iOS  Applica*on  Forensics  Sarah  Edwards    

oompa@csh.rit.edu  @iamevltwin  

CEIC  -­‐  May  2011  

© 2011 Harris Corporation

About  Me  �  Digital  Forensic  Analyst  with  Harris  Corpora*on  

�  Computer  Intrusions  

�  Free  *me  is  used  for  iOS/Mac  forensic  research  

© 2011 Harris Corporation

Objec*ves  �  If  you  sit  through  this,  you’ll  get:  

�  Contacts  �  Pictures  �  Documents  �  Usernames  �  Passwords    �  Loca*onal  Data  �  …much  more.  

�  It  is  so  easy,  almost  too  easy.  

�  iOS  Applica*on  Security  Awareness  �  What  about  Android/Blackberry/Windows?  

© 2011 Harris Corporation

iOS  Apps  �  Prevalence  

�  iPhone  �  iPad  �  iPod  Touch  

�  How  many  Apps?  �  10  Billion  downloads  �  ~350,000  Apps    

�  [hZp://www.buzzbiznews.com/035133/apple’s-­‐app-­‐store-­‐hits-­‐10-­‐billion-­‐downloads/]  

© 2011 Harris Corporation

Caveats  �  Third-­‐party  applica*ons  only.  �  Redac*on…lots  of  personal  informa*on  in  Apps.  

�  Lots  of  pictures  �  So^ware  Verifica*on  and  Valida*on  �  Evidence  Admissibility  

�  Detailed  acquisi*on  techniques  �  Applica*ons  Versions    

© 2011 Harris Corporation

ACCESSING  THE  DATA  

© 2011 Harris Corporation

State  of  Forensic  So^ware  �  There  are  many  tools.  

�  Some  are  beZer  than  others.  

�  Some  get  only  logical  data.  

�  Some  require  the  passcode.  

�  Most  are  expensive.  

�  Most  do  not  auto-­‐magically  parse  3rd  party  applica*on  data.  

�  Proprietary  data  formats  

© 2011 Harris Corporation

Backups  vs.  Physical  vs.  Logical  

© 2011 Harris Corporation

Backups  

• Easy  Access  • Historical  Context  

• Encryp*on  • Must  have  HDD  • Limited  Data  

Physical  

• Difficult  to  capture  

• Up-­‐to-­‐date  • Access  to  physical  device  

• Poten*al  to  get  EVERYTHING  

• Encryp*on  

Logical  

• Easy  Access  • Up-­‐to-­‐date  • Access  to  physical  device  

• Limited  to  logical  data  

Backup  Files  

© 2011 Harris Corporation

Backup  File  Loca*ons  �  Windows  

�  <APPDATA>\Apple  Computer\MobileSync\Backup  �  \Users\<user>\AppData\Roaming\Apple  Computer

\MobileSync\Backup  

�  Mac  �  ~/Library/Applica*on  Support/MobileSync/Backup/  

© 2011 Harris Corporation

Backup  Files  (iOS  4.x)  �  Info.plist  

�  Manifest.mbdb  

�  Manifest.mbdx  

�  Manifest.plist  

�  Status.plist  

© 2011 Harris Corporation

Backup  Files  (iOS  4.x)  –  Info.plist  �  Build  Version  �  Device  Name  �  Last  Backup  Date  �  Serial  Number  �  Device  Iden*fier  �  Device  Type  �  iOS  Version  �  ICCID  �  IMEI  �  Phone  Number  �  List  of  applica*ons:  

�  In  Library  �  Synced  

© 2011 Harris Corporation

Backup  Files  (iOS  4.x)  –  Manifest.plist  

�  Contains  applica*on  versions.  

© 2011 Harris Corporation

Backup  Files  (iOS  4.x)  �  Manifest.mbdb  &  Manifest.mbdx  

�  Database  files  of  the  backup  contents.  

© 2011 Harris Corporation http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat

Backup  Files  (iOS  3.x)  �  *.mddata  

�  *.mdinfo  

�  Info.plist  

�  Manifest.plist  

�  Status.plist  

© 2011 Harris Corporation

Backup  Files  (iOS  3.x)  �  *.mddata  

�  *.mdinfo  

© 2011 Harris Corporation

So^ware  for  Backups  •  iPhone  Backup  Extractor  

–  Mac  only  –  Available  at  supercrazyawesome.com  –  Free!  (Dona*ons  are  welcome.)  

