±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36595
New Yesterday: 0 Visitors: 153

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

MSN Messenger Time/Date Stamps

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 


MSN Messenger Time/Date Stamps

Post Posted: Nov 22, 05 20:41

Hi people,

I've got a case where I am trying to establish whether a user was using MSN Messenger at a given time.

We have no message logs stored and are trying to answer the question by examing the time stamps associated with various MSN Messenger files.
Unfortunately, testing is throwing up some patchy results.

Ideally, I'm looking for a matrix of MSN Messenger files to Time Stamps applied during startup/useage/shutdown.

Is anyone aware of a source of information for this?

Any advice welcomed.  

Senior Member

Re: MSN Messenger Time/Date Stamps

Post Posted: Nov 22, 05 21:15

Paraben's Chat Examiner supports MSN 6.1, 6.2 & 7.0.


Paraben's E-Mail examiner support MSN mail


I recently used Chat Examiner in a case involving Trillian logs. Chat Examiner does the job and has a nice reporting and bookmarking feature.  


Re: MSN Messenger Time/Date Stamps

Post Posted: Nov 22, 05 22:11

Hi there,

Thanks for the reply.

Unfortunately, I suspect that I have not explained the problem adequately.

I don't think that Chat Examiner is likely to be able to provide us with any help in this specific case as no chat logs were generated and so there are no logs for Chat Examiner to examine.

Unless I've misinterpreted you and you are suggesting that Chat Examiner can provide me with MSN startup/shutdown times?

All I've got to work with is the MSN Messenger files, bearing a wide variety of different time stamps, and text fragments retrieved from the swap file & unallocated space.
So far as I can see, the session fragments recovered from slack space do not have any time coding information embedded in them which leaves me trying to piece together a pattern of usage based solely on the time stamps associated with the MSN Messenger program and Dat files.

What I'm really looking for is something like:
" The Last Accessed time associated with File X is the time that MSN Messenger was started; The Creation Time associated with File Y is the time that MSN Messenger was shut down"

Of course, I realise that it's unlikely (in the extreme) to be that easy, my life never is Smile

However, any advice is welcomed.  

Senior Member

Re: MSN Messenger Time/Date Stamps

Post Posted: Nov 22, 05 22:52


It might be a little easier if you could provide the following information:

1. What operating system are you dealing with?

2. What version of MSN are you working with?

3. Are you working with an image of the drive, or just files from the drive?




Re: MSN Messenger Time/Date Stamps

Post Posted: Nov 23, 05 14:39

Hi Harlan,

Thanks for the reply.

Yes, of course, that was remiss of me.

It's MSN6 on an XP SP2 platform and it's being accessed as an Encase 5 evidence file.

This is one of those irritating little issues where you expect that the information will be widely published - but isn't Smile
I'd go straight to the horses mouth but I have never yet managed to get Microsoft to patch me through to one of their developers.....

Warm regards,


Senior Member

Re: MSN Messenger Time/Date Stamps

Post Posted: Jan 05, 06 06:14

I am new to the forums and deal with MSN every so often. I would be interested in hearing an answer to this question  


Re: MSN Messenger Time/Date Stamps

Post Posted: Feb 19, 06 05:35

do we have another system or program for msn messenger (old ) chat logs.?
for exemp: 10 months ago.. etc..


Page 1 of 2
Page 1, 2  Next