I hope you're scanning memory, as it's unlikely that anyone would store their chat sessions to disk unless they had some specific reason to.

Either way, if you look for the [case insensitive] keyword "PRIVMSG", this is one of the primary commands used extensively in RFC 1459 to send both channel and private messages. If you find it anywhere, it's likely that you'll find some correspondence.

If you can determine what channel/server they used, you may be able to convince one of the channel operators to give you the transcripts of the entire room, as many channels run bots that log the room.

Finally, as a shot in the dark, if you can find out (firewall logs, etc.) what server they connected to, you can check with the server admins to see if a k-line ban was performed by any chance (if this was the case of a hacker launching some kind of DoS attack from your machine). If it was, then the admins likely put together a log.

-----Original Message-----
From: Larry Porter [mailto:larry1porterat_private]
Sent: Tuesday, June 18, 2002 10:41 AM
To: forensicsat_private
Subject: irc

I was wondering if anyone can give me a little insight into IRC forensics. Basically what I am trying to do is figure out if there are any pieces of chat sessions from IRC left on a Windows box. The only thing I can think of is if someone logs their sessions, but I was hoping if there may be another place that Windows stores the chat sessions?

Many thanks,
Larry Porter

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
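The keyword search suggested in the reply above, as an added example that is not part of the original thread: Python that carves PRIVMSG-shaped lines (RFC 1459 layout) out of a raw byte buffer, records their offsets, and lists the channels seen. The function names, the length limits in the pattern and the sample buffer are assumptions made for this illustration.

```python
import mmap
import re
import sys

# RFC 1459 line shape: [":" prefix SP] command SP params [":" trailing] CRLF.
# Bytes pattern, so it runs directly over a raw memory or disk image.
PRIVMSG_RE = re.compile(
    rb"(?::(?P<prefix>[\x21-\x7e]{1,128}) )?"   # sender nick!user@host; absent on lines the client sent
    rb"PRIVMSG (?P<target>[\x21-\x7e]{1,64}) "   # channel or nickname
    rb":(?P<text>[^\r\n\x00]{0,512})",           # body, cut at line end or NUL
    re.IGNORECASE,                                # keyword is matched case-insensitively
)

def carve_privmsg(data):
    """Return one dict per PRIVMSG-shaped line found in a bytes-like buffer."""
    hits = []
    for m in PRIVMSG_RE.finditer(data):
        prefix = m.group("prefix")
        hits.append({
            "offset": m.start(),  # byte offset, for going back to the image
            "sender": prefix.decode("latin-1") if prefix else None,
            "target": m.group("target").decode("latin-1"),
            "text": m.group("text").decode("utf-8", errors="replace"),
        })
    return hits

def channels(hits):
    """Targets starting with '#' or '&' are channels in RFC 1459; the rest are nicknames."""
    return sorted({h["target"].lower() for h in hits if h["target"][0] in "#&"})

# Constructed sample: two IRC lines embedded in binary noise, plus one near-miss.
SAMPLE = (
    b"\x00\x13\xffheap junk\x00"
    b":alice!al@host.example PRIVMSG #ops :meet at nine\r\n"
    b"\x00\x00\x7f\x01"
    b"privmsg Bob :lowercase outbound line\r\n"
    b"\xde\xad PRIVMSGX not a command\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional argument: path to a raw image file
        with open(sys.argv[1], "rb") as f:
            buf = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            found = carve_privmsg(buf)
    else:
        found = carve_privmsg(SAMPLE)
    for h in found:
        print(f'{h["offset"]:#010x} {h["sender"]} -> {h["target"]}: {h["text"]}')
    print("channels:", channels(found))
```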
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 18:02:50 PDT