
X-Ways Support Forum » Advanced Features » Scripts to capture viewed emails (Hotmail, Yahoo, etc.) to files


Glenn Dardick
Posted on Wednesday, Nov 23, 2005 - 14:56:   

More and more, I have clients that want to view the long list of potential evidence items to perhaps catch something that the Forensics examiner might miss. Often the examiner is not given all the facts that might be pertinent, or the facts given might be overly broad and produce volumes of information that might be better (cheaper) searched by a paralegal or a party to a civil suit.

So I wrote scripts to capture Yahoo Mail snippets and save them to a file after removing the Yahoo "login" javascript from the snippet. I use a filename with the offset to the partition as part of the name. Now the file can be easily viewed and determined if relevant by the lawyer, party to the suit, or whoever.

Then, I wrote a second pass filter for Yahoo Mail which assumes that the HTML header was overwritten.

Then, I wrote one for MSN Hotmail.

Then, I wrote one for a second pass for MSN Hotmail assuming that the HTML header was overwritten.

Which finally brings me to my questions.

Does anyone have other similar filters and suggestions? I am now trying to create one for AOL.

Does anyone want to share? Can we post all such filters in a section so there is one "living script" to be enhanced and built upon for a general webmail search and retrieve.

(a similar feature exists in another product, but I think we can do more here)

Thanks for any suggestions and/or feedback.

...and sorry for the length of the post.

Glenn Dardick
Posted on Wednesday, Nov 23, 2005 - 15:29:   

I misspoke. In the Yahoo snippet, I updated a META tag section instead of removing a section of javascript. The META tag was requiring the user to be logged in to view the message in the HTML. Example is as follows (certain HTML elements were originally replaced by descriptions in parentheses because of posting limitations, or my own ignorance):
=========================================
Goto 0
{
Find 0x3C68746D6C3E0A3C686561643E0A3C7469746C653E0A5961686F6F21204D61696C202D Down
IfFound
Block1 CurrentPos
IntToStr MyVariable CurrentPos
Move 100000
Block2 CurrentPos
CopyIntoNewFile "c:\found\Yahoo Mail\File - Yahoo Mail - +MyVariable+.htm"
Open "c:\found\Yahoo Mail\File - Yahoo Mail - +MyVariable+.htm"
ReplaceAll "META HTTP-EQUIV=Refresh" "META HTTP-EQUIV=xxxxxxx"
Save
Close
Else
ExitLoop
EndIf
}[5000]
Terminate
=========================================
The HEX string above is for the following (taking into account the line feeds):
<html>
<head>
<title>
Yahoo! Mail -

howard@apextechnology.co.uk
Posted on Wednesday, Nov 23, 2005 - 15:30:   

Hi Glenn

The AOL email store files are quite complex.

However I know Ross at Winpro has spent a lot of time researching the structure and can extract emails beyond the ability of most commercially available software packages.

You might like to contact him at Ross@winpro.net or see his postings in the forensic forum on AOL.

Good luck
H

Jimmy Weg (Jw)
Posted on Wednesday, Nov 23, 2005 - 16:37:   

Regarding Yahoo related items, I use NavRoad or Universal Explorer as my viewer. Neither of those tools chokes on the META tag. If you extract Yahoo HTMLs or copy out such files, you can review them very quickly by opening the target directory with Universal Explorer and using its viewer. Of course, you can also search the files and only view those of potential relevance.

Forum operated by X-Ways Software Technology AG.