© 2011 Harris Corporation

So^ware  for  Backups  �  iPhone  Backup  Extractor  

�  Windows,  Linux  &  Mac  �  Available  at:    

�  iphonebackupextractor.com  

�  Free  &  Paid  Versions  

© 2011 Harris Corporation

So^ware  for  Backups  �  iBackupBot  

�  Windows  Only  �  Available  at:  

�  icopybot.com  

�  Free  Trial  ($35)  

© 2011 Harris Corporation

So^ware  to  Access  Physical  Device  �  Forensic  So^ware  �  Jailbreak  

�  SSH/DD/SCP  

�  "Zdziarski"  Method  �  NIST  Approved  �  LE/Military  Only  

�  Commercial  Non-­‐Forensic  So^ware  (For  Research  Purposes)  �  PhoneDisk  �  PhoneView  

© 2011 Harris Corporation

So^ware  to  Access  Physical  Device  �  PhoneDisk  

�  Mac  &  Windows  �  Available  at:  macroplant.com/phonedisk/  �  $20    

© 2011 Harris Corporation

So^ware  to  Access  Physical  Device  �  PhoneView  

�  Mac  �  Available  at:  ecamm.com/mac/phoneview/  �  $20  

© 2011 Harris Corporation

What  am  I  looking  at?  

© 2011 Harris Corporation

/User/Applica*ons  Directory  

© 2011 Harris Corporation

Applica*on  Directory  

© 2011 Harris Corporation

Applica*on  Directories  �  /private/var/mobile/Applica6on    

�  (Actual  Path,  linked  to  /User/Applica6on)  

�  /User/Applica6ons/########-­‐####-­‐####-­‐####-­‐############  �  Universally  Unique  ID  

�  <Applica6on_Home>/AppName.app  �  Applica*on  Bundle  (Not  Backed  Up)  

�  <Applica6on_Home>/Documents/  �  Contains  user  documents  and  data  files.  (Backed  Up)  

�  <Applica6on_Home>/Library/  �   Contains  applica*on  specific  files.  (Backed  Up)  

�  <Applica6on_Home>/Library/Preferences  �  Applica*on  Preference  Files  (Backed  Up)  

�  <Applica6on_Home>/Library/Caches    �  Applica*on  specific  support  files.  Persistent  between  applica*on  launches.  (Not  Backed  Up)  

�  <Applica6on_Home>/tmp/  �  Temporary  files,  not  persistent  between  applica*on  launches.  (Not  Backed  Up)  

© 2011 Harris Corporation

iTunesMetadata.plist  �  Contains  informa*on  such  as:  

�  Product  Informa*on  �  Purchase  Data  �  Apple  Account  Data  

© 2011 Harris Corporation

iTunesMetadata.plist  

 

© 2011 Harris Corporation

hZp://itunes.apple.com/app/id321506742    

/Library/Caches/Snapshots/  •  Might  get  lucky.    •  This  directory  may  

contain  a  screenshot  of  the  screen  when  the  device  was  screen  locked.  

 

© 2011 Harris Corporation

Other  System  Files  •  /var/mobile/Library/Caches/com.apple.mobile.installa5on.plist  

•  Useful  to  map  applica*on  GUIDs  to  specific  apps  •  47328AE1-­‐CB56-­‐4FE4-­‐8EEE-­‐2A771109DC55  =  com.aol.aim  

•  Contains  App  Specific  data  

•  /var/mobile/Library/Preferences/com.apple.appstore.plist  •  App  Store  –  Last  Search  entry  

•  /var/mobile/Library/Preferences/com.apple.loca5ond.plist  •  List  of  Apps  that  use  the  Loca*on  Services  •  Binary  seyng  show  if  Loca*on  Services  are  enabled  

•  /var/mobile/Library/Preferences/com.apple.springboard.plist  •  Contains  the  order  of  Applica*ons  on  each  “screen”  

 

© 2011 Harris Corporation

com.apple.mobile.installa*on.plist  

© 2011 Harris Corporation

 

com.apple.appstore.plist  

© 2011 Harris Corporation

 

com.apple.loca*ond.plist  

© 2011 Harris Corporation

 

com.apple.springboard.plist  

© 2011 Harris Corporation

 

GOOD  THINGS  TO  KNOW  

© 2011 Harris Corporation

Dates  �  Many  use  Absolute  Time  

�  Seconds  from  1/1/2001  00:00:00  GMT  

�  Tools:  �  Mac:  CFAbsoluteTimeConverter    

�  (hsoi.com/hsoishop/so^ware/)  �  Windows:  Dcode    

�  (digital-­‐detec*ve.co.uk/freetools/decode.asp)  �  BlackBag’s  Epoch  Converter  

