Forensic artefacts left by Windows Live Messenger 8.0

Wouter S. van Dongen
Fox-IT Forensic IT Experts, Olof Palmestraat 6, 2616 LM Delft, The Netherlands

Article info
Article history: Received 30 May 2007; Revised 12 June 2007; Accepted 13 June 2007
Keywords: MSN Messenger; Windows Live Messenger; Microsoft Messenger; Instant messaging; Contact list; Conversation content; Forensic Box

Abstract
Windows Live Messenger – commonly referred to as MSN Messenger – is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP. Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded, based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger.

© 2007 Elsevier Ltd. All rights reserved.
E-mail address: wvdongen@zonnet.nl
Available at www.sciencedirect.com; journal homepage: www.elsevier.com/locate/diin
1742-2876/$ – see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2007.06.019
Digital Investigation 4 (2007) 73–87

1. Introduction

Windows Live Messenger (WLM) is the latest version of Microsoft's instant messaging client. Previous versions before version 8.0 were known as MSN Messenger, or MSN for short, and WLM is commonly referred to by these previous names. Windows Live Messenger is by far the most used instant messaging client worldwide (Arrington, 2006; Mook, 2006). MSN was first released in July 1999; the current version of WLM is 8.1 (at time of writing), which was released in January 2007.

This article focuses on Windows Live Messenger version 8.0 (build 8.0.0812.00). The results described in this article may differ for newer versions of WLM.

This article explains a number of traces which are left behind after the use of Windows Live Messenger 8.0 on Microsoft Windows XP. Microsoft Windows XP is the most used operating system worldwide (MarketShare, 2007). Therefore, the most likely combination to encounter is Windows Live Messenger on Microsoft Windows XP.

In the next chapter the research method used is expounded. The following chapter describes all the results and is divided into eight paragraphs. Each file is analysed for known file structures which can be used to restore it from the free space and slack space on the hard drive.

The first paragraph starts with artefacts which are used to identify which Windows Live Messenger accounts have been used on the computer. The subsequent paragraph shows where contact files of WLM accounts can be found and what useful information they contain. The following paragraph, 'conversation content', explains under which conditions conversation content can be found on the hard disk. IP addresses are explained in the fourth paragraph and are followed by a paragraph about chat logs. There are several ways to share files with contacts; all methods and their traces are discussed in the sixth paragraph. Artefacts regarding audio and video, such as voice clips and webcam sessions, are explained in the following paragraph. The eighth and final paragraph discusses contact and user display pictures.

In Section 4 all results are summarised, and this section can be used as an appendix. Conclusions are given in Section 5 and are based on the results.
2. Method

The Windows Live Messenger examination has been conducted on Microsoft Windows XP Home and Professional, both with Service Pack 2 installed on an NTFS formatted file system.

Preceding the actual research an overview of all Windows Live Messenger functionalities was set up. By using these functionalities, test scenarios were created in VMware (virtual machines, available from http://www.vmware.com) images and analysed with AccessData Forensic Toolkit (available from http://www.accessdata.com) version 1.62.1. Each scenario was conducted on a clean copy of a VMware image. Furthermore the VMware images were 'live' analysed by using Windows Sysinternals Filemon and Regmon (available from http://www.microsoft.com/technet/sysinternals/) to monitor file and Windows registry activity, WinHex (available from http://www.x-ways.net) for the examination of the virtual memory and files, and Wireshark (available from http://www.wireshark.org) to monitor TCP/IP traffic.

Before analysing the test scenarios, the 'basic' scenarios, installation and first login attempt, were investigated. After analysing all the test scenarios the result of the deinstallation of WLM was examined.

The plausibility of all the conclusions that were associated with findings was carefully checked by using the following evaluation questions:

- Are all the experiments which are carried out relevant for the conclusion?
- Have sufficient experiments been carried out in order to give a well founded conclusion?
- Are there any counter examples?
3. Results
3.1. Which accounts are used
There are four ways which can be used to determine which WLM accounts were used on the computer.

The first and most evident way is to check the Windows application event file. After each successful login or logout in WLM two lines are written into the event log 'C:\Windows\system32\config\AppEvent.Evt'. Due to these entries the used account and the date and time of usage can be established. An event with the description 'MsnMsgr (<process_ID>) \\.\C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account>\SharingMetadata\Working\database_<unique_computer_ID>\dfsr.db: The Database engine started a new instance (0)' is written after a successful login. After a logout an event with the same description is written to the event file, only the additional information that will be displayed is 'The database engine has stopped the instance (0)'. Both entries have ESENT as source.

The second way is by checking registry keys. During a login attempt a new registry key with the MSN Passport ID of the account as the name of the key is created in 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\'. The MSN Passport ID is generated by using a proprietary hash function on the WLM account. This registry key contains all user preferences and settings. When a login attempt is not successful this registry key will only contain binary data named 'DefaultSignInState'. When a user is successfully logged in, the registry key will contain more binary data, including the binary data named 'UTL'. 'UTL' contains the user's display picture and the WLM account (e-mail address). Because of this it is possible to determine to which account all preferences and settings belong. If the user has disabled the use of display pictures the value of 'UTL' will be empty.

The third method is to look for directories which are named after the WLM account. Three directories named after the WLM account are created during a first login attempt. One directory will be placed in 'C:\Documents and Settings\<user>\Contacts\' and a second in 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\'. If a login attempt is unsuccessful these directories will only contain a file named contactcoll.cache of 2 kb. The contents of these directories are further explained in Section 3.2.2. The third directory is created in 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\'. This directory is only created if the login attempt is successful; its purpose is to store shared files.

Looking for accounts which are set to be 'remembered' by WLM is the fourth and last method. The accounts are saved in the Windows credential manager. WLM credential data are stored in the registry path 'HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\'. The credentials can easily be decrypted with the tools AccessData Password Recovery Toolkit and Forensic Box (this freeware program can be requested at forensicbox@gmail.com). In some situations this can obviously be done by starting up WLM to see which accounts are stored.

None of the above artefacts will be removed by uninstalling Windows Live Messenger.
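The event log check above can be scripted. The following Python is an added example written for this edition, not code from the paper or from Forensic Box. It assumes the records have already been exported from AppEvent.Evt as (time, source, description) tuples; the records in SAMPLE_EVENTS copy the shape of the description quoted above, but every timestamp, user, account and computer ID in them is constructed.

```python
"""Added example (not from the paper): build a per-account Windows Live
Messenger login/logout timeline from the ESENT Application event log entries
described in Section 3.1.

SAMPLE_EVENTS is constructed: the descriptions copy the shape quoted in the
paper (dfsr.db path carrying the Windows user, the WLM account and the unique
computer ID, then 'started a new instance (0)' or 'stopped the instance (0)'),
but every timestamp, name and ID is invented. Records are assumed to have been
exported from AppEvent.Evt already as (time, source, description) tuples.
"""
import re
from datetime import datetime

# \\.\C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft
# \Messenger\<WLM_account>\SharingMetadata\Working\database_<computer_ID>\dfsr.db
EVENT_RE = re.compile(
    r"MsnMsgr \((?P<pid>\d+)\)\s*"
    r"\\\\\.\\[A-Za-z]:\\Documents and Settings\\(?P<user>[^\\]+)"
    r"\\Local Settings\\Application Data\\Microsoft\\Messenger\\(?P<account>[^\\]+)"
    r"\\SharingMetadata\\Working\\database_(?P<computer_id>[^\\]+)\\dfsr\.db: "
    r"(?P<message>.+)"
)
STARTED = "The database engine started a new instance (0)."
STOPPED = "The database engine has stopped the instance (0)."


def _wlm_description(pid, user, account, computer_id, message):
    """Build a description string in the paper's format (sample data only)."""
    return (f"MsnMsgr ({pid}) \\\\.\\C:\\Documents and Settings\\{user}"
            f"\\Local Settings\\Application Data\\Microsoft\\Messenger\\{account}"
            f"\\SharingMetadata\\Working\\database_{computer_id}\\dfsr.db: {message}")


# Constructed records; each WLM login/logout appears twice, as the paper notes.
SAMPLE_EVENTS = [
    ("2007-05-30 09:12:01", "ESENT", _wlm_description(1532, "alice", "alice@example.com", "1A2B3C4D", STARTED)),
    ("2007-05-30 09:12:01", "ESENT", _wlm_description(1532, "alice", "alice@example.com", "1A2B3C4D", STARTED)),
    ("2007-05-30 09:13:40", "ESENT", "wuaueng.dll (852) SUS20ClientDataStore: " + STARTED),
    ("2007-05-30 11:45:30", "ESENT", _wlm_description(1532, "alice", "alice@example.com", "1A2B3C4D", STOPPED)),
    ("2007-05-30 11:45:30", "ESENT", _wlm_description(1532, "alice", "alice@example.com", "1A2B3C4D", STOPPED)),
    ("2007-05-31 20:02:15", "ESENT", _wlm_description(2210, "bob", "bob@example.net", "1A2B3C4D", STARTED)),
    ("2007-05-31 20:02:15", "ESENT", _wlm_description(2210, "bob", "bob@example.net", "1A2B3C4D", STARTED)),
]


def parse_event(source, description):
    """Return the fields of a WLM ESENT record, or None for any other record."""
    if source != "ESENT":
        return None
    m = EVENT_RE.search(description)
    if not m:
        return None
    msg = m.group("message").lower()
    if "started a new instance" in msg:
        action = "login"
    elif "stopped the instance" in msg:
        action = "logout"
    else:
        return None
    return {"pid": int(m.group("pid")), "user": m.group("user"),
            "account": m.group("account"), "computer_id": m.group("computer_id"),
            "action": action}


def build_timeline(events):
    """Parse all records, collapse the duplicated second line of each
    login/logout, and return the WLM records sorted by time."""
    seen, timeline = set(), []
    for ts, source, description in events:
        rec = parse_event(source, description)
        if rec is None:
            continue
        key = (ts, rec["account"], rec["action"])
        if key in seen:
            continue
        seen.add(key)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        timeline.append(rec)
    timeline.sort(key=lambda r: r["time"])
    return timeline


def sessions(timeline):
    """Pair each login with the next logout of the same account. A login with
    no later logout (or one followed by another login, e.g. after a crash) is
    reported with end=None; a logout with no earlier login gets start=None."""
    open_logins, result = {}, []

    def close(start, end):
        src = start or end
        result.append({"account": src["account"], "user": src["user"],
                       "computer_id": src["computer_id"],
                       "start": start["time"] if start else None,
                       "end": end["time"] if end else None})

    for rec in timeline:
        acct = rec["account"]
        if rec["action"] == "login":
            if acct in open_logins:
                close(open_logins.pop(acct), None)
            open_logins[acct] = rec
        else:
            close(open_logins.pop(acct, None), rec)
    for start in open_logins.values():
        close(start, None)
    return result


if __name__ == "__main__":
    for s in sessions(build_timeline(SAMPLE_EVENTS)):
        print(s["account"], s["user"], s["computer_id"], s["start"], "->", s["end"])
```

Because the paper reports two identical lines per login or logout, build_timeline() collapses records that share time, account and action; an examiner who sees only one line for an event may be looking at a partially overwritten or rolled-over log, which is why sessions() keeps a logout without a matching login rather than discarding it.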
3.2. Contact list
3.2.1. Shared computer option
By default Windows Live Messenger caches display pictures and the address book. Nevertheless it is possible for the user to disable the caching, whereby contacts are not saved on the hard disk. This can be done by selecting 'This is a shared computer so don't store my address book, display picture, or personal messages on it' under the security tab in the WLM options screen. In the registry under the key 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\<MSN_Passport_ID>\DisableCache' it can be verified if caching is enabled. This registry key is only created if this option is enabled. If this key has the value '01', caching is disabled. When subsequently the option is disabled the value is set to '00'. Because of this the conclusion can be made that if the value of the key is '00' the user has used the 'shared computer' option in the past, and if the key does not exist the user might not have used this option or might have deleted the key.

However, in order to enable the option 'shared computer' under the security tab in the options screen, the user will first need to log in with the default settings. Because of this, contacts are first saved and then, while logging out after enabling the shared computer option, removed. Due to this it could be possible to recover contacts from the free space and slack space or the Windows swap file of the hard disk with the use of the known structure of the files. This is further explained in the 'analysis' paragraphs, Sections 3.2.3–3.2.5, in the course of this document. The directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\', which is created during a first login attempt, will not be deleted by enabling the 'shared computer' option; however, the content of this directory will be removed.
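The registry checks of Sections 3.1 and 3.2.1 (the PerPassportSettings\<MSN_Passport_ID> key with its DefaultSignInState, UTL and DisableCache values) can be applied to a .reg export of the user's hive. The Python below is an added example, not part of the paper or of any tool it names. It assumes the 'Windows Registry Editor Version 5.00' export format, scans UTL for an e-mail address both as Latin-1 and as UTF-16LE text because the paper does not give the value's encoding, and uses constructed Passport IDs, accounts and byte values.

```python
"""Added example (not from the paper): read a .reg export of the
PerPassportSettings key and report, per MSN Passport ID, what Sections 3.1 and
3.2.1 allow an examiner to conclude from DefaultSignInState, UTL and DisableCache.

Assumptions not stated in the paper: the 'Windows Registry Editor Version 5.00'
export format; UTL is scanned for an e-mail address as Latin-1 and as UTF-16LE
text since the paper gives no encoding; every Passport ID, account and byte
value in SAMPLE_REG is constructed.
"""
import re

PER_PASSPORT = r"HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed export: a successful login whose cache was re-enabled later, a
# failed login attempt, and a successful login with display pictures disabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\1a2b3c4d]
"DefaultSignInState"=hex:01,00,00,00
"UTL"=hex:01,00,00,00,61,6c,69,63,65,40,65,78,61,6d,70,6c,65,2e,\
  63,6f,6d
"DisableCache"=hex:00

[HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\5e6f7a8b]
"DefaultSignInState"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\9c0d1e2f]
"DefaultSignInState"=hex:01,00,00,00
"UTL"=hex:
"DisableCache"=hex:01
"""


def _decode_value(text):
    """Decode one .reg value body: hex/hex(n) -> bytes, dword -> int, else str."""
    if text.startswith("hex"):
        body = text.split(":", 1)[1]
        return bytes(int(h, 16) for h in body.split(",") if h.strip())
    if text.startswith("dword:"):
        return int(text[6:], 16)
    return text.strip('"')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: decoded_value}}.
    Handles the trailing-backslash line continuation regedit uses for long
    binary values."""
    keys, current, logical = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # continued on the next line
            logical += line[:-1]
            continue
        line, logical = logical + line, ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip().strip('"')] = _decode_value(value.strip())
    return keys


def account_from_utl(utl):
    """Pull the WLM account (e-mail address) out of the UTL blob. Encoding is an
    assumption: try the bytes as Latin-1 text, then as UTF-16LE."""
    for candidate in (utl.decode("latin-1"), utl.decode("utf-16-le", errors="ignore")):
        m = EMAIL_RE.search(candidate)
        if m:
            return m.group(0)
    return None


def analyse_per_passport(keys):
    """Apply the paper's rules to every direct <MSN_Passport_ID> subkey."""
    prefix, report = PER_PASSPORT + "\\", {}
    for path, values in keys.items():
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue
        utl, cache = values.get("UTL"), values.get("DisableCache")
        if cache is None:
            cache_state = "no DisableCache value: option never used, or value deleted"
        elif cache == b"\x01":
            cache_state = "caching disabled ('shared computer' option active)"
        elif cache == b"\x00":
            cache_state = "caching enabled now; 'shared computer' option used in the past"
        else:
            cache_state = "unexpected DisableCache value " + cache.hex()
        report[path[len(prefix):]] = {
            "login_succeeded": utl is not None,          # UTL only appears after a successful login
            "account": account_from_utl(utl) if utl else None,
            "display_picture_disabled": utl is not None and len(utl) == 0,
            "cache_state": cache_state,
        }
    return report


if __name__ == "__main__":
    for passport_id, r in analyse_per_passport(parse_reg_export(SAMPLE_REG)).items():
        print(passport_id, r)
```

A key that carries only DefaultSignInState is reported as a failed login attempt; the Passport ID alone does not reveal the account, so the e-mail address is only available where UTL is present and non-empty.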
3.2.2. Contacts
In the Windows Live Messenger options screen under the security tab it is possible for a user to disable encryption of saved contact files. Encryption of contacts is enabled by default; therefore it is not likely that a user will disable the encryption. Besides this, the contact files are not stored unencrypted with the use of this option: only the filename and the XML tags are in plain text format. The contents of the tags are still encrypted in the same manner as the fully encrypted contacts. In the registry key 'HKEY_CURRENT_USER\Software\Microsoft\Windows Live\Communications Clients\Shared\<MSN_Passport_ID>\DisableContactEncryption' it can be verified if encryption is disabled. If this key has the value 1, encryption is disabled. Although this option seems useless, it is worth mentioning because it could be important when data carving is used to recover contact files from the free space and slack space of the hard disk.

When a user logs into Windows Live Messenger – without enabling the 'shared computer' option – contacts are saved in the directories 'C:\Documents and Settings\<user>\Contacts\' and 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\'. Should WLM have trouble connecting to the server due to, for example, a slow Internet connection, WLM is able to function normally by loading the saved contacts. When contacts are not saved WLM is able to connect, but contact details such as nicknames will appear later on. Encrypted contact files (default settings) are named by the Globally Unique Identifier (GUID) algorithm and are characterised by the extension .WindowsLiveContact. If the user has disabled encryption the contact files have the extension .CONTACT and are named after the e-mail address or name of the contact. These .CONTACT files are only saved in the directory 'C:\Documents and Settings\<user>\Contacts\'. This means that if the encryption option has been disabled, contacts in the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\' are still stored encrypted as '<GUID>.WindowsLiveContact'.

In the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\' the files members.stg, contactcoll.cache and .MeContact are saved among the .WindowsLiveContact files. Besides this directory, the files members.stg, contactcoll.cache and .MeContact are also saved in the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\real\'. .Addressbook files are saved in this directory as well. Members.stg is a file which contains all the contacts of a user's contact list. Members.stg consists of several XML chunks; each chunk covers one contact. In previous versions of MSN Messenger this file was named listcache.dat. In the directory 'C:\Documents and Settings\<user>\Local Settings\Temp' the file members.stg is saved as 'w<name>.tmp'. In this directory more files are saved like 'w<name>.tmp', which makes it impossible to trace in which file the contacts are saved. By opening all 'w<name>.tmp' files in a hexadecimal editor it is possible to determine with the

Fig. 1 – Windows Explorer screenshot; example of the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\real\' and its corresponding contact files belonging to WLM account msnkoning@live.nl.
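Sections 3.1 and 3.2 together describe a directory layout that can be surveyed directly on an imaged profile. The Python below is an added example, not from the paper: it first writes a constructed Windows XP profile tree into a temporary directory (every account, GUID and file in it is invented; only the directory names and file names follow the paper) and then classifies each WLM account directory by the rules above: only contactcoll.cache present (login attempted), GUID-named .WindowsLiveContact files (encrypted contacts), .CONTACT files (encryption disabled), members.stg, .MeContact and .Addressbook files, an emptied directory ('shared computer' option), and w<name>.tmp candidates in Local Settings\Temp.

```python
"""Added example (not from the paper): survey a Windows XP user profile for the
Windows Live Messenger contact artefacts of Sections 3.1 and 3.2.

build_sample_profile() writes a constructed profile tree into a temporary
directory (every account, GUID and file is invented; only the directory layout
and file names follow the paper) so that the survey can run offline.
"""
import os
import re
import shutil
import tempfile
import uuid

CONTACTS = "Contacts"
WLC = os.path.join("Local Settings", "Application Data", "Microsoft", "Windows Live Contacts")
TEMP = os.path.join("Local Settings", "Temp")
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)


def _touch(path, size):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\0" * size)


def build_sample_profile():
    """Create a throw-away profile tree (constructed data) and return its root."""
    root = tempfile.mkdtemp(prefix="wlm-profile-")

    def guid():
        return f"{uuid.uuid4()}.WindowsLiveContact"

    a, b, c, e = "alice@example.com", "bob@example.net", "carol@example.org", "erin@example.com"
    # alice: successful logins with default settings (encrypted contacts)
    for name in (guid(), guid(), "contactcoll.cache"):
        _touch(os.path.join(root, CONTACTS, a, name), 512)
    for name in (guid(), guid(), "members.stg", "contactcoll.cache", ".MeContact"):
        _touch(os.path.join(root, WLC, a, "shadow", name), 512)
    for name in ("members.stg", "contactcoll.cache", ".MeContact", "alice.Addressbook"):
        _touch(os.path.join(root, WLC, a, "real", name), 512)
    # bob: failed login attempt, so only a 2 kb contactcoll.cache in each directory
    _touch(os.path.join(root, CONTACTS, b, "contactcoll.cache"), 2048)
    _touch(os.path.join(root, WLC, b, "contactcoll.cache"), 2048)
    # carol: contact encryption disabled; .CONTACT in Contacts\, shadow\ still encrypted
    _touch(os.path.join(root, CONTACTS, c, "Dave Smith.CONTACT"), 512)
    _touch(os.path.join(root, WLC, c, "shadow", guid()), 512)
    # erin: directory survives the 'shared computer' option but was emptied
    os.makedirs(os.path.join(root, WLC, e))
    # members.stg copies land in Temp as w<name>.tmp, next to unrelated files
    for name in ("w1a2b.tmp", "wc3d4.tmp", "~unrelated.tmp"):
        _touch(os.path.join(root, TEMP, name), 512)
    return root


def _files_below(directory):
    for dirpath, _, names in os.walk(directory):
        for n in names:
            yield n, os.path.getsize(os.path.join(dirpath, n))


def survey_wlm_accounts(profile_root):
    """Summarise, per WLM account directory, the contact artefacts present."""
    report = {}
    for base in (CONTACTS, WLC):
        basedir = os.path.join(profile_root, base)
        for account in os.listdir(basedir) if os.path.isdir(basedir) else []:
            r = report.setdefault(account, {"encrypted": 0, "unencrypted": 0,
                                            "members_stg": False, "me_contact": False,
                                            "addressbook": False, "contactcoll_cache_sizes": []})
            for name, size in _files_below(os.path.join(basedir, account)):
                stem, ext = os.path.splitext(name)
                low, ext = name.lower(), ext.lower()
                if ext == ".windowslivecontact" and GUID_RE.match(stem):
                    r["encrypted"] += 1          # default: GUID-named, encrypted
                elif ext == ".contact":
                    r["unencrypted"] += 1        # only written with encryption disabled
                elif low == "members.stg":
                    r["members_stg"] = True
                elif low == ".mecontact":
                    r["me_contact"] = True
                elif ext == ".addressbook":
                    r["addressbook"] = True
                elif low == "contactcoll.cache":
                    r["contactcoll_cache_sizes"].append(size)
    for r in report.values():
        r["encryption_disabled"] = r["unencrypted"] > 0
        if r["encrypted"] or r["unencrypted"] or r["members_stg"]:
            r["status"] = "contacts saved (successful login, caching enabled)"
        elif r["contactcoll_cache_sizes"]:
            r["status"] = "login attempted only (just contactcoll.cache; paper: 2 kb)"
        else:
            r["status"] = "directory emptied ('shared computer' option) or never populated"
    return report


def temp_members_candidates(profile_root):
    """w<name>.tmp files in Local Settings\\Temp: any of them may hold members.stg."""
    tmpdir = os.path.join(profile_root, TEMP)
    if not os.path.isdir(tmpdir):
        return []
    return sorted(n for n in os.listdir(tmpdir)
                  if n.lower().startswith("w") and n.lower().endswith(".tmp"))


if __name__ == "__main__":
    root = build_sample_profile()
    try:
        for account, r in sorted(survey_wlm_accounts(root).items()):
            print(account, "->", r["status"])
        print("Temp candidates:", temp_members_candidates(root))
    finally:
        shutil.rmtree(root)
```

Point survey_wlm_accounts() at the mounted 'C:\Documents and Settings\<user>' directory of an image to run it on real data; the account names come from the directory names alone, which is why an emptied directory still yields an account even though no contact file survives in it.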