• Status: Solved

Location of MSN Live Messenger Temporary Chat Cache?

Hi there! I have a question regarding the MSN Live Messenger temporary chat logs cache. The reason for the cache location is for forensics purposes.

The "cache" should not be the logs that are saved but maybe a small amount of chat logs awaiting to be deleted after the computer restarts or after a period of time?

If possible, is there any C# code that you may advise on retrieving the "cache"?

 
Asked by: VMthinker

jcimarron Commented:
VMthinker--Perhaps of help
http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
I think this is only a repeat of the above, but more concise
http://answers.yahoo.com/question/index?qid=20071116090107AA52rkF

VMthinker (Author) Commented:
Sorry, but that's not the answer to my question. My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history? It's something like the Messenger Cache found in %temp% but not pictures.

jcimarron Commented:
VMthinker--If you check the box "Automatically keep a History..." in item 2 in http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
MSN Live Messenger should automatically save the chats.  
Otherwise I do not think chats are saved.

VMthinker (Author) Commented:
It is confirmed by some sources that temporary logs do exist but I am unsure about their locations.
The reason that I am posting the question is due to the reverse engineering part of the program, which I am unsure about.

jcimarron Commented:
VMthinker--

"It is confirmed by some sources that temporary logs do exist... "
Please tell us about the sources.

VMthinker (Author) Commented:
I've heard it at a forensics conference by SANS at one point of time but unsure of when it was until I needed the functions for this question.

Merete Commented:
I have never heard of this. I doubt it exists outside of the saved history, the reason being that
Windows Live Messenger is not integrated into Windows and therefore cannot be part of the NTuser.dat
What Is Ntuser DAT File?
http://www.ehow.com/about_6697490_ntuser-dat-file_.html

BillDL Commented:
Hi VMthinker

>>>
My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history?
<<<

If it is stored on the hard drive for a short time before deletion, then perhaps a file recovery program will recover the data, but I doubt it would be in any legible or editable format and would involve a massive amount of work finding that data amongst all other "undeleted" data from the drive.

C:\pagefile.sys

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1883
http://www.forensicswiki.org/index.php?title=Pagefile.sys

If you are involved in forensics already, then you may already have tools to extract the data from pagefile.sys, but I wouldn't expect it to be in any contiguous blocks or human readable format.

Search google for "analyze data in pagefile.sys" and you will get a mixed bag of professional and amateur opinions and suggestions.

If you know a few "strings" to search for, perhaps the job may be possible regardless of what efforts you make to find evidence.

I would have thought that the best way to test if any data is temporarily cached is to set up two test machines and monitor file and registry accesses at the time the testers submit their chat comments.

Mark Russinovich and Bryce Cogswell created some excellent utilities that are now owned by Microsoft and available for download at the SysInternals pages:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Of course, these utilities SHOULD NOT be used on a system being preserved for forensic analysis.  There are bespoke software suites designed for that purpose, which I assume you already know about.  My suggestion is to simply see if you can pin down read/write accesses to then know where to look on a preserved system.

Of particular interest will be:

SysInternals Suite:
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

PsTools (run many of the utilities on remote systems):
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Handle:
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Dump:
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
RAMMap:
http://technet.microsoft.com/en-us/sysinternals/ff700229.aspx
EFSDump:
http://technet.microsoft.com/en-us/sysinternals/bb896735.aspx
Sync:
http://technet.microsoft.com/en-us/sysinternals/bb897438.aspx

Other useful utilities:

Windows Registry Recovery (read files containing Windows 9x,NT,2K,XP,2K3 registry hives):
http://www.mitec.cz/wrr.html
Windows File Analyzer (decodes and analyzes special files inc Index.dat):
http://www.mitec.cz/wfa.html
DirList:
http://www.mitec.cz/dirlist.html

Other miscellaneous ones:
http://www.nirsoft.net/

http://www.nirsoft.net/utils/special_folders_view.html
http://www.nirsoft.net/utils/opened_files_view.html
http://www.nirsoft.net/utils/reg_file_from_application.html
http://www.nirsoft.net/utils/live_messenger_contacts.html

Hope this is of some help.
Bill
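
The keyword search over a raw file such as a working copy of pagefile.sys that BillDL describes, as an added example that is not part of the original thread: it reads the file in chunks and looks for each keyword as both UTF-8 and UTF-16LE bytes, since Windows programs commonly hold text in memory as UTF-16LE, and it carries an overlap between chunks so a match that straddles a chunk boundary is not lost. The function name `scan_image`, the keyword and the sample bytes are constructed for illustration.

```python
import io
from typing import BinaryIO, Iterable, List, NamedTuple

class Hit(NamedTuple):
    offset: int    # absolute byte offset of the match in the image
    encoding: str  # encoding the keyword was found in
    keyword: str
    context: str   # surrounding bytes, non-printables shown as "."

def _printable(raw: bytes) -> str:
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def scan_image(stream: BinaryIO, keywords: Iterable[str],
               chunk_size: int = 1 << 20, context: int = 16) -> List[Hit]:
    """Find each keyword as UTF-8 and UTF-16LE bytes without loading the whole file."""
    patterns = [(kw, enc, kw.encode(enc))
                for kw in keywords for enc in ("utf-8", "utf-16-le")]
    # Bytes that must follow a match start before it is reported: the longest
    # pattern plus trailing context. Later starts wait for the next chunk.
    margin = max(len(p) for _, _, p in patterns) + context
    hits: List[Hit] = []
    buf, base, first = b"", 0, 0  # base: file offset of buf[0]; first: first unreported index
    while True:
        chunk = stream.read(chunk_size)
        buf += chunk
        limit = len(buf) if not chunk else max(first, len(buf) - margin)
        for kw, enc, pat in patterns:
            pos = buf.find(pat, first)
            while pos != -1 and pos < limit:
                lo, hi = max(0, pos - context), pos + len(pat) + context
                hits.append(Hit(base + pos, enc, kw, _printable(buf[lo:hi])))
                pos = buf.find(pat, pos + 1)
        if not chunk:  # end of file: everything left has been reported
            return sorted(hits)
        cut = max(0, limit - context)  # keep leading context for deferred matches
        buf, base, first = buf[cut:], base + cut, limit - cut

# Constructed sample standing in for a raw image: one ASCII and one UTF-16LE copy.
KEYWORD = "alice@example.com"
SAMPLE = (b"\x00" * 100 + b"alice@example.com says: hi" + b"\xff" * 200
          + KEYWORD.encode("utf-16-le") + b"\x00" * 50)

if __name__ == "__main__":
    for hit in scan_image(io.BytesIO(SAMPLE), [KEYWORD], chunk_size=64):
        print(f"0x{hit.offset:08x} {hit.encoding:9} {hit.context}")
```

For a real file, pass `open(path, "rb")` on a copy extracted from the acquired image; the reported offsets can then be examined in a hex viewer.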

BillDL Commented:
Thank you VMthinker

jcimarron Commented:
VMthinker--Did BillDL's post let you find the location of those Chat files?
Is it  pagefile.sys ?