Please (not plz, this is not an SMS) help us help you by providing at least a little bit of information.
iMesh looks like it is supported on several platforms including Windows, Android, iOS and more. What OS are you examining?
Does iMesh save chats by default? What indications do you have that there would be any remnants of the chats saved on the local machine? Do you know what settings were used on the subject machine?
Just a tiny bit of Googling (you did try Google or Bing or something, right?) turned up the following about iMesh file transfers on Windows:
iMesh uses the FastTrack protocol, developed by what is now Sharman Networks, and is based on the older Gnutella protocol.
FastTrack clients send files over HTML using standard HTTP headers with a few extensions. The custom HTTP headers added by the protocol generally begin with X-Kazaa-, making this a good search string for drive searches to detect the presence of these clients, even after removal.
Of key importance to investigators is the ContentHash. This is an MD5-based hash of the file's content, and it is how FastTrack uniquely identifies files on its network, even those with different names. By searching for that hash function in another FastTrack client, the true content of a deleted file can be obtained from elsewhere (the forensic examiner's dream: an endless supply of offsite backup copies that are readily accessible and provable to be the same as the shared file).
The FastTrack clients have two areas of interest: the DAT files and the DBB files.
DAT files. These files represent actual content in the process of being downloaded. The files are generally named download-XXXXXXXXXXXXXXXXXX.dat, where the Xs represent a unique local file name. In the case of partial downloads, file repair techniques can be used to view the current portion of the content that has been downloaded. Since FastTrack clients rely on a pull model, these files have been actively selected and downloaded by the user of the machine or an application running locally. Searching for strings within the file will yield the file name and some basic file details. A full analysis can be performed using a tool called KaZALyser. Full details on the DAT format are at http://www.home.hetnet.nl/mr_6/237/frejon55/ft/KazaaFileFormats.html.
DBB files. These files contain the metadata regarding files that are currently or have previously been shared by the local machine. The content in DBB files is broken up based on record length:
data256.dbb holds meta records that fit in 8+256 bytes.
data1024.dbb holds meta records that fit in 8+1024 bytes.
data2048.dbb holds meta records that fit in 8+2048 bytes.
data4096.dbb holds meta records that fit in 8+4096 bytes.
Each record can be viewed with a hex editor, but KaZALyser, noted previously, is highly recommended. Individual file names, last shared times, and other specifics on files made available on the client machine can be obtained from these files. To view them in hex, each record will be the size dictated by the preceding file (for example, a record in data1024.dbb will be 8+1024 or 1032 bytes in size).
In the case of Kazaa, the file is shared only if the shared bit is set globally as well in the registry (that is, if HKCU\Software\Kazaa\LocalContent\DisableSharing is set to 00h sharing is enabled globally; if it is set to 00h it is disabled).
Have you looked in the directory where downloaded files are saved to see if there are any chats saved there?
On the off chance that there is some remnant of a chat left behind, do you have some sort of verbiage to use in a search?
Have you looked for HTML fragments to see if there is some remnant of the chats there?
So really without some additional input, your question is vague at best.
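The fixed-size DBB record layout quoted above (8+N bytes per record in dataN.dbb) can be walked with a short script when a hex editor is too slow. This is an added example, not part of the original post and not KaZALyser's code; the function names and sample bytes are constructed, and nothing is assumed about the fields inside a record beyond its size.

```python
import re

HEADER_LEN = 8  # the fixed "8+" part of every record size quoted above
DBB_NAME = re.compile(r"data(\d+)\.dbb", re.IGNORECASE)

def record_size(filename):
    """Record size implied by a dataN.dbb name: 8 + N bytes."""
    m = DBB_NAME.fullmatch(filename)
    if m is None:
        raise ValueError(f"not a dataN.dbb file name: {filename!r}")
    return HEADER_LEN + int(m.group(1))

def ascii_runs(data, min_len=4):
    """Printable ASCII runs, the same thing a strings pass would show."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]

def triage(filename, blob):
    """Split blob into fixed-size records; return (records, slack_bytes).

    The field layout inside a record is not assumed: the first 8 bytes are
    kept as opaque hex and the rest is only searched for readable strings.
    """
    size = record_size(filename)
    records = []
    for offset in range(0, len(blob) - size + 1, size):
        rec = blob[offset:offset + size]
        records.append({
            "offset": offset,
            "header_hex": rec[:HEADER_LEN].hex(),
            "strings": ascii_runs(rec[HEADER_LEN:]),
        })
    # Bytes left over after the last whole record point to a truncated or
    # partly overwritten file (typical of carved or recovered data).
    return records, len(blob) % size

def make_sample():
    """Constructed test data shaped like data256.dbb: 2 records + 10 stray bytes."""
    def rec(name):
        body = b"\x00" * 16 + name + b"\x00" * (256 - 16 - len(name))
        return b"\x01" * HEADER_LEN + body
    return rec(b"holiday_video.avi") + rec(b"report_draft.doc") + b"\xff" * 10

if __name__ == "__main__":
    recs, slack = triage("data256.dbb", make_sample())
    for r in recs:
        print(r["offset"], r["header_hex"], r["strings"])
    print("slack bytes:", slack)
```

Run it against a working copy of the evidence file, and record the reported offsets so each string can be tied back to a record in the hex view.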
Joined: Nov 01, 2005 Posts: 551 Location: Marion, Indiana, USA
Posted: Tue Jan 15, 2013 8:21 pm Post subject:
First, you need to find out if iMesh saves a log by default. If it doesn't, then you may be chasing a ghost. You also need to know, if it does save them by default, whether it allows the user to disable it. If it does, then, again, you may be chasing a ghost.
I think the best advice anyone could give you would be to install the program on a computer running the same OS as your target OS and do some testing. That would give you all of the answers you are seeking.