While examining a suspect machine I noted a large number of deleted dat files which appeared to relate to the use of Windows Live! Messenger. The files contained unencrypted text which looked like MSN Protocol commands. The files had a naming convention which followed "1234567890_12345678901234567890.dat". The first ten digits were a Unix numeric date/time stamp which matched the Created Date of the files, and where I was able to recover a chatlog which contained the same phrases as those held in file text beginning "MSG" it also matched the time of the message as recorded in the chat log.
Very useful as this has proven, I cannot identify what has caused the creation of these dat files. We are not aware of any version of WLM which stores these dat files (66000 recovered files from less than a month of usage) and the suspect helpfully deleted and reinstalled all his software (and his Windows account) when he realised he was under suspicion.
Can anyone satisfy my curiosity, please?