Friday, January 25, 2008

Searching for encrypted keywords in Yahoo Messenger

**UPDATED Version 1.1 - fixes a problem with boomarks in multiple files

The Yahoo Messenger client has the option to save chat conversations to a text file. The default is to save all conversations until the Yahoo Messenger application is closed and then the logs are purged, thus leaving them in unallocated space.

Yahoo Messenger does not store the chat conversations in plain text, but instead uses the low-level XOR encryption technique to obfuscate them. This thwarts the technique of doing a keyword search for something that may have appeared in the chat conversation to find a conversation or fragment of the log in unallocated.

Yahoo Messenger uses the screen name of the person logged in using the Yahoo client as the XOR key. That key is then applied to all chat text and the resulting ciphertext is stored in the logs. If you use the built-in Yahoo archive viewer, the text is decrypted and displayed, but as it sits on disk, it is encrypted.

I have written an EnScript that asks for two primary things, the screen name of the person using the local Yahoo client and then the keyword or phrase you wish to search for. The following is an example of how the chat conversation is encrypted by the Yahoo Messenger client.

For example, lets assume the local user has a screen name of "localuser" and the remote user has the screen name of "remoteuser". The localuser sends the following message to the remoteuser:

"lets meet tomorrow and talk about how we are going to murder her"

If you think about the XOR process similar to doing addition, the localuser screen name is applied to the above text in the following way:

lets meet tomorrow and talk about how we are going to murder her
resulting ciphertext resulting ciphertext resulting ciphertext

The resulting XOR ciphertext would be the result of XORing the top "l" with the bottom "l", then "e" with "o", "t" with "c", and so forth. So from this example you can see that if you were searching for the keyword of "murder" you would have to XOR it with "aluser" in order to search for the correct cipher text (it may not be aligned properly in the above display).

This EnScript basically takes the keyword or phrase you enter and then XOR's it every possible way depending on how long the screen name is. Using the example above, searching for the keyword of "murder", there would be nine possibilities (because the screen name of "localuser" is nine characters long). So this EnScript creates all the possible ciphertext keywords and then searches the selected (blue checked) file for the ciphertext and bookmarks any findings.

Currently, I consider this EnScript in BETA form. It seems to work and find the keywords I have search for, but I have not thoroughly tested it yet. In addition, it simply bookmarks the found ciphertext, but leaves further decoding to you. I may add that in future releases and will most likely add additional information to the bookmark in the near future. I welcome any feedback, comments or feature enhancements.

Download here


Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles