digital investigation 4 (2007) 73–87

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/diin

Forensic artefacts left by Windows Live Messenger 8.0
Wouter S. van Dongen
Fox-IT Forensic IT Experts, Olof Palmestraat 6, 2616 LM Delft, The Netherlands

article info
Article history: Received 30 May 2007 Revised 12 June 2007 Accepted 13 June 2007 Keywords: MSN Messenger Windows Live Messenger Microsoft Messenger Instant messaging Contact list Conversation content Forensic Box

abstract
Windows Live Messenger – commonly referred by MSN Messenger – is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP. Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger. ª 2007 Elsevier Ltd. All rights reserved.

1.

Introduction

Windows Live Messenger (WLM) is the latest version of Microsoft’s instant messaging client. Previous versions – before version 8.0 – were known as MSN Messenger or MSN for short, WLM is commonly referred by these previous names. Windows Live Messenger is by far the most used instant messaging client worldwide (Arrington, 2006; Mook, 2006). MSN was first released in July 1999, the current version of WLM is 8.1 (at time of writing), which was released in January 2007. This article focuses on Windows Live Messenger version 8.0 (build 8.0.0812.00). The described results in this article may differ from new versions of WLM. This article explains a number of traces which are left behind after the use of Windows Live Messenger 8.0 on Microsoft Windows XP. Microsoft Windows XP is the most used operating system worldwide (MarketShare, 2007). Therefore, the

most likely combination to encounter is Windows Live Messenger on Microsoft Windows XP. In the next chapter the used research method is expounded. The following chapter describes all the results and is divided in to eight paragraphs. Each file is analyzed for known file structures which can be used to restore them from the free space and slack space on the hard drive. The first paragraph starts with artefacts which are used to identify which Windows Live Messenger accounts have been used on the computer. The subsequent paragraph shows where contact files of WLM accounts can be found and what useful information they contain. The following paragraph ‘conversation content’ explains under which conditions conversation content can be found on the hard disk. IP addresses are explained in the fourth paragraph and are followed by a paragraph about chat logs. There are several ways to share files with contacts, all methods and the traces are discussed in sixth paragraph. Artefacts regarding audio and video such as voice clips and webcam

E-mail address: wvdongen@zonnet.nl 1742-2876/$ – see front matter ª 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2007.06.019

74

digital investigation 4 (2007) 73–87

sessions are explained in the following paragraph. The eighth and final paragraph discusses contact and user display pictures. In Section 4 all results are summarized, and this section can be used as an appendix. Conclusions are given in Section 5 and are based on the results.

2.

Method

The Windows Live Messenger examination has been conducted on Microsoft Windows XP Home and Professional, both with service pack 2 installed on an NTFS formatted file system. Preceding the actual research an overview of all Windows Live Messenger functionalities was set-up. By using these functionalities, test scenarios were created in VMware (Virtual machines, available from http://www.vmware.com) images and analyzed with AccessData Forensic Toolkit (available from http://www.accessdata.com) version 1.62.1. Each scenario was conducted on a clean copy of a VMware image. Furthermore the VMware images were ‘live’ analyzed by using Windows Sysinternals Filemon and Regmon (available from http://www.microsoft.com/technet/sysinternals/) to monitor file and Windows registry activity, WinHex (available from http://www.x-ways.net) for the examination of the virtual memory and files, and Wireshark (available from http:// www.wireshark.org) to monitor TCP/IP traffic. Before analyzing the test scenario’s the ‘basic’ scenarios installation and first login attempt were investigated. After analyzing all the test scenarios the result of the deinstallation of WLM was examined. The plausibility of all the conclusions that were associated to findings were carefully checked by using the following evaluation questions:  Are all the experiments which are carried out relevant for the conclusion?  Have sufficient experiments been carried out in order to give a well founded conclusion?  Are there any counter examples?

3.
3.1.

Results
Which accounts are used

instance (0)’ is written after a successful login. After a logout an event with the same description is written to the event file, only the additional information that will be displayed is ‘The database engine has stopped the instance (0)’. Both entries have ESENT as source. The second way is by checking registry keys. During a login attempt a new registry key with the MSN Passport ID of the account as the name of the key is created in ‘HKEY_CURRENT_ USER\Software\Microsoft\MSNMessenger\PerPassportSettings\’. The MSN Passport ID is generated by using a proprietary hash function on the WLM account. This registry key contains all user preferences and settings. When a login attempt is not successful this registry key will only contain binary data named ‘DefaultSignInState’. When a user is successfully logged in, the registry key will contain more binary including the binary data named ‘UTL’. ‘UTL’ contains the user’s display picture and the WLM account (e-mail address). Because of this it is possible to determine to which account all preferences and settings belong. If the user has disabled the use of display pictures the value of ‘UTL’ will be empty. The third method is to look for directories which are named after the WLM account. Three directories named after the WLM account are created during a first login attempt. One directory will be placed in ‘C:\documents and Settings\<user>\Contacts\’ and a second in ‘C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\’. If a login attempt is unsuccessful these directories will only contain a file named contactcoll.cache of 2 kb. The content of these directories are further explained in the Section 3.2.2. The third directory is created in ‘C:\documents and Settings\<user>\Local Settings\Application Data\ Microsoft\Messenger’. This directory is only created if the login attempt is successful, its purpose is to store shared files. Looking for accounts which are set to be ‘remembered’ by WLM is the fourth and last method. The accounts are saved in the Windows credential manager. WLM credential data are stored in the registry path: ‘HKEY_CURRENT_USER\ Software\Microsoft\IdentityCRL\’. The credentials can easily be decrypted with the tools Accessdata Password Recovery Toolkit and Forensic Box (this freeware program can be requested at forensicbox@gmail.com). In some situations this can obviously be done by starting up WLM to see which accounts are stored. None of the above artefacts will be removed by uninstalling Windows Live Messenger.

