs store local time; others use UTC. ICQ,
for example, uses a very strange time shift (here is a quotation from the Miranda
source code: "Only God and Mirabilis knows why"). Finally, Skype wants 5
bytes to store message time!
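Added example (not from the original article): a small Python helper that normalizes timestamps stored under different conventions to UTC and merges records from several sources into one ordered timeline, which is what an investigator needs before comparing chats from different messengers. The three conventions (Unix seconds in UTC, Unix seconds written from the local wall clock, Windows FILETIME) are assumptions chosen to illustrate the problem, not a description of how ICQ or Skype encode time; the records are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Three storage conventions used here as illustrations (assumption: they are not
# claims about how any particular messenger encodes its timestamps):
#   "unix_utc"   seconds since 1970-01-01 00:00 UTC
#   "unix_local" the same counter, but written from the machine's local wall clock,
#                so it can only be interpreted with that machine's UTC offset
#   "filetime"   Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def normalize(value: int, convention: str, local_offset_hours: float = 0.0) -> datetime:
    """Convert a raw stored value to an aware UTC datetime."""
    if convention == "unix_utc":
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if convention == "unix_local":
        # Reinterpret the counter as wall-clock time in the suspect machine's zone, then shift to UTC.
        wall = datetime(1970, 1, 1) + timedelta(seconds=value)
        return wall.replace(tzinfo=timezone(timedelta(hours=local_offset_hours))).astimezone(timezone.utc)
    if convention == "filetime":
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    raise ValueError(f"unknown convention {convention!r}")


def unified_timeline(records: List[Dict], local_offset_hours: float = 0.0) -> List[Tuple[datetime, str, str]]:
    """Normalize every record to UTC and order them, whatever source they came from."""
    rows = [(normalize(r["time"], r["convention"], local_offset_hours), r["source"], r["text"])
            for r in records]
    return sorted(rows, key=lambda row: row[0])


# Constructed sample records: three messengers, three conventions, one evening.
SAMPLE_RECORDS = [
    {"source": "A", "convention": "unix_utc",   "time": 1200000000,         "text": "stored as UTC seconds"},
    {"source": "B", "convention": "unix_local", "time": 1200010860,         "text": "stored as local seconds (UTC+3 machine)"},
    {"source": "C", "convention": "filetime",   "time": 128444735400000000, "text": "stored as Windows FILETIME"},
]

if __name__ == "__main__":
    for ts, source, text in unified_timeline(SAMPLE_RECORDS, local_offset_hours=3):
        print(ts.isoformat(), source, text)
```

Read naively, record B (the largest Unix value) looks like the last message and record C looks unrelated; once every value is brought to UTC the true order is C, A, B, one minute apart. The UTC offset of the seized machine has to be established from the system itself (time zone settings, DST rules) and recorded with the case.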
The next issue is the changing history format. Messengers evolve
and naturally change the way they store histories. Skype, for example, has
had two history formats. The record breaker here is obviously ICQ, with at
least 5 known history formats. Therefore, a helpful tool for forensic investigation
should support every format that has ever existed.
Yet another issue is the very fact of storing messages. We keep receiving
the question: "Can your software retrieve messages if I did not set the option
to store the history?" That is a funny question! Our software is not a magic
wand. Where can it get history if it has not been stored? Some people believe
it is possible to go to some central server and take the history from there.
Unfortunately, this is not technically possible. What is more, it would
be illegal to do something like that. So, if the history has not been saved,
the war is lost. There is one interesting exception, though. An older ICQ
version (2003b) had a bug, and the program was still storing outgoing messages
even if you had switched history saving off. As a result, half of the history
was still available to read. However, it is the only known bug, and all
other messengers keep their promise not to store history if this option
is switched off.
A question that inevitably arises is whether or not it is possible to
deal with messengers that do not store histories. AIM, for instance, does
not store its history by default.
The only way to get access to its histories is to use special software called a 'sniffer'.
Software of this kind can intercept network packets in real
time. However, there are two major difficulties. First, the software works
in real time, so it has to be installed before a chat between suspects
is conducted. Second, the sniffer has to work in the same local
network as the suspect's (the same hub or the same switch). All that is
hard to arrange, isn't it?
Another frequently asked question is this: "Guys, do you really
believe such a tool is of any use? If I were a criminal, I would definitely
switch messenger history off or delete it afterwards". To respond,
we can use the question: "Do you think fingerprint analysis is of any
use? If I were a criminal, I would definitely wipe off all my fingerprints
at the crime scene (or just use gloves)". This is the same logic,
and we know that fingerprint analysis is widely used in forensic investigation.
The same is true for IM history: some people are aware of chat recording;
others are not; some may forget to delete the history or be in a hurry; others
may delete their history, but not permanently, and a recovery tool is able
to recover history files. Thus, there are obviously a lot of cases when
there ARE some histories available.
What must a forensic investigator know about instant messengers?
The following is some helpful information about some of the most common instant messengers.
AIM
AIM has good and bad things about it at the same time. What is good is that it stores
history in the readable HTML format. What is bad about this messenger is that
it does not store history by default. Since it is very popular with a lot of
computer users in the USA, this is a pity.
Skype
Skype is now the leading software for making calls. Many people prefer Skype to ordinary
and mobile phones. Personally, I sometimes prefer a paid call via Skype to a
free phone call when I am at home. Why? Using the ordinary phone means getting
up and going to another room! Also, Skype has support for chats, although it
is extremely unreliable, and messages are sometimes delivered days after they
were sent. Chats are stored in dbb files in a readable format, but without a
good indication of whether the message in question was sent or received, and
what the time was. What is good about Skype is that the message history is stored
Yahoo! Messenger
Yahoo! Messenger stores messages in encrypted files, which can frighten you a little. Do not
despair: this is just XOR with the profile owner's account name as the key!
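Added example, not the article's or Belkasoft's code: repeating-key XOR with the account name as the key, the scheme the text describes for Yahoo! Messenger, applied to a constructed blob. The record layout (one "date time who: text" line per message) and the account names are assumptions; the point is that the same function decrypts, that a structural check on the output confirms the key guess, and that a key taken from a visible profile name gives the history no real confidentiality.

```python
import re
from itertools import cycle
from typing import Iterable, Optional, Tuple


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Because XOR is its own inverse, this both 'encrypts' and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Assumed record layout for the demo: one "YYYY-MM-DD HH:MM who: text" line per message.
RECORD_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+: ")


def decode_history(blob: bytes, account_name: str) -> Optional[str]:
    """Decode with the account name as key; return None unless the result has the expected layout."""
    plain = xor_with_key(blob, account_name.encode("ascii")).decode("utf-8", errors="replace")
    return plain if RECORD_LINE.match(plain) else None


def recover(blob: bytes, candidate_names: Iterable[str]) -> Tuple[Optional[str], Optional[str]]:
    """Try each account name seen on the system (e.g. profile folder names) until one decodes cleanly."""
    for name in candidate_names:
        plain = decode_history(blob, name)
        if plain is not None:
            return name, plain
    return None, None


# Constructed sample: the blob is produced here by XOR-ing a made-up log with a made-up account name.
SAMPLE_KEY = "alice_account"
SAMPLE_PLAINTEXT = (
    "2008-01-10 21:20 alice: see you at the usual place\n"
    "2008-01-10 21:21 bob: ok\n"
)
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT.encode("utf-8"), SAMPLE_KEY.encode("ascii"))

if __name__ == "__main__":
    key, text = recover(SAMPLE_BLOB, ["bob", "alice_account"])
    print("key:", key)
    print(text)
```

The structural check matters because a wrong XOR key does not fail loudly: it just yields different bytes, many of them printable. Checking that the output parses as the format you expect is what turns "it decoded" into "this is the right key".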
ICQ
ICQ writers are very peculiar guys. They have tried every way of storing messages:
binary format one, binary format two, and XML. Now it is an Access database, and
MySQL and SQL Server Express are expected in the next versions! The ICQ 6 format
is very easy to investigate because it can be read directly in Microsoft Access.
The same is true for XML. Binary formats, on the other hand, require special
tools. Interestingly enough, some people still use old ICQ versions (ICQ 2003b),
so those tools are still useful. In some rare cases, you can come across a very
old history (sometimes even made by the ICQ 1997 version). Very few tools support
this ICQ version.
QQ
QQ is probably the worst for investigators to deal with. It stores history in OLE
containers, which are viewable with DocFile Viewer, but the data inside is encrypted
with the Blowfish algorithm! It sounds formidable, doesn't it? We have good news!
The decryption key is the QQ owner's account number. Although QQ allows encrypting
with a custom key, only a limited number of people use this strong protective option.
Miranda
Miranda utilizes a binary format. Since it is an open-source project, there are a lot
of tools for extracting its history.
SIM, MSN, Trillian, QIP, MySpace IM and Digsby
These messengers have very simple formats: plain text, XML or HTML. However, you still
need a tool which can gather messages into one report, look for something in particular,
filter particular contacts or dates, and so on.
Google Hello
Google Hello is an interesting messenger which is used especially for exchanging pictures.
As a forensic professional, you are interested not only in texts, but also in
pictures sent or received. Fortunately, the history contains a preview (thumbnail)
of a picture, so it is available even if a suspect deleted the full-size picture.
The format of the Google Hello history is binary.
&RQ
&RQ is not very popular now. However, it was probably the first messenger which
had all conversations (active chats) in one window. It also has some other handy
features, which is why it was more or less popular several years ago. The history
format is binary.
What is the best tool for dealing with the above mentioned instant messengers?
Generally speaking, there are few tools supporting all these messengers. You can find
individual analyzers for one or another messenger, but we know only one tool, apart from
ours, which supports all formats: Paraben's. Individual extractors also often do not respect
'forensic rules': they may require write access to a disk drive, cannot work with
EnCase drives, and so on. What makes our software special?
Our tool is called Belkasoft Forensic IM Analyzer. It supports all ICQ
versions (even pre-98), Yahoo! Messenger, Miranda, &RQ, QIP, SIM, Skype, MySpace
IM, MSN/Live Messenger, Google Hello, Trillian, AIM and QQ. The tool allows an intelligent
search for messenger histories on computer disk drives, including CD/DVD, removable
drives and EnCase drives. Once a history is extracted, you can navigate through
chats, look at particular contacts, read conversations and bookmark interesting
chat messages (with an option of navigating between bookmarks even if they are in
different histories). Of course, you can extract messages into text, XML or HTML
formats. The latter format is the most frequently used one, and it allows you to burn
a CD with a full colorful record of the analyzed histories.
Our software allows several kinds of search. First, there is a regular search for
a word or a part of a word. Another is a search against a predefined set of words,
which is especially useful if you do not know a specific word but have a file with
suspicious words or phrases. Finally, the tool allows you to search with regular expressions
when you want to find phrases with a fuzzy structure, for example, when you want to
find two particular words delimited by no more than 4 other words, one of which
is a credit card number.
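An added Python sketch (not the analyzer's own search code) of the three search kinds just described, run over a handful of constructed chat records: a plain or partial word, a predefined word list, and a regular expression for two terms with at most N words between them where one term is a credit-card-like number. It goes one step beyond the text by adding a Luhn check so that random 16-digit runs (order ids, phone numbers) do not show up as card numbers.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample chat records (assumption: not taken from any real history).
MESSAGES: List[Dict] = [
    {"id": 1, "who": "alice", "text": "did you get the parcel yesterday?"},
    {"id": 2, "who": "bob",   "text": "yes, pay with card 4111 1111 1111 1111 before friday"},
    {"id": 3, "who": "alice", "text": "transfer the money to the account by friday"},
    {"id": 4, "who": "bob",   "text": "card 4111111111111111 okay"},
    {"id": 5, "who": "bob",   "text": "reference 1234 5678 9012 3456 is the order id"},
]

# Loose 13-16 digit run with optional space/dash separators; it is a candidate, not a verdict.
CARD = r"(?:\d[ -]?){13,16}"


def word_search(messages: Iterable[Dict], word: str, whole: bool = False) -> List[int]:
    """Search for a word or a part of a word (case-insensitive)."""
    pat = re.compile(r"\b" + re.escape(word) + (r"\b" if whole else ""), re.IGNORECASE)
    return [m["id"] for m in messages if pat.search(m["text"])]


def wordlist_search(messages: Iterable[Dict], words: Iterable[str]) -> Dict[int, List[str]]:
    """Search against a predefined list of suspicious words; returns which words hit in which message."""
    pat = re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b", re.IGNORECASE)
    hits = {}
    for m in messages:
        found = sorted({w.lower() for w in pat.findall(m["text"])})
        if found:
            hits[m["id"]] = found
    return hits


def near(term_a: str, term_b: str, max_between: int = 4) -> re.Pattern:
    """Regex for term_a followed by term_b with at most max_between whitespace-separated words between."""
    return re.compile(rf"\b{term_a}\b(?:\s+\S+){{0,{max_between}}}\s+{term_b}\b", re.IGNORECASE)


def regex_search(messages: Iterable[Dict], pattern: re.Pattern) -> List[int]:
    return [m["id"] for m in messages if pattern.search(m["text"])]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_hits(messages: Iterable[Dict]) -> List[int]:
    """Messages containing at least one Luhn-valid 13-16 digit number."""
    pat = re.compile(r"\b" + CARD + r"\b")
    out = []
    for m in messages:
        for candidate in pat.findall(m["text"]):
            if luhn_ok(re.sub(r"\D", "", candidate)):
                out.append(m["id"])
                break
    return out


if __name__ == "__main__":
    print("partial word 'fri':", word_search(MESSAGES, "fri"))
    print("word list:", wordlist_search(MESSAGES, ["parcel", "friday", "account"]))
    print("'card' within 4 words of a card-like number:", regex_search(MESSAGES, near("card", CARD)))
    print("Luhn-valid card numbers:", card_hits(MESSAGES))
```

`near("pay", CARD)` matches message 2 (two words between "pay" and the number) but not message 5, and `card_hits` keeps messages 2 and 4 while discarding the order id in message 5, which is exactly the kind of false positive a fuzzy regex alone produces.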
We do not
claim that our software can do everything. We want to emphasize
that no software is a magic wand. Ours is not, either, so if something has
not been stored locally, it cannot be extracted. We regularly issue refunds
to customers looking for their lost MSN or AIM histories. They write
us letters expressing their disappointment and say that they will look for
alternative software. Will they find any software that works wonders? We
doubt it very much. Our software does not do it, and no other software will.
We would like to explicitly say what our software cannot do:
- It cannot extract messages if they have not been stored locally. This is
true for any existing instant messenger.
- It cannot extract sent SMS messages where a messenger supports sending them. The only exception
is an older ICQ.
- It cannot extract files, whether sent or received. This applies to all messengers.
What is possible in the case of many messengers, however, is to show the fact of
a file exchange, but the file itself may have already been deleted or saved to an unusual
place. The only exception is thumbnails for Google Hello images, although, strictly
speaking, those are not what was sent or received.
- It cannot extract deleted messages. Most messengers overwrite their history
files right after you change the history (for example, when you delete a message),
so it is impossible to extract them. The only exception is an older ICQ that kept
deleted messages in the history. The extraction of deleted messages is supported
in this case.
Instant Messengers have become an important means of communication.
A forensic investigator should know as much as possible about IMs and be
ready to investigate chats. Given the variety of instant messengers used
worldwide, it is a big advantage to have one tool which is able to locate
histories, analyze them without any passwords, search and filter chats and,
of course, produce a report in a printable and easily readable format.
Our tool is available at
(the demo is free).
The video of how an investigator works with the software is available
What do other policemen think about our software? Find out about it at
Finally, you can share your ideas and feedback with us at