An examination into Trillian basic 3.x contact identification

https://doi.org/10.1016/j.diin.2007.01.003

Abstract

With the advent of new legislation in the United Kingdom – as well as several high-profile criminal cases – the issue of Internet grooming has been the subject of much recent focus. Of particular interest to the forensic examiner is the ability to trace back from a known suspect's computer system to identify contact with his alleged victims. Specifically, when an allegation of grooming is made, one of the first things the examiner should do is to determine that the suspect's computer system was used to contact the informant's account in the first place. This is a strong evidential link between victim and suspect and clearly demonstrates that the suspect was responsible for that contact rather than a third party who may have taken control of the suspect's chat account.

Introduction

This article follows on from the preceding articles, which examined the forensic artefacts left behind by MSN Messenger, Yahoo Messenger and AOL Instant Messenger on a suspect's computer to establish contact between that person and his victims. The examinations detailed in this article centre on the Trillian Basic chat program and look at the ways in which it can be used to make similar identifications.

Trillian is a chat client from Cerulean Studios that supports multiple chat networks – a ‘meta-chat’ application. Users can integrate their chat accounts from MSN Messenger, Yahoo Messenger and AOL Instant Messenger as well as IRC (Internet Relay Chat), ICQ and the Apple iChat favourite Rendezvous. Users can also integrate multiple accounts from each network, thereby unifying all their chat identities into one program. Not only is this a more manageable arrangement for persons with multiple chat user names, but it also means that only one chat client program has to be run, as opposed to many different programs or many different instances of the same program.

In unifying these chat networks into one application, some degree of functionality is lost from the previously examined chat applications – for example, file sharing is not (yet) supported – but it also adds chat logging to all chat accounts regardless of their native application's capability. Standard features such as file transfer, group chat, chat rooms, user graphics and mobile device contact are supported for all networks, and AIM users also have the ability to make direct connections and use encrypted messaging.

Trillian users have had occasional problems with Yahoo Messenger when protocol changes to the latter meant that Trillian could no longer negotiate a log-in, thereby effectively barring Trillian users from entering the network. This problem appears to have been resolved in the latest versions of Trillian, although it is of course possible that Yahoo will change the protocol once again with the same effect.

Trillian is now four years old and, according to Cerulean Studios, has upwards of five million users worldwide. Two versions of Trillian are available: a free ‘Basic’ version and an inexpensive ‘Pro’ version. The only difference between them is that the ‘Pro’ version supports multiple different ‘user biographies’. This article will only focus on the free version.

One aspect of Trillian's set-up that is of great relevance to forensic examiners is that it uses Windows 3.x-style ‘INI’ text files to store the various program options. In fact, with the exception of registering a couple of file classes, Trillian stores nothing in the Windows registry at all. Not only does this make the settings easier to recover, but it also makes them more readable.

This paper therefore shows the ways in which Trillian Basic artefacts on the suspect's computer can be used to trace back to the victim using all of MSN Messenger, Yahoo Messenger and AOL Instant Messenger.

Method

Two computer systems (nominally the ‘suspect’ and the ‘victim’) were prepared with Windows XP Home Edition and both were installed with Trillian Basic 3.1 build 121. A forensic snapshot was taken of each system allowing them to be restored back to this state after each experiment was carried out. Some software monitoring tools were also installed onto the suspect system, including Ethereal (available at http://www.ethereal.com/) to monitor TCP/IP traffic, Filemon to monitor file activity, and

Experiments

Again, ‘real life’ experiments were carried out to mimic the reality of an investigation linking one party to another, including ‘pre-determined’ text conversations and the exchange of data files. Monitoring software was used at all times on the suspect's system to record the changes being effected to it.

All experiments were carried out several times to ensure that results were repeatable. As before, conversation logging was explicitly disabled prior to carrying out any experiments; by default,

Conversation content and transferred files

Regardless of the fact that overt logging was disabled, numerous instances of the conversation content were located on the suspect's system, notably within the system swap file. All three conversations were located in formats native to the individual chat networks (and described previously in this series of articles) which suggests that the content was not only used by Trillian itself. For example, Yahoo conversations were found without any form of prefix or other data that showed the name of

Conclusions

Unlike other similar applications, Trillian offers the forensic examiner many opportunities to learn about a person's chat activities despite the fact that the user has disabled chat logging. The previous experiments have established the following points about the forensic implications of investigating Trillian:

Even with chat logging disabled, Trillian leaves numerous traces of text conversations within the Windows swap file and the unallocated clusters of the hard disk. These are either
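As an added illustration of the search the conclusions describe (example code written for this page, not taken from the paper or from Cerulean Studios), the following Python scans a raw swap-file or unallocated-cluster image for a victim's screen name in both ASCII and UTF-16LE and reports the byte offset and surrounding context of each hit. The screen name, the sample image and the script file name are constructed assumptions, not values from the paper.

```python
import re
import sys
from typing import Dict, List

def encode_variants(name: str) -> Dict[str, bytes]:
    """Byte forms a screen name can take on a Windows system: plain ASCII
    and UTF-16LE (the wide-string encoding used by many Windows programs)."""
    return {"ascii": name.encode("ascii"), "utf16le": name.encode("utf-16-le")}

def find_contact_traces(image: bytes, name: str, context: int = 48) -> List[dict]:
    """Scan a raw byte image (swap file or a dump of unallocated clusters) for
    every occurrence of `name` in either encoding, case-insensitively, and
    return the byte offset, encoding and a printable excerpt for each hit."""
    hits = []
    for enc, pattern in encode_variants(name).items():
        # IGNORECASE on a bytes pattern folds ASCII letters only, which is what
        # we want here; the \x00 bytes of the UTF-16LE form stay literal.
        rx = re.compile(re.escape(pattern), re.IGNORECASE)
        for m in rx.finditer(image):
            start = max(0, m.start() - context)
            if enc == "utf16le" and (m.start() - start) % 2:
                start += 1  # keep the excerpt aligned to 16-bit code units
            end = min(len(image), m.end() + context)
            raw = image[start:end]
            text = raw.decode("utf-16-le" if enc == "utf16le" else "latin-1",
                              errors="replace")
            excerpt = "".join(c if c.isprintable() else "." for c in text)
            hits.append({"offset": m.start(), "encoding": enc, "excerpt": excerpt})
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample "swap image" (not real data): filler bytes with one ASCII
# and one UTF-16LE trace of a hypothetical victim screen name.
VICTIM = "victim_account"
SAMPLE_IMAGE = (
    bytes(range(256)) * 4
    + b"hello victim_account are you there?"
    + b"\x00" * 64
    + "chat with Victim_Account ended".encode("utf-16-le")
    + bytes(range(256)) * 2
)

if __name__ == "__main__":
    # Usage: python carve_contact.py <image-file> <screen-name>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        target = sys.argv[2]
    else:
        data, target = SAMPLE_IMAGE, VICTIM
    for h in find_contact_traces(data, target):
        print(f"{h['offset']:#010x} {h['encoding']:8} {h['excerpt']}")
```

On a real multi-gigabyte pagefile, replace `f.read()` with an `mmap` of the file so the scan does not have to hold the whole image in memory.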

This article – the fourth and last in the present series – illustrates some methods of proving such a link where the suspect and victim have been in contact using the Trillian meta-chat program.