�  (blackbagtech.com/resources/freetools/epochconverter.html)  

�  …or  add  978307200  and  use  date -ur

© 2011 Harris Corporation

Blackbag’s  Epoch  Converter  

© 2011 Harris Corporation

Popular  File  Formats  -­‐  Plist  �  Property  List  

�  XML  or  Binary  

�  Tools  �  Property  List  Editor  

�  Mac  Only  �  Xcode  �  Free!  (w/  Mac  OS)  

�  Ibackupbot  Plist  Editor  �  Windows  Only  �  icopybot.com/download.htm  �  Free!  

© 2011 Harris Corporation

Popular  File  Formats  -­‐  SQLite  �  SQL-­‐based  rela*onal  database  �  SQLite  Database  Browser  �  Tools  

�  Mac  &  Windows  �  sqlitebrowser.sourceforge.net  �  Free!  

© 2011 Harris Corporation

NOW  TO  THE  GOOD  STUFF…  

© 2011 Harris Corporation

SOCIAL  NETWORKING  

© 2011 Harris Corporation

Facebook  v.3.4  

© 2011 Harris Corporation

com.facebook.Facebook.plist  

© 2011 Harris Corporation

com.facebook.Facebook.plist  

© 2011 Harris Corporation

/Documents/friends.db  

© 2011 Harris Corporation

Facebook  Profile  �  hZp://www.facebook.com/profile.php?id=<UID>  

© 2011 Harris Corporation

User  Picture  (pic_square)  

© 2011 Harris Corporation

/Documents/analy*cs_buffer  

© 2011 Harris Corporation

/Library/Caches/Three20/  �  May  contain:  

�  Profile  Icons  �  XML  Text  Files  �  Album  Photos  �  Miscellaneous  Pictures  

© 2011 Harris Corporation

/Library/Caches/Three20/  �  <fql_result>  

�  <name>checkins_ac*vity<name>  �  Contains  User  IDs  &  coordinates  �  Lots  of  other  data  

© 2011 Harris Corporation

/Library/Caches/Three20/  �  <profile_response><user      

�  Contains  profile  data.  �  User  ID  �  Last  Load  Time  �  Birthday  �  Name  �  Hometown  �  Rela*onship  Status  �  Friend  Count  �  Email  �  Link  to  user  picture  �  Etc.  

© 2011 Harris Corporation

/Library/Caches/Three20/  �  <fql_result>  

�  <name>event<name>  �  Contains  Event  data  

© 2011 Harris Corporation

/Library/Caches/Three20/  �  <stream_post>  

�  Contains  “Wall”  pos*ngs  for  a  par*cular  user  in  <source_id>  

�  Includes    �  Message  �  Client  post  came  from  (Web,  TwiZer,  etc.)  �  User  comments  that  include  who  and  when.  �  Links  to  photo  aZachments  �  Link  to  permalink  

�  hZp://www.facebook.com/<uid>/posts/<post_id>  �  <post_id>  is  aZached  to  the  User  ID  by  an  underscore.  

© 2011 Harris Corporation

/Library/Caches/Three20/  �  <stream_post>  

 

© 2011 Harris Corporation

/Library/Caches/Three20/  �  <photos_response>  

�  Contains  links  to  photos,  including  descrip*ons,  comments  and  user  data.  

�  <profile_response><album    �  Contains  photo  album  informa*on.  

© 2011 Harris Corporation

/Library/Caches/SDURLCache/  �  Another  cache  directory.  

May  contain:  �  Javascript  �  Pictures,  complete  with  

origina*ng  URL.  

© 2011 Harris Corporation

LinkedIn  v.3.6  

© 2011 Harris Corporation

com.linkedin.LinkedIn.plist  

© 2011 Harris Corporation

“user”  Field  (com.linkedin.LinkedIn.plist)  