There are four ways which can be used to determine which WLM accounts were used on the computer. The first and most evident way is to check Windows application event file. After each successful login or logout in WLM two lines are written into the event log ‘C:\Windows\ system32\config\AppEvent.Evt’. Due to these entries the used account and the date and time of usage can be established. An event with the description ‘MsnMsgr (<process_ID>) \\.\C:\Documents and Settings\<user>\Local Settings\ Application Data\Microsoft\Messenger\<WLM_account>\ SharingMetadata\Working\database_<unique_computer_ ID>\dfsr.db: The Database engine started a new

3.2. 3.2.1.

Contact list Shared computer option

By default Windows Live Messenger caches display pictures and the address book. Nevertheless it is possible for the user to disable the caching, whereby contacts are not saved on the hard disk. This can be done by selecting ‘This is a shared computer so don’t store my address book, display picture, or personal messages on it’ under the security tab in the WLM options screen. In the registry under the key ‘HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\

digital investigation 4 (2007) 73–87

75

PerPassportSettings\<MSN_Passport_ID>\DisableCache’ can be verified if caching is enabled. This registry key is only created if this option is enabled. If this key has the value ‘01’, caching is disabled. When subsequently the option is disabled the value is set to 00. Because of this the conclusion can be made that if the value of the key is 00 the user has used the ‘shared computer’ option in the past and if the key does not exist the user might not have used this option or deleted the key. However, in order to enable the option ‘shared computer’ under the security tab in the options screen, the user will first need to login with the default settings. Because of this contacts are first saved and while logging out – after enabling the shared computer option – removed. Due to this it could be possible to recover contacts from the free space and slack space or Windows swap file of the hard disk with the use of the known structure of the files. This is further explained in the ‘analysis’ paragraphs Sections 3.2.3 – 3.2.5 in the course of this document. The directory ‘C:\Documents and Settings\<user>\Local Settings\Application Data\ Microsoft\Windows Live Contacts\<WLM_account>\’ which is created during a first login attempt will not be deleted by enabling the ‘shared computer’ option, however, the content of this directory will be removed.

3.2.2.

Contacts

In the Windows Live Messenger options screen under the security tab it is possible for a user to disable encryption of saved contact files. Encryption of contacts is enabled by default, therefore it is not likely that a user will disable the encryption. Besides this the contact files are not stored unencrypted with the use of this option, only the filename and the XML tags are

When a user logs into Windows Live Messenger – without enabling the ‘shared computer’ option – contacts are saved in the directories ‘C:\Documents and Settings\<user> \Contacts\’ and ‘C:\Documents and Settings\<user> \Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\’. Should WLM have trouble connecting to the server due to, for example, a slow Internet connection, WLM is able to function normally by loading the saved contacts. When contacts are not saved WLM is able to connect, but contact details such as nicknames will appear further on. Encrypted contact files (default settings) are named by the Global Unique identifier (GUID) algorithm and are characterized by the extension .WindowsLiveContact. If the user has disabled encryption the contact files have the extension .CONTACT and are named after the e-mail address or name of the contact. These .CONTACT files are only saved in the directory ‘C:\Documents and Settings\<user>\Contacts\’. This means if the encryption option has been disabled contacts in the directory ‘C:\Documents and Settings\<user>\Local Settings\ Application Data\Microsoft\Windows Live Contacts\ <WLM_account>\shadow\’ are still stored encrypted as <GUID>.WindowsLiveContact. In the directory ‘C:\Documents and Settings\<user>\ Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\’ the files members.stg, contactcoll.cache and .MeContact are saved among the .WindowsLiveContact files. Beside this directory the files members.stg, contactcoll.cache and .MeContact are also saved in the directory ‘C:\Documents and Settings\ <user>\Local Settings\Application Data\Microsoft\ Windows Live Contacts\<WLM_account>\real\’. .Addressbook files are saved in this directory as well.

Fig. 1 – Windows Explorer screenshot; example of the directory ‘C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\real\’ and its corresponding contact files belonging to WLM account msnkoning@live.nl.

in plain text format. The contents of the tags are still encrypted in the same manner as the fully encrypted contacts. In the registry key ‘HKEY_CURRENT_USER\Software\Microsoft\ Windows Live\Communications Clients\Shared\<MSN_ Passport_ID>\DisableContactEncryption’ can be verified if encryption is disabled. If this key has the value 1, encryption is disabled. Although this option seems useless, it is worth mentioning because it could be important when data carving is used to recover contact files from the free space and slack space of the hard disk.

Members.stg is a file which contains all the contacts of a user’s contact list. Members.stg consists out of several XML chunks, each chunk covers one contact. In previous versions of MSN Messenger this file was named listcache.dat. In the directory ‘C:\Documents and Settings\<user>\Local Settings\Temp’ the file members.stg is saved as ‘w<name>.tmp’. In this directory more files are saved like ‘w<name>.tmp’, which makes it impossible to trace in which file the contacts are saved. By opening all ‘w<name>.tmp’ files in a hexadecimal editor it is possible to determine with the

76

digital investigation 4 (2007) 73–87

help of the structure of the file whether it contains contacts (see the file analysis paragraphs, Sections 3.2.3 – 3.2.5). The .MeContact file is named by the GUID algorithm. This file holds information regarding the WLM user such as nickname, status name, e-mail address, current display picture and a timestamp of the last dynamic change (changing display picture or nickname).

