Windows Live Messenger Forensics: Contact List Artefacts. Dennis Cortjens (dennis.cortjens@os3.nl)




29th of February, 2012

Contents

1 Document Information (page 2)
  1.1 Description
  1.2 Version History
2 Project Information (page 3)
  2.1 Introduction
  2.2 Problem
  2.3 Position
  2.4 Questions
    2.4.1 Main
    2.4.2 Sub
  2.5 Goal
  2.6 Scope
3 Planning (page 6)
  3.1 Activities
  3.2 Milestones
  3.3 Global Overview
4 Organization (page 8)
  4.1 Team
  4.2 Information

Chapter 1 Document Information

1.1 Description

This document is the project plan for the Windows Live Messenger Forensics: Contact List Artefacts project. This small project is part of the CyberCrime and Forensics subject of the System and Network Engineering course.

1.2 Version History

Version  Date                    Author       Comments                           Status
0.1      29th of February, 2012  D. Cortjens  first version of the Project Plan  draft

Table 1.1: Version History

Chapter 2 Project Information

2.1 Introduction

Microsoft's instant messaging service has been around for quite some time. It started in 1999 with the launch of MSN Messenger and was renamed to Windows Live Messenger in 2006. Nowadays it is still a widely used messaging service, especially among young people. It is a popular way of communicating with each other, even though instant messaging is being moved to cloud services such as Facebook.

The service and its application have changed a lot through the years. Many features have been added which leave behind artefacts. Not all features are turned on by default, however; saving chat history, for example, is off by default and therefore leaves nothing behind. There are nevertheless some artefacts left behind by default which are interesting from a forensic point of view and have become a useful source of information in criminal cases.

2.2 Problem

MSN Messenger and Windows Live Messenger save the user's contact list at every login. These contact lists are saved in the STG file format by MSN Messenger and the first versions of Windows Live Messenger, and in the EDB file format by the latest versions of Windows Live Messenger. Both file formats use encryption to secure the data within the file. Applications exist which are able to decrypt the files and export the data inside to a report: for STG files Forensic Box is often used, and for EDB files LiveContactsView.

These applications have their shortcomings. Forensic Box is old and is no longer maintained; there is no known developer or website. In older cases STG files are still found, despite Microsoft renaming the application and changing the file format six years ago. Investigating STG files with Forensic Box often results in an unknown error when opening the file, especially for files from the latest version of MSN Messenger. The latest version of LiveContactsView is from 2010 and there has not been an update since, although Windows Live Messenger has changed a lot over the last two years. A major disadvantage of LiveContactsView is that it does not list the e-mail address of the user in the report. This makes it very difficult to trace the user's e-mail address back to the EDB file and the associated report.

Both applications have the disadvantage of not being able to decrypt multiple files in a bulk process. This is a problem, because MSN Messenger and Windows Live Messenger save the contact list at every login, which means a lot of files. Investigating STG or EDB files is therefore a time-consuming task. Another issue with Windows Live Messenger is that it saves the EDB files in different subfolders. These folders can differ from /new/ to /old/, /old1/, /old2/ and so on, increasing the investigation time because the investigator has to browse through all of them. The world of digital forensics is in need of a complete and automated process for investigating the data inside EDB and STG files.

2.3 Position

A literature study on Windows Live Messenger artefacts resulted in two articles on SciVerse (Elsevier). In 2006 Mike Dickson researched the artefacts of MSN Messenger version 7.5. He found that this version of MSN Messenger left very few artefacts on the local computer and that some of them only appear in memory or in the Windows swap file [1]. He did not mention the presence of STG files on the local computer, although they were present in that version of MSN Messenger. In 2007 Wouter S. van Dongen researched the artefacts of Windows Live Messenger version 8.0. He found that this version of Windows Live Messenger left artefacts on the local computer that could give an overall picture of a user's activities, and he did mention the presence of STG files on the local computer [2]. These findings are outdated, because they describe old versions of MSN Messenger and Windows Live Messenger. However, they are a good basis and reference for this research.

2.4 Questions

2.4.1 Main

How could the forensic analysis of MSN Messenger and Windows Live Messenger contact list artefacts be improved, automated and logged to reduce the time needed to investigate these artefacts?

2.4.2 Sub

The main question is researched with the following subquestions:

1. Which artefacts are left behind by the latest version of Windows Live Messenger?
2. What are the locations of the contact list artefacts?
3. What are the characteristics of the contact list artefacts?
4. What is the forensic value of these characteristics?
5. Can the forensic analysis of the contact list artefacts be automated?

2.5 Goal

The goals are set by the subquestions:

Which artefacts are left behind by the latest version of Windows Live Messenger?
Determine which artefacts are left behind by the latest version of Windows Live Messenger by testing it against the work of Van Dongen and by researching the application itself.

What are the locations of the contact list artefacts?
Determine the possible locations of the contact list artefacts.

What are the characteristics of the contact list artefacts?
Determine the characteristics of the contact list artefacts, including their content.

What is the forensic value of these characteristics?
Determine the forensic value and validity of the contact list artefacts.

Can the forensic analysis of the contact list artefacts be automated?
Determine whether or not it is possible to automate the contact list artefact analysis by creating an analysis tool. This tool should be able to decrypt a contact list file in every location, process its content and log all the steps of the analysis.

2.6 Scope

This project is limited by the following scope:

- It focuses on the contact list artefacts of the latest version of Windows Live Messenger;
- It focuses on the forensic value and validity of the artefact files;
- The analysis tool will be written in Python and will be command line based;
- All other artefacts are researched only at a basic level if there is enough time for it, or will be mentioned as further work.
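The problem statement in section 2.2 and the tool goal in section 2.5 ask for a tool that finds contact list files in every location (the /new/, /old/, /old1/, /old2/ ... subfolders), processes them in bulk and logs each step. The Python script below is an added example written for this page, not the project's own tool. It covers the locating and logging stages that precede any decryption and stops there, since the plan does not describe the file encryption. It assumes the contact list files carry the extensions .edb and .stg (an assumption, the plan only names the formats), builds a constructed sample folder tree in a temporary directory, records a SHA-256 hash and modification time for every file found, and flags files with identical content, which matters because the application writes a contact list at every login and many of those files will be byte-for-byte duplicates.

```python
"""Locate MSN Messenger / Windows Live Messenger contact list files (STG and EDB)
scattered over new/, old/, old1/, old2/ ... subfolders, hash them and log every
step. Added example for this page, not the project's tool; extensions .edb/.stg
and the sample tree are assumptions."""
import hashlib
import logging
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

log = logging.getLogger("contactlist-triage")

# Subfolder names named in the project plan: new, old, old1, old2, ...
SUBFOLDER_RE = re.compile(r"^(new|old\d*)$", re.IGNORECASE)
# Assumed file extensions for the two contact list formats.
EXTENSIONS = {".edb", ".stg"}


@dataclass(frozen=True)
class ContactListFile:
    path: str
    fmt: str           # "EDB" or "STG", taken from the extension
    subfolder: str     # new / old / old1 ...
    size: int
    sha256: str
    modified_utc: str  # file mtime, ISO 8601 in UTC


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_contact_list_files(root: str) -> list[ContactListFile]:
    """Walk root, keep only .edb/.stg files inside new/old/oldN folders, log each hit."""
    found = []
    log.info("scanning %s", root)
    for dirpath, _dirnames, filenames in os.walk(root):
        sub = os.path.basename(dirpath)
        if not SUBFOLDER_RE.match(sub):
            continue  # not one of the contact list subfolders
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXTENSIONS:
                log.debug("skip %s (extension %s)", name, ext)
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rec = ContactListFile(
                path=full, fmt=ext[1:].upper(), subfolder=sub.lower(), size=st.st_size,
                sha256=sha256_of(full),
                modified_utc=datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            )
            log.info("found %s in %s: %s sha256=%s", rec.fmt, rec.subfolder, full, rec.sha256)
            found.append(rec)
    found.sort(key=lambda r: (r.fmt, r.subfolder, r.path))  # deterministic report order
    log.info("%d contact list file(s) located", len(found))
    return found


def duplicate_hashes(records: list[ContactListFile]) -> set[str]:
    """Hashes seen more than once: identical files only need to be decrypted once."""
    seen, dupes = set(), set()
    for r in records:
        (dupes if r.sha256 in seen else seen).add(r.sha256)
    return dupes


def build_sample_tree(root: str) -> None:
    """Constructed sample layout (not real artefacts) mirroring the new/old/old1 scheme."""
    layout = {
        "profile/new/contacts.edb": b"EDB-sample-1",
        "profile/old/contacts.edb": b"EDB-sample-2",
        "profile/old1/contacts.edb": b"EDB-sample-2",        # same content as old/
        "legacy/new/contacts.stg": b"STG-sample",
        "profile/new/notes.txt": b"not a contact list",       # wrong extension
        "profile/cache/contacts.edb": b"outside the scheme",  # wrong subfolder
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo_scan() -> list[ContactListFile]:
    """Build the sample tree in a temp dir, scan it, clean up, return the records."""
    tmp = tempfile.mkdtemp(prefix="wlm-triage-")
    try:
        build_sample_tree(tmp)
        return find_contact_list_files(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    records = demo_scan()
    dupes = duplicate_hashes(records)
    for rec in records:
        flag = " (duplicate content)" if rec.sha256 in dupes else ""
        print(f"{rec.fmt} {rec.subfolder:<5} {rec.size:>6} B {rec.sha256[:12]} {rec.path}{flag}")
```

Running the script prints four records (three EDB files and one STG file), marks the old/ and old1/ copies as duplicate content, and leaves the .txt file and the file under cache/ out of the report. The regular expression is the only place the folder naming scheme lives, so extending it to other folder names the research turns up is a one-line change; the logging calls are what give the investigator the audit trail of every file considered.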

Chapter 3 Planning

3.1 Activities

The following activities are defined:

Activity                        Time       Deadline
Write plan DRAFT                8 hours    29/02/2012
Write plan FINAL                4 hours    02/03/2012
Literature study                8 hours    02/03/2012
General artefact research       8 hours    07/03/2012
Contact list artefact research  12 hours   14/03/2012
Build analysis tool             16 hours   21/03/2012
Test analysis tool              4 hours    23/03/2012
Create presentation DRAFT       8 hours    23/03/2012
Create presentation FINAL       4 hours    26/03/2012
Write report DRAFT              20 hours   28/03/2012
Write report FINAL              8 hours    30/03/2012
Total                           100 hours  30/03/2012

Table 3.1: Activities

3.2 Milestones

The following milestones are defined:

Milestone                                   Deadline
Plan is written (FINAL)                     02/03/2012
Contact list artefact research is completed 14/03/2012
Analysis tool is built                      21/03/2012
Presentation is created (FINAL)             26/03/2012
Report is written (FINAL)                   30/03/2012

Table 3.2: Milestones

3.3 Global Overview

[Figure 3.1: Gantt Chart (image not reproduced in the text)]

Chapter 4 Organization

4.1 Team

Name         Role                 Skills
D. Cortjens  student/researcher   Project Managing, Forensics and Programming

Table 4.1: Team

4.2 Information

The project documents and files will be held in a Git repository. The Git repository is stored on the server 145.100.105.82 and has a specific folder structure as shown in table 4.2.

Folder     Subfolders  Description
documents  literature  The subfolder with all the literature used for researching the project's subject.
           plan        The subfolder with all the source files and the latest PDF file for the project plan.
           report      The subfolder with all the source files and the latest PDF file for the project report.
tool       -           The folder and possible subfolders with the source files for the analysis tool.

Table 4.2: Folder Structure

Bibliography

[1] Mike Dickson, An examination into MSN Messenger 7.5 contact identification, 2006.
[2] Wouter S. van Dongen, Forensic artefacts left by Windows Live Messenger 8.0, 2007.