© 2011 Harris Corporation

/Documents/connec*ons_<memberid>.plist  

© 2011 Harris Corporation

/Documents/LinkedIn/  

© 2011 Harris Corporation

/Documents/LinkedIn/member_<memberid>.plist  

© 2011 Harris Corporation

/Documents/LinkedIn/member_<memberid>.plist  

© 2011 Harris Corporation

/Documents/LinkedIn/network_update_*  

© 2011 Harris Corporation

/Documents/LinkedIn<GUID>.sqlite  

�  ZBUZZTOPICOBJECT  

© 2011 Harris Corporation

/Documents/LinkedIn<GUID>.sqlite  

�  ZLIMESSAGE  

© 2011 Harris Corporation

/Documents/LinkedIn<GUID>.sqlite  

�  ZLIMESSAGEMEMBER  

© 2011 Harris Corporation

/Library/Caches/Three20/  

© 2011 Harris Corporation

SHOPPING  &  FINANCIAL  

© 2011 Harris Corporation

Amazon  v1.4  

© 2011 Harris Corporation

com.amazon.Amazon.plist  

© 2011 Harris Corporation

Chase  v.2.8.1202  

© 2011 Harris Corporation

User  IDs  

© 2011 Harris Corporation

com.chase.plist

/Documents/localcache.dat

Mint  v1.7.2  

© 2011 Harris Corporation

/Documents/mint_gala.db  

© 2011 Harris Corporation

“transaction_bankcc” Table

“account” Table

E*Trade  v1.8.4  

© 2011 Harris Corporation

User  ID  

© 2011 Harris Corporation

Ebay  v2.1.1  

© 2011 Harris Corporation

com.ebay.iphone.plist  

© 2011 Harris Corporation

/Library/Caches/Seyngs/<userid>-­‐X-­‐0-­‐user.cache  

�  Contains  User  Informa*on  �  Full  Address  �  Email  Address  �  Account  Name  �  Phone  Number  

© 2011 Harris Corporation

Paypal  v3.2  

© 2011 Harris Corporation

com.yourcompany.PPClient.plist  

© 2011 Harris Corporation

/Documents/PayPalUserDetailsCache  

© 2011 Harris Corporation

Street Address

Secure Merchant ID

PageOnce  –  Personal  Finance    v3.84  &  v4.01  

© 2011 Harris Corporation

Difference  between  v3.84  &  4.01  

© 2011 Harris Corporation

Version 3.84

Difference  between  v3.84  &  4.01  

© 2011 Harris Corporation Version 4.01

GOOGLE  

© 2011 Harris Corporation

iGmail  v5.6.8  

© 2011 Harris Corporation

com.idemfactor.iGmail.plist  

© 2011 Harris Corporation

/Library/WebKit/Databases/hZps_mail.google.com_0/0000000000000001.db  

© 2011 Harris Corporation

Mul*G  v1.3  

© 2011 Harris Corporation

/Documents/Mul*G/People.sqlite  

© 2011 Harris Corporation

La*tude  v2.1.2  

© 2011 Harris Corporation

/Documents/loca*on.plist      Library/Preferences/com.google.GoogleLa*tude.plist  

© 2011 Harris Corporation

CalenGoo  v1.5.11  

© 2011 Harris Corporation

/Documents/gca.sqlite  “DbProperty”  Table  

© 2011 Harris Corporation

/Documents/gca.sqlite  “Event”  Table  

© 2011 Harris Corporation

/Documents/gca.sqlite  “Times”  Table  

© 2011 Harris Corporation

1305432000 = Sun May 15 00:00:00 EDT 2011 1305777600 = Thu May 19 00:00:00 EDT 2011

/Documents/gca.sqlite  “GTasksTask”  Table  

© 2011 Harris Corporation

CEIC q  Check on hotel Reservation q Make Changes to Presentation

UTILITIES  

© 2011 Harris Corporation

TouchTerm  v2.4.2  

© 2011 Harris Corporation

net.jbrink.mobile.TouchTerm.plist  

© 2011 Harris Corporation

“connec*ons”  Field  

© 2011 Harris Corporation

Item  1  &  3  =  Hostname  Item  4  =  Username  Item  6  =  Password  

/Documents/pinchmedia/*.sql  

© 2011 Harris Corporation

Anonymous  Web  Browser  v2.0  

© 2011 Harris Corporation

/Documents/Cookies.plist  

© 2011 Harris Corporation

/Library/WebKit/LocalStorage/hZp_www.google.com_0.localstorage  

© 2011 Harris Corporation

Quick  Password  Manager  v2.2  

© 2011 Harris Corporation

com.yourcompany.passwd.plist  

© 2011 Harris Corporation

Passwords  

© 2011 Harris Corporation

MobileRSS  HD  Free  v3.2.1  

© 2011 Harris Corporation

/Documents/<username>@gmail.com.seyng  

© 2011 Harris Corporation

/Documents/<username>@gmail.com.sqlite  

�  Unencrypted  password!  