XML and used to identify display pictures, backgrounds and voice clips. All of these contact files are encrypted with a 128 bit AES encryption. The key to decrypt the files is an SHA1 hash of the corresponding Windows Live Messenger account. All encrypted Windows Live Messenger files can easily be decrypted with the use of the previously mentioned program Forensic Box.

Fig. 2 – Forensic Box screenshot; example of a decrypted members.stg file belonging to WLM account msnkoning@live.nl. The information of contact wvdongen@zonnet.nl is shown.

Information related to the contact list is saved in ‘<GUID>.Addressbook’. This file contains information such as the number of contacts, a timestamp on which all contacts were downloaded from the server, some timestamps named DeltaMembershipTS, DeltaALLTS and DeltaDynamicTS of which the meaning is not clear and contact and group checksums in a unknown format. Besides this two vague values named ABCH_CacheKey and STORAGE_ChacheKey can be found. In the directory ‘C:\Documents and Settings\ <user>\Application Data\Microsoft\MSN Messenger\ <MSN_Passport_ID>\MapFile’ several encrypted .dat files are saved. One of these .dat files contains e-mail addresses and MSN_Paspoort_IDs of some contacts. It is not clear why and when the contacts are saved in a .dat file. The other .dat files mainly contain MSN object creators which do not hold any interesting information. MSN objects are formatted in

Once again none of the above artefacts will be removed by uninstalling Windows Live Messenger. However, a user may use the ‘shared computer’ option or manually delete all relevant files. In this case it may be possible to restore contacts from the free space and slack space of the hard disk. In the following paragraphs the file characteristics are discussed which can be used to recover contacts.

3.2.3.

Members.stg file analysis

The members.stg file is characterized by the following hex values which indicate the start of the file (header): DD0CF11E0A1B11AE1000000000000000000000000000000003E0 00300FEFF0900. Around offset 100 starts a consecutive section of hex values FF FF FF FF FF FF FF FF. This section ends with 52006F006F007400200045006E007400720079 (Root Entry).

Fig. 3 – The recognizable ‘Root Entry’ section in members.stg.

digital investigation 4 (2007) 73–87

77

A section with the hex values 00 and FF alternated with few other values follows (see Fig. 4).

pattern between sections (see Fig. 5) it can be concluded that this marks the end of the file. By making a selection

Fig. 4

After this the encrypted XML sections with contacts appear. The sections are salient separated by a number of 00 00 00 00 00 00 00 00 hex values.

from the header to the end of the file, and exporting this to members.stg, it is possible to decrypt the recovered file with the use of Forensic Box (see Fig. 6).

Fig. 5 – Example of two encrypted XML sections within members.stg.

Unfortunately members.stg has no specific end signature. Through interruption of the 00 00 00 00 00 00 00 00

Fig. 6 – Example of an interrupted pattern between encrypted XML section within members.stg.

78

digital investigation 4 (2007) 73–87

In order to decrypt the file Forensic Box needs the corresponding WLM account. This can be done by looking for the traces described in Section 3.1.

making a selection from the begin to the end of the file, and exporting this to <name>.WindowsLiveContact, it is possible to decrypt the recovered file with the use of Forensic Box. By comparing .WindowsLiveContact files in a hex editor it is evident that the start of each file is equal to other .WindowsLiveContact of the corresponding WLM account. Therefore, it is possible to search the hard disk for the first 20 bytes of a .WindowsLiveContact file to find all corresponding .WindowsLiveContact files of a WLM account.

3.2.4.

.WindowsLiveContact file analysis

By searching the hard disk for ‘C:\Documents and Settings\ <user>\Contacts\<WLM_account>\’ or ‘C:\Documents and Settings\<user>\Local Settings\Application Data\ Microsoft\Windows Live Contacts\<WLM_account>’ an attempt can be made to restore deleted .WindowsLiveContacts files. Under the .WindowsLiveContact path, after the 00 hex value section the file begins.

Fig. 7 – Example of the start of a .WindowsLiveContact file.

3.2.5.
In .WindowsLiveContact files no sections with 00 00 00 00 00 00 00 00 hex values appear elsewhere in the file, therefore it can be assumed that this marks the end of the file. By

.CONTACT file analysis

CONTACT files have a characteristic start and end signature through which the files can be restored relatively easily with the use of data carving.

Fig. 8 – Example of the end of a .WindowsLiveContact file.

digital investigation 4 (2007) 73–87

79

Begin of a .CONTACT file: <?xml version¼‘‘1.0’’ encoding¼‘‘UTF-8’’?> <c:contact c:Version¼‘‘1’’ xmlns:c¼‘‘http://schemas.microsoft.com/Contact’’ xmlns:xsi¼‘‘http://www.w3.org/2001/XMLSchema-instance’’ xmlns:WL¼‘‘http://schemas.microsoft.com/Contact/Extended/WL’’>

End of a .CONTACT file:

MMS-IM-Format field specifies formatting options for the content of the message such as font name and colour. Furthermore MSN protocol traces including received messages can be found in the directory ‘C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\’ and ‘C:\Documents and Settings\ <user>\Local Settings\Temporary Internet Files\’. MSN protocol traces can only be found when port 1863 is blocked by a firewall in this situation WLM uses port 80. Port 80 is the default HTTP traffic port and is therefore normally not blocked by firewalls. Many organisations will block port 1863 for security reasons. Because of this these artefacts may occur more often than people may expect. MSN protocol traces are stored as ‘gateway.dll? <internetaddress>’ and ‘gateway[1].<session_ID>’.

