Available at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/diin
Digital Investigation 4 (2007) 73–87
Forensic artefacts left by Windows Live Messenger 8.0
Wouter S. van Dongen
Fox-IT Forensic IT Experts, Olof Palmestraat 6, 2616 LM Delft, The Netherlands
Article info
Article history:
Received 30 May 2007
Revised 12 June 2007
Accepted 13 June 2007
Keywords:
MSN Messenger
Windows Live Messenger
Microsoft Messenger
Instant messaging
Contact list
Conversation content
Forensic Box
Abstract
Windows Live Messenger – commonly referred to as MSN Messenger – is the most widely used instant messaging client worldwide, and it is mostly used on Microsoft Windows XP.
A previous examination of MSN Messenger concluded that few traces remain on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded, based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information after it has been deleted. Programs such as Forensic Box can help to analyse the artefacts which are left behind after the use of Windows Live Messenger.
© 2007 Elsevier Ltd. All rights reserved.
1. Introduction
Windows Live Messenger (WLM) is the latest version of Microsoft's instant messaging client. Versions before 8.0 were known as MSN Messenger, or MSN for short, and WLM is still commonly referred to by these names. Windows Live Messenger is by far the most used instant messaging client worldwide (Arrington, 2006; Mook, 2006). MSN Messenger was first released in July 1999; the current version of WLM at the time of writing is 8.1, released in January 2007.
This article focuses on Windows Live Messenger version 8.0 (build 8.0.0812.00). The results described here may differ for newer versions of WLM.
This article describes a number of traces which are left behind after the use of Windows Live Messenger 8.0 on Microsoft Windows XP. Microsoft Windows XP is the most used operating system worldwide (MarketShare, 2007); therefore, Windows Live Messenger on Microsoft Windows XP is the combination an examiner is most likely to encounter.
The next section explains the research method used. The section after that describes all results and is divided into eight subsections. Each file is analysed for known file structures which can be used to restore it from the free space and slack space of the hard drive.
The first subsection starts with the artefacts which are used to identify which Windows Live Messenger accounts have been used on the computer. The subsequent subsection shows where contact files of WLM accounts can be found and what useful information they contain. The subsection 'conversation content' explains under which conditions conversation content can be found on the hard disk. IP addresses are explained in the fourth subsection, followed by a subsection about chat logs. There are several ways to share files with contacts; all methods and the traces they leave are discussed in the sixth subsection. Artefacts regarding audio and video, such as voice clips and webcam sessions, are explained in the seventh subsection. The eighth and final subsection discusses contact and user display pictures.
E-mail address: [email protected]
© 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2007.06.019
In Section 4 all results are summarized, and this section
can be used as an appendix. Conclusions are given in Section 5
and are based on the results.
2. Method
The Windows Live Messenger examination was conducted on Microsoft Windows XP Home and Professional, both with Service Pack 2 installed, on an NTFS formatted file system.
Preceding the actual research an overview of all Windows Live Messenger functionalities was drawn up. Using these functionalities, test scenarios were created in VMware (virtual machines, available from http://www.vmware.com) images and analysed with AccessData Forensic Toolkit (available from http://www.accessdata.com) version 1.62.1. Each scenario was conducted on a clean copy of a VMware image. Furthermore, the VMware images were 'live' analysed using Windows Sysinternals Filemon and Regmon (available from http://www.microsoft.com/technet/sysinternals/) to monitor file and Windows registry activity, WinHex (available from http://www.x-ways.net) for the examination of the virtual memory and files, and Wireshark (available from http://www.wireshark.org) to monitor TCP/IP traffic.
Before analysing the test scenarios, the 'basic' scenarios installation and first login attempt were investigated. After analysing all the test scenarios, the result of uninstalling WLM was examined.
The plausibility of all conclusions drawn from the findings was carefully checked using the following evaluation questions:
• Are all the experiments which were carried out relevant to the conclusion?
• Have sufficient experiments been carried out in order to give a well-founded conclusion?
• Are there any counter-examples?
3. Results
3.1. Which accounts are used
There are four ways to determine which WLM accounts were used on the computer.
The first and most evident way is to check the Windows application event log. After each successful login or logout in WLM, an entry is written to the event log 'C:\Windows\system32\config\AppEvent.Evt'. From these entries the account used and the date and time of usage can be established.
An event with the description 'MsnMsgr (<process_ID>) \\.\C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account>\SharingMetadata\Working\database_<unique_computer_ID>\dfsr.db: The database engine started a new instance (0)' is written after a successful login. After a logout an event with the same description is written to the event log, except that the additional information reads 'The database engine has stopped the instance (0)'. Both entries have ESENT as source. The process ID in the description ties a start entry to its matching stop entry, so the two entries together bound one session; the account is read directly from the path.
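The following script, added here as an example and not part of the original article, turns these ESENT entries into login/logout sessions. It assumes the event log has been exported as (timestamp, source, description) records, as Event Viewer or a log parser produces; the account names, process IDs, machine identifier and timestamps in SAMPLE_EVENTS are constructed for the example.

```python
"""Reconstruct WLM 8.0 login sessions from the ESENT start/stop events in the
application event log. Added example; the event text follows the description
quoted in the article, the sample records below are constructed."""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# MsnMsgr (<pid>) \\.\C:\...\Messenger\<account>\SharingMetadata\Working\database_<id>\dfsr.db:
# The database engine started a new instance (0)  /  has stopped the instance (0)
DESC_RE = re.compile(
    r"MsnMsgr \((?P<pid>\d+)\) \\\\\.\\.*?\\Messenger\\(?P<account>[^\\]+)\\"
    r"SharingMetadata\\Working\\database_(?P<machine>[^\\]+)\\dfsr\.db: "
    r"The database engine (?P<what>started a new instance|has stopped the instance)",
    re.IGNORECASE,
)

# (timestamp, source, description) as exported from AppEvent.Evt; constructed sample
SAMPLE_EVENTS = [
    ("2007-03-13 16:02:11", "ESENT",
     r"MsnMsgr (1532) \\.\C:\Documents and Settings\alice\Local Settings\Application Data"
     r"\Microsoft\Messenger\alice@example.com\SharingMetadata\Working"
     r"\database_1B2C_3D4E\dfsr.db: The database engine started a new instance (0)."),
    ("2007-03-13 16:05:40", "Service Control Manager",
     "The Telnet service entered the running state."),
    ("2007-03-13 16:40:05", "ESENT",
     r"MsnMsgr (1532) \\.\C:\Documents and Settings\alice\Local Settings\Application Data"
     r"\Microsoft\Messenger\alice@example.com\SharingMetadata\Working"
     r"\database_1B2C_3D4E\dfsr.db: The database engine has stopped the instance (0)."),
    ("2007-03-14 09:12:30", "ESENT",
     r"MsnMsgr (2804) \\.\C:\Documents and Settings\alice\Local Settings\Application Data"
     r"\Microsoft\Messenger\bob@example.net\SharingMetadata\Working"
     r"\database_1B2C_3D4E\dfsr.db: The database engine started a new instance (0)."),
]


def parse_event(ts: str, source: str, description: str) -> Optional[dict]:
    """Return the fields of a WLM ESENT event, or None for any other event."""
    if source != "ESENT":
        return None
    m = DESC_RE.search(description)
    if not m:
        return None
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "pid": int(m["pid"]),
        "account": m["account"],
        "machine": m["machine"],
        "start": m["what"].lower().startswith("started"),
    }


def sessions(events) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Pair each start with the stop of the same account and process ID.
    A start without a stop (crash, power loss, overwritten log) is reported
    with logout None instead of being dropped silently."""
    open_sessions = {}
    result = []
    for ts, source, desc in events:
        ev = parse_event(ts, source, desc)
        if ev is None:
            continue
        key = (ev["account"], ev["pid"])
        if ev["start"]:
            open_sessions[key] = ev["time"]
        elif key in open_sessions:
            result.append((ev["account"], open_sessions.pop(key), ev["time"]))
    for (account, _pid), login in open_sessions.items():
        result.append((account, login, None))
    return sorted(result, key=lambda s: s[1])


if __name__ == "__main__":
    for account, login, logout in sessions(SAMPLE_EVENTS):
        print(f"{account}: {login} -> {logout or 'no logout recorded'}")
```

Pairing on the process ID rather than on order alone matters when two accounts are used from the same Windows profile in overlapping sessions; a login without a matching logout is worth reporting, because it indicates the machine was not shut down cleanly or the log wrapped.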
The second way is by checking registry keys. During a login attempt a new registry key, with the MSN Passport ID of the account as its name, is created under 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\'. The MSN Passport ID is generated by applying a proprietary hash function to the WLM account. This registry key contains all user preferences and settings. When a login attempt is not successful, the key only contains a binary value named 'DefaultSignInState'. When a user has successfully logged in, the key contains more binary values, including one named 'UTL'. 'UTL' contains the user's display picture and the WLM account (e-mail address), which makes it possible to determine to which account the preferences and settings belong. If the user has disabled the use of display pictures the value of 'UTL' will be empty.
The third method is to look for directories which are named after the WLM account. Three such directories are created during a first login attempt. One is placed in 'C:\Documents and Settings\<user>\Contacts\' and a second in 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\'. If a login attempt is unsuccessful these directories only contain a file named contactcoll.cache of 2 KB. The contents of these directories are further explained in Section 3.2.2. The third directory is created in 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger'. This directory is only created if the login attempt is successful; its purpose is to store shared files.
Looking for accounts which are set to be 'remembered' by WLM is the fourth and last method. These accounts are saved in the Windows credential manager; WLM credential data are stored under the registry path 'HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\'. The credentials can easily be decrypted with the tools AccessData Password Recovery Toolkit and Forensic Box (this freeware program can be requested at [email protected]). In some situations this can also be done simply by starting WLM to see which accounts are stored, which should only be done on a working copy of the image (for example a virtual machine booted from it), never on the original evidence.
None of the above artefacts are removed by uninstalling Windows Live Messenger.
3.2. Contact list
3.2.1. Shared computer option
By default Windows Live Messenger caches display pictures and the address book. Nevertheless, it is possible for the user to disable the caching, in which case contacts are not saved on the hard disk. This is done by selecting 'This is a shared computer so don't store my address book, display picture, or personal messages on it' under the security tab of the WLM options screen. Whether caching is enabled can be verified in the registry under the value 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\<MSN_Passport_ID>\DisableCache'. This value is only created once the option has been enabled. If it has the value 01, caching is disabled. When the option is subsequently disabled again, the value is set to 00. From this it can be concluded that if the value is 00 the user has used the 'shared computer' option in the past, and that if the value does not exist the user either never used this option or deleted the value.
However, in order to enable the 'shared computer' option under the security tab of the options screen, the user first needs to log in with the default settings. Because of this, contacts are first saved and then removed while logging out after the shared computer option has been enabled. Therefore it may be possible to recover contacts from the free space and slack space of the hard disk, or from the Windows swap file, using the known structure of the files. This is further explained in the 'analysis' paragraphs, Sections 3.2.3–3.2.5. The directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\', which is created during a first login attempt, is not deleted by enabling the 'shared computer' option; only its contents are removed.
3.2.2. Contacts
In the Windows Live Messenger options screen under the security tab it is possible for a user to disable encryption of saved contact files. Encryption of contacts is enabled by default, so it is not likely that a user will disable it. Besides, the contact files are not stored entirely unencrypted when this option is used: only the filename and the XML tags are in plain text, while the contents of the tags are still encrypted in the same manner as the fully encrypted contacts. Whether encryption is disabled can be verified in the registry value 'HKEY_CURRENT_USER\Software\Microsoft\Windows Live\Communications Clients\Shared\<MSN_Passport_ID>\DisableContactEncryption'. If this value is 1, encryption is disabled. Although this option seems useless, it is worth mentioning because it matters when data carving is used to recover contact files from the free space and slack space of the hard disk: the plain-text XML tags give the carver a start and end signature to work with.
When a user logs into Windows Live Messenger – without enabling the 'shared computer' option – contacts are saved in the directories 'C:\Documents and Settings\<user>\Contacts\' and 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\'. Should WLM have trouble connecting to the server, for example because of a slow Internet connection, WLM is still able to function normally by loading the saved contacts. When contacts are not saved, WLM is able to connect, but contact details such as nicknames only appear later. Encrypted contact files (default settings) are named by the Globally Unique Identifier (GUID) algorithm and are characterised by the extension .WindowsLiveContact. If the user has disabled encryption, the contact files have the extension .CONTACT and are named after the e-mail address or name of the contact. These .CONTACT files are only saved in the directory 'C:\Documents and Settings\<user>\Contacts\'. This means that even if the encryption option has been disabled, contacts in the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\' are still stored encrypted as <GUID>.WindowsLiveContact.
In the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\shadow\' the files members.stg, contactcoll.cache and .MeContact are saved among the .WindowsLiveContact files. Besides this directory, the files members.stg, contactcoll.cache and .MeContact are also saved in the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\real\'. .Addressbook files are saved in this directory as well.
Fig. 1 – Windows Explorer screenshot; example of the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>\real\' and its corresponding contact files belonging to WLM account [email protected].
Members.stg is a file which contains all the contacts of a user's contact list. It consists of several XML chunks, each covering one contact. In previous versions of MSN Messenger this file was named listcache.dat. In the directory 'C:\Documents and Settings\<user>\Local Settings\Temp' the file members.stg is saved as 'w<name>.tmp'. More files named 'w<name>.tmp' are saved in this directory, which makes it impossible to tell from the name alone in which file the contacts are saved. By opening all 'w<name>.tmp' files in a hexadecimal editor it is possible to determine, with the help of the structure of the file, whether it contains contacts (see the file analysis paragraphs, Sections 3.2.3–3.2.5).
The .MeContact file is named by the GUID algorithm. This file holds information regarding the WLM user such as nickname, status name, e-mail address, current display picture and a timestamp of the last dynamic change (changing display picture or nickname).
All of these contact files are encrypted with 128-bit AES. The key to decrypt the files is an SHA-1 hash of the corresponding Windows Live Messenger account. Note that SHA-1 produces 160 bits while an AES-128 key is 128 bits, so how the hash is reduced to a key, and which cipher mode and IV are used, is not specified here; a recovered file therefore has to be decrypted with a tool that implements these details. All encrypted Windows Live Messenger files can easily be decrypted with the previously mentioned program Forensic Box.
Fig. 2 – Forensic Box screenshot; example of a decrypted members.stg file belonging to WLM account [email protected]. The information of contact [email protected] is shown.
Information related to the contact list is saved in '<GUID>.Addressbook'. This file contains information such as the number of contacts, a timestamp at which all contacts were downloaded from the server, some timestamps named DeltaMembershipTS, DeltaALLTS and DeltaDynamicTS whose meaning is not clear, and contact and group checksums in an unknown format. Besides this, two unexplained values named ABCH_CacheKey and STORAGE_ChacheKey can be found.
In the directory 'C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\<MSN_Passport_ID>\MapFile' several encrypted .dat files are saved. One of these .dat files contains e-mail addresses and MSN Passport IDs of some contacts. It is not clear why and when contacts are saved in a .dat file. The other .dat files mainly contain MSN object creators, which do not hold any interesting information. MSN objects are formatted in XML and are used to identify display pictures, backgrounds and voice clips.
Once again, none of the above artefacts are removed by uninstalling Windows Live Messenger. However, a user may use the 'shared computer' option or manually delete all relevant files. In this case it may be possible to restore contacts from the free space and slack space of the hard disk. The following paragraphs discuss the file characteristics which can be used to recover contacts.
3.2.3. Members.stg file analysis
The members.stg file is characterised by the following hex values at the start of the file (header): D0 CF 11 E0 A1 B1 1A E1, followed by 16 bytes of 00 and then 3E 00 03 00 FE FF 09 00. This is the header of a Microsoft Compound File Binary (OLE2 structured storage) container: the eight signature bytes, an all-zero CLSID, minor version 0x003E, major version 3, the byte-order mark FE FF and a sector shift of 9 (512-byte sectors). Around offset 100 a consecutive run of FF FF FF FF FF FF FF FF hex values begins. This run ends with 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 (the UTF-16 string 'Root Entry').
Fig. 3 – The recognizable 'Root Entry' section in members.stg.
A section with the hex values 00 and FF alternated with a few other values follows (see Fig. 4).
Fig. 4
After this the encrypted XML sections with contacts appear. The sections are clearly separated by a number of 00 00 00 00 00 00 00 00 hex values.
Fig. 5 – Example of two encrypted XML sections within members.stg.
Unfortunately members.stg has no specific end signature. Where the 00 00 00 00 00 00 00 00 pattern between sections is interrupted (see Fig. 6), it can be concluded that this marks the end of the file. By making a selection from the header to the end of the file, and exporting this to members.stg, it is possible to decrypt the recovered file with the use of Forensic Box. Because the container is a compound file, its exact length can also be derived from the header and the file allocation table (FAT) instead of being inferred from the padding pattern: sector n of a compound file is stored at offset (n + 1) × 512, so the file ends after the highest sector that the FAT marks as in use.
Fig. 6 – Example of an interrupted pattern between encrypted XML sections within members.stg.
In order to decrypt the file Forensic Box needs the corresponding WLM account. This can be found by looking for the traces described in Section 3.1.
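The following carver, added here as an example and not part of the original article, locates compound file headers such as the one described above in a raw image and computes each container's length from its FAT, so that a recovered members.stg is cut at the right place regardless of what follows it in free space. Header offsets follow Microsoft's published compound file layout; the sample container is constructed inside the script.

```python
"""Carve Compound File Binary (OLE2 structured storage) containers, such as WLM
members.stg, from a raw image and size them from the FAT. Added example; the
header layout is the documented compound file header, the sample is constructed."""
import struct
from typing import Iterator, Optional, Tuple

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def _sector(data: bytes, start: int, number: int, ssz: int) -> Optional[bytes]:
    """Sector n of the container that begins at `start` lives at (n + 1) * sector size."""
    off = start + (number + 1) * ssz
    return data[off:off + ssz] if off + ssz <= len(data) else None


def cfb_length(data: bytes, start: int) -> Optional[int]:
    """Byte length of the container at data[start:], or None when the header or
    FAT is implausible (a stray signature inside unrelated data)."""
    hdr = data[start:start + 512]
    if len(hdr) < 512 or hdr[:8] != CFB_MAGIC:
        return None
    sector_shift = struct.unpack_from("<H", hdr, 0x1E)[0]
    if sector_shift not in (9, 12):          # 512-byte (version 3) or 4096-byte (version 4)
        return None
    ssz = 1 << sector_shift
    per_sector = ssz // 4
    n_fat = struct.unpack_from("<I", hdr, 0x2C)[0]
    difat_sector, n_difat = struct.unpack_from("<II", hdr, 0x44)

    # FAT sector numbers: the first 109 are in the header (the FF run in Fig. 3 is the
    # unused part of this array), any further ones are chained through DIFAT sectors.
    fat_sectors = [s for s in struct.unpack_from("<109I", hdr, 0x4C) if s != FREESECT]
    for _ in range(n_difat):
        sec = _sector(data, start, difat_sector, ssz)
        if sec is None:
            return None
        entries = struct.unpack_from(f"<{per_sector}I", sec)
        fat_sectors += [s for s in entries[:-1] if s != FREESECT]
        difat_sector = entries[-1]           # last entry points to the next DIFAT sector
    if len(fat_sectors) != n_fat:
        return None

    highest = -1                              # highest sector number the FAT marks as in use
    for i, fat_no in enumerate(fat_sectors):
        sec = _sector(data, start, fat_no, ssz)
        if sec is None:
            return None
        for j, entry in enumerate(struct.unpack_from(f"<{per_sector}I", sec)):
            if entry != FREESECT:
                highest = i * per_sector + j
    return (highest + 2) * ssz if highest >= 0 else None


def carve_cfb(image: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, length) for every container with an intact header and FAT."""
    pos = image.find(CFB_MAGIC)
    while pos != -1:
        length = cfb_length(image, pos)
        if length is not None:
            yield pos, length
        pos = image.find(CFB_MAGIC, pos + 1)


def build_sample_cfb() -> bytes:
    """Constructed three-sector container: FAT in sector 0, directory in 1, data in 2."""
    ssz = 512
    hdr = bytearray(ssz)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major, FE FF, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                      # one FAT sector; directory at 1
    struct.pack_into("<I", hdr, 0x38, 4096)                       # mini-stream cutoff
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (ssz // 4 - 3)
    directory = "Root Entry".encode("utf-16-le").ljust(ssz, b"\0")
    payload = b"<encrypted contact chunk>".ljust(ssz, b"\0")
    return bytes(hdr) + struct.pack(f"<{ssz // 4}I", *fat) + directory + payload


if __name__ == "__main__":
    image = b"\0" * 300 + build_sample_cfb() + b"\xff" * 1024
    print(list(carve_cfb(image)))
```

The FAT check also acts as a false-positive filter: a signature that happens to occur in free space, or a header whose FAT sectors were overwritten, yields no length and is skipped, whereas a hit on the eight signature bytes alone would have to be inspected by hand.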
3.2.4. .WindowsLiveContact file analysis
By searching the hard disk for 'C:\Documents and Settings\<user>\Contacts\<WLM_account>\' or 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\<WLM_account>' an attempt can be made to restore deleted .WindowsLiveContact files. The file begins after the section of 00 hex values that follows the .WindowsLiveContact path. In .WindowsLiveContact files no sections of 00 00 00 00 00 00 00 00 hex values appear elsewhere in the file, so it can be assumed that such a section marks the end of the file. By making a selection from the beginning to the end of the file, and exporting this to <name>.WindowsLiveContact, it is possible to decrypt the recovered file with the use of Forensic Box.
By comparing .WindowsLiveContact files in a hex editor it is evident that the start of each file is identical to that of the other .WindowsLiveContact files of the corresponding WLM account. Therefore, it is possible to search the hard disk for the first 20 bytes of a .WindowsLiveContact file to find all corresponding .WindowsLiveContact files of a WLM account.
Fig. 7 – Example of the start of a .WindowsLiveContact file.
Fig. 8 – Example of the end of a .WindowsLiveContact file.
3.2.5. .CONTACT file analysis
.CONTACT files have a characteristic start and end signature through which the files can be restored relatively easily with the use of data carving.
Begin of a .CONTACT file:
<?xml version="1.0" encoding="UTF-8"?><c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:WL="http://schemas.microsoft.com/Contact/Extended/WL">
End of a .CONTACT file:
</c:contact>
3.3. Conversation content
In the article 'An examination into MSN Messenger 7.5 contact identification', published in Digital Investigation 3 (2006) 79–83, Mike Dickson states that 'conversation content never appeared anywhere on the hard disk other than – on only one occasion – within the Windows swap file'. Contrary to this statement it is possible – in some situations – to find (parts of) conversations on the hard disk in places other than the Windows swap file.
First of all, the data in system RAM are written to the file 'hiberfil.sys' when the system is put into hibernation mode. This file resides in the root of the system partition – usually 'C:\hiberfil.sys' – and is roughly the same size as the installed RAM. 'hiberfil.sys' is not removed when the system is operating in normal mode. Mainly MSN protocol traces can be found in it, but encrypted and decrypted contact files reside in 'hiberfil.sys' as well. Data are scattered across the file as in the Windows swap file and RAM, and are therefore hard to analyse. However, it is fairly easy to find sent and received messages by searching for 'X-MMS-IM-Format', whereas it is very difficult to determine the order of the messages. The X-MMS-IM-Format field specifies formatting options for the content of the message such as font name and colour. Note that Windows XP stores most pages of 'hiberfil.sys' compressed, so a plain string search only hits the uncompressed part of the file; the file should be decompressed with a hibernation-file tool before it is searched.
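The script below, added here as an example and not part of the original article, recovers messages from a memory image by the X-MMS-IM-Format marker and then uses the MSG command line in front of it to delimit the body exactly. The MSG framing (MSG <sender> <nickname> <length> from the server, MSG <TrID> <A|N|U> <length> from the client, each followed by <length> bytes of MIME headers and body) is taken from the public MSN protocol documentation the article refers to, not from the article itself; the memory fragment is constructed.

```python
"""Recover MSN Messenger chat messages from a memory image (hiberfil.sys,
pagefile.sys or a RAM dump) by the X-MMS-IM-Format header. Added example; the
MSG command framing follows the public MSNP documentation, the dump is constructed."""
import re
from typing import Dict, List
from urllib.parse import unquote

MARKER = b"X-MMS-IM-Format"
MSG_HDR = re.compile(rb"MSG (\S+) (\S+) (\d+)\r\n")


def _build_msg(first: str, second: str, body: str) -> bytes:
    """MSG command as carried on the wire: header line, then <length> payload bytes."""
    payload = ("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n"
               "X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0\r\n\r\n"
               + body).encode("utf-8")
    return f"MSG {first} {second} {len(payload)}\r\n".encode() + payload


def build_sample_dump() -> bytes:
    """Constructed memory fragment: a received message, a sent one (TrID 7), an
    orphaned MIME block whose MSG line was overwritten, and a received message
    cut off by the end of the captured page."""
    return (b"\x00" * 64 + _build_msg("bob@example.net", "Bob", "Hi, how are you?")
            + b"\x90" * 40 + _build_msg("7", "A", "Fine, thanks. Sending the file now.")
            + b"\x00" * 16 + b"MIME-Version: 1.0\r\nX-MMS-IM-Format: FN=Arial; EF=; CO=0; CS=0; PF=0"
            + b"\r\n\r\nOrphaned fragment\x00\x00" + b"\x00" * 16
            + _build_msg("bob@example.net", "Bob", "Got it, thanks!")[:-6])


def extract_messages(dump: bytes, window: int = 1024) -> List[Dict]:
    """One record per X-MMS-IM-Format occurrence. When the MSG line in front of
    it is intact, its byte count delimits the body exactly and the client TrID
    or the sender address is recovered; otherwise the body is read up to the
    next control byte and the record is flagged incomplete."""
    out = []
    pos = dump.find(MARKER)
    while pos != -1:
        rec = {"offset": pos, "direction": "unknown", "sender": None, "nick": None,
               "trid": None, "complete": False, "body": ""}
        hdr = None
        for cand in MSG_HDR.finditer(dump, max(0, pos - window), pos):
            hdr = cand                        # nearest MSG line before the marker
        if hdr is not None and pos >= hdr.end() + int(hdr.group(3)):
            hdr = None                        # that line's payload ends before the marker
        if hdr is not None:
            first, second = hdr.group(1).decode(), hdr.group(2).decode()
            length = int(hdr.group(3))
            payload = dump[hdr.end():hdr.end() + length]
            if first.isdigit() and second in ("A", "N", "U"):
                rec["direction"], rec["trid"] = "sent", int(first)      # client -> server
            else:
                rec["direction"], rec["sender"], rec["nick"] = "received", first, unquote(second)
            _, sep, body = payload.partition(b"\r\n\r\n")
            nul = body.find(b"\x00")          # a NUL inside chat text: the page ended here
            body = body if nul == -1 else body[:nul]
            rec["complete"] = bool(sep) and nul == -1 and len(payload) == length
        else:
            _, sep, rest = dump[pos:pos + window].partition(b"\r\n\r\n")
            body = re.split(rb"[\x00-\x1f]", rest, maxsplit=1)[0] if sep else b""
        rec["body"] = body.decode("utf-8", "replace")
        out.append(rec)
        pos = dump.find(MARKER, pos + 1)
    return out


if __name__ == "__main__":
    for rec in extract_messages(build_sample_dump()):
        print(rec["direction"], rec["sender"] or rec["trid"], repr(rec["body"]), rec["complete"])
```

The client transaction ID (TrID) increases with every command the client sends during a session, so it gives the relative order of the user's own messages within one session; received messages carry no such counter, which is why the order of a recovered conversation remains uncertain.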
Furthermore, MSN protocol traces including received messages can be found in the directories 'C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\' and 'C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\'. These traces only occur when port 1863 is blocked by a firewall; in that situation WLM tunnels the protocol over HTTP on port 80. Port 80 is the default HTTP port and is therefore normally not blocked by firewalls, while many organisations block port 1863 for security reasons. Because of this, these artefacts may occur more often than one would expect.
MSN protocol traces are stored as 'gateway.dll?<internetaddress>' and 'gateway[1].<session_ID>'.
Fig. 9 – Example of a message (Hi, how are you?) sent by [email protected].
Fig. 10 – Files containing MSN protocol traces in the Temporary Internet Files\Content.IE5\ directory.
Fig. 11 – Files containing MSN protocol traces in the Temporary Internet Files directory.
The script that is used is /gateway/gateway.dll, and it takes the following parameters (Mintz and Sayer, 2004):
<Action>: Either 'open' to open a new session or 'poll' to receive queued commands without sending any commands. Non-empty requests do not include an 'action' parameter.
<Server>: Only used with 'action=open' to specify the type of server to open. The value can be either 'NS' to open a notification server session or 'SB' to open a switchboard session.
<IP>: Used with 'action=open' to specify the IP address or domain name of the server.
<SessionID>: Sent with every request.
If the hard disk is formatted with the NTFS file system, MSN protocol traces can also be found in the Master File Table ($MFT). The Master File Table is a file that contains one base file record for each file and folder on an NTFS volume. A file of no more than a few hundred bytes is stored resident, entirely inside its 1024-byte record, which is why the content of small 'gateway' cache files turns up in the $MFT itself. If the allocation information for a file or folder is too large to fit inside a single record, further file records are allocated as well. The location of the Master File Table is recorded in the boot sector of the volume.
By sorting the 'gateway files' in the 'Temporary Internet Files' directory by date and time, the course of a WLM session can be analysed chronologically. Traces that reside in the $MFT are already recorded in chronological order. The $MFT timestamps of each record can be found with a hexadecimal editor. They are 64-bit Windows FILETIME values (100-nanosecond intervals since 1 January 1601, stored little endian), recognisable by the value 01 of the eighth byte for any date between 1829 and 2057, and can be decoded with the program DCode Date (available from http://www.digital-detective.co.uk).
MSN protocol artefacts contain all kinds of useful information such as received messages, nicknames, contacts, the status of contacts (online, busy, away, etc.) and actions undertaken such as remote assistance. By looking at the creation time of the files, the exact time of an event can be determined. The traces are not removed when closing and/or signing out of WLM, and the files containing the traces are not modified after creation. The contents of the 'Temporary Internet Files' directory are removed by default after 20 days; this may differ depending on the user's Internet Explorer settings.
A description of all MSN protocol traces is too extensive for this article. In order to interpret the MSN protocol traces correctly it is recommended to visit http://msnpiki.msnfanatic.com and http://www.hypothetic.org/docs/msn/, where the MSN protocol is described in detail.
3.4. IP addresses
Windows Live Messenger tries to establish a direct connection for file transfers between sender and receiver. First the sender sends an invitation to initiate a file transfer with the contact. Next the contact is asked to accept or decline the file transfer. If the contact accepts, the IP addresses of all available network adapters of the contact are sent to the MSN server, which passes the IP details on to the file sender in an MSN protocol packet. To establish a direct connection the file sender sends TCP SYN packets to all network adapters of the contact. If WLM is able to establish the connection the file transfer starts; if not, the TCP SYN times out and a connection through the MSN server is established instead. When monitoring the network traffic with a TCP/IP sniffer such as Wireshark, the IP address of the contact is revealed as soon as the contact accepts the file transfer. The file receiver can only learn the sender's IP address if a direct connection with the sender is established. In the same way the IP address can be revealed when establishing a shared folder, audio or webcam connection.
3.5. Chat logs
In the registry under the key 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\<MSN_Passport_ID>' it can be checked whether the message logging option is enabled. If the binary value 'MessageLoggingEnabled' is '0', message logging has been disabled. Any value other than '0' – usually 04 03 01 00 00 00 – means that message logging is enabled. The binary value 'MessageLogPath' holds the path to the directory where the messages are stored. The values 'MessageLoggingEnabled' and 'MessageLogPath' are created when the message logging option is enabled. From this it can be concluded that if the values exist, the user has used or is currently using the option, depending on their content. If the values exist but the directory named in 'MessageLogPath' is empty, the user might have deleted his/her messages. With the use of starting and ending signatures, message log files can be recovered from the free space and slack space. Even when the values 'MessageLoggingEnabled' and 'MessageLogPath' do not exist it is recommended to try to recover message log files, because the user could easily have deleted the registry values.
Start of a WLM chat log file:
<?xml version="1.0"?><?xml-stylesheet type='text/xsl' href='MessageLog.xsl'?><Log
End of a WLM chat log file:
</Log>
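The following script, added here as an example and not part of the original article, carves both artefacts that the article gives XML start and end signatures for, the .CONTACT files of Section 3.2.5 and the chat logs above, and then flattens a carved chat log into one row per message. The signatures are the ones listed in the article; the inner layout of a chat log (Message elements with a DateTime attribute, From/User elements with a FriendlyName attribute and a Text element) is assumed from the MessageLog format WLM 8 writes, and the sample free-space blob is constructed.

```python
"""Carve WLM XML artefacts (.CONTACT files and MessageLog chat logs) from free
space by their start and end signatures, then parse the chat logs. Added
example; signatures from the article, the Message layout is assumed, the
sample blob is constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List, Tuple

SIGNATURES = {
    "contact": (re.compile(rb'<\?xml version="1\.0" encoding="UTF-8"\?><c:contact '),
                b"</c:contact>"),
    "chatlog": (re.compile(rb"<\?xml version=\"1\.0\"\?><\?xml-stylesheet type='text/xsl' "
                           rb"href='MessageLog\.xsl'\?><Log"),
                b"</Log>"),
}
MESSAGE_RE = re.compile(rb"<Message\b.*?</Message>", re.S)


def carve_xml(blob: bytes) -> Iterator[Tuple[str, int, bytes, bool]]:
    """Yield (kind, offset, data, complete). A file whose end tag is missing
    (overwritten, or split across non-adjacent clusters) is cut at the next
    start signature of any kind, or at the end of the blob, and flagged."""
    starts = sorted((m.start(), kind, m.end())
                    for kind, (start_re, _) in SIGNATURES.items()
                    for m in start_re.finditer(blob))
    for i, (off, kind, hdr_end) in enumerate(starts):
        limit = starts[i + 1][0] if i + 1 < len(starts) else len(blob)
        end_tag = SIGNATURES[kind][1]
        end = blob.find(end_tag, hdr_end, limit)
        if end != -1:
            yield kind, off, blob[off:end + len(end_tag)], True
        else:
            yield kind, off, blob[off:limit], False


def chat_messages(data: bytes, complete: bool) -> List[Dict[str, str]]:
    """Flatten the Message elements of a carved log. For an incomplete log the
    intact Message elements are parsed one by one instead of the whole document."""
    if complete:
        elems = ET.fromstring(data).findall("Message")
    else:
        elems = [ET.fromstring(frag) for frag in MESSAGE_RE.findall(data)]
    rows = []
    for msg in elems:
        sender = msg.find("From/User")
        text = msg.find("Text")
        rows.append({
            "datetime": msg.get("DateTime", ""),
            "session": msg.get("SessionID", ""),
            "from": sender.get("FriendlyName", "") if sender is not None else "",
            "text": "".join(text.itertext()) if text is not None else "",
        })
    return rows


def _msg(time: str, sender: str, to: str, text: str) -> bytes:
    """One Message element in the assumed MessageLog layout (constructed)."""
    return (f'<Message Date="13/03/2007" Time="{time}" DateTime="2007-03-13T{time}.000Z" SessionID="1">'
            f'<From><User FriendlyName="{sender}"/></From><To><User FriendlyName="{to}"/></To>'
            f'<Text Style="font-family:MS Shell Dlg; color:#000000; ">{text}</Text></Message>').encode()


def build_sample_blob() -> bytes:
    """Constructed free-space sample: a complete chat log, a .CONTACT file whose
    end tag was overwritten, and a chat log cut off in the middle of a message."""
    log_head = (b"<?xml version=\"1.0\"?><?xml-stylesheet type='text/xsl' href='MessageLog.xsl'?>"
                b"<Log FirstSessionID=\"1\" LastSessionID=\"1\">")
    full_log = (log_head + _msg("16:11:22", "Wouter", "Koning", "Hi, how are you?")
                + _msg("16:11:40", "Koning", "Wouter", "Fine &amp; you?") + b"</Log>")
    contact = (b'<?xml version="1.0" encoding="UTF-8"?><c:contact c:Version="1" '
               b'xmlns:c="http://schemas.microsoft.com/Contact"><c:Notes>...</c:Notes>')
    cut_log = (log_head + _msg("17:04:06", "Koning", "Wouter", "Sending the symphony")
               + b'<Message Date="13/03/2007" Time="17:05')
    return b"\x00" * 32 + full_log + b"\xcc" * 20 + contact + b"\x00" * 40 + cut_log + b"\x00" * 8


if __name__ == "__main__":
    for kind, off, data, complete in carve_xml(build_sample_blob()):
        print(kind, off, len(data), "complete" if complete else "truncated")
        if kind == "chatlog":
            for row in chat_messages(data, complete):
                print("   ", row["datetime"], row["from"], row["text"])
```

Cutting an unterminated file at the next start signature keeps a carver from swallowing the following artefact, and parsing message elements individually salvages what remains of a log whose tail was overwritten, which a whole-document XML parse would reject.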
Logged messages are not deleted when uninstalling Windows Live Messenger.
3.6. Transmitted files
Windows Live Messenger offers two possibilities to share files with a contact.
The first possibility is to send a single file. By default, files which are received by WLM are stored in the directory 'C:\Documents and Settings\<user>\My Documents\My Received Files\'. This directory can be changed by the user in the WLM options menu. The path to the 'receiving' directory is stored in the registry value 'HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\FtReceiveFolder'. Users can also use the 'save as' button to save the file in any other directory. In this case the file is logged in the registry under the key 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU'. In this key all files – including their directory path – which are saved using the 'save as' button are stored, grouped by file extension. It is not possible to determine from this key whether a file was saved from WLM or from another program. Besides these registry keys nothing related to transmitted files is logged.
The second possibility is the shared folder option. This function was introduced in Windows Live Messenger 8.0. When a user creates a sharing folder with a contact, the directory 'C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account_user>\Sharing Folders\<WLM_account_contact>\' is created. Every file that is shared is stored in this directory. All sharing activities are automatically logged.
Fig. 12 – Screenshot WLM shared activities log; example of a user who shared files.
The Sharing Activity Log file is stored in the file 'C:\
Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account>\SharingMetadata\activitylog.dat'. 'Activitylog.dat' has the same construction as Fig. 12. At the beginning of this file the oldest activity is logged (hash.rtf shared with [email protected] on 13-3-2007 at 16:11:22) and at the bottom the most recent file is logged (Beethoven's Symphony shared with [email protected] on 16-3-2007 at 17:04:06). The file names are placed in order of status, contact and timestamp. Shared files (status New File and Shared) are recorded including their directory path, as opposed to deleted files, which are recorded without their directory path. Timestamps are stored as 64-bit little-endian values (Windows FILETIME format) placed directly above the next file name, and can be decoded with the previously mentioned program DCode Date. The user is able to clear his/her sharing activity log in WLM; in this case 'activitylog.dat' is emptied.
Fig. 13 – Example of a timestamp that resides in 'activitylog.dat'.
Another important file in the shared folder option is
‘Dfsr.log’. This file is stored in the metadata directory
‘C:\Documents and Settings\<user>\Local Settings\
Application Data\Microsoft\Messenger\<WLM_account>\
SharingMetadata\Logs\’. ‘Dfsr.log’ is a file that contains
plain text from which much cannot be easily understood.
‘Dfsr.log’, however, clearly shows when a file is shared by
a user or contact. The following two examples illustrate this.
[email protected] (user) shares a file with msnkoning
@live.nl (contact):
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[0]== \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[1]== [email protected]
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[2]== 82C754CD-15B5-D668-C475-FAF99140BBE5
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[3]== planning.gif
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[4]== {D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[5]== {82C754CD-15B5-D668-C475-FAF99140BBE5}-v1
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[6]== [email protected]
20070329 12:38:56.404 2804 MRSH 3618 MarshallerTMarshal FileAttrs in metadata: 0x20
20070329 12:38:56.404 2804 SRTR 771 SERVER_InitializeFileTransfer planning.gif sizeRead:16384
20070329 12:38:56.404 2804 SRTR 818 SERVER_InitializeFileTransfer Initialized connId:{FA95D0E3-BFA5-3BF8-268D-BE26CA8BE6B4} rdc:1 context:021972A8,00000000,05B74010 uid:{D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13 gvsn{D274387A-FCFC-439E-9030-CC3A8E27BF1B}-v13
20070329 12:38:56.404 2804 SRTR 833 SERVER_InitializeFileTransfer Success: 0
20070329 12:38:56.404 2804 FRTL 1333 FrtlSessionTSendOutputPacket Session:031BC5E0, bytesRemaining:-11952, packet:InitializeFileTransfer_Response, callId:46, size:16672
20070329 12:38:56.404 2804 FRTL 74 FrtlSyncServerContextTwFrtlSyncServerContext ptr:031A98E0, session:031BC5E0
20070329 12:38:56.404 3216 SNMGR 1424 SyncNegotiationManagerTLogNode node:[email protected] state:STATE_CONNECTED timer:306 connin:CONNECTION_STATE_ONLINE connout:CONNECTION_STATE_ONLINE syncin:SYNC_STATE_IN_SYNC syncout:SYNC_STATE_IN_PROGRESS
[email protected] shares (actually sends, see SendOutputPacket) the file ‘planning.gif’ on 29-03-2007 at 12:38:56 with [email protected]. The file is copied to the directory ‘C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouter-[email protected]\Sharing Folders\[email protected]’.
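The Dfsr.log extracts in this section (the user sending a file above, and the contact sharing a file in the next extract) are easier to work with when reduced to one line per event. The following Python parser is an added example, not part of the paper or of Windows Live Messenger: it groups the EventLog Audit Param[n] records that share a timestamp and thread, takes the file name from Param[3], derives the user and contact accounts from the Param[0] path (<WLM_account_user>\Sharing Folders\<WLM_account_contact>, the layout given in this section), and classifies the direction from the SERVER_InitializeFileTransfer (sent) and Download Succeeded (received) lines seen in the extracts. The sample log is constructed after the shapes shown in the paper with placeholder accounts; reading those two lines as the direction indicator is an assumption drawn from the extracts, not a documented format.

```python
"""Turn Windows Live Messenger 'Dfsr.log' audit records into a per-file
timeline. Added example, not part of the paper or of WLM; the log layout is
modelled on the extracts reproduced in the paper."""
import re
from datetime import datetime

# Each line: <yyyymmdd> <hh:mm:ss.fff> <thread> <TAG> <num> <message>
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<thread>\d+) "
    r"(?P<tag>\w+) (?P<num>\d+) (?P<msg>.*)$"
)
# EventLog audit parameters: Param[0] is the target directory, Param[3] the file name
PARAM_RE = re.compile(r"Param\[(?P<idx>\d+)\]==\s*(?P<val>.*)$")
# Direction indicators (assumption based on the two extracts in the paper)
SENT_RE = re.compile(r"SERVER_InitializeFileTransfer (?P<name>\S+) sizeRead:")
RECV_RE = re.compile(r"Download Succeeded: true updateName:(?P<name>\S+)")
DEVICE_PREFIX = "\\\\.\\"            # the \\.\ prefix in front of Param[0] paths
SHARING_DIR = "\\Sharing Folders\\"  # <user>\Sharing Folders\<contact>


def parse_dfsr_log(text):
    """Return a list of file-sharing events (dicts) in log order."""
    params = {}          # (date, time, thread) -> {param index: value}
    order = []           # first-seen order of those keys
    direction = {}       # file name -> 'sent' | 'received'
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        key = (m.group("date"), m.group("time"), m.group("thread"))
        pm = PARAM_RE.search(msg)
        if pm:
            if key not in params:
                params[key] = {}
                order.append(key)
            params[key][int(pm.group("idx"))] = pm.group("val").strip()
            continue
        sm = SENT_RE.search(msg)
        if sm:
            direction[sm.group("name")] = "sent"
        rm = RECV_RE.search(msg)
        if rm:
            direction[rm.group("name")] = "received"

    events = []
    for key in order:
        p = params[key]
        if 3 not in p:                      # audit record without a file name
            continue
        path = p.get(0, "")
        if path.startswith(DEVICE_PREFIX):
            path = path[len(DEVICE_PREFIX):]
        user = contact = None
        if SHARING_DIR in path:
            head, contact = path.rsplit(SHARING_DIR, 1)
            user = head.rsplit("\\", 1)[-1]
        events.append({
            "timestamp": datetime.strptime(key[0] + key[1], "%Y%m%d%H:%M:%S.%f"),
            "file": p[3],
            "directory": path,
            "user": user,
            "contact": contact,
            "direction": direction.get(p[3], "unknown"),
        })
    return events


def timeline(events):
    """One human-readable line per event."""
    return ["%s %-8s %s (user=%s, contact=%s)" % (
        e["timestamp"].isoformat(sep=" "), e["direction"], e["file"],
        e["user"], e["contact"]) for e in events]


# Constructed sample in the shape of the paper's extracts (placeholder accounts).
SAMPLE_LOG = r"""
20070329 12:37:20.174 2548 MEET 2019 MeetTDownload Download Succeeded: true updateName:Eula.txt
20070329 12:37:20.174 2548 EVNT 342 EventLogTAudit Audit message: Success 1073748828
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[0]== \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\user@example.com\Sharing Folders\contact@example.com
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[1]== contact@example.com
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[3]== Eula.txt
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[6]== user@example.com
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[0]== \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\user@example.com\Sharing Folders\contact@example.com
20070329 12:38:56.404 2804 EVNT 347 EventLogTAudit Param[3]== planning.gif
20070329 12:38:56.404 2804 SRTR 771 SERVER_InitializeFileTransfer planning.gif sizeRead:16384
20070329 12:38:56.404 2804 FRTL 1333 FrtlSessionTSendOutputPacket Session:031BC5E0, packet:InitializeFileTransfer_Response
"""

if __name__ == "__main__":
    for row in timeline(parse_dfsr_log(SAMPLE_LOG)):
        print(row)
```

A file whose transfer lines are missing from the log is reported as ‘unknown’ rather than guessed: the audit record on its own only shows in which shared folder a file appeared, not who initiated the transfer.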
[email protected] (contact) shares a file with wouter-fox@hotmail.com (user):
20070329 12:37:20.174 2548 MEET 2019 MeetTDownload Download Succeeded: true updateName:Eula.txt uid:{46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15 gvsn:{46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15 connId:{B1B74304-961C-48D5-E935-27B3D4DDEDD2} csName:[email protected] csId:{82C754CD-15B5-D668-C475-FAF99140BBE5}
20070329 12:37:20.174 2548 EVNT 342 EventLogTAudit Audit message: Success 1073748828
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[0]== \\.\C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[1]== [email protected]
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[2]== 82C754CD-15B5-D668-C475-FAF99140BBE5
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[3]== Eula.txt
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[4]== {46D6D7CB-E213-4E2C-A052-9DD08532E98C}-v15
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[5]== {82C754CD-15B5-D668-C475-FAF99140BBE5}-v1
20070329 12:37:20.174 2548 EVNT 347 EventLogTAudit Param[6]== [email protected]
[email protected] receives the file ‘Eula.txt’ in the directory ‘C:\Documents and Settings\dongen\Local Settings\Application Data\Microsoft\Messenger\wouter-[email protected]\Sharing Folders\[email protected]’ on 29-03-2007 at 12:37:20; the file is shared by [email protected].
When a contact opens the shared directory of the user, his or her display picture is saved as _thumb.png in the directory ‘C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\<WLM_account_user>\SharingMetadata\<WLM_account_contact>\’.
Fig. 14 – Screenshot of Windows Explorer and Paint; WLM account [email protected] shares files with [email protected]. The display picture of [email protected] is shown in Paint.
3.7. Audio and video
In order to use the audio and video functionality the user first has to configure the devices in Windows Live Messenger. When the configuration is completed, the binary value ‘RTCTuned’ with the value ‘1’ is created under the registry key ‘HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\’.
3.7.1. Voice clips
If the user sends a voice clip to a contact, the clip is temporarily stored in two directories.
In the first directory, ‘C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\<MSN_Passport_ID>\VoiceClip\’, voice clips are stored in a .dat file. Voice clips stored in this directory are removed when the user logs out of Windows Live Messenger.
The second directory is ‘C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\VoiceClip\’. In this directory voice clips are stored in the format ‘msnmsgr_<timestamp>.wav’. Voice clips in this directory are not removed when the user logs out, only when Windows Live Messenger is closed.
Received voice clips are stored between – and in the same format as – sent voice clips in the directory ‘C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\VoiceClip’. This is the only directory where received voice clips are stored. Sent and received voice clips cannot be distinguished from each other.
The voice clips have a characteristic starting signature with which they can be recovered from free space and slack space after deletion.
Fig. 15 – Example of the start of a voice clip opened in a hex editor; the underlined information is distinctive for a voice clip.
It is not possible to determine to which WLM account or contact a voice clip belongs.
3.7.2. Webcam
When a webcam session in a conversation is initiated for the first time, the registry key ‘HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\webcam’ is created. A timestamp of the last initiation of a webcam session is stored in this registry key as a binary value, grouped by the type of webcam session. Four types of webcam session can be distinguished:
1. tllp: only the user is broadcasting.
2. tllv: only the contact is broadcasting.
3. tllpr_t_p: both contact and user are broadcasting, the user started the request.
4. tllpr_v: both contact and user are broadcasting, the contact started the request.
The timestamp is stored in 16 bytes, for example:
D7 07 05 00 02 00 0F 00
0C 00 08 00 0D 00 B4 02
The first two bytes D7 07 hold the year (2007), followed by the byte 05 for the month (May). The byte 02 stands for the day of the week (Tuesday), followed by the day of the month 0F (15th). The seventh byte 0C holds the hour in UTC (12), the next byte the minutes 08 (8), followed by the byte containing the seconds 0D (13). The last two bytes B4 02 contain the milliseconds (692). The null bytes (00) in between have no meaning.
When the webcam of the contact is activated in a chat session, an advertisement is shown during the connection set-up. This advertisement is a flash animation or image and is stored in the directory ‘C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\’. From the last accessed time of this file it can be determined when the user initiated a webcam session with a contact. Advertisement images have a size of 300 × 250 pixels and are downloaded from the Internet address http://spe.atdmt.com. When a user logs into WLM, images of a different size are also downloaded from this address into the ‘Temporary Internet Files’ directory.
When using the time indication traces it is not possible to determine with which contact the webcam session was conducted.
Beside time indication traces, traces of webcam sessions may reside in the RAM, Windows swap and hiberfil.sys (hibernation file). By searching for ‘<Application>viewing webcam</Application>’ one can attempt to find traces of webcam invitations, such as the involved Windows Live Messenger user and the contact. Some examples are as follows:
<User FriendlyName="Wouter"/></From><Application>viewing webcam</Application><Text Style="-color:#545454; ">You have invited MSN King to start viewing webcam. Please wait for a response or Cancel (Alt + Q) the pending invitation.</Text></Invitation>
<User FriendlyName="MSN King"/></From><Application>viewing webcam</Application><Text Style="-color:#545454; ">MSN King has accepted your invitation to start viewing webcam.</Text>
<User FriendlyName="MSN King"/></From><Application>viewing webcam</Application><Text Style="-color:#545454; ">You have accepted the invitation to start viewing webcam.</Text>
However, these traces may not be as complete as shown in the example. It may therefore occur that only the text between the <Text></Text> tags can be found. In this case one can search for parts of the following sentences in Unicode format:
• You have invited <contact_nickname> to start viewing webcam. Please wait for a response or Cancel (Alt+Q) the pending invitation.
• <contact_nickname> has accepted your invitation to start viewing webcam.
• You have stopped viewing webcam with <contact_nickname>.
• <contact_nickname> is inviting you to start viewing webcam. Do you want to Accept (Alt+C) or Decline (Alt+D) the invitation?
• You have accepted the invitation to start viewing webcam.
• <contact_nickname> has stopped viewing webcam with you.
• <contact_nickname> wants to have a Video Call. Answer (Alt+C) Decline (Alt+D).
• You have answered the call.
• You declined the Video Call from <contact_nickname>.
• Making a Video Call to <contact_nickname>.
• You have invited <contact_nickname> to start sending webcam. Please wait for a response or Cancel (Alt+Q) the pending invitation.
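The 16-byte timestamp described in this section can be decoded mechanically, and the day-of-week field gives a free consistency check against tampered or misaligned data. The following Python decoder is an added example, not from the paper or from Windows Live Messenger. The layout the paper describes (year, month, day of week with 0 = Sunday, day, hour in UTC, minute, second, millisecond, each a little-endian 16-bit word) is the Win32 SYSTEMTIME structure, so the decoder unpacks it as eight words. On a live system the bytes would come from winreg.QueryValueEx on the webcam key; here the paper's example value and a constructed all-zero value are supplied inline.

```python
r"""Decode the 16-byte webcam timestamp stored under
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\webcam (Section 3.7.2).
Added example, not from the paper. The field order the paper describes is
the Win32 SYSTEMTIME layout: eight little-endian 16-bit words."""
import struct
from datetime import datetime, timezone

WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday",
            "Thursday", "Friday", "Saturday")     # SYSTEMTIME: 0 = Sunday

# The value from the paper's example, written as the hex dump shows it.
EXAMPLE_VALUE = bytes.fromhex("D7 07 05 00 02 00 0F 00 0C 00 08 00 0D 00 B4 02")


def decode_webcam_timestamp(raw):
    """Return (datetime in UTC, weekday name). Raise ValueError when the
    bytes cannot be a valid timestamp: wrong length, out-of-range field,
    impossible calendar date, or a day-of-week word that contradicts the
    date (a cheap check that the 16 bytes really are one timestamp)."""
    if len(raw) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(raw))
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    if ms > 999:
        raise ValueError("millisecond field out of range: %d" % ms)
    # datetime() itself rejects impossible dates such as month 13 or year 0
    ts = datetime(year, month, day, hour, minute, second, ms * 1000,
                  tzinfo=timezone.utc)
    # Python: Monday = 0 ... Sunday = 6; SYSTEMTIME: Sunday = 0 ... Saturday = 6
    expected_dow = (ts.weekday() + 1) % 7
    if dow != expected_dow:
        raise ValueError("day-of-week %d does not match %s"
                         % (dow, WEEKDAYS[expected_dow]))
    return ts, WEEKDAYS[dow]


def decode_webcam_key(values):
    """Decode every session-type value of the key. `values` maps the value
    names the paper lists (tllp, tllv, tllpr_t_p, tllpr_v) to their raw
    bytes; undecodable values are reported instead of silently dropped."""
    out = {}
    for name, raw in values.items():
        try:
            ts, weekday = decode_webcam_timestamp(raw)
            out[name] = "%s (%s)" % (ts.isoformat(), weekday)
        except ValueError as exc:
            out[name] = "invalid: %s" % exc
    return out


if __name__ == "__main__":
    # Constructed key contents: the paper's value plus a never-set value.
    sample_key = {"tllp": EXAMPLE_VALUE, "tllv": b"\x00" * 16}
    for name, decoded in decode_webcam_key(sample_key).items():
        print(name, decoded)
```

Because the hour is stored in UTC, the decoder attaches the UTC zone explicitly; converting to the machine's local time zone is a separate step that should use the time zone of the examined system, not of the examiner's workstation.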
3.7.3. Audio
Beside the RAM, Windows swap and hiberfil.sys (hibernation file), no traces of audio conversations can be found on the hard disk. One can only try to trace back the contact by searching for parts of the following sentences in Unicode format:
• Calling <contact_nickname>. Hang up (Alt+Q)
• <contact_nickname> is answering your call. Hang up (Alt+Q)
• <contact_nickname> is calling you.
• Your call is ended.
• You have answered the call. Hang up (Alt+Q).
• <contact_nickname> is not answering.
• You declined the call from <contact_nickname>.
It is not possible to determine the time and date of the audio session.
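The sentence lists of Sections 3.7.2 (webcam) and 3.7.3 (audio) both amount to the same search: find a fixed English phrase stored as UTF-16LE (‘Unicode format’) in a memory image, pagefile or hiberfil.sys and read the contact nickname next to it. The following Python scanner is an added example, not from the paper, that does this for both lists at once. The hot-key hints at the end of the sentences are left out of the templates so that partial copies still match, which is what the paper recommends. Sentences without a nickname are not searched. The nickname is assumed to consist of printable BMP characters without ‘<’ or ‘>’ (so that a preceding XML tag stops the scan); the event labels and the sample dump are constructed for this example.

```python
"""Search a raw memory/pagefile/hiberfil image for the WLM webcam and audio
status messages listed in Sections 3.7.2 and 3.7.3 and recover the contact
nickname next to them. Added example, not from the paper."""

# (event label, template); <contact_nickname> marks where the nickname sits.
TEMPLATES = [
    ("webcam_invite_sent", "You have invited <contact_nickname> to start viewing webcam."),
    ("webcam_invite_accepted", "<contact_nickname> has accepted your invitation to start viewing webcam."),
    ("webcam_stopped_by_user", "You have stopped viewing webcam with <contact_nickname>."),
    ("webcam_invite_received", "<contact_nickname> is inviting you to start viewing webcam."),
    ("webcam_stopped_by_contact", "<contact_nickname> has stopped viewing webcam with you."),
    ("video_call_incoming", "<contact_nickname> wants to have a Video Call."),
    ("video_call_declined", "You declined the Video Call from <contact_nickname>."),
    ("video_call_outgoing", "Making a Video Call to <contact_nickname>."),
    ("webcam_send_invite_sent", "You have invited <contact_nickname> to start sending webcam."),
    ("audio_calling", "Calling <contact_nickname>."),
    ("audio_answering", "<contact_nickname> is answering your call."),
    ("audio_incoming", "<contact_nickname> is calling you."),
    ("audio_no_answer", "<contact_nickname> is not answering."),
    ("audio_declined", "You declined the call from <contact_nickname>."),
]
MAX_NICK = 64   # characters; bounds the backward/forward scan


def u16(text):
    """WLM stores these strings as UTF-16LE ('Unicode format')."""
    return text.encode("utf-16-le")


def _nick_char(cp):
    # printable BMP code point, not a surrogate, not an XML angle bracket
    return 0x20 <= cp <= 0xD7FF and cp not in (0x3C, 0x3E, 0x7F)


def _nick_before(blob, end):
    """Collect UTF-16LE units backwards from `end` until a non-nickname unit
    (NUL terminator, tag bracket, control byte) or MAX_NICK characters."""
    start = end
    while start >= 2 and (end - start) < 2 * MAX_NICK:
        if not _nick_char(int.from_bytes(blob[start - 2:start], "little")):
            break
        start -= 2
    return blob[start:end].decode("utf-16-le")


def find_session_traces(blob):
    """Return [{'offset', 'event', 'contact'}] for every template hit, sorted
    by offset. Search is byte-based, so strings need not be 2-byte aligned."""
    hits = []
    for label, template in TEMPLATES:
        prefix, suffix = template.split("<contact_nickname>")
        pb, sb = u16(prefix), u16(suffix)
        pos = 0
        while True:
            if pb:                       # nickname sits between prefix and suffix
                i = blob.find(pb, pos)
                if i < 0:
                    break
                pos = i + len(pb)
                j = blob.find(sb, pos, pos + 2 * MAX_NICK + len(sb))
                if j <= pos or (j - pos) % 2:
                    continue             # suffix missing, empty or misaligned
                nick = blob[pos:j].decode("utf-16-le", "replace")
                offset = i
            else:                        # template starts with the nickname
                j = blob.find(sb, pos)
                if j < 0:
                    break
                pos = j + len(sb)
                nick = _nick_before(blob, j)
                offset = j - len(u16(nick))
            if nick.strip():
                hits.append({"offset": offset, "event": label, "contact": nick})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample 'dump': fragments in the shape of the paper's examples,
# NUL-terminated as in memory, with filler bytes that break 2-byte alignment.
SAMPLE_DUMP = (
    b"\x00\x11\xa5junk"
    + u16('<Text Style="-color:#545454; ">You have invited MSN King to start viewing '
          'webcam. Please wait for a response or Cancel (Alt+Q) the pending invitation.</Text>')
    + b"\x00\x00\x90\x90\x90"
    + u16('<Text Style="-color:#545454; ">MSN King has accepted your invitation '
          'to start viewing webcam.</Text>') + b"\x00\x00"
    + u16("Calling MSN King. Hang up (Alt+Q)") + b"\x00\x00"
    + u16("MSN King is not answering.") + b"\x00\x00"
)

if __name__ == "__main__":
    for h in find_session_traces(SAMPLE_DUMP):
        print("0x%08x %-26s %s" % (h["offset"], h["event"], h["contact"]))
```

The scanner recovers who was involved, which is all these traces can give: as the paper notes, they carry no time and date, so the offsets are only useful for locating the surrounding context in the image.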
3.8. Display pictures
As in previous versions of MSN Messenger, display pictures of the Windows Live Messenger user are stored in the directory ‘C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\<MSN_Passport_ID>\UserTile’. Display pictures are resized to 96 × 96 pixels and are stored as a PNG file in ‘TFR<nr>.dat’.
Contact display pictures of the WLM accounts used on the computer are cached in the directory ‘C:\Documents and Settings\<user>\Local Settings\Temp\MessengerCache\’. Before WLM version 8.0 this directory was ‘C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\’ (Dickson, 2006). Besides the directory, the way in which display pictures are stored has also changed. Contact display pictures are stored without an extension and are named after the SHA1 hash of the original picture, encoded in Base64. Another difference from previous versions of MSN Messenger is that display pictures are not only cached when the user converses with the contact, but also from online notifications and contact card views. When a contact changes the display picture, the old display picture is not removed. WLM uses the .WindowsLiveContact file – by means of the UserTitleLocation tag – to determine which cached display picture belongs to the contact. For a forensic examination, the .WindowsLiveContact file is not the only way to determine which display picture a contact is or was displaying. The display picture of a contact can also be found by using the MSN protocol traces which may reside in the ‘Temporary Internet Files’ directory (see Section 3.3), Windows swap and hiberfil.sys (hibernation file).
Example of an MSN protocol trace from the ‘Temporary Internet Files’ directory:
NLN AWY [email protected] 1 Wouter 1616756772 <msnobj Creator="[email protected]" Size="26954" type="3" Location="TFR1.dat" Friendly="AAA" SHA1D="7vyAg4LVCW8gUGejU0AoNnkXo00=" SHA1C="ayipuajsaArc3KtqJ2EEblAkoac="/>
By using the SHA1D field – the name of the file – the display picture of [email protected] can be found in the ‘MessengerCache’ directory. type="3" signifies a display picture. For more information about the MSN protocol visit the websites mentioned in Section 3.3.
Fig. 16 – The display picture of the MSN protocol example.
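The link the paper describes between an NLN trace and a file in ‘MessengerCache’ runs through the SHA1D field: Base64 of the SHA-1 of the picture data, which is also the cache file's name. The following Python code is an added example, not from the paper or from Windows Live Messenger. It parses the <msnobj> element out of a trace line, recomputes SHA1D for each cached file and matches on content rather than on file name, so a renamed or carved cache file is still recognised; it separately reports whether the file still carries the SHA1D name. The picture bytes, the cache and the trace line are constructed (placeholder account, no SHA1C); the paper's statement that type="3" marks a display picture is used as the filter.

```python
"""Match a contact's cached display picture ('MessengerCache') to the
<msnobj> of an MSN protocol trace via the SHA1D field (Section 3.8).
Added example, not from the paper; sample data below is constructed."""
import base64
import hashlib
import re

MSNOBJ_RE = re.compile(r"<msnobj\s+(?P<attrs>.*?)\s*/>", re.S)
ATTR_RE = re.compile(r'(?P<name>\w+)="(?P<value>[^"]*)"')


def parse_msnobj(trace_line):
    """Return the msnobj attributes as a dict, or None if the line has none.
    Attributes may run together without spaces, as in the paper's trace."""
    m = MSNOBJ_RE.search(trace_line)
    if not m:
        return None
    return {a.group("name"): a.group("value")
            for a in ATTR_RE.finditer(m.group("attrs"))}


def sha1d(picture):
    """Base64(SHA-1(picture bytes)): the SHA1D value and the cache file name."""
    return base64.b64encode(hashlib.sha1(picture).digest()).decode("ascii")


def find_display_picture(msnobj, cache):
    """Find the cached file (dict: file name -> bytes) whose content hashes to
    the msnobj's SHA1D. Matching on content means a renamed cache file is
    still found; 'named_after_sha1d' records whether the name still matches."""
    if msnobj is None or msnobj.get("type") != "3":   # 3 = display picture
        return None
    wanted = msnobj.get("SHA1D", "")
    for name, data in cache.items():
        if sha1d(data) == wanted:
            return {
                "file": name,
                "creator": msnobj.get("Creator"),
                "size_ok": str(len(data)) == msnobj.get("Size"),
                "named_after_sha1d": name == wanted,
            }
    return None


# Constructed sample: a fake 'picture' (not a valid PNG), a cache holding it
# under its SHA1D name next to an unrelated file, and an NLN line shaped like
# the paper's example with a placeholder account.
PICTURE = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4
CACHE = {sha1d(PICTURE): PICTURE, "unrelated": b"\x00" * 100}
TRACE = ('NLN AWY contact@example.com 1 Wouter 1616756772 '
         '<msnobj Creator="contact@example.com" Size="%d" type="3" '
         'Location="TFR1.dat"Friendly="AAA" SHA1D="%s"/>'
         % (len(PICTURE), sha1d(PICTURE)))

if __name__ == "__main__":
    print(find_display_picture(parse_msnobj(TRACE), CACHE))
```

Standard Base64 can contain ‘/’ and ‘+’, and the paper does not say how WLM handles those in a file name, which is another reason to match on the recomputed hash instead of on the name; a mismatch in the Size field is reported rather than treated as a failure, since a trace and a cache entry may stem from different uploads of the same image.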
4. Results summary
4.1. Directories and files
• C:\Windows\system32\config\AppEvent.Evt: after each successful login or logout two lines are written to the event log [see Section 3.1].
• C:\hiberfil.sys: the hibernation file; this file may contain MSN protocol traces [see Section 3.3].
• C:\Documents and Settings\<user>\Contacts\: contains cached contact files such as .WindowsLiveContact, .Contact, .WindowsLiveGroup, .Group and contactcoll.cache files. The files are stored in a directory named after the WLM account [see Section 3.2].
• C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Windows Live Contacts\: contains cached contact files stored in a directory named after the WLM account. This directory is broken down into the following subdirectories:
  ◦ <WLM_account>\Real\: .MeContact, .Addressbook, members.stg and contactcoll.cache files [see Section 3.2.2].
  ◦ <WLM_account>\Shadow\: .WindowsLiveContact, members.stg, contactcoll.cache, .MeContact and .WindowsLiveGroup files [see Section 3.2.2].
• C:\Documents and Settings\<user>\Local Settings\Temp\: the members.stg file stored as ‘w<name>.tmp’ [see Section 3.2.2].
• C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Messenger\: this directory is used for the shared folder option. Files are stored in directories named after the WLM accounts, subdivided into directories named after the contact.
  ◦ <WLM_account_user>\Sharing Folders\<WLM_account_contact>\: the actual shared files [see Section 3.6].
  ◦ <WLM_account_user>\SharingMetaData\: activitylog.dat, the shared folder activity log file [see Section 3.6].
  ◦ <WLM_account_user>\SharingMetaData\Logs: Dfsr.log contains shared folder activities [see Section 3.6].
  ◦ <WLM_account_user>\SharingMetaData\<WLM_account_contact>\: _thumb.png, the contact display picture [see Section 3.6].
• C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\<MSN_Passport_ID>\:
  ◦ MapFile\: several encrypted .dat files; one of these files contains MSN Passport IDs and e-mail addresses of contacts [see Section 3.2.2].
  ◦ UserTitle\: WLM user display pictures stored in the format ‘TFR<nr>.dat’ [see Section 3.8].
  ◦ VoiceClip\: voice clips stored in a .dat file [see Section 3.7.1].
• C:\Documents and Settings\<user>\Application Data\Microsoft\MSN Messenger\VoiceClip\: voice clips stored in the format ‘msnmsgr_<timestamp>.wav’ [see Section 3.7.1].
• C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\: gateway.dll files containing MSN protocol traces and webcam advertisement images are cached in this directory [see Sections 3.3 and 3.7.2].
• C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\: gateway[<nr>].<session_ID> files containing MSN protocol traces are cached in this directory [see Section 3.3].
• C:\Documents and Settings\<user>\My Documents\My Received Files\: default storage directory for received files [see Section 3.6].
• C:\Documents and Settings\<user>\Local Settings\Temp\MessengerCache\: cached contact display pictures [see Section 3.8].
4.2. Registry
• HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\: global WLM settings.
  ◦ RTCTuned: boolean indicating whether the user has configured audio and video devices [see Section 3.7].
• HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\webcam\: a timestamp of the last initiation of a webcam session is stored in this registry key as a binary value, grouped by the type of webcam session:
  ◦ tllp: only the user is broadcasting [see Section 3.7.2].
  ◦ tllv: only the contact is broadcasting [see Section 3.7.2].
  ◦ tllpr_t_p: both contact and user are broadcasting, the user started the request [see Section 3.7.2].
  ◦ tllpr_v: both contact and user are broadcasting, the contact started the request [see Section 3.7.2].
• HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\<MSN_Passport_ID>\: user settings and preferences ordered by MSN Passport ID. The following interesting values can be found under this registry key:
  ◦ UTL: contains the WLM account (e-mail address) [see Section 3.1].
  ◦ DisableCache: registry key to verify if caching is disabled [see Section 3.2.1].
  ◦ DisableContactEncryption: registry key to verify if encryption is disabled [see Section 3.2.2].
  ◦ MessageLoggingEnabled: registry key to verify if message logging is enabled [see Section 3.5].
  ◦ MessageLogPath: holds the directory where message log files are stored [see Section 3.5].
  ◦ FtReceiveFolder: holds the directory where received files are stored [see Section 3.6].
• HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\: location of the Windows credential manager; holds accounts which are set to be ‘remembered’ by WLM [see Section 3.1].
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU: in this registry key all files – including their directory path – which are saved using the ‘save as’ button are stored, ordered by their extension [see Section 3.6].
5. Conclusions
It is clear that traces are left behind on the hard disk when Windows Live Messenger is used. Even though it is not always possible to trace back complete conversations, traces that indicate the use of WLM can always be found on the hard disk: user settings, contact files, temporary files, log files, registry keys, free space and slack space, and so on. By analysing all of these traces it is possible to get an overall picture of a user’s WLM activities. Programs like Forensic Box and DCode Date can be very helpful in forensic examinations. Besides this, file signatures and known file structures can also be of great value in an examination when a user has tried to cover his traces.
When someone has deliberately performed illegal activities with the use of Windows Live Messenger, he or she must have extensive knowledge of Windows Live Messenger and of computers in general in order to be able to delete all the traces.
Acknowledgments
The author would like to thank Erwin van Wiel of the Midden-West Brabant Police department, creator of Forensic Box, for his useful suggestions.
References
Arrington Michael. Instant messaging and trashing google. Available from: <http://www.techcrunch.com/2006/07/24/instant-messaging-and-trashing-google>; 2006.
Dickson Mike. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3.
Mook Nate. MSN Messenger most used IM client. Available from: <http://www.betanews.com/article/MSN_Messenger_Most_Used_IM_Client/1144778820>; 2006.
MarketShare.com. Operating system market share for April, 2007. Available from: <http://marketshare.hitslink.com/report.aspx?qprid=2>; 2007.
Mintz Mike, Sayer Andrew. MSN Messenger protocol, general – HTTP connections. Available from: <http://www.hypothetic.org/docs/msn/general/http_connections.php>; 2004.
Wouter S. van Dongen BSc studied Computer Sciences at the Leiden College of Advanced Studies and graduated Cum Laude. He will continue to pursue his MSc in System and Network Engineering at the University of Amsterdam. He currently works as a Forensic IT Specialist at Fox-IT.