�  VERY  large  SQLite  database  �  Text  of  RSS  Feeds  �  Metadata  about  feeds  

© 2011 Harris Corporation

com.nibirutech.MobileRSSHDFree.plist  

© 2011 Harris Corporation

/Library/Caches/download/images/<username>@gmail.com  

© 2011 Harris Corporation

OpenTable  v3.2  

© 2011 Harris Corporation

com.contextop*onal.OpenTable.plist  

© 2011 Harris Corporation

BLOGGING  

© 2011 Harris Corporation

Tumblr  v1.2.2  

© 2011 Harris Corporation

/Documents/userData.mxdata  

© 2011 Harris Corporation

Unencrypted Password

Email

/Documents/textPost.details  

© 2011 Harris Corporation

WordPress  v2.6.4  

© 2011 Harris Corporation

/Documents/wordpress/blogs.archive  

© 2011 Harris Corporation

Item  21  =  Username  Item  22  =  BlogID  Item  23  =  Blog  URL  Item  24  =  Blog  name  Item  25  =  Blog  URL  

/Documents/wordpress/<blog>.wordpress.com/<blogid>/comment.1.archive  

© 2011 Harris Corporation

/Documents/wordpress/<blog>.wordpress.com/<blogid>/post.1.archive  

© 2011 Harris Corporation

org.wordpress.plist  

© 2011 Harris Corporation

Bing  for  iPad  v1.0  

© 2011 Harris Corporation

/Library/Preferences/com.microso^.binghd.plist  

© 2011 Harris Corporation

/Documents/BingTab.sqlite  

© 2011 Harris Corporation

/Documents/weatherSearch  

© 2011 Harris Corporation

/Documents/MapsCache  

© 2011 Harris Corporation

/Documents/MapsCache  

© 2011 Harris Corporation

TRAVEL  

© 2011 Harris Corporation

TripIt  v2.4    

© 2011 Harris Corporation

/Documents/TripIt.sqlite  

© 2011 Harris Corporation

/Documents/TripIt.sqlite  

© 2011 Harris Corporation

/Documents/TripIt.sqlite  

© 2011 Harris Corporation

“ZTRAVELER” Table

/Documents/TripIt.sqlite  

© 2011 Harris Corporation

“ZTRIPITOBJECT” Table

Navigon  v1.7  

© 2011 Harris Corporation

com.navigon.NavigonNorthAmerica.plist  �  Program  Preferences  

�  Audio  �  Terrain  �  POIs  �  Speed  Warnings  �  Traffic  �  Etc.    

© 2011 Harris Corporation

/Library/Preferences/com.navigon.NavigonNorthAmerica.plist  

© 2011 Harris Corporation

Last  Posi*on  &  Angle  

Metadata

/Documents/LastSearchResult.dat  

© 2011 Harris Corporation

/Documents/Favourite.targets  

© 2011 Harris Corporation

/Documents/Recent.targets  

© 2011 Harris Corporation

FourSquare  v2.2.2    

© 2011 Harris Corporation

/Documents/foursquare.sqlite  

© 2011 Harris Corporation

“ZFSVENUE” Table

/Documents/foursquare.sqlite  

© 2011 Harris Corporation

http://foursquare.com/user/<userid>

“ZFSNOTIFICATIONOBJECT” Table

DOCUMENTS  &  FILES  

© 2011 Harris Corporation

Evernote  v4.0.2  

© 2011 Harris Corporation

com.evernote.iPhone.Evernote.plist  

© 2011 Harris Corporation

Evernote2.sqlite.md  

© 2011 Harris Corporation

<IncomingEmail>@m.evernote.com

Library/Caches/www.evernote.com  

© 2011 Harris Corporation

applog.txt  

© 2011 Harris Corporation

Evernote2.sqlite  ZENSERVICEENTITY  Table  

© 2011 Harris Corporation

Evernote2.sqlite  

© 2011 Harris Corporation

“LOCALFILE”  Table  

Dropbox  v1.3.1  

© 2011 Harris Corporation

/Documents/Dropbox.sqlite  

© 2011 Harris Corporation

“ZCACHEDFILE”  Table  

/Library/Caches/Dropbox/  

com.getdropbox.Dropbox.plist  

© 2011 Harris Corporation

com.getdropbox.Dropbox.plist  �  Content  from  “DefaultsAccountInfoKey”  in  bplist  format,  

can  be  viewed  by  extrac*ng  into  separate  file  –  shown  below.  

