ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.
http://www.scribd.com/doc/12926281/ARTICLE-Forensic-Artefacts-Le...
Scribd Upload a Document Search Documents Explore
Documents
Books - Fiction Books - Non-fiction Health & Medicine Brochures/Catalogs Government Docs How-To Guides/Manuals Magazines/Newspapers Recipes/Menus School Work + all categories Featured Recent
People
Authors Students Researchers Publishers Government & Nonprofits Businesses Musicians Artists & Designers Teachers + all categories Most Followed Popular Sign Up | Log In
digital investigation 4 (2007) 7387
a v a i l a b l e a t w w w. s c i e n c e d i r e c t . c o m
j o u r n a l h o m e p a g e : w w w. e l s e v i e r. c o m / l o c a t e / d i i n
Wouter S. van Dongen

Fox-IT Forensic IT Experts, Olof Palmestraat 6, 2616 LM Delft, The Netherlands
a r t i c l e
i n f o
a b s t r a c t
Article history:
Received 30 May 2007
Windows Live Messenger commonly referred by MSN Messenger is stant messaging client worldwide, and is mostly used on Microsoft Windo Previous examination into MSN Messenger concludes that few traces res
Keywords:
MSN Messenger Windows Live Messenger
1 of 18
10/11/2011 2:53 PM
ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0
Microsoft MessengerWindows described Previous nMSN usage Revised 128.0.0812.00). The Live Messenger 8.0 oversions [Dickson M. Anwhich following chapteressenger 7.5 disk after M article Microsofts June of messaging client. results in thisicrosoft to identify examination into MSN M describes a hind after instant 8.0 (build the use 2007 expounded. The Windows Live Messenger Instant messaging 2007 WindowsWLM. MSN Messenger or Accepted 13 Juneew were known asthecation. Digitoperat- 2006;3].is used article to eight paragraphs. Each this on the opposite concluded bas been Individed in thecomputer.is The subseque before version n Windows from 8.0 versions of XP is may differXP. Microsoft most used Investig and tings, contact les and for known le contact lessignatures and know Contact list worldwide (commonly referred b). these previous shows With the use of le of can accounts MSN for short, WLM is MarketShare, 2007 y Therefore, the log les. where structures whichWLM be used to ing system it is possible to recover useful tinformation when deleted. Programs suchha Conversation content Messenger is by far the most used infrom what useful information space contain. a and he free space and slack they on the names. Windows Live can 2006; analyse Forensic Box paragraph conversation content explains stant messaging client worldwide (Arrington, help to Mook, artefacts which are left behind after the use of Messenger. conditions conversation content can be foun disk. IP addresses are explained in the fou and are followed by a paragraph about cha are several ways to share les with contacts and the traces are discussed in sixth paragr regarding audio and video such as voice clips
74
sessions are explained in the following paragraph. The
instance (0) is written after a successful login. After an event with the same description is written to
In Section 4 all results are summarized, and this section The second way is by checking registry keys.
2.
Method
USER\Software\Microsoft\MSNMessenger\PerPassportSettings\. The MSN Passport ID is generated proprietary hash function on the WLM account.
The Windows Live Messenger examination has been con-
Preceding 15 actual research an overview of all Windows / the

Download this Document for Free
2 of 18
10/11/2011 2:53 PM
Application canndings Microsoft Windows Data\Microsoft\Messenger\<WLM_account>5 eighth uon were carefully checked byHome tandfollowing these\ LivebMessenger paragraph Conclusions are given inor ection ducted sednal loginAfter each was set-up. using disto e and event appendix. discusses sing he login After evalstallation and rstfunctionalities XPsuccessful ByProfessional, application as an le. attempt wereu contact and user anainvestigated. S logout SharingMetadata\Working\database_<unique_computer_ play LM uestions: packresults. intocreated in VMware (Virtual functionalities, test the written resultan event log C:\Windows\ both with the test scenarios were and are two lines are 2 installed the the deinstallation of lyzing allbased onscenarios the on of NTFS formatted le in W pictures. uation q service ID>\dfsr.db: engine started new machines, availableDatabase system. examined. from http://www.vmware.com)a images WLM was The and analyzed with AccessData Forensic Toolkit (available from http://www.accessdata.com) version 1.62.1. Each scenario was conducted on a clean copy of a VMware image. Furthermore the VMware images were live analyzed by using Windows Sysinternals Filemon and Regmon (available from
attemptnamedthe book.key method. will itbedirect new contactcoll.cachethe MSN The named aaddress WLM Nevertheless2 k accoun account. of settings. Recoveryadditional and last with Box The Pass WLM a le is the key the after allregistry Forensic thatThree b.freew only containsfourthandpreferences and(thisis disp Toolkit information user and pos user can to requested areforensicbox@gmail.com). in thethe WLMthe caching, key is createdthe I afterbedirectories has further whereby key will accountdisable successful are the instance in cra database engine accountthe manager.contactsH as the at of attemptWindows credentialthis registry WLM(0)S these is not name stopped created in explained during on are stored in Thethethird as source.be done path: inHKEY_C This will be placed Whe tions data obviously can createdtate. sele attempt.hard directory registry done by in up have this Onedisk.the DefaultSignInSstarting C:\d can directory is be by C binaryESENT named which accounts are stored. registry address successfully loggedso dont store my key will c a shared computer in, the binary including the binary data on it under the picture, or personal messages named UTL. U in the WLM options screen. In the registryacc the users display picture and WLM u address). Because of this it is possible to determ HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\ account all preferences and settings belong. If disabled the use of display pictures the value of empty.
PerPassportSettings\<MSN_Passport_ID>\DisableCache can be veried if caching is enabled. This registry key is only
When a user logs into Windows Live Messe
\Contacts\
and
C:\Documents
and
have trouble connecting to the server due to

