available at www.sciencedirect.com
Article history:
Received 30 May 2007
Revised 12 June 2007
Accepted 13 June 2007

Keywords:
MSN Messenger
Windows Live Messenger
Microsoft Messenger
Instant messaging
Contact list
Conversation content
Forensic Box

Windows Live Messenger – commonly referred to as MSN Messenger – is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP. Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger.

© 2007 Elsevier Ltd. All rights reserved.
sessions are explained in the following paragraph. The eighth and final paragraph discusses contact and user display pictures.
In Section 4 all results are summarized, and this section can be used as an appendix. Conclusions are given in Section 5 and are based on the results.

2. Method

The Windows Live Messenger examination has been conducted on Microsoft Windows XP Home and Professional, both with service pack 2 installed on an NTFS formatted file system.
Preceding the actual research an overview of all Windows Live Messenger functionalities was set up. By using these functionalities, test scenarios were created in VMware (virtual machines, available from http://www.vmware.com) images and analyzed with AccessData Forensic Toolkit (available from http://www.accessdata.com) version 1.62.1. Each scenario was conducted on a clean copy of a VMware image. Furthermore the VMware images were 'live' analyzed by using Windows Sysinternals Filemon and Regmon (available from http://www.microsoft.com/technet/sysinternals/) to monitor file and Windows registry activity, WinHex (available from http://www.x-ways.net) for the examination of the virtual memory and files, and Wireshark (available from http://www.wireshark.org) to monitor TCP/IP traffic.
Before analyzing the test scenarios the 'basic' scenarios installation and first login attempt were investigated. After analyzing all the test scenarios the result of the deinstallation of WLM was examined.
The plausibility of all the conclusions that were associated with findings was carefully checked by using the following evaluation questions:

- Are all the experiments which are carried out relevant for the conclusion?
- Have sufficient experiments been carried out in order to give a well-founded conclusion?
- Are there any counter examples?

3. Results

3.1. Which accounts are used

There are four ways which can be used to determine which WLM accounts were used on the computer.
The first and most evident way is to check the Windows application event file. After each successful login or logout in WLM two lines are written into the event log 'C:\Windows\system32\config\AppEvent.Evt'. Due to these entries the used account and the date and time of usage can be established. An event with the description 'MsnMsgr (<process_ID>) \\.\C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account>\SharingMetadata\Working\database_<unique_computer_ID>\dfsr.db: The Database engine started a new instance (0)' is written after a successful login. After a logout an event with the same description is written to the event file, only the additional information that will be displayed is 'The database engine has stopped the instance (0)'. Both entries have ESENT as source.
The second way is by checking registry keys. During a login attempt a new registry key with the MSN Passport ID of the account as the name of the key is created in 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\'. The MSN Passport ID is generated by using a proprietary hash function on the WLM account. This registry key contains all user preferences and settings. When a login attempt is not successful this registry key will only contain binary data named 'DefaultSignInState'. When a user is successfully logged in, the registry key will contain more binary data, including the binary data named 'UTL'. 'UTL' contains the user's display picture and the WLM account (e-mail address). Because of this it is possible to determine to which account all preferences and settings belong. If the user has disabled the use of display pictures the value of 'UTL' will be empty.
The third method is to look for directories which are named after the WLM account. Three directories named after the WLM account are created during a first login attempt. One directory will be placed in 'C:\Documents and Settings\<user>\Contacts\' and a second in 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\'. If a login attempt is unsuccessful these directories will only contain a file named contactcoll.cache of 2 kb. The content of these directories is further explained in Section 3.2.2. The third directory is created in 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger'. This directory is only created if the login attempt is successful; its purpose is to store shared files.
Looking for accounts which are set to be 'remembered' by WLM is the fourth and last method. The accounts are saved in the Windows credential manager. WLM credential data are stored in the registry path 'HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\'. The credentials can easily be decrypted with the tools AccessData Password Recovery Toolkit and Forensic Box (this freeware program can be requested at forensicbox@gmail.com). In some situations this can obviously be done by starting up WLM to see which accounts are stored.
None of the above artefacts will be removed by uninstalling Windows Live Messenger.

3.2. Contact list

3.2.1. Shared computer option

By default Windows Live Messenger caches display pictures and the address book. Nevertheless it is possible for the user to disable the caching, whereby contacts are not saved on the hard disk. This can be done by selecting 'This is a shared computer so don't store my address book, display picture, or personal messages on it' under the security tab in the WLM options screen. In the registry under the key 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\
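Section 3.1 above reads logins and logouts from the ESENT entries in the Application event log. As an added example (not code from the paper or from Forensic Box), the following Python rebuilds per-account sessions from such entries once they have been exported as (timestamp, source, description) rows; the rows below are constructed from the description format quoted in Section 3.1, and the process ID and computer ID in them are placeholders.

```python
import re

# The WLM account is the directory component after "\Messenger\" in the dfsr.db
# path embedded in the ESENT event description (format quoted in Section 3.1).
EVENT_RE = re.compile(
    r"\\Messenger\\(?P<account>[^\\]+)\\SharingMetadata\\Working\\"
    r"database_(?P<computer_id>[^\\]+)\\dfsr\.db:\s*(?P<message>.+)$",
    re.IGNORECASE)


def classify_event(source, description):
    """Return (account, computer_id, 'login'|'logout'), or None if unrelated."""
    if source.upper() != "ESENT":
        return None
    m = EVENT_RE.search(description)
    if not m:
        return None
    message = m.group("message").lower()
    if "started a new instance" in message:
        kind = "login"
    elif "stopped the instance" in message:
        kind = "logout"
    else:
        return None
    return m.group("account"), m.group("computer_id"), kind


def build_sessions(records):
    """Pair each login with the next logout of the same account.

    records: iterable of (timestamp, source, description); timestamps are ISO
    strings so they sort chronologically. A login with no later logout is
    returned with end=None (crash, or WLM still running when imaged)."""
    open_logins, sessions = {}, []
    for ts, source, description in sorted(records, key=lambda r: r[0]):
        info = classify_event(source, description)
        if info is None:
            continue
        account, _, kind = info
        if kind == "login":
            open_logins[account] = ts
        elif account in open_logins:
            sessions.append((account, open_logins.pop(account), ts))
    sessions.extend((acct, ts, None) for acct, ts in open_logins.items())
    return sessions


# Constructed sample rows; user "dongen" and the account come from the paper's
# own examples, the process ID and computer ID are placeholders.
_PATH = ("MsnMsgr (2804) \\\\.\\C:\\Documents and Settings\\dongen\\Local Settings\\"
         "Application Data\\Microsoft\\Messenger\\wouter-fox@hotmail.com\\"
         "SharingMetadata\\Working\\database_PLACEHOLDER_ID\\dfsr.db: ")
SAMPLE_RECORDS = [
    ("2007-03-29 12:30:00", "ESENT", _PATH + "The database engine started a new instance (0)."),
    ("2007-03-29 12:45:00", "ESENT", _PATH + "The database engine has stopped the instance (0)."),
    ("2007-03-29 12:50:00", "Service Control Manager", "unrelated event"),
    ("2007-03-29 13:00:00", "ESENT", _PATH + "The database engine started a new instance (0)."),
]

if __name__ == "__main__":
    for account, start, end in build_sessions(SAMPLE_RECORDS):
        print(account, start, end or "(no logout recorded)")
```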
digital investigation 4 (2007) 73–87 75
Fig. 1 – Windows Explorer screenshot; example of the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\real\' and its corresponding contact files belonging to WLM account msnkoning@live.nl.
in plain text format. The contents of the tags are still encrypted in the same manner as the fully encrypted contacts. In the registry key 'HKEY_CURRENT_USER\Software\Microsoft\Windows Live\Communications Clients\Shared\<MSN_Passport_ID>\DisableContactEncryption' it can be verified whether encryption is disabled. If this key has the value 1, encryption is disabled. Although this option seems useless, it is worth mentioning because it could be important when data carving is used to recover contact files from the free space and slack space of the hard disk.
Members.stg is a file which contains all the contacts of a user's contact list. Members.stg consists of several XML chunks; each chunk covers one contact. In previous versions of MSN Messenger this file was named listcache.dat. In the directory 'C:\Documents and Settings\<user>\Local Settings\Temp' the file members.stg is saved as 'w<name>.tmp'. In this directory more files are saved as 'w<name>.tmp', which makes it impossible to trace in which file the contacts are saved. By opening all 'w<name>.tmp' files in a hexadecimal editor it is possible to determine with the help of the structure of the file whether it contains contacts (see the file analysis paragraphs, Sections 3.2.3–3.2.5).
The .MeContact file is named by the GUID algorithm. This file holds information regarding the WLM user such as nickname, status name, e-mail address, current display picture and a timestamp of the last dynamic change (changing display picture or nickname).

Fig. 2 – Forensic Box screenshot; example of a decrypted members.stg file belonging to WLM account msnkoning@live.nl. The information of contact wvdongen@zonnet.nl is shown.

Information related to the contact list is saved in '<GUID>.Addressbook'. This file contains information such as the number of contacts, a timestamp on which all contacts were downloaded from the server, some timestamps named DeltaMembershipTS, DeltaALLTS and DeltaDynamicTS of which the meaning is not clear, and contact and group checksums in an unknown format. Besides this, two vague values named ABCH_CacheKey and STORAGE_ChacheKey can be found.
In the directory 'C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\<MSN_Passport_ID>\MapFile' several encrypted .dat files are saved. One of these .dat files contains e-mail addresses and MSN_Passport_IDs of some contacts. It is not clear why and when the contacts are saved in a .dat file. The other .dat files mainly contain MSN object creators which do not hold any interesting information. MSN objects are formatted in XML and used to identify display pictures, backgrounds and voice clips.
All of these contact files are encrypted with a 128 bit AES encryption. The key to decrypt the files is an SHA1 hash of the corresponding Windows Live Messenger account. All encrypted Windows Live Messenger files can easily be decrypted with the use of the previously mentioned program Forensic Box.
Once again none of the above artefacts will be removed by uninstalling Windows Live Messenger. However, a user may use the 'shared computer' option or manually delete all relevant files. In this case it may be possible to restore contacts from the free space and slack space of the hard disk. In the following paragraphs the file characteristics are discussed which can be used to recover contacts.

3.2.3. Members.stg file analysis

The members.stg file is characterized by the following hex values which indicate the start of the file (header): D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00. Around offset 100 starts a consecutive section of hex values FF FF FF FF FF FF FF FF. This section ends with 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 (Root Entry).
A section with the hex values 00 and FF alternated with a few other values follows (see Fig. 4).

Fig. 4

After this the encrypted XML sections with contacts appear. The sections are clearly separated by a number of 00 00 00 00 00 00 00 00 hex values.
pattern between sections (see Fig. 5) it can be concluded that this marks the end of the file. By making a selection from the header to the end of the file, and exporting this to members.stg, it is possible to decrypt the recovered file with the use of Forensic Box (see Fig. 6).

Fig. 6 – Example of an interrupted pattern between encrypted XML sections within members.stg.

In order to decrypt the file Forensic Box needs the corresponding WLM account. This can be done by looking for the traces described in Section 3.1.

3.2.4. .WindowsLiveContact file analysis

By searching the hard disk for 'C:\Documents and Settings\<user>\Contacts\<WLM_account>\' or 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>' an attempt can be made to restore deleted .WindowsLiveContact files. Under the .WindowsLiveContact path, after the 00 hex value section the file begins. By making a selection from the beginning to the end of the file, and exporting this to <name>.WindowsLiveContact, it is possible to decrypt the recovered file with the use of Forensic Box.
By comparing .WindowsLiveContact files in a hex editor it is evident that the start of each file is equal to that of the other .WindowsLiveContact files of the corresponding WLM account. Therefore, it is possible to search the hard disk for the first 20 bytes of a .WindowsLiveContact file to find all corresponding .WindowsLiveContact files of a WLM account.
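The carving steps of Sections 3.2.3 and 3.2.4 (find the members.stg header and the 'Root Entry' marker, cut the encrypted XML sections at the runs of 00 bytes, and use the first 20 bytes of one .WindowsLiveContact file to find the others) can be scripted against a raw image. The following Python is an added example, not code from the paper or Forensic Box; the image it scans is constructed in memory, and the section contents and contact-file prefix in it are fake placeholders, not real encrypted data.

```python
# Byte patterns quoted in Section 3.2.3: the 32-byte members.stg header
# (8-byte signature, 16 zero bytes, 3E 00 03 00 FE FF 09 00) and the UTF-16
# "Root Entry" marker that closes the FF run.
MEMBERS_STG_HEADER = bytes.fromhex("D0CF11E0A1B11AE1" + "00" * 16 + "3E000300FEFF0900")
ROOT_ENTRY = "Root Entry".encode("utf-16-le")   # 52 00 6F 00 6F 00 74 00 20 00 ...
XML_SEPARATOR = b"\x00" * 8                      # separates the encrypted XML sections


def find_all(image, pattern, start=0):
    """Yield every offset at which `pattern` occurs in `image`."""
    pos = image.find(pattern, start)
    while pos != -1:
        yield pos
        pos = image.find(pattern, pos + 1)


def carve_members_stg(image):
    """Return (header_offset, root_entry_offset) per candidate members.stg.

    root_entry_offset is None when no 'Root Entry' marker follows the header
    before the next header: flag it for manual inspection rather than drop it."""
    headers = list(find_all(image, MEMBERS_STG_HEADER))
    results = []
    for i, off in enumerate(headers):
        limit = headers[i + 1] if i + 1 < len(headers) else len(image)
        root = image.find(ROOT_ENTRY, off, limit)
        results.append((off, None if root == -1 else root))
    return results


def split_xml_sections(body):
    """Split the carved body (after 'Root Entry') on the 8 x 00 separators."""
    return [part for part in body.split(XML_SEPARATOR) if part]


def find_contact_files(image, known_file):
    """Section 3.2.4: all .WindowsLiveContact files of one account share their
    first 20 bytes, so a known file's prefix is the search key for the rest."""
    if len(known_file) < 20:
        raise ValueError("need at least 20 bytes of a known .WindowsLiveContact file")
    return list(find_all(image, known_file[:20]))


# Constructed image: filler, one members.stg with two fake (not really
# encrypted) sections, filler, then two contact files sharing a 24-byte prefix.
CONTACT_PREFIX = b"\x00" * 4 + b"WLC-EXAMPLE-PREFIX-1"
_MEMBERS = (MEMBERS_STG_HEADER + b"\xff" * 64 + ROOT_ENTRY + XML_SEPARATOR
            + b"SECTION-A" + XML_SEPARATOR + b"SECTION-B" + XML_SEPARATOR)
IMAGE = (b"\x11" * 100 + _MEMBERS + b"\x22" * 50
         + CONTACT_PREFIX + b"A" * 10 + b"\x33" * 7 + CONTACT_PREFIX + b"B" * 10)

if __name__ == "__main__":
    for header, root in carve_members_stg(IMAGE):
        print("members.stg header at", header, "Root Entry at", root)
    print("contact files at", find_contact_files(IMAGE, CONTACT_PREFIX))
```

The end of a carved members.stg is still chosen by hand from the interrupted pattern the paper describes (Fig. 5); the script only reports where each candidate starts.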
Fig. 11 – Files containing MSN protocol traces in the Temporary Internet Files directory.
    <?xml version="1.0"?>
    <?xml-stylesheet type='text/xsl' href='MessageLog.xsl'?>
    <Log

End of a WLM chat log file:

    </Log>

saved by using the 'save as' button are stored in order of their extension. It is not possible to determine if the file is saved from WLM or another program. Besides these registry keys nothing that is related to transmitted files is logged.
The second possibility is by using the shared folder option. This function was introduced in Windows Live Messenger 8.0. When a user creates a sharing folder with a contact the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account_user>\Sharing Folders\<WLM_account_contact>\' is created. Every file that is shared is stored in this directory. All sharing activities are automatically logged.
Fig. 12 – Screenshot WLM shared activities log; example of a user who shared files.
Another important file in the shared folder option is 'Dfsr.log'. This file is stored in the metadata directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account>\SharingMetadata\Logs\'. 'Dfsr.log' is a file that contains plain text from which much cannot be easily understood. 'Dfsr.log', however, clearly shows when a file is shared by a user or contact. The following two examples illustrate this.
Wouter-fox@hotmail.com (user) shares a file with msnkoning@live.nl (contact):
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[0] == \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouter-fox@hotmail.com\Sharing Folders\msnkoning@live.nl
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[1] == msnkoning@live.nl
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[2] == 82C754CD-15B5-D668-C475-FAF99140BBE5
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[3] == planning.gif
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[4] == {D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[5] == {82C754CD-15B5-D668-C475-FAF99140BBE5}-v1
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[6] == msnkoning@live.nl
20070329 12:38:56.404 2804 MRSH 3618 MarshallerTMarshal FileAttrs in metadata: 0x20
20070329 12:38:56.404 2804 SRTR 771 SERVER_InitializeFileTransfer planning.gif sizeRead:16384
20070329 12:38:56.404 2804 SRTR 818 SERVER_InitializeFileTransfer Initialized connId:{FA95D0E3-BFA5-3BF8-268D-BE26CA8BE6B4} rdc:1 context:021972A8,00000000,05B74010 uid:{D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13 gvsn{D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13
20070329 12:38:56.404 2804 SRTR 833 SERVER_InitializeFileTransfer Success: 0
20070329 12:38:56.404 2804 FRTL 1333 FrtlSessionTSendOutputPacket Session:031BC5E0, bytesRemaining:-11952, packet:InitializeFileTransfer_Response, callId:46, size:16672
20070329 12:38:56.404 2804 FRTL 74 FrtlSyncServerContextTwFrtlSyncServerContext ptr:031A98E0, session:031BC5E0
20070329 12:38:56.404 3216 SNMGR 1424 SyncNegotiationManagerTLogNode node:msnkoning@live.nl state:STATE_CONNECTED timer:306 connin:CONNECTION_STATE_ONLINE connout:CONNECTION_STATE_ONLINE syncin:SYNC_STATE_IN_SYNC syncout:SYNC_STATE_IN_PROGRESS
Wouter-fox@hotmail.com shares (actually sends, see SendOutputPacket) the file 'planning.gif' on 29-03-2007 at 12:38:56 with msnkoning@live.nl. The file is copied to the directory 'C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouter-fox@hotmail.com\Sharing Folders\msnkoning@live.nl'.
msnkoning@live.nl (contact) shares a file with wouter-fox@hotmail.com (user):

20070329 12:37:20.174 2548 MEET 2019 MeetTDownload Download Succeeded: true updateName:Eula.txt uid:{46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15 gvsn:{46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15 connId:{B1B74304-961C-48D5-E935-27B3D4DDEDD2} csName:msnkoning@live.nl csId:{82C754CD-15B5-D668-C475-FAF99140BBE5}
20070329 12:37:20.174 2548 EVNT 342 EventLogTAudit Audit message: Success 1073748828
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[0] == \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouter-fox@hotmail.com\Sharing Folders\msnkoning@live.nl
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[1] == msnkoning@live.nl
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[2] == 82C754CD-15B5-D668-C475-FAF99140BBE5
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[3] == Eula.txt
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[4] == {46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[5] == {82C754CD-15B5-D668-C475-FAF99140BBE5}-v1
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[6] == msnkoning@live.nl

3.7. Audio and video

In order to use the audio and video functionality the user first has to configure the devices in Windows Live Messenger. When the configuration is completed the binary value 'RTCTuned' with the value '1' is created under the registry key 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\'.
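The two Dfsr.log excerpts above (shared folder option) follow a regular shape: every audited share is a burst of 'EventLogTAudit Param[n] == value' lines on one thread, and the paper reads SERVER_InitializeFileTransfer as the user sending and MeetTDownload 'Download Succeeded: true' as the contact sending. The following Python is an added example, not code from the paper or Forensic Box; it extracts one record per share from a log text, and its sample input is constructed from the two excerpts with the wrapped lines joined and only the lines it needs kept.

```python
import re
from collections import defaultdict

# One Dfsr.log line: date, time, thread id, module, code, free text
LINE_RE = re.compile(r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
                     r"(?P<thread>\d+) (?P<module>\w+) (?P<code>\d+) (?P<rest>.*)$")
PARAM_RE = re.compile(r"EventLogTAudit Param\[(?P<idx>\d+)\] == (?P<value>.*)$")
# Meaning of the Param[] slots as read off the paper's two excerpts
PARAM_NAMES = {0: "share_dir", 1: "contact", 3: "file_name", 4: "file_uid"}


def parse_dfsr_log(text):
    """Return one dict per audited share event, oldest first.

    Direction follows the paper's reading: SERVER_InitializeFileTransfer on the
    same thread means the user sent the file, MeetTDownload 'Download Succeeded:
    true' means a contact shared it with the user."""
    events = defaultdict(dict)      # (timestamp, thread) -> fields
    direction = {}                  # thread -> direction string
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # wrapped continuation or unrelated line
        key = (m["date"] + " " + m["time"], m["thread"])
        rest = m["rest"]
        p = PARAM_RE.search(rest)
        if p and int(p["idx"]) in PARAM_NAMES:
            events[key][PARAM_NAMES[int(p["idx"])]] = p["value"].strip()
        elif "SERVER_InitializeFileTransfer" in rest:
            direction[m["thread"]] = "sent by user"
        elif "MeetTDownload" in rest and "Download Succeeded: true" in rest:
            direction[m["thread"]] = "received from contact"
    out = []
    for (ts, thread), fields in sorted(events.items()):
        fields.update(timestamp=ts, direction=direction.get(thread, "unknown"))
        out.append(fields)
    return out


# Constructed sample: the two excerpts above, reduced to the lines used here
# and with the PDF's wrapped lines joined.
_DIR = (r"\\.\C:\Documents and Settings\dongen\Local Settings\Application Data"
        r"\Microsoft\Messenger\wouter-fox@hotmail.com\Sharing Folders\msnkoning@live.nl")
SAMPLE_LOG = "\n".join([
    "20070329 12:37:20.174 2548 MEET 2019 MeetTDownload Download Succeeded: true updateName:Eula.txt",
    "20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[0] == " + _DIR,
    "20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[1] == msnkoning@live.nl",
    "20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[3] == Eula.txt",
    "20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[4] == {46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15",
    "20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[0] == " + _DIR,
    "20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[1] == msnkoning@live.nl",
    "20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[3] == planning.gif",
    "20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[4] == {D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13",
    "20070329 12:38:56.404 2804 SRTR 771 SERVER_InitializeFileTransfer planning.gif sizeRead:16384",
])

if __name__ == "__main__":
    for ev in parse_dfsr_log(SAMPLE_LOG):
        print(ev["timestamp"], ev["direction"], ev["file_name"], "with", ev["contact"])
```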
Fig. 15 – Example of the start of a voice clip opened in a hex editor; the underlined information is distinctive for a voice clip.
However, these traces may not be as complete as shown in the example. Therefore, it may occur that only the text between the <Text></Text> tags can be found. In this case one can search for parts of the following sentences in Unicode format:

The timestamp is stored in 16 bytes, for example:

    D7 07 05 00 02 00 0F 00
    0C 00 08 00 0D 00 B4 02
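The 16 bytes above decode cleanly when read as a little-endian Win32 SYSTEMTIME (eight 16-bit words: year, month, day of week, day, hour, minute, second, milliseconds); the paper does not name the format, so that is an assumption of this added example, which is not code from the paper. The day-of-week word doubles as a cheap consistency check when such timestamps are carved from unallocated space.

```python
import struct
from datetime import datetime

# Assumed layout: Win32 SYSTEMTIME, eight little-endian unsigned 16-bit words
SYSTEMTIME = struct.Struct("<8H")


def decode_systemtime(raw):
    """Return (datetime, consistent) for 16 raw bytes.

    `consistent` is False when the day-of-week word does not match the date
    or the millisecond word is out of range; both reject most false positives
    when scanning free space for timestamps."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    year, month, dow, day, hour, minute, second, ms = SYSTEMTIME.unpack(raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)  # ValueError if invalid
    # SYSTEMTIME counts Sunday as 0, datetime.weekday() counts Monday as 0
    consistent = ms < 1000 and dow == (dt.weekday() + 1) % 7
    return dt, consistent


def looks_like_systemtime(raw):
    """Plausibility filter for a 16-byte window taken from unallocated space."""
    try:
        _, ok = decode_systemtime(raw)
    except ValueError:
        return False
    return ok


# The example bytes quoted in the text above
EXAMPLE = bytes.fromhex("D7 07 05 00 02 00 0F 00 0C 00 08 00 0D 00 B4 02")

if __name__ == "__main__":
    dt, ok = decode_systemtime(EXAMPLE)
    print(dt.isoformat(timespec="milliseconds"), "day-of-week consistent:", ok)
```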
By using the SHA1D field – the name of the file – the display picture of wvdongen@zonnet.nl can be found in the 'MessengerCache' directory. Type="3" signifies a display picture. For more information about the MSN protocol visit the websites mentioned in Section 3.3.

3.8. Display pictures

As in previous versions of MSN Messenger, display pictures of the Windows Live Messenger user are stored in the directory 'C:\Documents and Settings\<user>\Application Data\
Acknowledgments

The author would like to thank Erwin van Wiel of the Midden-West Brabant Police department, creator of Forensic Box, for his useful suggestions.

Wouter S. van Dongen BSc studied Computer Sciences at the Leiden College of Advanced Studies and graduated cum laude. He will continue to pursue his MSc in System and Network Engineering at the University of Amsterdam. He currently works as a Forensic IT Specialist at Fox-IT.