Solved

Location of MSN Live Messenger Temporary Chat Cache?

Posted on 2010-11-17
Last Modified: 2013-12-17
Hi there! I have a question regarding the MSN Live Messenger temporary chat logs cache. The reason for the cache location is for forensics purposes.

The "cache" should not be the logs that are saved but maybe a small amount of chat logs awaiting to be deleted after the computer restarts or after a period of time?

If possible, is there any C# code that you may advise on retrieving the "cache"?

 
0
Comment
Question by:VMthinker
12 Comments
 
LVL 50

Expert Comment

by:jcimarron
ID: 34165923
VMthinker--Perhaps of help
http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
I think this is only a repeat of the above, but more concise
http://answers.yahoo.com/question/index?qid=20071116090107AA52rkF
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34166033
Sorry, but that's not the answer to my question. My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history? It's something like the Messenger Cache found in %temp% but not pictures.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34168926
VMthinker--If you check the box "Automatically keep a History..." in item 2 in http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
MSN Live Messenger should automatically save the chats.  
Otherwise I do not think chats are saved.
0

 
LVL 2

Author Comment

by:VMthinker
ID: 34169415
It is confirmed by some sources that temporary logs do exist but I am unsure about their locations.
The reason that I am posting the question is due to the reverse engineering part of the program, which I am unsure about.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34169685
VMthinker--

"It is confirmed by some sources that temporary logs do exists... "
Please tell us about the sources.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34169756
I've heard it at a forensics conference by SANS at one point of time but unsure of when it was until I needed the functions for this question.
0
 
LVL 70

Expert Comment

by:Merete
ID: 34170317
I have never heard of this. I doubt it exists outside of the saved history, the reason being that
Windows Live Messenger is not integrated into Windows and therefore cannot be part of the NTuser.dat
What Is Ntuser DAT File?
http://www.ehow.com/about_6697490_ntuser-dat-file_.html
0
 
LVL 38

Accepted Solution

by:
BillDL earned 2000 total points
ID: 34170677
Hi VMthinker

>>>
My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history?
<<<

If it is stored on the hard drive for a short time before deletion, then perhaps a file recovery program will recover the data, but I doubt it would be in any legible or editable format and would involve a massive amount of work finding that data amongst all other "undeleted" data from the drive.

C:\pagefile.sys

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1883
http://www.forensicswiki.org/index.php?title=Pagefile.sys

If you are involved in forensics already, then you may already have tools to extract the data from pagefile.sys, but I wouldn't expect it to be in any contiguous blocks or human readable format.

Search google for "analyze data in pagefile.sys" and you will get a mixed bag of professional and amateur opinions and suggestions.

If you know a few "strings" to search for, perhaps the job may be possible regardless of what efforts you make to find evidence.

I would have thought that the best way to test if any data is temporarily cached is to set up two test machines and monitor file and registry accesses at the time the testers submit their chat comments.

Mark Russinovich and Bryce Cogswell created some excellent utilities that are now owned by Microsoft and available for download at the SysInternals pages:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Of course, these utilities SHOULD NOT be used on a system being preserved for forensic analysis.  There are bespoke software suites designed for that purpose, which I assume you already know about.  My suggestion is to simply see if you can pin down read/write accesses to then know where to look on a preserved system.

Of particular interest will be:

SysInternals Suite:
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

PsTools (run many of the utilities on remote systems):
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Handle:
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Dump:
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
RAMMap:
http://technet.microsoft.com/en-us/sysinternals/ff700229.aspx
EFSDump:
http://technet.microsoft.com/en-us/sysinternals/bb896735.aspx
Sync:
http://technet.microsoft.com/en-us/sysinternals/bb897438.aspx

Other useful utilities:

Windows Registry Recovery (read files containing Windows 9x,NT,2K,XP,2K3 registry hives):
http://www.mitec.cz/wrr.html
Windows File Analyzer (decodes and analyzes special files inc Index.dat):
http://www.mitec.cz/wfa.html
DirList:
http://www.mitec.cz/dirlist.html

Other miscellaneous ones:
http://www.nirsoft.net/

http://www.nirsoft.net/utils/special_folders_view.html
http://www.nirsoft.net/utils/opened_files_view.html
http://www.nirsoft.net/utils/reg_file_from_application.html
http://www.nirsoft.net/utils/live_messenger_contacts.html

Hope this is of some help.
Bill
0
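
BillDL's suggestion above to search pagefile.sys for known strings, sketched in Python as an added example that is not part of the original thread or any poster's code. It scans a binary stream in chunks for each keyword in both ASCII and UTF-16LE and reports the byte offset with surrounding context. The function names, the keyword and the sample bytes are constructed for illustration, and a real run is assumed to read a working copy exported from the forensic image rather than the live system.

```python
import io

# Constructed sample: noise, one ASCII hit, filler, one UTF-16LE hit (not real pagefile data).
KEYWORD = "alice@example.com"   # placeholder search term
SAMPLE = (b"\x00\x13\xff" * 10 + b"To: alice@example.com\r\n" + b"\x90" * 25
          + "alice@example.com: hello".encode("utf-16-le") + b"\x00" * 9)

def encodings_of(keyword):
    """Windows processes hold text as 8-bit or as UTF-16LE wide strings; search for both."""
    return {"ascii": keyword.encode("ascii"), "utf-16le": keyword.encode("utf-16-le")}

def scan_stream(stream, keywords, chunk_size=1 << 20, context=16):
    """Return sorted (offset, keyword, encoding, surrounding_bytes) hits.

    The stream is read in chunks so a multi-gigabyte file never sits in memory;
    a tail is carried between reads so hits straddling a chunk boundary are kept.
    """
    patterns = [(kw, enc, pat) for kw in keywords for enc, pat in encodings_of(kw).items()]
    keep = max(len(pat) for _, _, pat in patterns) - 1 + context
    hits, buf, buf_start, search_from = [], b"", 0, 0
    while True:
        chunk = stream.read(chunk_size)
        buf += chunk
        # Report hits starting before `limit`; later ones wait for more data.
        limit = len(buf) if not chunk else max(search_from, len(buf) - keep)
        for kw, enc, pat in patterns:
            pos = buf.find(pat, search_from)
            while pos != -1 and pos < limit:
                lo = max(0, pos - context)
                hits.append((buf_start + pos, kw, enc, buf[lo:pos + len(pat) + context]))
                pos = buf.find(pat, pos + 1)
        if not chunk:
            break
        cut = max(0, limit - context)   # keep leading context for deferred hits
        buf, buf_start, search_from = buf[cut:], buf_start + cut, limit - cut
    return sorted(hits)

def printable(data):
    """Render bytes for a report: printable ASCII kept, everything else shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

if __name__ == "__main__":
    # For a real case, open a working copy exported from the forensic image instead.
    for offset, kw, enc, ctx in scan_stream(io.BytesIO(SAMPLE), [KEYWORD], chunk_size=7):
        print(f"0x{offset:08x} {enc:9} {printable(ctx)}")
```

The reported offsets let an examiner return to the same location in a hex viewer; a hit only shows that the bytes were paged out at some point, not which file or process they came from.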
 
LVL 38

Expert Comment

by:BillDL
ID: 34181931
Thank you VMthinker
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34183810
VMthinker--Did BillDL's post let you find the location of those Chat files?
Is it  pagefile.sys ?
0


Question has a verified solution.
