
Viewing Windows Live message fragments in readable format

DrGunlove
(@drgunlove)

Hi,

Being a "Noob" in the world of computer forensics, I have many questions. One in particular relates to apparent Windows Live Messenger fragments which I have found languishing in Google chrome/user data/default/cache files.

Within this cache file are a number of other files named "history Index" and within one of these I have discovered various Facebook items, along with Windows Live Messenger fragments. I am particularly interested in these as they contain valuable evidence and email addresses of those involved in the messaging.

Can anyone tell me if there is any way to export these into a format that is easily legible? I know that they can be viewed in a notepad txt file but it is very messy.

Thanks in anticipation…

DrG 😯


   
Chris_Ed
(@chris_ed)
 

You have two issues here; the first is the fact it is embedded in Chrome History, the other is the conversion of the chat content.

For the Chrome History, it is an SQLite database - so you can download a free SQLite browser and have a look about yourself. The field you most likely want to look at is the "page_content" field, which stores a stripped version of the text in the visited web page.
Alternatively, if that sounds too in-depth, then you could use Chrome Forensics by Mark Woan, which is free. Link here.

With regard to Windows Live Messenger chat - it will normally either be in XML format (which is what it is natively stored in) or in HTML (which is what Messenger Plus! stores it in). Personally I find it surprising that these would appear in Chrome History, but there you go.

The HTML should be readable by exporting the chat content into a .html file. To view XML chat logs sensibly, the easiest method is to export it into a folder which contains the relevant stylesheet - in this case MessageLog.xsl. The chat logs will then be nicely formatted when you view them.


   
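
An added example, not part of the original posts: a small Python script that turns Messenger XML log fragments carved out of a cache or history file into a readable, time-ordered transcript and lists the e-mail addresses seen. The element and attribute names (`Message`, `From`, `To`, `User`/`FriendlyName`, `Text`, `DateTime`) are assumed to follow the Messenger XML log layout, and the sample data is constructed.

```python
import re
import xml.etree.ElementTree as ET

# A complete <Message> element that does not swallow the start of another one,
# so a truncated message cannot drag the next intact message down with it.
MESSAGE_RE = re.compile(r"<Message\b(?:(?!<Message\b).)*?</Message>", re.DOTALL)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def users(msg, side):
    names = [u.get("FriendlyName", "?") for u in msg.findall(f"{side}/User")]
    return ", ".join(names) or "?"

def parse_fragment(blob):
    """Return (messages, emails) recovered from raw text holding log fragments."""
    messages = []
    for match in MESSAGE_RE.finditer(blob):
        try:
            msg = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # damaged element: leave it for manual review
        messages.append((msg.get("DateTime", ""), users(msg, "From"),
                         users(msg, "To"), msg.findtext("Text", default="")))
    messages.sort()  # ISO 8601 DateTime strings sort chronologically
    # Addresses are taken from the whole blob, including truncated elements.
    return messages, sorted(set(EMAIL_RE.findall(blob)))

def render(messages):
    return "\n".join(f"[{when}] {src} -> {dst}: {text}"
                     for when, src, dst, text in messages)

# Constructed sample (not case data): two intact messages, one truncated
# message between them, and surrounding cache junk.
SAMPLE = (
    'junk..<Message DateTime="2011-02-01T10:16:30.000Z" SessionID="1">'
    '<From><User FriendlyName="Bob"/></From><To><User FriendlyName="alice@example.com"/></To>'
    '<Text Style="color:#000000;">ok &amp; thanks</Text></Message>'
    '<Message DateTime="2011-02-01T10:16:00.000Z"><From><User Friendly'
    '<Message DateTime="2011-02-01T10:15:00.000Z" SessionID="1">'
    '<From><User FriendlyName="alice@example.com"/></From><To><User FriendlyName="Bob"/></To>'
    '<Text>mail it to carol@example.org</Text></Message>..junk'
)

if __name__ == "__main__":
    msgs, emails = parse_fragment(SAMPLE)
    print(render(msgs))
    print("addresses:", ", ".join(emails))
```

Run it against a working copy of the exported text, never the original evidence file, and check any element it skips by hand.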
DrGunlove
(@drgunlove)

Chris,

Many thanks for that. I have used the SQLite browser and isolated the text that I needed! Brilliant and thank you.

There are indeed Windows Live Hotmail fragments along with Facebook excerpts contained within these files (History Index) when accessed through EnCase. Some very useful evidence (certainly in my current case).

Help much appreciated ta.

DrG


   
(@belkasoft)
 

If this is still relevant, Belkasoft Evidence Center can help you with MSN/Live Messenger and with Hotmail in RAM/hibernation/page files. You can try it for free at http://belkasoft.com.


   
(@sebastianorossi)
 

Really, we can try it for free? What are the limitations?
Thanks


   
(@belkasoft)

It works for 10 days and extracts no more than 20 messages per contact. If this is not enough for you, please contact support at belkasoft.com and we will try to help you.


   
(@abelsher)
 

Internet Evidence Finder is the leading product for data recovery and a free trial is available at www.jadsoftware.com.


   