</c:contact>

3.3.

Conversation content

In the article ‘An examination into MSN Messenger 7.5 contact identification’ published in Digital Investigation 3 (2006) 79–83, Mike Dickson states ‘conversation content never appeared anywhere on the hard disk other than – on only one occasion – within the Windows swap file’. In contrary to this statement it is possible – in some situations – to find (parts of) conversations on the hard disk in other places than the Windows swap file. First of all data stored in the system RAM are written to the file ‘hiberfil.sys’ when the system is put in hibernation mode. This file resides in the root of the system partition – usually ‘C:\hiberfil.sys’ – and is the same size as the total RAM. ‘hiberfil.sys’ is not removed when the system is operating in normal mode. Mainly MSN protocol traces can be found, but encrypted and decrypted contacts files reside in ‘hiberfil.sys’. Data are scattered across the file like in the Windows swap and RAM and therefore hard to analyse. However, it is fairly easy to find sent and received messages by searching for ‘X-MMS-IM-Format’, whereas on the other hand it is very difficult to determine the order of the messages. The X-

Fig. 10 – Files containing MSN protocol traces in the Temporary Internet Files\Content.IE5\ directory.

Fig. 9 – Example of a message (Hi, how are you?) sent by wvdongen@zonnet.nl.

80

digital investigation 4 (2007) 73–87

Fig. 11 – Files containing MSN protocol traces in the Temporary Internet Files directory.

The script that is used is /gateway/gateway.dll, and it takes the following parameters (Mintz and Sayer, 2004): <Action>: Either ‘open’ to open a new session or ‘poll’ to receive queued commands without sending any commands. Non-empty request don’t include an ‘action’ parameter. <Server>: Only used with ‘action¼open’ to specify the type of server to open. The value can be either ‘NS’ to open a notification server session or ‘SB’ to open a switchboard session. <IP>: Used with ‘action¼open’ to specify the IP address or domain name of the server. <SessionID>: Sent with every request. If the hard disk is formatted using the file system NTFS MSN protocol traces can also be found in the Master File Table ($MFT). The Master File Table is a file that contains one base file record for each file and folder on an NTFS volume. If the allocation information for a file or folder is too large to fit inside a single record, other file records will be allocated as well. The Master File Table is recorded in the boot sector of the hard disk. By sorting the ‘gateway files’ in the ‘Temporary Internet Files’ directory by time and date the course of a WLM session can be analyzed chronologically. Traces that reside in the $MFT are already recorded in chronological order. The $MFT timestamps of each record can be found by using a hexadecimal editor. Timestamps are encoded in the 64 bit hex value Little Endian – recognizable by the value 01 of the eighth byte – and can be decoded using the program DCode Date (available from http://www.digital-detective. co.uk). MSN protocol artefacts contain all kind of useful information such as received messages, nicknames, contacts, status of contacts (online, busy, away etcetera) and undertaken actions such as remote assistance. By looking into the creation time of the files the exact time of an event can be determined. The traces are not removed when closing and/or signing out of WLM. The files containing the traces are not modified after the creation. The removal of the contents of the ‘Temporary Internet Files’ occurs by default every 20 days. This may be different depending on the users Internet Explorer settings. The description of all MSN protocol traces is too extensive for this article. In order to correctly interpret the MSN protocol traces it is recommended to visit http:// msnpiki.msnfanatic.com and http://www.hypothetic.org/ docs/msn/. On these websites the MSN protocol is described in detail.

3.4.

IP addresses

Windows Live Messenger tries to establish a direct connection for file transfers between sender and receiver. First the sender sends an invitation to initiate a file transfer with the contact. Next the contact is asked to accept or decline the file transfer. If the contact accepts the file transfer all IP addresses of the available network adapters of the contact are sent to the MSN server. The MSN server sends the IP details on to the file sender in an MSN protocol packet. To establish a direct connection the file sender sends TCP SYN packets to all network adapters of the contact. If WLM is able to establish the connection the file transfer starts, if not the TCP SYN times out and a connection through the MSN server is established. When monitoring the network traffic with a TCP/IP sniffer such as Wireshark the IP address of the contact is revealed as soon as the contact accepts the file transfer. The file receiver can only reveal the senders IP address if a direct connection is established with sender. In the same way the IP address can be revealed when establishing and shared directory, audio and webcam connection.

3.5.

Chat logs

In the registry under the key ‘HKEY_CURRENT_USER/ Software/Microsoft/MSNMessenger/PerPassportSettings/ Passport_ID’ can be checked if the message logging option is enabled. If the binary key ‘MessageLoggingEnabled’ has the value ‘0’ message logging has been disabled. Any value other than ‘0’ – usually 04 03 01 00 00 00 – means that message logging is enabled. In the binary key ‘MessageLogPath’ the path to the directory resides where the messages are stored. The keys ‘MessageLoggingEnabled’ and ‘MessageLogPath’ are created when the message logging option is enabled. Because of this the conclusion can be made that if the keys exist, depending on their value, the user has used or is currently using the option. If the keys exist but the contents of the directory that resides in the key ‘MessageLogPath’ is empty the user might have deleted his/her messages. With the use of starting and ending signatures message log files could be recovered from the free space and slack space. Even when the keys ‘MessageLoggingEnabled’ and ‘MessageLogPath’ do not exist it is recommended to try to recover message log files because the user could have easily deleted the registry keys.

digital investigation 4 (2007) 73–87

81

Start of a WLM chat log file:

<?xml version¼‘‘1.0’’?> <?xml-stylesheet type¼‘text/xsl’ href¼‘MessageLog.xsl’?> <Log

End of a WLM chat log file:

</Log>

saved by using the ‘save as’ button are stored in order of their extension. It is not possible to determine if the file is saved from WLM or another program. Besides these registry keys nothing that is related to transmitted files is logged. The second possibility is by using the shared folder option. This function is introduced in Windows Live Messenger 8.0. When a user creates a sharing folder with a contact the directory ‘C:\Documents and Settings\ <user>\Local Settings\Application Data\Microsoft\ Messenger\<WLM_account_user>\Sharing Folders\ <WLM_account_contact>\’ is created. Every file that is shared is stored in this directory. All sharing activities are automatically logged.

