Regarding Yahoo Instant Messenger service.
My question is: Can one recover the deleted messenger archives, such that someone could read the content? This site has been very helpful but it wasn't clear to me whether the .dat files can be recovered if they had been deleted.
Thanks in advance!
Cindy
Deleted files don't just go away…the space they consume on the hard drive is simply made available. Imaging the drive will allow you to recover files that were previously deleted, or fragments of those files if they've been partially overwritten.
Tools like EnCase will even open some file fragments in any format you choose. For example, if you delete a .jpg image and some portions of the file are overwritten, you can tell EnCase explicitly to open the file as a .jpg image.
H. Carvey
"Windows Forensics and Incident Recovery"
Sorry to repeat what has been said and be the bearer of bad news, Cindy, but the deleted IM history archives will likely be easily readable. I had a similar case last week and was able to read old conversations from another IM provider going back over a year.
There is no chance that the computer was set up to regularly defragment the disk, as that can help, although not completely?
Also, is the PC owned explicitly by your husband? If you bought it, you could claim that he has stolen your property. I don't know how the law would deal with that in your state.
All the best
Nick
Thanks for all the advice. Now to create a new topic on who is a good divorce attorney with knowledge of computer forensic laws 🙂
Yahoo and MSN Instant messengers do not store any sessions by default. The user has to actively save such files as either text or xml files (depending on the software and version number). If the user does not 'save', then finding evidence of such communications is - as they say - 'non-trivial'.
Andy
Of course, Andy. However (if you have the possibility to use this other approach, or if it could be useful), I remember the existence of some software (sorry, I don't remember the name now) that logs MSN sessions in real time…
Bye
Don't think I've ever heard of that software. It might be something that uses Messenger services, or it might be possible to use some kind of packet capturing software, such as Ethereal, to sniff network traffic.
INFOSEC and real time forensics is not my forte, so I'm not much help.
Andy
Well, last year I saw on the CodeGuru site a program (with src) called MsnSpy... and (I haven't tried it yet) MSNTrackMonitor…
Bye
If you use EnCase, there is a script that recovers Yahoo .dat files, and if you are law enforcement there is a little utility called Yahoom that will decode and present them to you in a lovely clear format.
Yahoo and MSN Instant messengers do not store any sessions by default. The user has to actively save such files as either text or xml files (depending on the software and version number). If the user does not 'save', then finding evidence of such communications is - as they say - 'non-trivial'.
Andy
Negative 🙂
Yahoo stores sessions in its internal format. MSN stores them in XML.
Of course, if the proper setting is turned ON in the GUI.