Solved

Location of MSN Live Messenger Temporary Chat Cache?

Posted on 2010-11-17
Last Modified: 2013-12-17
Hi there! I have a question regarding the MSN Live Messenger temporary chat logs cache. The reason for the cache location is for forensics purposes.

The "cache" should not be the logs that are saved, but maybe a small amount of chat logs waiting to be deleted after the computer restarts or after a period of time?

If possible, is there any C# code that you could advise for retrieving the "cache"?

Question by:VMthinker
 
LVL 50

Expert Comment

by:jcimarron
ID: 34165923
VMthinker--Perhaps of help
http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
I think this is only a repeat of the above, but more concise
http://answers.yahoo.com/question/index?qid=20071116090107AA52rkF
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34166033
Sorry, but that's not the answer to my question. My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history? It's something like the Messenger Cache found in %temp% but not pictures.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34168926
VMthinker--If you check the box "Automatically keep a History..." in item 2 in http://www.recipester.org/Recipe:Get_Chat_Log_history_15972692
MSN Live Messenger should automatically save the chats.  
Otherwise I do not think chats are saved.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34169415
It is confirmed by some sources that temporary logs do exist, but I am unsure about their locations.
The reason that I am posting the question is due to the reverse engineering part of the program, which I am unsure about.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34169685
VMthinker--

"It is confirmed by some sources that temporary logs do exist... "
Please tell us about the sources.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34169756
I heard it at a forensics conference by SANS at one point in time, but I am unsure of when it was until I needed the functions for this question.
0
 
LVL 69

Expert Comment

by:Merete
ID: 34170317
I have never heard of this. I doubt it exists outside of the saved history, the reason being that Windows Live Messenger is not integrated into Windows and therefore cannot be part of NTuser.dat.
What Is Ntuser DAT File?
http://www.ehow.com/about_6697490_ntuser-dat-file_.html
0
 
LVL 38

Accepted Solution

by:
BillDL earned 500 total points
ID: 34170677
Hi VMthinker

>>>
My question is about chat logs that are not "saved by the user" but rather saved by the system itself as a form of temporary chat logs which might contain part of the chat history?
<<<

If it is stored on the hard drive for a short time before deletion, then perhaps a file recovery program will recover the data, but I doubt it would be in any legible or editable format and would involve a massive amount of work finding that data amongst all other "undeleted" data from the drive.

C:\pagefile.sys

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1883
http://www.forensicswiki.org/index.php?title=Pagefile.sys

If you are involved in forensics already, then you may already have tools to extract the data from pagefile.sys, but I wouldn't expect it to be in any contiguous blocks or human readable format.

Search google for "analyze data in pagefile.sys" and you will get a mixed bag of professional and amateur opinions and suggestions.

If you know a few "strings" to search for, perhaps the job may be possible regardless of what efforts you make to find evidence.

I would have thought that the best way to test if any data is temporarily cached is to set up two test machines and monitor file and registry accesses at the time the testers submit their chat comments.

Mark Russinovich and Bryce Cogswell created some excellent utilities that are now owned by Microsoft and available for download at the SysInternals pages:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Of course, these utilities SHOULD NOT be used on a system being preserved for forensic analysis.  There are bespoke software suites designed for that purpose, which I assume you already know about.  My suggestion is to simply see if you can pin down read/write accesses to then know where to look on a preserved system.

Of particular interest will be:

SysInternals Suite:
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

PsTools (run many of the utilities on remote systems):
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Handle:
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Dump:
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
RAMMap:
http://technet.microsoft.com/en-us/sysinternals/ff700229.aspx
EFSDump:
http://technet.microsoft.com/en-us/sysinternals/bb896735.aspx
Sync:
http://technet.microsoft.com/en-us/sysinternals/bb897438.aspx

Other useful utilities:

Windows Registry Recovery (read files containing Windows 9x,NT,2K,XP,2K3 registry hives):
http://www.mitec.cz/wrr.html
Windows File Analyzer (decodes and analyzes special files inc Index.dat):
http://www.mitec.cz/wfa.html
DirList:
http://www.mitec.cz/dirlist.html

Other miscellaneous ones:
http://www.nirsoft.net/

http://www.nirsoft.net/utils/special_folders_view.html
http://www.nirsoft.net/utils/opened_files_view.html
http://www.nirsoft.net/utils/reg_file_from_application.html
http://www.nirsoft.net/utils/live_messenger_contacts.html

Hope this is of some help.
Bill
0
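Added example (not part of BillDL's answer, nor code from any tool he lists): the keyword search he suggests, run read-only against a copy of pagefile.sys exported from a forensic image. The function names, the keyword and the sample bytes are assumptions made for illustration; each keyword is searched as both ASCII and UTF-16LE, and the read buffer overlaps so a hit split across two reads is still found.

```python
import os
import tempfile

def build_patterns(keywords):
    # Windows programs commonly hold text as UTF-16LE, so search both encodings.
    # Assumption: keywords are plain ASCII (e.g. a contact's sign-in address).
    pats = []
    for kw in keywords:
        pats.append((kw, "ascii", kw.encode("ascii")))
        pats.append((kw, "utf-16le", kw.encode("utf-16-le")))
    return pats

def scan_file(path, keywords, chunk_size=1 << 20):
    """Return sorted (offset, encoding, keyword) hits. Opens the file read-only."""
    pats = build_patterns(keywords)
    overlap = max(len(p) for _, _, p in pats) - 1
    hits, buf, base = set(), b"", 0   # base = file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf += chunk
            for kw, enc, pat in pats:
                pos = buf.find(pat)
                while pos != -1:
                    hits.add((base + pos, enc, kw))
                    pos = buf.find(pat, pos + 1)
            # Carry the tail forward so a match split across two reads is found.
            keep = buf[-overlap:] if overlap else b""
            base += len(buf) - len(keep)
            buf = keep
    return sorted(hits)

def demo_hits():
    # Constructed sample standing in for a pagefile copy; not real evidence.
    kw = "alice@example.com"
    data = (b"\x00" * 10 + kw.encode("utf-16-le") + b"\xff" * 7
            + kw.encode("ascii") + b" says hi" + b"\x00" * 5)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        return scan_file(tmp.name, [kw], chunk_size=16)  # tiny chunks force splits
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for offset, enc, kw in demo_hits():
        print(f"0x{offset:08x}  {enc:9s} {kw}")
```

The reported offsets are byte positions in the scanned file, so each hit can be revisited in a hex viewer to read the surrounding fragment.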
 
LVL 38

Expert Comment

by:BillDL
ID: 34181931
Thank you VMthinker
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 34183810
VMthinker--Did BillDL's post let you find the location of those chat files?
Is it pagefile.sys?
0
