Re: irc

From: InfoEmergencias - Luis Gómez (lgomezat_private)
Date: Tue Jun 18 2002 - 18:34:39 PDT


    On Tue, 18-06-2002 at 19:13, Peter Kristolaitis wrote:
    > This depends on the IRC client being used.  mIRC, for example, does not 
    > store chat logs anywhere but its own log files (if session logging is enabled).
    > Windows itself would not make any logs of IRC chat sessions, since that 
    > would involve intercepting, decoding and logging basically ALL TCP traffic 
    > into/out of the box.
    > It would be my guess that not many clients have a 'hidden log' 'feature', 
    > either... in most environments, there would be little to no point in doing 
    > this.
    
    Just a detail, I may be wrong with this but let's try...
    
    IRC windows are usually kept in memory for a while so that you can, for
    instance, see what JohnSmith said 20 minutes ago.
    
    In case the machine ran out of RAM during the execution of the IRC
    client, it might swap the process to disk, along with all its data
    (which in the case of IRC client is exactly what we're looking for). The
    only thing you need to know is the format in which those data are stored
    in memory, and I guess you may expect the same format to be found in the
    disk.
    
    If (and only if) all this I've said is right, then you just have to run
    lazarus (TCT is great!) on the disk, and skim through the whole of
    the disk looking for some data pattern, codified in whatever manner.
    
    The data pattern could be, for instance, the characters '<' and '>'
    separated by some other chars, 'cause if I'm OK the conversation is
    always displayed in the way:
    <Donald> Hi Mickey
    <Mickey> Hìya!
    <Donald> How about me visiting you tonight?
    <Mickey> Great!!
    
    Well :) Now seriously, can anybody get the point of what I'm saying?
    Maybe it's all nonsense, but at least I gave it a try! :)
    
    As usual, comments are welcome
    
    Regards,
    
    	Pope
     
    -- 
    Luis Gómez Miralles
    InfoEmergencias - Technical Department
    Phone (+34) 654 24 01 34
    Fax (+34) 963 49 31 80
    lgomezat_private
    
    PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
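
The pattern search suggested in the message above, as an added example that is not part of the original post: it scans a raw disk or swap image directly for `<nick> text` runs and reports their byte offsets. The function name, the length bounds and the UTF-16LE variant (which goes beyond the single-byte case in the post) are assumptions.

```python
import re

# Nick alphabet follows RFC 1459; the 30-char nick and 400-char text bounds
# are assumptions that keep every match shorter than OVERLAP.
FIRST = rb"[A-Za-z\[\]\\`_^{|}]"
REST = rb"[A-Za-z0-9\[\]\\`_^{|}-]"
PATTERNS = {
    # one byte per character, as in a client's own log files
    "latin-1": re.compile(
        rb"<" + FIRST + REST + rb"{0,29}> [\x20-\x7e\x80-\xff]{1,400}"),
    # two bytes per character, as Windows programs often hold strings in RAM
    "utf-16-le": re.compile(
        rb"<\x00" + FIRST + rb"\x00(?:" + REST + rb"\x00){0,29}>\x00 \x00"
        rb"(?:[\x20-\x7e]\x00){1,400}"),
}
OVERLAP = 1024  # bytes carried between chunks; longest match is 866 bytes

def carve_chat_lines(stream, chunk_size=1 << 20):
    """Return sorted (offset, codec, text) for each '<nick> text' run found."""
    hits = []
    for codec, rx in PATTERNS.items():
        stream.seek(0)
        buf, base, done = b"", 0, 0
        while True:
            chunk = stream.read(chunk_size)
            buf += chunk
            # Matches starting in the tail may be cut short: defer them.
            limit = len(buf) - OVERLAP if chunk else len(buf)
            for m in rx.finditer(buf):
                if m.start() >= limit:
                    break
                if base + m.start() >= done:  # not inside a reported line
                    done = base + m.end()
                    hits.append((base + m.start(), codec, m.group().decode(codec)))
            if not chunk:
                break
            keep = min(OVERLAP, len(buf))
            base += len(buf) - keep
            buf = buf[-keep:]
    return sorted(hits)

# Constructed sample "image": filler, the lines quoted above, one UTF-16 line.
SAMPLE = (b"\x00\x13\xfe" * 700
          + "<Donald> Hi Mickey\r\n<Mickey> H\xecya!\r\n".encode("latin-1")
          + b"\x00" * 900
          + "<Donald> How about me visiting you tonight?".encode("utf-16-le")
          + b"\x00\x00")
```

Open the image read-only in binary mode and pass the file object to `carve_chat_lines`; the offsets let each hit be tied back to a sector or swap page for the examiner's notes.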
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 03:09:48 PDT