Solved

Location of MSN Live Messenger Temporary Chat Cache?

Posted on 2010-11-17
12
1,537 Views
Last Modified: 2013-12-17
Hi there! I have a question regarding the MSN Live Messenger temporary chat logs cache. The reason for the cache location is for forensics purposes.

The "cache" should not be the logs that are saved but maybe a small amount of chat logs waiting to be deleted after the computer restarts or after a period of time?

If possible, is there any C# code that you may advise on retrieving the "cache"?

 
Question by:VMthinker
12 Comments
 
LVL 50

Expert Comment

by:jcimarron
ID: 34165923
VMthinker--Perhaps of help
http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
I think this is only a repeat of the above, but more concise
http://answers.yahoo.com/question/index?qid=20071116090107AA52rkF
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34166033
Sorry, but that's not the answer to my question. My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history? It's something like the Messenger Cache found in %temp% but not pictures.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34168926
VMthinker--If you check the box "Automatically keep a History..." in item 2 in http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
MSN Live Messenger should automatically save the chats.  
Otherwise I do not think chats are saved.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34169415
It is confirmed by some sources that temporary logs do exist but I am unsure about their locations.
The reason that I am posting the question is due to the reverse engineering part of the program, which I am unsure about.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34169685
VMthinker--

"It is confirmed by some sources that temporary logs do exist... "
Please tell us about the sources.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34169756
I've heard it at a forensics conference by SANS at one point of time but unsure of when it was until I needed the functions for this question.
0
 
LVL 70

Expert Comment

by:Merete
ID: 34170317
I have never heard of this. I doubt it exists outside of the saved history, the reason being that
Windows Live Messenger is not integrated into Windows and therefore cannot be part of the NTuser.dat
What Is Ntuser DAT File?
http://www.ehow.com/about_6697490_ntuser-dat-file_.html
0
 
LVL 38

Accepted Solution

by:
BillDL earned 500 total points
ID: 34170677
Hi VMthinker

>>>
My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history?
<<<

If it is stored on the hard drive for a short time before deletion, then perhaps a file recovery program will recover the data, but I doubt it would be in any legible or editable format and would involve a massive amount of work finding that data amongst all other "undeleted" data from the drive.

C:\pagefile.sys

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1883
http://www.forensicswiki.org/index.php?title=Pagefile.sys

If you are involved in forensics already, then you may already have tools to extract the data from pagefile.sys, but I wouldn't expect it to be in any contiguous blocks or human readable format.

Search google for "analyze data in pagefile.sys" and you will get a mixed bag of professional and amateur opinions and suggestions.

If you know a few "strings" to search for, perhaps the job may be possible regardless of what efforts you make to find evidence.

I would have thought that the best way to test if any data is temporarily cached is to set up two test machines and monitor file and registry accesses at the time the testers submit their chat comments.

Mark Russinovich and Bryce Cogswell created some excellent utilities that are now owned by Microsoft and available for download at the SysInternals pages:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Of course, these utilities SHOULD NOT be used on a system being preserved for forensic analysis.  There are bespoke software suites designed for that purpose, which I assume you already know about.  My suggestion is to simply see if you can pin down read/write accesses to then know where to look on a preserved system.

Of particular interest will be:

SysInternals Suite:
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

PsTools (run many of the utilities on remote systems):
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Handle:
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Dump:
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
RAMMap:
http://technet.microsoft.com/en-us/sysinternals/ff700229.aspx
EFSDump:
http://technet.microsoft.com/en-us/sysinternals/bb896735.aspx
Sync:
http://technet.microsoft.com/en-us/sysinternals/bb897438.aspx

Other useful utilities:

Windows Registry Recovery (read files containing Windows 9x,NT,2K,XP,2K3 registry hives):
http://www.mitec.cz/wrr.html
Windows File Analyzer (decodes and analyzes special files inc Index.dat):
http://www.mitec.cz/wfa.html
DirList:
http://www.mitec.cz/dirlist.html

Other miscellaneous ones:
http://www.nirsoft.net/

http://www.nirsoft.net/utils/special_folders_view.html
http://www.nirsoft.net/utils/opened_files_view.html
http://www.nirsoft.net/utils/reg_file_from_application.html
http://www.nirsoft.net/utils/live_messenger_contacts.html

Hope this is of some help.
Bill
0
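BillDL's suggestion of searching pagefile.sys for known strings, as an added example that is not part of the original thread (and in Python rather than the C# asked about): it streams a working copy of the file in chunks and looks for each keyword in both ASCII and UTF-16LE, reporting the byte offset and the surrounding bytes. The keyword, the sample bytes and the function names are constructed for illustration.

```python
import io
import re

CHUNK = 1 << 20    # bytes read per pass
CONTEXT = 32       # context bytes kept on each side of a hit

def printable(raw, enc):
    """Decode context bytes; anything outside printable ASCII becomes '.'."""
    text = raw.decode("utf-16-le" if enc == "utf-16le" else "latin-1", "replace")
    return "".join(c if " " <= c <= "~" else "." for c in text)

def scan(stream, keywords, chunk=CHUNK, context=CONTEXT):
    """Yield (offset, encoding, keyword, context) for each hit in a raw image."""
    # Paged-out process memory can hold text as UTF-16LE as well as 8-bit strings.
    needles = [(kw, enc, kw.encode(codec)) for kw in keywords
               for enc, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le"))]
    keep = 2 * context + max(len(pat) for _, _, pat in needles)
    buf, base, prev_end = b"", 0, 0
    while True:
        data = stream.read(chunk)
        eof = not data
        buf += data
        end_abs = base + len(buf)
        hits = []
        for kw, enc, pat in needles:
            for m in re.finditer(re.escape(pat), buf):
                tail = base + m.end() + context
                if tail <= prev_end:              # reported in the previous pass
                    continue
                if tail > end_abs and not eof:    # right-hand context not read yet
                    continue
                lo = max(0, m.start() - context)
                if enc == "utf-16le" and (m.start() - lo) % 2:
                    lo += 1                       # stay aligned on 2-byte code units
                hits.append((base + m.start(), enc, kw,
                             printable(buf[lo:m.end() + context], enc)))
        yield from sorted(hits)
        if eof:
            return
        prev_end = end_abs
        drop = max(0, len(buf) - keep)            # carry the tail into the next pass
        buf, base = buf[drop:], base + drop

def demo(chunk=48):
    """Constructed sample standing in for a working copy of pagefile.sys."""
    blob = (b"\x00" * 100 + "hi bob@example.test, are you there?".encode("utf-16-le")
            + b"\xff" * 57 + b"To: bob@example.test\r\n" + b"\x00" * 40)
    return list(scan(io.BytesIO(blob), ["bob@example.test"], chunk=chunk, context=8))
```

To run it against real data, pass `scan()` a file opened with `open(path, "rb")` on a copy taken from the preserved image; the offsets it reports can then be examined in a hex viewer.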
 
LVL 38

Expert Comment

by:BillDL
ID: 34181931
Thank you VMthinker
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34183810
VMthinker--Did BillDL's post let you find the location of those Chat files?
Is it pagefile.sys?
0


Question has a verified solution.
