Recovery of Artefacts from MSN and Windows Live Messenger Conversations

Computer Forensics Miscellany

MSN and Windows Live Messenger Conversations

MSN Messenger and its later incarnation Windows Live Messenger are one of many Instant Messenger programs. Their primary use is to communicate in real time with known contacts by typing messages and sending them to each other.

One of the most frequent requests to a forensic investigator is for any evidence of “chat logs” or any instant messaging conversations.

The purpose of this paper is to assist the forensic examiner to investigate all possible opportunities to recover evidence of instant message conversations from MSN Messenger and Windows Live Messenger.

MSN and Windows Live Messenger Artefacts of Conversations

This is the  Enscript mentioned in the document, its purpose is  to search and recover fragments from MSN protocol messages. This has been written by a colleague Paul Tew.

MSN Text Fragments Finder Enscript

This is a basic program that will convert the Passport address into the folder numbers used by the Messenger programs.

MSNFoldersSetup.zip