MsnMsgr.txt & ContactsLog.txt


Chris55728
Senior Member
 


Posted: Mar 28, 14 21:29

Hi,

I have a case where I have 54 of each of the above files in a number of different directories.

1 of each file in the C:\Users\<userid>\AppData\Local\Microsoft\Messenger directory.
3 of each file in 3 different C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report<8 char hex> directories.
50 of each file in 50 different C:\Users\<userid>\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report<8 char hex> directories.

As I understand it the 'default' location for these files is the C:\Users\<userid>\AppData\Local\Microsoft\Messenger directory.

As far as I'm aware, both files contain communication logging information relating to the use of MSN Messenger (MSNM) and Windows Live Messenger (WLM).

However, I'm interested to know what the files in the Windows Error Reporting (WER) directories relate to. From having a quick look around, WER automatically collects errors when applications crash so I'm assuming these have been created when MSNM and/or WLM crashed and placed in a randomly generated(?) directory name?

The main reason for looking into these files is that an individual has been using a couple of legitimate email addresses on their laptop as well as one pretending to be someone else. What I need to do is try to find occasions when the individual has been using MSNM/WLM as one email address and very shortly afterwards has switched to the other email address.

I wrote a piece of Python code to parse the files looking for all occurrences of the email addresses I'm interested in and exported this out in the format 'full path of file';'date';'time';'email address'.

The results have proved useful but my problem is whether I can say the individual was at the keyboard all the time whenever an email address is referenced in either file. For example, if you leave yourself logged into WLM and walk away, is the ContactsLog.txt being updated or does it only get updated when you're actively using WLM? I have one instance where one email address appears active from midnight to just after 5am. Does this mean the individual was chatting away all that time or did they just go to sleep and leave their laptop on whilst logged into MSNM/WLM?

Are both the files exclusive to MSNM/WLM or would they get updated when a user logs into their email?

I also have some relevant Skype chat that overlaps the same date and time in my ContactsLog.txt file. Again I think I can work around this in as much as the individual could be chatting on Skype whilst also logged into WLM but not using it.

Any help/guidance gladly received.

Cheers,

Chris  
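
Added example (not part of the original post, and not the poster's script): one way to work from the exported 'full path of file';'date';'time';'email address' rows to find a change of address within a short window. Entries copied into several WER report directories are first collapsed into one event. The sample rows, addresses, date/time format and the 10-minute window are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the export layout described in the post:
# 'full path of file';'date';'time';'email address'
# Paths, addresses and the date/time format are made up for illustration.
SAMPLE_EXPORT = r"""
'C:\Users\user1\AppData\Local\Microsoft\Messenger\ContactsLog.txt';'2014-03-01';'23:58:10';'real@example.com'
'C:\Users\user1\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report0a1b2c3d\ContactsLog.txt';'2014-03-01';'23:58:10';'real@example.com'
'C:\Users\user1\AppData\Local\Microsoft\Messenger\MsnMsgr.txt';'2014-03-02';'00:01:45';'persona@example.com'
'C:\Users\user1\AppData\Local\Microsoft\Messenger\MsnMsgr.txt';'2014-03-02';'00:30:00';'persona@example.com'
'C:\Users\user1\AppData\Local\Microsoft\Messenger\ContactsLog.txt';'2014-03-02';'05:02:00';'real@example.com'
"""


def load_events(text):
    """Map each unique (timestamp, address) to the set of files it was seen in."""
    events = {}
    reader = csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar="'")
    for path, date, time, address in reader:
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        # The same entry can appear in many copies of the logs (one per WER
        # report directory); key on (time, address) so it is counted once
        # while keeping every source path for the report.
        events.setdefault((ts, address.lower()), set()).add(path)
    return events


def find_switches(events, window=timedelta(minutes=10)):
    """Return (t1, addr1, t2, addr2) where consecutive events differ in
    address and are no more than `window` apart."""
    ordered = sorted(events)  # chronological, then by address
    switches = []
    for (t1, a1), (t2, a2) in zip(ordered, ordered[1:]):
        if a1 != a2 and t2 - t1 <= window:
            switches.append((t1, a1, t2, a2))
    return switches


if __name__ == "__main__":
    evs = load_events(SAMPLE_EXPORT)
    for t1, a1, t2, a2 in find_switches(evs):
        print(f"{a1} at {t1} -> {a2} at {t2} (gap {t2 - t1})")
```
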
 