© 2011 Harris Corporation

/Library/Caches/FavoriteFiles.plist  

© 2011 Harris Corporation

/Library/Caches/cache.db  

© 2011 Harris Corporation

/Library/Caches/cache.db  

© 2011 Harris Corporation

/Library/Caches/cache.db  

© 2011 Harris Corporation

/Library/Caches/cache.db  

© 2011 Harris Corporation

Private  Photo  Lite  v1.3  

© 2011 Harris Corporation

/Documents/  

© 2011 Harris Corporation

/Documents/photodb.sqlite  

© 2011 Harris Corporation

cn.mmxd.privatephotoslite.plist  

© 2011 Harris Corporation

TWITTER  

© 2011 Harris Corporation

Echofon  v3.1.8  

© 2011 Harris Corporation

/Preferences/net.naan.TwiZerFon.plist  

© 2011 Harris Corporation

db3.1.5.db    �  “users”  Table  

�  Contains  user  details:  �  TwiZer  User  ID  �  Name  &  Screen  Name  �  User  entered  loca*on,  descrip*on  and  website.  �  Count  of  followers/friends/favorites/tweets  �  Is  the  account  protected  or  verified?  �  Link  to  profile  icon  (hZp://a2.twimg.com/profile_images/647123757/Muppet-­‐Beaker_normal.jpg)  

 

© 2011 Harris Corporation

/Library/profile_images  �  hZp://a2.twimg.com/profile_images/647123757/Muppet-­‐Beaker_normal.jpg  

© 2011 Harris Corporation

db3.1.5.db  �  hZp://twiZer.com/statuses/user_*meline/105533433.rss  

© 2011 Harris Corporation

Fill in the twitter user ID to get their latest tweets

db3.1.5.db  

© 2011 Harris Corporation

“queries”  Table:  

“saved_search”  Table:  

db3.1.5.db    �  “direct_messages”  Table  

�  Contains  direct  messages.  �  To  &  From  (TwiZer  IDs  and  Screen  

Names)  �  Dates  

 

© 2011 Harris Corporation

Library/Cookies/Cookies.plist  

© 2011 Harris Corporation

HootSuite  v2.1.0  

© 2011 Harris Corporation

com.hootsuite.hootsuitelite.plist  

© 2011 Harris Corporation

com.hootsuite.hootsuitelite.plist  

© 2011 Harris Corporation

com.hootsuite.hootsuitelite.plist  

© 2011 Harris Corporation

TwiZeriffic  v3.0.2  

© 2011 Harris Corporation

/Documents/accounts.plist  

© 2011 Harris Corporation

Timeline  

© 2011 Harris Corporation

/Documents/searches.plist  

© 2011 Harris Corporation

Search  Databases  

© 2011 Harris Corporation

Tweetdeck  v1.4.1    

© 2011 Harris Corporation

/Documents/tddb.0.2.sqlite3  

© 2011 Harris Corporation

/Documents/column_cache_1  

© 2011 Harris Corporation

/Documents/tddb.0.2.sqlite3  

© 2011 Harris Corporation

COMMUNICATION  

© 2011 Harris Corporation

Skype  v3.0.1  

© 2011 Harris Corporation

/Library/Preferences/com.skype.skype.plist  

© 2011 Harris Corporation

Skype  Logs  

© 2011 Harris Corporation

Skype  Logs  

© 2011 Harris Corporation

Skype  Logs  

© 2011 Harris Corporation

Skype  Logs  

© 2011 Harris Corporation

Skype  Logs  (Windows)  �  Skype  Parsing  So^ware  

�  SkypeLogView  �  Nirso^    

�  Available  at:  nirso^.net/u*ls/skype_log_view.html  �  Free!  

�  Skype  Parser  �  Redwolf  Computer  Forensics  �  Available  at:  redwolfcomputerforensics.com/downloads/skype-­‐

log-­‐installer-­‐1.7.exe  

© 2011 Harris Corporation

AIM  (Free)  v4.5.2  

© 2011 Harris Corporation

com.aol.aim.plist  

© 2011 Harris Corporation

/Documents/userAccounts/<GUID>.account  

© 2011 Harris Corporation

/Documents/userAccounts/<GUID>.buddylist  

© 2011 Harris Corporation

/Documents/userAccounts/<GUID>.history  

© 2011 Harris Corporation

WRAPPING  UP  

© 2011 Harris Corporation