Chat Sniper 1.17 User Manual

• Introduction
• General Setup
• Chat Sniper: AIM
• Chat Sniper: MSN (Live)
• Chat Sniper: Yahoo
• Common Problems
• Contact Information

Introduction

Thank you for using Chat Sniper. Chat sniper is a tool designed to simplify the retrieval and forensic analysis of data left by the usage of AOL Instant Messenger, MSN Live Messenger, and Yahoo Instant messenger. With this tool, you will be able to automatically retrieve chat logs, search those logs, and perform other tasks to discover information about the instant messaging account being investigated. For problems not covered in this manual, please contact chatsniper@alexbarnett.com.

General Setup

Chat Sniper requires the .NET Framework to run. After verifying your license file, Chat Sniper is ready to use. Please make sure that your license file is in the same directory as the Chat Sniper executable.

Begin by opening Chat Sniper. Chat Sniper will prompt you to select a directory to save your case data. This directory will store all of your case information as well as any files retrieved by Chat Sniper. After loading, Chat Sniper will request a case number and create a directory with that case number in the directory you selected earlier. All information relevant to that case will be stored in the new case directory.

If you're doing a live system analysis, begin by running Chat Sniper from your external drive. Chat Sniper will automatically detect the drives present on the suspect computer and poulate the dropdown box. Select the appropriate drive for analysis.

If you're analyzing a seized drive, connect the drive to your analysis computer and make sure that Windows assigns it a drive letter. After this, run Chat Sniper and select the appropriate drive from the dropdown box.

Chat Sniper: AIM

Start by clicking the 'Search for AIM Logs' button. Chat Sniper will prompt you to select a Windows user account to search. Select the relevant account, and Chat Sniper will scan it for AIM logs. If logs are found, the AIM icon and status text will change to indicate that logs have been found. If no logs are found, Chat Sniper will inform you that it was unable to locate any records.

After the AIM logs are located, Chat Sniper will provide you with a number of options:

• Get Username(s): Retreives AIM usernames used on the target drive.
• Copy Chat Logs: Copies AIM chat logs from the target drive to your case folder.
• Show Original Chat Logs: Shows the original location of the AIM chat logs on the target drive.
• Search Chat Logs: Allows you to search the AIM chat logs for words or phrases. Also allows you to view specific logs containing your search terms and export selected logs to your case directory. Logs exported this way will be stored in a folder named after your search terms.
• Generate Buddy List: Generates a buddy list for the user based on chat logs. AIM does not store its buddy list on the local machine, so Chat Sniper creates the list based on existing chat logs.

Chat Sniper: MSN (Live)

Start by clicking the 'Search for MSN Logs' button. Chat Sniper will prompt you to select a Windows user account to search. Select the relevant account, and Chat Sniper will scan it for MSN logs. If logs are found, the MSN icon and status text will change to indicate that logs have been found. If no logs are found, Chat Sniper will inform you that it was unable to locate any records.

After the MSN logs are located, Chat Sniper will provide you with a number of options:

• Get Username(s): Retreives MSN usernames used on the target drive.
• Copy Chat Logs: Copies MSN chat logs from the target drive to your case folder.
• Show Original Chat Logs: Shows the original location of the MSN chat logs on the target drive.
• Search Chat Logs: Allows you to search the MSN chat logs for words or phrases. Also allows you to view specific logs containing your search terms and export selected logs to your case directory. Logs exported this way will be stored in a folder named after your search terms.
• Check Photoshare Cache: Checks the defined account for a Photoshare cache.

Chat Sniper: Yahoo

Start by clicking the 'Search for Yahoo Logs' button. Chat Sniper will scan the selected drive for Yahoo logs. If logs are found, the Yahoo icon and status text will change to indicate that logs have been found. If no logs are found, Chat Sniper will inform you that it was unable to locate any records.

After the Yahoo logs are located, Chat Sniper will provide you with a number of options:

• Get Username(s): Retreives Yahoo usernames used on the target drive.
• Copy Chat Logs: Copies Yahoo chat logs from the target drive to your case folder and decrypts them into a readable format.
• Show Original Chat Logs: Shows the original location of the Yahoo chat logs on the target drive.
• Search Chat Logs: Allows you to search the Yahoo chat logs for words or phrases. Also allows you to view specific logs containing your search terms and export selected logs to your case directory. Logs exported this way will be stored in a folder named after your search terms.
• Check Photoshare Cache: Checks the defined account for a Photoshare cache.

Common Problems

Problem: Chat Sniper has not found any logs on a system thought/known to have active chat accounts associated with it.

Reason: Some versions of AIM, MSN, and Yahoo messengers are set to purge chat logs when the user logs off, or not to keep them at all by default. Chat Sniper cannot recover deleted logs, however you may be able to view them using tools that can recover files from free space (FTK, etc).

Problem: Chat Sniper found fewer chat logs/Photoshare records than another forensic utility.

Reason: Some forensic utilities can recover purged records from drive free space. Chat Sniper only looks for data currently present in the file system.

Contact Information

All information regarding Chat Sniper including updates and bug fixes can be found on the product page. Questions about Chat Sniper can be sent via the contact page or directly to chatsniper@alexbarnett.com.

Change Log

Version 1.17

• Fixed a minor bug that sometimes caused the main form to disappear behind other applications on startup.

Version 1.16

• The license.dat file is no longer required to be present in the same directory as chatsniper.exe. If the license file is not in the same directory, the user will be prompted with a file select dialog.

Version 1.15

• Fixed a bug that caused the program to crash if the host computer's date format was in DD/MM/YYYY instead of MM/DD/YYYY

Version 1.1

• The .NET framework is no longer required on the host system.