
EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.


GigaTribe V3 Chat Parser

Locates and parses chat records originating from GigaTribe V3 chat-log files.

The script can either treat the entries being parsed as GigaTribe chat-log files or search those entries for chat messages using a keyword search.

If the examiner chooses the first option, any entry being parsed will be checked for the proper chat-log signature, which is currently the characters 'ch' followed by the value 0x0a (stored as a 4-byte Big-Endian integer value) and then the version string '1.0.1'.

Keyword searching can be used to search areas such as unallocated clusters, but this is much more difficult than parsing a complete chat-file.

The reason for this is that individual chat records don't have a static signature - they consist almost entirely of variable data.

Taking this into account, the script needs to know the IDs of the GigaTribe users that have sent the messages that the examiner is interested in. Without this information, the script would encounter many false hits and most likely crash whilst attempting to parse them.

The requirement to provide the sender ID may prove tricky when trying to locate messages both sent-from and received-by the local user.

It should be fairly easy to identify the GigaTribe ID of the local user by examining his/her GigaTribe Registry settings and then using the script to identify messages that he/she sent; it's the identification of messages sent to the local user that is the difficult bit.

To overcome this problem it may be necessary to run the script once in order to determine the recipient IDs of GigaTribe users to which the local user has sent messages. The script can then be run again using those recipient IDs as sender IDs.

In order to make this process a little easier, the script provides the option of generating a list of unique recipient IDs, which it will gather at the time of processing and write to a note bookmark in the root bookmark folder. This list can be copied and pasted into the sender-ID list-box the next time the script is executed.

Output is by way of bookmarking and a tab-delimited spreadsheet file.

Note that the timestamp of an offline message relates to when that message was received by the GigaTribe server; it is stored as local time and presented as such by the script. At the time of writing, the GigaTribe servers are located in France; the timestamps of offline messages should reflect this.




Version: 2
Tested with:
EnCase Forensic 7.06
Developer: Simon Key
Category: Artifact

3692 DOWNLOADS
