
MSN Messenger Time/Date Stamps  

jlloyd
(@jlloyd)
New Member

Hi people,

I've got a case where I am trying to establish whether a user was using MSN Messenger at a given time.

We have no message logs stored and are trying to answer the question by examining the time stamps associated with various MSN Messenger files.
Unfortunately, testing is throwing up some patchy results.

Ideally, I'm looking for a matrix of MSN Messenger files to Time Stamps applied during startup/usage/shutdown.

Is anyone aware of a source of information for this?

Any advice welcomed.

Posted : 22/11/2005 8:41 pm
(@arashiryu)
Active Member

Paraben's Chat Examiner supports MSN 6.1, 6.2 & 7.0.

http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=162

Paraben's E-Mail Examiner supports MSN mail.

http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=101

I recently used Chat Examiner in a case involving Trillian logs. Chat Examiner does the job and has a nice reporting and bookmarking feature.

Posted : 22/11/2005 9:15 pm
jlloyd
(@jlloyd)
New Member

Hi there,

Thanks for the reply.

Unfortunately, I suspect that I have not explained the problem adequately.

I don't think that Chat Examiner is likely to be able to provide us with any help in this specific case as no chat logs were generated and so there are no logs for Chat Examiner to examine.

Unless I've misinterpreted you and you are suggesting that Chat Examiner can provide me with MSN startup/shutdown times?

All I've got to work with is the MSN Messenger files, bearing a wide variety of different time stamps, and text fragments retrieved from the swap file & unallocated space.
So far as I can see, the session fragments recovered from slack space do not have any time coding information embedded in them which leaves me trying to piece together a pattern of usage based solely on the time stamps associated with the MSN Messenger program and Dat files.

What I'm really looking for is something like:
"The Last Accessed time associated with File X is the time that MSN Messenger was started; The Creation Time associated with File Y is the time that MSN Messenger was shut down"

Of course, I realise that it's unlikely (in the extreme) to be that easy, my life never is :-)

However, any advice is welcomed.

Posted : 22/11/2005 10:11 pm
(@keydet89)
Community Legend

jlloyd,

It might be a little easier if you could provide the following information:

1. What operating system are you dealing with?

2. What version of MSN are you working with?

3. Are you working with an image of the drive, or just files from the drive?

Thanks,

Harlan

Posted : 22/11/2005 10:52 pm
jlloyd
(@jlloyd)
New Member

Hi Harlan,

Thanks for the reply.

Yes, of course, that was remiss of me.

It's MSN6 on an XP SP2 platform and it's being accessed as an Encase 5 evidence file.

This is one of those irritating little issues where you expect that the information will be widely published - but isn't :-)
I'd go straight to the horse's mouth but I have never yet managed to get Microsoft to patch me through to one of their developers…

Warm regards,

Justin.

Posted : 23/11/2005 2:39 pm
BraneRift
(@branerift)
Member

I am new to the forums and deal with MSN every so often. I would be interested in hearing an answer to this question.

Posted : 05/01/2006 6:14 am
ZeReZeK
(@zerezek)
New Member

Do we have another system or program for MSN Messenger (old) chat logs?
For example, 10 months ago, etc.

thanks.

Posted : 19/02/2006 5:35 am
youcefb9
(@youcefb9)
Junior Member

Hi jlloyd,
I would suggest that you try to install MSN6 on a test system, play with it and see what traces are left. Particularly look at the registry keys that are touched when the application is used. Each registry key has a modified time associated with it and this could help in answering when was the last time MSN was used.

Some of the registry keys you can look at are MRU list, UserAssist, OpenSaveMRU.

Even in cases where the application is uninstalled you still have a plethora of info you can dig from the registry.

Posted : 20/02/2006 4:20 am
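
As an added example (not part of the thread or any poster's code), the sketch below decodes one UserAssist `Count` value as Windows XP stores it, which is the kind of registry trace the last reply points to. It assumes the commonly documented XP layout (ROT13 value name; 16 bytes of data holding a session ID, a run counter that starts at 5, and a FILETIME of the last launch); the `msnmsgr.exe` path and all sample values are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # assumption: XP starts the UserAssist run counter at 5


def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse helper, used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_xp(value_name, data):
    """Decode one value from ...\\Explorer\\UserAssist\\{GUID}\\Count (XP)."""
    name = codecs.decode(value_name, "rot_13")  # names are ROT13-obfuscated
    if len(data) != 16:
        # Other sizes (e.g. session markers, later Windows versions)
        # do not follow this layout; report the name only.
        return {"name": name, "run_count": None, "last_run_utc": None}
    _session, count, ft = struct.unpack("<IIQ", data)
    return {
        "name": name,
        "run_count": max(count - XP_COUNT_OFFSET, 0),
        "last_run_utc": filetime_to_utc(ft) if ft else None,
    }


# Constructed sample: value name and data as they would be exported
# from a test system's NTUSER.DAT; not taken from any real case.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Cebtenz Svyrf\ZFA Zrffratre\zfazfte.rkr"
SAMPLE_LAST_RUN = datetime(2005, 11, 20, 19, 30, tzinfo=timezone.utc)
SAMPLE_DATA = struct.pack("<IIQ", 1, 12, utc_to_filetime(SAMPLE_LAST_RUN))

if __name__ == "__main__":
    entry = decode_userassist_xp(SAMPLE_NAME, SAMPLE_DATA)
    print(entry["name"])
    print("runs:", entry["run_count"], "last:", entry["last_run_utc"])
```

The decoded value gives only the most recent launch through the Explorer shell, so it can place one start time but not a full history of sessions or any shutdown time.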