Fig. 12 – Screenshot WLM shared activities log; example of a user who shared files.

Logged messages are not deleted when uninstalling Windows Live Messenger.

3.6.

Transmitted files

Windows Live Messenger offers two possibilities to share files with a contact. The first possibility is to send a single file. By default files which are received by WLM are stored in the directory ‘C:\Documents and Settings\<user>\My Documents\My Received Files\’. This directory can be modified by the user in the WLM options menu. The path to the ‘receiving’ directory is stored in the registry key ‘HKEY_CURRENT_USER\ Software\Microsoft\MSNMessenger\FtReceiveFolder’. Users can also use the ‘save as’ button to save the file in any other directory. In this case the file is logged in the registry under the key ‘HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU’. In this key all files – including their directory path – which are

The Sharing Activity Log file is stored in the file ‘C:\ Documents and Settings\<user>\Local Settings\ Application Data\Microsoft\Messenger\<WLM_account>\ SharingMetadata\activitylog.dat’. ‘Activitylog.dat’ has the same construction as Fig. 12. At the beginning of this file the oldest activity is logged (hash.rtf shared with msnkoning@live.nl on 13-3-2007 at 16:11:22) and at the bottom the most recent file will be logged (Beethoven’s Symphony shared with wouter-fox@hotmail.com on 16-3-2007 at 17:04:06). The files names are placed in order of status, contact and timestamp. Shared files including their directory path (status New File and Shared) will be described as opposed to deleted files which will be described without their directory path. Timestamps are formatted in a 64 bits hex value (Little Endian) given directly above the next file. Timestamps can be decoded with the previously mentioned program DCode Date. The user is able to remove his/her sharing activity log in WLM, in this case ‘activity.dat’ will be emptied.

82

digital investigation 4 (2007) 73–87

Fig. 13 – Example of a timestamp that resides in ‘activity.dat’.

Another important file in the shared folder option is ‘Dfsr.log’. This file is stored in the metadata directory ‘C:\Documents and Settings\<user>\Local Settings\ Application Data\Microsoft\Messenger\<WLM_account>\ SharingMetadata\Logs\’. ‘Dfsr.log’ is a file that contains

plain text from which much cannot be easily understood. ‘Dfsr.log’, however, clearly shows when a file is shared by a user or contact. The following two examples illustrate this. Wouter-fox@hotmail.com (user) shares a file with msnkoning @live.nl (contact):

20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[0] ¼¼ \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\ Microsoft\Messenger\wouter-fox@hotmail.com\Sharing Folders\msnkoning@live.nl 20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[1] ¼¼ msnkoning@live.nl 20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[2] ¼¼ 82C754CD-15B5-D668-C475-FAF99140BBE5 20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[3] ¼¼ planning.gif 20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[4] ¼¼ {D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13 20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[5] ¼¼ {82C754CD-15B5-D668-C475-FAF99140BBE5}-v1 20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[6] ¼¼ msnkoning@live.nl 20070329 12:38:56.404 2804 MRSH 3618 MarshallerTMarshal FileAttrs in metadata: 0x20 20070329 12:38:56.404 2804 SRTR 771 SERVER_InitializeFileTransfer planning.gif sizeRead:16384 20070329 12:38:56.404 2804 SRTR 818 SERVER_InitializeFileTransfer Initialized connId:{FA95D0E3-BFA53BF8-268D-BE26CA8BE6B4} rdc:1 context:021972A8,00000000,05B74010 uid:{D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13 gvsn{D274387AFCFC-439E-9030-CC3A8E27BF1B}-v13 20070329 12:38:56.404 2804 SRTR 833 SERVER_InitializeFileTransfer Success: 0 20070329 12:38:56.404 2804 FRTL 1333 FrtlSessionTSendOutputPacket Session:031BC5E0, bytesRemaining:11952, packet:InitializeFileTransfer_Response, callId:46, size:16672 20070329 12:38:56.404 2804 FRTL 74 FrtlSyncServerContextTwFrtlSyncServerContext ptr:031A98E0, session:031BC5E0 20070329 12:38:56.404 3216 SNMGR 1424 SyncNegotiationManagerTLogNode node:msnkoning@live.nl state:STATE_CONNECTED timer:306 connin:CONNECTION_STATE_ONLINE connout:CONNECTION_STATE_ONLINE syncin:SYNC_STATE_IN_SYNC syncout:SYNC_STATE_IN_PROGRESS

digital investigation 4 (2007) 73–87

83

Wouter-fox@hotmail.com shares (actually sends see: sendOutputpacket) the file ‘planning.gif’ on 29-03-2007 at 12:38:56 with msnkoning@live.nl. The file is copied to the directory ‘C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouterfox@hotmail.com\Sharing Folders\msnkoning@live.nl’. msnkoning@live.nl (contact) shares a file with wouter-fox @hotmail.com (user):

3.7.

