Solved

Location of MSN Live Messenger Temporary Chat Cache?

Posted on 2010-11-17
Last Modified: 2013-12-17
Hi there! I have a question regarding the MSN Live Messenger temporary chat logs cache. The reason for the cache location is for forensics purposes.

The "cache" should not be the logs that are saved but maybe a small amount of chat logs waiting to be deleted after the computer restarts or after a period of time?

If possible, is there any C# code that you may advise on for retrieving the "cache"?

 
Question by:VMthinker
12 Comments
 
LVL 50

Expert Comment

by:jcimarron
ID: 34165923
VMthinker--Perhaps of help
http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
I think this is only a repeat of the above, but more concise
http://answers.yahoo.com/question/index?qid=20071116090107AA52rkF
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34166033
Sorry, but that's not the answer to my question. My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history? It's something like the Messenger Cache found in %temp% but not pictures.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34168926
VMthinker--If you check the box "Automatically keep a History..." in item 2 in http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
MSN Live Messenger should automatically save the chats.  
Otherwise I do not think chats are saved.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34169415
It is confirmed by some sources that temporary logs do exist but I am unsure about their locations.
The reason that I am posting the question is due to the reverse engineering part of the program which I am unsure.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34169685
VMthinker--

"It is confirmed by some sources that temporary logs do exists... "
Please tell us about the sources.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34169756
I've heard it at a forensics conference by SANS at one point of time but unsure of when it was until I needed the functions for this question.
0
 
LVL 70

Expert Comment

by:Merete
ID: 34170317
I have never heard of this. I doubt it exists outside of the saved history, the reason being that
Windows Live Messenger is not integrated into Windows and therefore cannot be part of the NTuser.dat
What Is Ntuser DAT File?
http://www.ehow.com/about_6697490_ntuser-dat-file_.html
0
 
LVL 38

Accepted Solution

by:
BillDL earned 500 total points
ID: 34170677
Hi VMthinker

>>>
My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history?
<<<

If it is stored on the hard drive for a short time before deletion, then perhaps a file recovery program will recover the data, but I doubt it would be in any legible or editable format and would involve a massive amount of work finding that data amongst all other "undeleted" data from the drive.

C:\pagefile.sys

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1883
http://www.forensicswiki.org/index.php?title=Pagefile.sys

If you are involved in forensics already, then you may already have tools to extract the data from pagefile.sys, but I wouldn't expect it to be in any contiguous blocks or human readable format.

Search google for "analyze data in pagefile.sys" and you will get a mixed bag of professional and amateur opinions and suggestions.

If you know a few "strings" to search for, perhaps the job may be possible regardless of what efforts you make to find evidence.

I would have thought that the best way to test if any data is temporarily cached is to set up two test machines and monitor file and registry accesses at the time the testers submit their chat comments.

Mark Russinovich and Bryce Cogswell created some excellent utilities that are now owned by Microsoft and available for download at the SysInternals pages:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Of course, these utilities SHOULD NOT be used on a system being preserved for forensic analysis.  There are bespoke software suites designed for that purpose, which I assume you already know about.  My suggestion is to simply see if you can pin down read/write accesses to then know where to look on a preserved system.

Of particular interest will be:

SysInternals Suite:
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

PsTools (run many of the utilities on remote systems):
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Handle:
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Dump:
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
RAMMap:
http://technet.microsoft.com/en-us/sysinternals/ff700229.aspx
EFSDump:
http://technet.microsoft.com/en-us/sysinternals/bb896735.aspx
Sync:
http://technet.microsoft.com/en-us/sysinternals/bb897438.aspx

Other useful utilities:

Windows Registry Recovery (read files containing Windows 9x,NT,2K,XP,2K3 registry hives):
http://www.mitec.cz/wrr.html
Windows File Analyzer (decodes and analyzes special files inc Index.dat):
http://www.mitec.cz/wfa.html
DirList:
http://www.mitec.cz/dirlist.html

Other miscellaneous ones:
http://www.nirsoft.net/

http://www.nirsoft.net/utils/special_folders_view.html
http://www.nirsoft.net/utils/opened_files_view.html
http://www.nirsoft.net/utils/reg_file_from_application.html
http://www.nirsoft.net/utils/live_messenger_contacts.html

Hope this is of some help.
Bill
0
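The string search over pagefile.sys suggested in the accepted answer, as an added example that is not part of the original thread: it scans a binary image in chunks for known strings in both single-byte and UTF-16LE form and reports the offset of each hit. The function names, the keyword `alice@example.test` and the in-memory sample image are constructed for illustration; it assumes the scan is run against a copy of the file rather than the preserved system.

```python
import io

def search_image(stream, keywords, chunk_size=1 << 20):
    """Return sorted (offset, encoding, keyword) hits found in a binary stream."""
    # Windows processes commonly hold text as single-byte or UTF-16LE; try both.
    patterns = [(kw.encode(enc), enc, kw)
                for kw in keywords for enc in ("utf-8", "utf-16-le")]
    keep = max(len(p) for p, _, _ in patterns) - 1   # tail carried across chunks
    hits, buf, base = set(), b"", 0                  # base = file offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        for pat, enc, kw in patterns:
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, enc, kw))
                pos = buf.find(pat, pos + 1)
        drop = max(len(buf) - keep, 0)               # keep only the overlap tail
        base += drop
        buf = buf[drop:]
    return sorted(hits)

def read_context(stream, offset, before=16, after=64):
    """Read bytes around a hit; drop NULs so UTF-16LE reads as text, mask the rest."""
    start = max(offset - before, 0)
    stream.seek(start)
    raw = stream.read(offset - start + after)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw if b != 0)

def build_sample():
    """Constructed stand-in for a pagefile copy: filler plus two planted strings."""
    ascii_msg = b"alice@example.test says: see you at 9"
    wide_msg = "alice@example.test".encode("utf-16-le")
    return b"\xcc" * 1015 + ascii_msg + b"\xcc" * 500 + wide_msg + b"\xcc" * 300

if __name__ == "__main__":
    # For a real case, replace the sample with open(<copy of pagefile.sys>, "rb").
    image = io.BytesIO(build_sample())
    for offset, enc, kw in search_image(image, ["alice@example.test"], chunk_size=1024):
        print(f"0x{offset:08x} {enc:9} {kw!r}: {read_context(image, offset)}")
```

The overlap tail is what lets a string that straddles two chunks still be found; in the sample the single-byte hit deliberately crosses the 1024-byte boundary.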
 
LVL 38

Expert Comment

by:BillDL
ID: 34181931
Thank you VMthinker
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34183810
VMthinker--Did BillDL's post let you find the location of those chat files?
Is it pagefile.sys?
0