/ 15
However, in order Download this Document for Free
to enable the option shared computer
3 of 18
10/11/2011 2:53 PM
is enabling Although in a the fully encrypted has the concurity the this shared the options this key contacts. value by disabled. the manner as option If screen, the u it is worth created same option this user to seems encryption theIn rst under tabifitsecurity tab forcomputerdisable useless,serof saved ted in the is possible is enabled. option, however, will the mentioning because it default e important when the option is contact les. Encryption of contacts tent caching iskey the couldremoved. isBecausedata default, 01, of this directory will beHKEY_CURRENT_USER\Software\Microsoft\ disabled. When subsequently of this conb settings. enabled by carving registry need to login with is used to rst not is set to 00. logging out the and slack therefore itrecoverlikely thatles Because free spaceconclusion disabled the value contact whilefrom the of this the encryption. tacts are is saved and a user will disable after enabling can shared computerthe les removed. Due tothe user with space ofthis the contact Besidesmadehard disk. value of not stored unencrypted has the be the that if option are the key is 00 this it could used the shared computer option inheand theand and slack the use of this option, contacts lename free space if the are be possible to recover only the from t the past XML tags key does not Windows swap might not have disk with the use or space or exist the user le of the hard used this option of deleted the structure of the les. This is further explained in the known key. the analysis paragraphs Sections 3.2.3 3.2.5 in the course and of this document. The directory C:\Documents
\Local slow Internet connection, WLM is able dire the .WindowsLiveContact les. option conta a<name>.tmpcontactSettings\Applicationimpossibleto Data users , shared Members.stg consists makes it fun enabling thewhichlist. computer Beside this to Live Sho le the contacts<WLM_account>\shadow\. .MeCon members.stg,each chunk covers one contacts in loading the saved contacts. Whencontact. the Contacts\ are saved.C:\Documents contactcoll.cache opening all I By and and XML chunks, directories by in a of MSN the savedis able toMessengerit is le was named li in directory C:\Documents sionshexadecimal editorbut contact details dete WLM connect, this possible to such will appear further C:\Documents on. Encrypted and contactS the directory settings) are named by the Global Unique ide algorithm and are characterized by the extens LiveContact. If the user has disabled encrypti les have the extension .CONTACT and are n e-mail address or name of the contact. Thes les are only saved in the directory C
w w
/ 15 Download this Document for Free
4 of 18
10/11/2011 2:53 PM
5 of 18
10/11/2011 2:53 PM
6 of 18
10/11/2011 2:53 PM
7 of 18
10/11/2011 2:53 PM
8 of 18
10/11/2011 2:53 PM
9 of 18
10/11/2011 2:53 PM
10 of 18
10/11/2011 2:53 PM
11 of 18
10/11/2011 2:53 PM
12 of 18
10/11/2011 2:53 PM
13 of 18
10/11/2011 2:53 PM
14 of 18
10/11/2011 2:53 PM
15 of 18
10/11/2011 2:53 PM
Allianz Sade. Proteja-se Cobre hospitalizao, ambulatrio e dentes. Saiba tudo em bancobpi.pt Messenger Chat Get Free Chat w/Friends From Around The World. Explore 5000+ Chatrooms! Registry Fix for Windows Scan, Diagnose & Fix Registry. Run Free Diagnostic Tool!
www.bancobpi.pt/Seguros
Paltalk.com
www.pchubs.com
16 of 18
10/11/2011 2:53 PM
17 of 18
10/11/2011 2:53 PM
www.SweetIM.com
Ads by Google
Upload a Document Search Documents Follow Us! scribd.com/scribd twitter.com/scribd facebook.com/scribd About Press Blog Partners Scribd 101 Web Stuff Support FAQ Developers / API Jobs Terms Copyright Privacy Copyright 2011 Scribd Inc. Language: English
18 of 18
10/11/2011 2:53 PM

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8

Uploaded by

Copyright:

Available Formats

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.

Scribd Upload a Document Search Documents Explore

digital investigation 4 (2007) 7387

Wouter S. van Dongen

Received 30 May 2007

MSN Messenger Windows Live Messenger

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

digital investigation 4 (2007) 7387

sessions are explained in the following paragraph. The

The Windows Live Messenger examination has been con-

Preceding 15 actual research an overview of all Windows / the

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

digital investigation 4 (2007) 7387

PerPassportSettings\<MSN_Passport_ID>\DisableCache can be veried if caching is enabled. This registry key is only

When a user logs into Windows Live Messe

have trouble connecting to the server due to

However, in order Download this Document for Free

to enable the option shared computer

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

ARTICLE - Forensic Artefacts Left by Windows Live Messenger 8.0

/ 15 Download this Document for Free

You might also like