Audio and video

In order to use the audio and video functionality the user first has to configure the devices in Windows Live Messenger. When the configuration is completed the binary value ‘RTCTuned’ with the value ‘1’ is created under the registry key ‘HKEY_CURRENT_USER\Software\Microsoft\ MSNMessenger\’.

20070329 12:37:20.174 2548 MEET 2019 MeetTDownload Download Succeeded: true updateName:Eula.txt uid:{46D6D7CB-E213-4E2C-A052-9DD08 532E98C}-v15 gvsn:{46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15 connId:{B1B74304-961C-48D5-E93527B3D4DDEDD2} csName:msnkoning@live.nl csId:{82C754CD-15B5-D668-C475-FAF99140BBE5} 20070329 12:37:20.174 2548 EVNT 342 EventLogTAudit Audit message: Success 1073748828 20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[0] ¼¼ \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouter-fox@hotmail.com\Sharing Folders\msnkoning@live.nl 20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[1] ¼¼ msnkoning@live.nl 20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[2] ¼¼ 82C754CD-15B5-D668-C475-FAF99140BBE5 20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[3] ¼¼ Eula.txt 20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[4] ¼¼ {46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15 20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[5] ¼¼ {82C754CD-15B5-D668-C475-FAF99140BBE5}-v1 20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[6] ¼¼ msnkoning@live.nl

Wouter-fox@hotmail.com receives the file ‘Eula.txt’ in the directory ‘C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouterfox@hotmail.com\Sharing Folders\msnkoning@live.nl’ at 29-03-2007 on 12:37:20 which is shared by msnkoning@live.nl. When a contact opens the shared directory of the user his/ her display picture is saved as _thumb.png in the directory ‘C:\Documents and Settings\<user>\Local Settings\ Application Data\Microsoft\Messenger\<WLM_account_ user>\SharingMetadata\<WLM_account_contact>\’.

3.7.1.

Voice clips

Fig. 14 – Screenshot Windows Explorer and Paint; WLM account msnkoning@live.nl shares files with wvdongen@zonnet.nl. The display picture of wvdongen@zonnet.nl is shown in Paint.

If the user sends a voice clip to a contact, the clip will temporarily be stored in two directories. In the first directory ‘C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\<MSN_Passport_ID>\VoiceClip\’ voice clips are stored in a .dat file. Voice clips which are stored in this directory are removed when the user logs-out of Windows Live Messenger. The second directory is ‘C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\VoiceClip\’. In this directory voice clips are stored in the format ‘msnmsgr_<timestamp>.wav’. Voice clips in this directory are not removed when the user logs-out, only when Windows Live Messenger is closed. Received voice clips are stored between – and in the same format as – sent voice clips in the directory ‘C:\ Documents and Settings\<user>\Application Data\ Microsoft\MSN Messenger\VoiceClip’. This is the only directory where voice clips are stored. Sent and received voice clips cannot be distinguished from each other. The voice clips have a characteristic starting signature with which they can be restored after removal from the free space and slack space.

84

digital investigation 4 (2007) 73–87

Fig. 15 – Example of the start of a voice clip opened in a hex editor; the underlined information is distinctive for a voice clip.

It is not possible to determine to which WLM account or contact a voice clips belongs.

3.7.2.

Webcam

When a webcam session in a conversation is initiated for the first time, the registry key ‘HKEY_CURRENT_USER\Software\ Microsoft\MSNMessenger\webcam’ will be created. A timestamp of the last initiation of a webcam session is stored in this registry key and contains a binary value grouped by the type of webcam session. Four types of webcam sessions can be distinguished: 1. tllp: only the user is broadcasting. 2. tllv: only the contact is broadcasting. 3. tllpr_t_p: both contact and user are broadcasting, the user started the request. 4. tllpr_v: both contact and user are broadcasting, the contact started the request.

in the directory ‘C:\Documents and Settings\<user>\ Local Settings\Temporary Internet Files\’. By using the last accessed time of the file can be determined when the user has initiated a webcam session with a contact. Advertisement images have a size of 300 Â 250 pixels and are downloaded from the Internet address http://spe.atdmt. com. When a user logs into WLM, images with a different size from the Internet address are also downloaded in the ‘Temporary Internet Files’ directory. When using the time indication traces it is not possible to determine with which contact the webcam session has been conducted. Beside time indications’ traces, traces of webcam sessions may reside in the RAM, Windows Swap and hiberfil.sys (hibernation file). By searching for ‘<Application>viewing webcam</Application>’ one can attempt to find traces of webcam invitations such as the involved Windows Live Messenger user and the contact. Some examples are as follows:

<User FriendlyName¼‘‘Wouter’’/></From><Application>viewing webcam</Application><Text Style¼‘‘color:#545454; ’’>You have invited MSN King to start viewing webcam. Please wait for a response or Cancel (Alt þ Q) the pending invitation.</Text></Invitation> <User FriendlyName¼‘‘MSN King’’/></From><Application>viewing webcam</Application><Text Style¼‘‘color:#545454; ’’>MSN King has accepted your invitation to start viewing webcam.</Text> <User FriendlyName¼‘‘MSN King’’/></From><Application>viewing webcam</Application><Text Style¼‘‘color:#545454; ’’>You have accepted the invitation to start viewing webcam.</Text>

The timestamp is stored 16 bytes, for example:

D7 07 05 00 02 00 0F 00 0C 00 08 00 0D 00 B4 02

However, these traces may not be as complete as shown in the example. Therefore, it may occur that only the text between the <Text></Text> tags can be found. In this case one can search for parts of the following sentences in Unicode format:  You have invited <contact_nickname> to start viewing webcam. Please wait for a response or Cancel (Alt þ Q) the pending invitation.  <contact_nickname> has accepted your invitation to start viewing webcam.  You have stopped viewing webcam with <contact_ nickname>.  <contact_nickname> is inviting you to start viewing webcam. Do you want to Accept (Alt þ C) or Decline (Alt þ D) the invitation?  You have accepted the invitation to start viewing webcam.  <contact_nickname> has stopped viewing webcam with you.

