
Examine Yahoo Messenger

Khang Nguyen
ITDF-2425-8002 / SPRING / 2009
khangpng@gmail.com
December 19, 2009

Table of Contents
Objectives ....................................................................................................................................... 3
Executive Summary ........................................................................................................................... 3
Procedures ....................................................................................................................................... 3
Installation: ................................................................................................................................. 3
Un-installation: ........................................................................................................................... 3
Logs: ........................................................................................................................................... 4
Profiles: ....................................................................................................................................... 6
Cache: ......................................................................................................................................... 6
Registry: ...................................................................................................................................... 6
Message Archive:........................................................................................................................ 7
Tools Used ...................................................................................................................................... 8
Appendix ......................................................................................................................................... 8

Table of Figures
Figure 1-3 values were added.......................................................................................................... 4
Figure 2-Log what changing in YM ............................................................................................... 4
Figure 3-Log raw message is transferred ........................................................................................ 5
Figure 4-Logging messages transferring between users ................................................................. 5
Figure 5-user sessions ..................................................................................................................... 5
Figure 6-HKEY_CURRENT_USER\Software\Yahoo\Pager\Profiles ........................................... 6
Figure 7-Contain user information.................................................................................................. 7
Figure 8-viewing chat log file ......................................................................................................... 8

Objectives
In this discovery event, my objective is to examine Yahoo Messenger (YM). I want to know
what differences I can see in the registry or in system files after installing or uninstalling it. In
addition, I look for a way to read YM archive .dat files.

Executive Summary
After examining YM by installing and uninstalling it, I found that YM leaves a lot of traces
behind in the registry and in system files. That is our chance to trace someone who uses YM to
abuse people, especially child-porn abuse, sex abuse, etc. Furthermore, like other software, even
if we uninstall or remove it, it still leaves something behind which we can look for. Most software
has logs and archives. We can also look for information in them.

Procedures
Installation:
In registry:
I used inctrl5 to take a snapshot before and after installing. I checked everything to install
YM completely. I found that YM put a lot of keys into the registry. Here is the result:
- 1733 keys were added.
- 38 keys were deleted.
- 2095 values were added.
- 141 values were deleted.
- 34 values changed.

Note: I wonder why, and what, YM deletes keys and values while it is installing.
In system file:
By default, YM installs itself into C:\Program Files. This default configuration cannot be
changed. It creates several files and folders. I notice that several folders contain important
information I need to examine. They are MESSENGER (root folder), LOGS, PROFILES, and
CACHE. Each time a user logs in, YM logs everything and stores it in those folders as .dat files.

Un-installation:
In registry:
I used inctrl5 again to take a snapshot before and after uninstalling. Even though I uninstalled
it, many keys and values still stayed in the registry and in the system files. Here is the result:
- 1338 keys were deleted. 395 keys remained in the registry.
- 3 values were added, although this was an UN-INSTALLATION.

Figure 1-3 values were added

- 1575 values were deleted. 520 values remained in the registry.
- 10 values were changed. 24 values were not changed.

In system file:
Although I removed YM, some folders and files were still in C:\Program Files. It left the Profiles
folder behind. This folder contains Archive, iconindex.dat, and Icons.

Logs:
This folder contains six files. These files log everything whenever a user signs in, signs out,
sends and receives messages, receives email notices, etc.
- billing_user logs information about users who have a calling account or billing.
- client_user logs everything that changes or happens in YM.

Figure 2-Log what changing in YM

- network_user logs the raw messages transferred from the current user to the user on the
other side.

Figure 3-Log raw message is transferred

- reliablemessaging_user has the same function as the log file above, but it has timestamps
and more information about what is being transferred between the two chatting users.

Figure 4-Logging messages transferring between users

- voice_<computer name>_<num> (in my case, voice_ESOL_0) logs the times a user signs
in and signs out. These are called user sessions.

Figure 5-user sessions

- ycp_user

Profiles:
YM automatically creates folders named after the users who have signed in. For example, if 3
users have signed in, there must be 3 folders named user01, user02, and user03.
Each user folder contains 2 folders (Archive and Icons) and 1 .dat file (iconindex.dat).
The Icons folder and iconindex.dat store user information such as the avatar. The most important
thing is the Archive folder. This folder stores several files that log what the user chats with
other users. This is also the place where we should search for evidence first.

Cache:
This folder contains everything about the YM configuration and whatever YM fetches from the
Internet. It works like the IE cache.

Registry:
The default key that YM registers is HKEY_CURRENT_USER\Software\Yahoo. I think I
should pay attention to two keys: HKEY_CURRENT_USER\Software\Yahoo\Profiles and
HKEY_CURRENT_USER\Software\Yahoo\Pager\Profiles. These keys tell me how many
users have already signed in and used the computer. They also contain much of the information I
want to look at.

Figure 6-HKEY_CURRENT_USER\Software\Yahoo\Pager\Profiles

Figure 7-Contain user information

Message Archive:
This folder contains files that log everything the user chats with other users. We can use a tool,
like Super YM Archive Decoder, to decode the .dat files. These .dat files are stored following the
template <timestamp>-<username>.dat. For example, 20090304-khangpngw.
Note: I notice that the file's timestamp can be tampered with, but the timestamp inside the log
cannot be changed. We should look at that point whenever we decode and view the content.
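A small triage script for the Profiles folder described above, added here as an example and not part of the report or its tooling: it enumerates Profiles/<user>/Archive, parses archive file names against the <timestamp>-<username>.dat template, and flags files whose filesystem modification date disagrees with the date in the name, since the file timestamp can be altered while the name still carries the original date. The sample directory tree with its user names and dates is constructed for the demo; the archive contents themselves are not decoded.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
# Archive files follow <timestamp>-<username>.dat, e.g. 20090304-khangpngw.dat
ARCHIVE_RE = re.compile(r"^(?P<date>\d{8})-(?P<user>[^.]+)\.dat$")

def parse_archive_name(name):
    """Return (date, username) for a name matching the template, else None."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group("date"), "%Y%m%d").date(), m.group("user")
    except ValueError:  # eight digits that are not a calendar date
        return None

def triage_profiles(profiles_dir):
    """List archive files under Profiles/<user>/Archive; flag name/mtime date mismatches."""
    findings = []
    for profile in sorted(os.listdir(profiles_dir)):
        archive = os.path.join(profiles_dir, profile, "Archive")  # absent dir: walk yields nothing
        for root, _dirs, files in os.walk(archive):
            for fname in sorted(files):
                parsed = parse_archive_name(fname)
                if parsed is None:
                    continue  # iconindex.dat and other non-archive files
                day, user = parsed
                path = os.path.join(root, fname)
                # UTC date of the filesystem mtime, compared with the date encoded in the name
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).date()
                findings.append({"profile": profile, "user": user, "date": day.isoformat(),
                                 "path": path, "mtime_mismatch": mtime != day})
    return findings

def build_sample_profiles():
    """Constructed Profiles tree (made-up names and dates); the second file's mtime contradicts its name."""
    base = tempfile.mkdtemp(prefix="ym_profiles_")
    samples = [("user01", "20090304-user01.dat", "2009-03-04"),
               ("user01", "20090305-user01.dat", "2009-12-19"),
               ("user02", "20090310-user02.dat", "2009-03-10"),
               ("user02", "iconindex.dat", "2009-03-10")]
    for profile, fname, mdate in samples:
        folder = os.path.join(base, profile, "Archive")
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, fname)
        open(path, "wb").close()
        ts = datetime.strptime(mdate, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))
    return base
```

Running `triage_profiles(build_sample_profiles())` reports three archive files, with only the second one flagged as `mtime_mismatch`.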

Figure 8-viewing chat log file

Tools Used
Yahoo Messenger
MS Paint
Inctrl5
Super YM Archive Decoder

Appendix
