
Forensic recovery of MSN Instant Messages

Old 15 November 2010, 02:14 PM
  #1  
TelBoy

Hi all,

Does anybody know with 100% certainty, whether a message sent on a home PC, running Home Vista if that's relevant, via MSN Instant Messenger to another private pc, with both computers set to "don't-save" chat logs, is forensically recoverable, using any means available? It was from about 6 months ago. There is no evidence that either pc was being externally monitored.


Many thanks.
Old 15 November 2010, 02:38 PM
  #2  
boxst

You can ask Burr on here as he deals with recovering things from hard drives / phones etc.

My played with computers for a long time and recovers lots of stuff for people opinion is 'no'.

Steve
Old 15 November 2010, 03:02 PM
  #3  
jura11

Hi matey try this http://computerforensics.parsonage.c...versations.pdf
Old 15 November 2010, 03:12 PM
  #4  
TelBoy

Cheers for that jura. Just wondered what the real world situation is, whether in reality all the methods outlined there do actually produce accurate results.
Old 15 November 2010, 03:18 PM
  #5  
MDS_WRX

There's no "100% certainty" answer without actually trying. If the block that stored the information has been overwritten several times, then probably not no, however you won't know whether it has or not until someone tries for you.

My guess would be "probably not" but that's all it is, a guess and you won't be able to get a "100% certainty" answer from anyone just replying to a forum post.
Old 16 November 2010, 12:37 PM
  #6  
mart360

Perhaps a quick refresher in file storage is required.

When you save a file on a computer, it's saved on the hard drive in any location that's available - due to space & file size.

A record of the file / name / size and start position on the disk is stored in a master data table.

When you load / delete or change the file, the file & the master data table are amended.

If you delete the file, rather than delete the whole file, the OS just deletes a set of values from the master data table, effectively allowing the OS to overwrite the residual data on the drive (it's quicker than individually deleting each block).

If I recall it used to be a hash value of C5 (it's been some time); this value relates to the position of the block of data on the hard drive.

All the recovery stuff does is change the hash value back to make the file / location visible, and from that they can recover the residual block of data.

Overwrite the file with new data, and it becomes difficult.

However, you can't always guarantee any files written over the top will completely fit the footprint the original file had.

Brings back the days of sector editors.


Mart
Old 16 November 2010, 01:04 PM
  #7  
hodgy0_2

The OP states that "both computers are set to "don't-save" chat logs", so is the data even persistent on the machine (written to disk)? I would have thought not.

Last edited by hodgy0_2; 16 November 2010 at 01:21 PM.
Old 16 November 2010, 01:44 PM
  #8  
TelBoy

Yes, no chat logs have ever been "deleted" on either computer - they were never saved in the first place. But does that mean they never hit the hard drive?
Old 16 November 2010, 01:52 PM
  #9  
boxst

Originally Posted by TelBoy:
"Yes, no chat logs have ever been "deleted" on either computer - they were never saved in the first place. But does that mean they never hit the hard drive?"

They may have hit some temporary file, but as above after 6 months it is unlikely that they have survived.

I assume you know what you are looking for? If so you can do a sector-scan for that (hopefully unique) word.

Steve
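
The sector scan suggested in post #9, sketched here as an added example (not code posted by anyone in the thread): it reads a raw disk image in chunks and reports every byte offset and sector where a known keyword appears in either 8-bit or UTF-16LE form. The function names, the 512-byte sector size, the keyword and the sample image are all assumptions constructed for the illustration.

```python
import io

SECTOR = 512  # assumed sector size, used only for reporting
KEYWORD = "zanzibar42"  # constructed search term, not from the thread

def scan_image(stream, keyword, chunk_size=1 << 20):
    """Return sorted (byte_offset, sector, encoding) hits in a raw image."""
    if not keyword:
        raise ValueError("keyword must not be empty")
    # Search the 8-bit form and UTF-16LE, which Windows programs use in memory.
    patterns = {"utf-8": keyword.encode("utf-8"),
                "utf-16le": keyword.encode("utf-16-le")}
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()   # a set, because a short hit inside the overlap is seen twice
    base = 0       # absolute offset of buf[0] within the image
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for name, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, (base + pos) // SECTOR, name))
                pos = buf.find(pat, pos + 1)
        # Carry the last bytes forward so a hit split across reads is found.
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return sorted(hits)

def build_sample_image():
    """Constructed 4 KiB zero-filled 'disk' with the keyword planted twice."""
    img = bytearray(8 * SECTOR)
    img[1020:1030] = KEYWORD.encode("utf-8")      # straddles the 1024 boundary
    img[3000:3020] = KEYWORD.encode("utf-16-le")  # wide-character copy
    return bytes(img)

if __name__ == "__main__":
    for off, sector, enc in scan_image(io.BytesIO(build_sample_image()), KEYWORD, 1024):
        print(f"offset {off} (sector {sector}) as {enc}")
```

On a real examination the stream would be a read-only image of the drive rather than the live disk, so the scan itself cannot overwrite the unallocated space being searched.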
Old 16 November 2010, 02:17 PM
  #10  
hodgy0_2

they might have been included in the system page file that writes temporary information to disk -- but this is cleared and recreated during a reboot and I doubt the information in the page file is "readable" anyway

I think the chances of recovery are very very small

most data recovery companies would tell you whether you have any hope over the phone, and most will even examine the disk for free and tell you what can be recovered.
Old 16 November 2010, 03:56 PM
  #11  
SwissTony

why is no one asking Tel what the message read
Old 17 November 2010, 01:36 PM
  #12  
GlesgaKiss

Just what I was thinking.

If in doubt and it's essential the data isn't found there's dban or even physical destruction, but that would be a last resort. Probs not necessary unless you're a secret agent.

Last edited by GlesgaKiss; 17 November 2010 at 01:39 PM.
Old 17 November 2010, 09:46 PM
  #14  
boomer

Microsoft? Analyse MSN communications? Who would have thought?

Six degrees of separation in instant messaging

mb
Old 18 November 2010, 11:37 AM
  #15  
TelBoy

Thanks for all the replies online and off. I think the group consensus is "extremely unlikely", but I'll update the thread as and when I have a definitive answer. Cheers.