Google talk

Has anyone ever had any involvement with forensics on a PC trying to get any chat logs when the user uses Google Talk messenger? I have used it briefly and I know past chat logs are saved on Google's servers. I just wondered if there would be any logs saved locally on the PC where the tool is installed as a general rule, or not likely?

Also, is there any tool to see where such logs may be written to in real time, i.e. a tool to scan what programs are saving what data locally? So it's easy to narrow down where?

The PC is Windows XP. I read a few articles on instant messenger forensics and it didn't sound too promising that there would be much in terms of past log history locally, but you may have more experience than those writing the posts/blog entries.

Or any specific software you would recommend that is useful to carve / recover any local google talk artifacts.

If you are willing, a general "you won't find any gtalk artifacts locally", "you may find some snippets of logs locally but not a comprehensive history of every chat ever taken place", "you will find all previous logs going back X months" type view based on your experience is most welcome, to help determine if it's worth paying someone to investigate.
bill_lynch Commented:

It does appear that these get saved in the google account on their servers...
Dave Howe (Software and Hardware Engineer) Commented:
google talk (as used by gmail) doesn't log anything locally.
however, if you are using pidgin or similar it *can* log locally. so first question is what the user is using to access it.

for local forensic research, usually if you use the sysinternals tool "procmon" (which you can obtain from it will show each process, registry, file, or network action taken by a program while running.
pma111 (Author) Commented:
I believe it's just the default Google Talk software.

"C:\Documents and Settings\removed\Application Data\Google\Google Talk\googletalk.exe"
Dave Howe (Software and Hardware Engineer) Commented:
Ok then, that will *optionally* store a log in the associated gmail account.
It won't log locally.
pma111 (Author) Commented:
Ok thanks Dave. As a general rule, is that common for most messenger products? No idea which are the most popular now, but MSN Messenger was always well used. Is there typically little locally in terms of forensic evidence when it comes to instant messenger tools?
Dave Howe (Software and Hardware Engineer) Commented:
typically (with some exceptions, see below), unless the IM does local logging, there is little or no state worth having from the local install. Firewall logs can be more productive (typically the traffic is encrypted, but you can do traffic analysis to show who was using an IM when perhaps they shouldn't have been)

Sometimes local state is held in files that are then deleted when the window is closed - typically in the tmp dir, but sometimes in the local filestore - and skype (by contrast) is a goldmine, with almost all the historic traffic stored in a nice, accessible sqlite db :)
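
The Skype case mentioned above, as an added example that is not part of the original thread: reading message rows from a working copy of a Skype `main.db` without writing to it. The `Messages` table and its column names are assumed from the classic Skype client's layout, and the sample database and rows are constructed.

```python
import html
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def build_sample_db(path):
    """Create a constructed stand-in for a Skype main.db (sample data only)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, "
                "author TEXT, timestamp INTEGER, body_xml TEXT)")
    con.executemany(
        "INSERT INTO Messages (chatname, author, timestamp, body_xml) "
        "VALUES (?, ?, ?, ?)",
        [("#alice/$bob;1", "alice", 1262304000, "hello"),
         ("#alice/$bob;1", "bob", 1262304060, "hi &amp; welcome"),
         ("#alice/$carol;2", "carol", 1262390400, None)])  # row with no body
    con.commit()
    con.close()

def read_messages(path):
    """Return (utc_time, chat, author, text) tuples, oldest first."""
    # mode=ro plus immutable=1: SQLite takes no locks and creates no
    # journal/WAL files beside the evidence copy.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT timestamp, chatname, author, body_xml "
                           "FROM Messages ORDER BY timestamp, id").fetchall()
    finally:
        con.close()
    out = []
    for ts, chat, author, body in rows:
        # Assumption: timestamps are Unix epoch seconds; body_xml is XML-escaped.
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        out.append((when, chat, author, html.unescape(body or "")))
    return out

def demo():
    """Build the constructed database in a temp dir and read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "main.db")
        build_sample_db(path)
        return read_messages(path)

if __name__ == "__main__":
    for row in demo():
        print(row)
```
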