The first two bytes D7 07 show the year (2007), followed by the byte 05 which displays the month (May). The byte 02 stands for the day in the week (Tuesday), followed by the day 0F of the month (15th). The seventh byte 0C holds the hour in UTC (12), the next bytes contain the minutes 08 (8), followed by the bytes containing the seconds 0D (13). The last two bytes B4 02 contain the milliseconds (692). All italicized null bytes have no meaning. When the webcam of the contact is activated in a chat session an advertisement is shown during the connection set-up. This advertisement is a flash animation or image and is stored

digital investigation 4 (2007) 73–87

85 

<contact_nickname> wants to have a Video Call. Answer (Alt þ C) Decline (Alt þ D).  You have answered the call.  You declined the Video Call from <contact_nickname>.  Making a Video Call to <contact_nickname>.  You have invited <contact_nickname> to start sending webcam. Please wait for a response or Cancel (Alt þ Q) the pending invitation.

3.7.3.

Audio

Beside the RAM, Windows Swap and hiberfil.sys (hibernation file), no traces of audio conversations can be found on the hard disk. One can only try to trace back the contact by searching for parts of the following sentences in Unicode Format:  Calling <contact_nickname>. Hang up (Alt þ Q)  <contact_nickname> is answering your call. Hang up (Alt þ Q)  <contact_nickname> is calling you.  Your call is ended.  You have answered the call. Hang up (Alt þ Q).  <contact_nickname> is not answering.  You declined the call from <contact_nickname>. It is not possible to determine the time and date of the audio session.

Microsoft\MSN Messenger\<MSN_Passport_ID>\UserTile’. Display pictures are resized to 96 Â 96 pixels and are stored in a PNG file in ‘TFR<nr>.dat’. Contact display pictures of used WLM accounts on the computer are cached in the directory ‘C:\Documents and Settings\<user>\Local Settings\Temp\MessengerCache\’. Before WLM version 8.0 this directory was ‘C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\’ (Dickson, 2006). Besides the directory, the way in which display pictures are stored have also changed. Contact display pictures are stored without an extension and are named after an SHA1 hash of the original picture, encoded in Base64. Another difference from previous versions of MSN Messenger is that display pictures are not only cached when the user converses with the contact but are also cached from online notifications and contact card views. When a contact changes the display picture the old display picture is not removed. WLM uses the .WindowsLiveContact file – by using the UserTitleLocation tag – to determine which cached display picture belongs to the contact. For a forensic examination not only the .WindowsLiveContact file can be used to determine which display picture a contact is or was displaying. By using the MSN protocol traces which may possibly reside in the ‘Temporary Internet Files’ directory (see Section 3.3), Windows swap and hiberfil.sys (hibernation file) the display picture of a contact can be found. Example of an MSN protocol trace from the ‘Temporary Internet Files’ directory:

NLN AWY wvdongen@zonnet.nl 1 Wouter 1616756772 <msnobj Creator¼‘‘wvdongen@zonnet.nl’’ Size¼‘‘26954’’ type¼‘‘3’’ Location¼‘‘TFR1.dat’’ Friendly¼‘‘AAA’’ SHA1D¼‘‘7vyAg4LVCW8gUGejU0AoNnkXo00¼’’ SHA1C¼‘‘ayipuajsaArc3KtqJ2EEblAkoac¼’’/>

3.8.

Display pictures

As in previous versions of MSN Messenger, display pictures of the Windows Live Messenger user are stored in the directory ‘C:\Documents and Settings\<user>\Application Data\

By using the SHA1D field – the name of the file – the display picture of wvdongen@zonnet.nl can be found in the ‘MessengerCache’ directory. Type¼‘‘3’’ signifies a display picture. For more information about the MSN protocol visit the websites mentioned in Section 3.3.

Fig. 16 – The display picture of the MSN protocol example.

86

digital investigation 4 (2007) 73–87

4.
4.1.

