RE: irc

From: Jonathan A. Zdziarski (jonathanat_private)
Date: Tue Jun 18 2002 - 11:55:59 PDT


    I hope you're scanning memory, as it's unlikely that anyone would store
    their chat sessions to disk unless they had some specific reason to.
    Either way, if you look for the [case insensitive] key word "PRIVMSG",
    this is one of the primary commands used extensively in RFC 1459 to send
    both channel and private messages.  If you find it anywhere, it's likely
    that you'll find some correspondence.
    
    If you can determine what channel/server they used, you may be able to
    convince one of the channel operators to give you the transcripts of the
    entire room as many channels run bots that log the room.
    
    Finally, as a shot in the dark, if you can find out (firewall logs,
    etc.) what server they connected to, you can check with the server
    admins to see if a k-line ban was performed by any chance (if this was
    the case of a hacker launching some kind of DoS attack from your
    machine).  If it was, then the admins likely put together a log.
    
    -----Original Message-----
    From: Larry Porter [mailto:larry1porterat_private] 
    Sent: Tuesday, June 18, 2002 10:41 AM
    To: forensicsat_private
    Subject: irc
    
    
    I was wondering if anyone can give me a little insight
    into IRC forensics. Basically what I am trying to do
    is figure out if there are any pieces of chat sessions
    from IRC left on a Windows box.  The only thing I can
    think of is if someone logs their sessions, but I was
    hoping if there may be another place that Windows
    stores the chat sessions?  
    
    
    many thanks,
    
    Larry Porter
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
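
An added example, not part of the original messages: a Python sketch of the case-insensitive "PRIVMSG" search suggested in the reply, applied to a raw memory or disk image and carving the RFC 1459 sender prefix, target and text around each hit. It goes beyond the reply by also checking UTF-16LE copies of the keyword; the function name, window sizes and sample bytes are assumptions made for illustration.

```python
import re

MAX_LINE = 512  # RFC 1459: a message is at most 512 characters including CR-LF

# Sender prefix (":nick!user@host ") directly before the command, if present.
BACK_RE = re.compile(r"(?<![!-~]):([!-~]{1,128}) \Z")
# "PRIVMSG <target> :<text>", keyword matched case-insensitively.
FWD_RE = re.compile(r"PRIVMSG ([!-~]{1,64}) :([ -~]{0,450})", re.I)

def scan_image(image: bytes):
    """Return (offset, encoding, sender, target, text) for each carved PRIVMSG."""
    found = []
    # A process may hold the same line as 8-bit text or as UTF-16LE (assumption).
    for encoding, width in (("latin-1", 1), ("utf-16-le", 2)):
        pad = b"\x00" * (width - 1)
        needle = re.compile(b"".join(bytes([c]) + pad for c in b"PRIVMSG"), re.I)
        for hit in needle.finditer(image):
            pos = hit.start()
            # Look back a whole number of code units so decoding stays aligned.
            back_len = min(130 * width, pos // width * width)
            back = image[pos - back_len:pos].decode(encoding, "replace")
            fwd = image[pos:pos + MAX_LINE * width].decode(encoding, "replace")
            msg = FWD_RE.match(fwd)
            if not msg:
                continue  # keyword without IRC syntax, e.g. part of a longer string
            prefix = BACK_RE.search(back)
            found.append((pos, encoding, prefix.group(1) if prefix else None,
                          msg.group(1), msg.group(2)))
    return sorted(found, key=lambda record: record[0])

# Constructed sample "image": one received line with a sender prefix, one
# lowercase UTF-16LE fragment without a prefix, and one non-IRC keyword hit.
SAMPLE = (b"\x00\x01junk\r\n:alice!a@host.example PRIVMSG #ops :meet at 9\r\n\xff\xfe"
          + "privmsg bob :utf16 fragment\r\n".encode("utf-16-le")
          + b"\x00\x00PRIVMSGX")

if __name__ == "__main__":
    for record in scan_image(SAMPLE):
        print(record)
```

Lines a client sent usually carry no sender prefix, while lines it received from the server do, so the presence of a prefix hints at the direction of each carved message.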
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 18:02:50 PDT