In a case I need to know when the suspect added a person as a WLM contact. Using NirSoft's LiveContactsView I can find this person in the suspect's contacts. There is a last modified timestamp and I need to know what this date means. It doesn't seem to be the date the contact was added or when the contact changed his personal data.
I am not experienced at all in WLM artefacts but your question interested me, so I messed about a little and the following represent mere thoughts, rather than categoric knowledge:
I *guess* the fact that LiveContactsView does not extract the timestamp of interest is that it perhaps does not exist in contacts.edb (WLM2009 - which I presume is the WLM version you are investigating given your use of LiveContactsView). Although, given that timestamps can be extracted from the previous version of WLM (see below) it may be worth manually reviewing the unencrypted contents of the edb file for yourself.
For WLM2008, contact records are stored in MEMBERS.STG and there is an EnScript which I believe can decrypt the records called WLM Contact Data Reader. The output of this serves up a couple of timestamps - ChangeNumber and ServicelastChanged. I cannot claim to know what these represent but as they are stored at a 'contact' level, they are worth investigating further.
If the contact has a display picture, it is stored as a dt2 file in <WLM Application Data path>\<WLM account name>\ObjectStore\UserTile - timestamps associated with this dt2 file may offer some (partial) insight?? The first part of the file name is a base64-encoded SHA1 value of the file and this can be correlated with the UTL registry value.
You may also find profile pics for individuals spoken to in Docs&Setts\<profile>\Local Setts\Temp\MessengerCache with associated timestamps.
And that's where I ran dry... may provoke some thoughts, may be useless?
Good luck.
I don't know the answer as I have found conflicting results so far in looking at this issue. What I can suggest is that you use Mark Woan's EseDbViewer to examine the contacts.edb; you will get a clearer view of the information available. Clearer in that you will see the information but not in the sense it will give you the answer!! Experimentation is the key there.
H
Harry, Fab4 thank you very much for your help.
To investigate the contact pictures was a good tip, which I didn't consider before. In this case the contact did not use a contact picture (UserTile), so this doesn't get me anywhere.
I examined the contact.edb with EseDbViewer. The dates belonging to the particular contact don't make any sense. I will give up at this point, it's not THAT important. There are a lot of other cases waiting 😉 So, thanks again, keep up the good work.
There is a program called Forensic Box. As far as I'm aware, it decrypts the members.stg file and should show you a date when a user was added.
I read about Forensic Box in this article
WLM 2009 doesn't seem to use members.stg anymore.
Thank you.