Results summary
Directories and files 

C:\Windows\system32\config\AppEvent.Evt: after each successful login or logout two lines are written in the event log [see Section 3.1].  C:\hiberfil.sys: the hibernation file, this file may contain MSN protocol traces [see Section 3.3].  C:\Documents and Settings\<user>\Contacts\: contains cached contact files such as .WindowsLiveContact, .Contact, .WindowsLiveGroup, .Group and contactcoll.cache files. The files are stored in a directory named after the WLM account [see Section 3.2].  C:\Documents and Settings\<user>\Local Settings\ Application Data\Microsoft\Windows Live Contacts\: contains cached contact files stored in a directory named after the WLM account. This directory is broken down in the following subdirectories: B <WLM_account>\Real\: .MeContact, .Addressbook, members.stg, contactcoll.cache files [see Section 3.2.2]. B <WLM_account>\Shadow\: .WindowsLiveContact, members.stg, contactcoll.cache, .MeContact and .WindowsLiveGroup files [see Section 3.2.2].  C:\Documents and Settings\<user>\Local Settings\ Temp\: the members.stg file stored as ‘w<name>.tmp’ [see Section 3.2.2].  C:\Documents and Settings\<user>\Local Settings\ Application Data\Microsoft\Messenger\: this directory is used for the shared folder option. Files are stored ordered by directories named after the WLM accounts and broken down in directories named after the contact. B <WLM_account_user>\Sharing Folders\<WLM_account_contact>\: the actual shared files [see Section 3.6]. B <WLM_account_user>\SharingMetaData\: activitylog. dat, shared folder activity log file [see Section 3.6]. B <WLM_account_user>\SharingMetaData\Logs: Dfsr.log contains shared folder activities [see Section 3.6]. B <WLM_account_user>\SharingMetaData\<WLM_account_ contact>\: _thumb.png, and contact display picture [see Section 3.6].  C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\<MSN_Passport_ID>\: B MapFile\: several encrypted .dat files, one of these files contains MSN Passport IDs and e-mail addresses of contacts [see Section 3.2.2]. B UserTitle\: WLM user display pictures stored in the format ‘TFR<nr>.dat’ [see Section 3.8]. B VoiceClip\: voice clips stored in a .dat file [see Section 3.7.1]. B C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\VoiceClip\: voice clips stored in the format ‘msnmsgr_<timestamp>.wav’ [see Section 3.7.1].  C:\Documents and Settings\<user>\Local Settings\ Temporary Internet Files\: gateway.dll files containing MSN protocol traces and webcam advertisement images are cached in this directory [see Sections 3.3 and 3.7.2]. 

C:\Documents and Settings\<user>\Local Settings\ Temporary Internet Files\Content.IE5\: gateway[<nr>]. <session_ID> files containing MSN protocol traces are cached in this directory [see Section 3.3].  C:\Documents and Settings\<user>\My Documents\My Received Files\: default storage directory for received files [see Section 3.6].  C:\Documents and Settings\<user>\Local Settings\ Temp\MessengerCache\: cached contact display pictures [see Section 3.8].

4.2.

Registry 

HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\: Global WLM settings. B RTCTuned: boolean indicating if the user has configured audio and video devices [see Section 3.7].  HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\ webcam\: a timestamp of the last initiation of a webcam session is stored in this registry key and contains a binary value grouped by the type of webcam session: B tllp: only the user is broadcasting [see Section 3.7.2]. B tllv: only the contact is broadcasting [see Section 3.7.2]. B tllpr_t_p: both contact and user are broadcasting, the user started the request [see Section 3.7.2]. B tllpr_v: both contact and user are broadcasting, the contact started the request [see Section 3.7.2].  HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\ PerPassportSettings\< MSN_Passport_ID>\: user settings and preferences ordered by MSN Passport ID. The following interesting values can be found under this registry key: B UTL: contains the WLM account (e-mail address) [see Section 3.1]. B DisableCache: registry key to verify if caching is disabled [see Section 3.2.1]. B DisableContactEncryption: registry key to verify if encryption is disabled [see Section 3.2.2]. B MessageLoggingEnabled: registry key to verify if message logging is enabled [see Section 3.5]. B MessageLogPath: holds the directory where message log files are stored [see Section 3.5]. B FtReceiveFolder: holds the directory where received files are stored [see Section 3.6].  HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\: location of the Windows credential manager holds accounts which are set to be ‘remembered’ by WLM [see Section 3.1].  HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Explorer\ComDlg32\OpenSaveMRU: in this registry key all files – including their directory path – which are saved by using the ‘save as’ button are stored in order of their extension [see Section 3.6].

5.

Conclusions

It is clear that traces are left behind on the hard disk when Windows Live Messenger is used. Even though it is not always

digital investigation 4 (2007) 73–87

87

possible to trace back complete conversations, traces that indicate the use of WLM can always be found on the hard disk: user settings, contacts files, temporary files, log files, registry keys, free space and slack space and so on. By analyzing all of these traces it is possible to get an overall picture of a user’s WLM activities. Programs like Forensic Box and DCode Date can be very helpful in forensic examinations. Besides this, file signatures and known file structures can also be of great value in an examination when a user has tried to cover his traces. When someone has deliberately performed illegal activities with the use of Windows Live Messenger, one must have extensive knowledge of Windows Live Messenger and computers in general in order to be able to delete all the traces.

references

Arrington Michael. Instant messaging and trashing google. Available from: <http://www.techcrunch.com/2006/07/24/ instant-messaging-and-trashing-google>; 2006. Dickson Mike. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3. Mook Nate. MSN Messenger most used IM client. Available from: <http://www.betanews.com/article/MSN_Messenger_Most_ Used_IM_Client/1144778820>; 2006. MarketShare.com. Operating system market share for April, 2007. Available from: <http://marketshare.hitslink.com/report. aspx?qprid¼2>; 2007. Mintz Mike, Sayer Andrew. MSN Messenger protocol, general – HTTP connections. Available from: <http://www.hypothetic. org/docs/msn/general/http_connections.php>; 2004. Wouter S. van Dongen BSc studied Computer Sciences at the Leiden College of Advanced Studies and graduated Cum-Laude. He will continue to pursue his MSc in System and Network Engineering at the University of Amsterdam. He currently works as a Forensic IT Specialist at Fox-IT.

Acknowledgments
The author would like to thank Erwin van Wiel of the MiddenWest Brabrant Police department, creator of Forensic Box, for his useful suggestions.

Sign up to vote on this title
UsefulNot useful