RE: irc

From: Artes, Francisco (franciscoat_private)
Date: Tue Jun 18 2002 - 11:17:12 PDT


    Excellent points.  But remember that some clients, by default, will log
    messages when the client is in "away" mode.  You may get lucky and find that
    the person left themselves as "away" and continued to chat with someone,
    although some clients will remove the /away flag as soon as you enter
    standard input into the IRC client.  It's a crapshoot unless the person
    enabled logging... then you have a wonderfully organized set of files broken
    down by channel and date.  ;)
    
    -----Original Message-----
    From: Peter Kristolaitis [mailto:jesterat_private]
    Sent: Tuesday, June 18, 2002 12:13 PM
    To: Larry Porter; forensicsat_private
    Subject: Re: irc
    
    
    This depends on the IRC client being used.  mIRC, for example, does not 
    store chat logs anywhere but its own log files (if session logging is
    enabled).
    Windows itself would not make any logs of IRC chat sessions, since that 
    would involve intercepting, decoding and logging basically ALL TCP traffic 
    into/out of the box.
    It would be my guess that not many clients have a 'hidden log' 'feature', 
    either... in most environments, there would be little to no point in doing 
    this.
    
    - Peter Kristolaitis
    
    At 10:41 AM 6/18/02, Larry Porter wrote:
    >I was wondering if anyone can give me a little insight
    >into IRC forensics. Basically what I am trying to do
    >is figure out if there are any pieces of chat sessions
    >from IRC left on a Windows box.  The only thing I can
    >think of is if someone logs their sessions, but I was
    >hoping there may be another place that Windows
    >stores the chat sessions?
    >
    >
    >Many thanks,
    >
    >Larry Porter
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 18:00:18 PDT