My Road to Digital Forensics Excellence

Yahoo Messenger

Posted by Paul Bobby on November 4, 2008

I encountered my first case in which Yahoo Messenger became a factor. In my corporate environment, external chat mechanisms are disabled, and even with the large number of laptops deployed to employees, the installation and use of non-approved chat tools is prohibited. I discovered the use of Yahoo Messenger on the hard drive of a case I'm working, and wanted insight into the artifacts left behind.

The directory C:\Program Files\Yahoo Messenger had been deleted, but under Lost Files, Encase had placed a Profiles\<screenname> directory. If you recall, Lost Files contains those items that have no valid parent folder entry in the $MFT. The following folder tree was recoverable:


Under Profiles is a directory named after the ScreenName of the local user of the Messenger software. Under Archive\Messages is a series of directories, each named after the ScreenName of the remote party being chatted with. The fact that two folders called Archive are listed under the ScreenName is not a bug within Encase. Encase is actually very smart here: it accurately interprets the in-use flag in each MFT record header, so a deleted record and a live record carrying the same name are shown as separate folders rather than merged.

Inside each directory is a file named <date-screenname.dat>, for example 20080821-secureartisan.dat, which contains a log of the chat session between the local individual and the remote individual. This file has a fixed structure, can be parsed, and can ultimately reveal a complete conversation, including timestamps, between two people.

I wrote an Enscript to parse out these files, and the algorithm is based on a single post made by Tony Balzanto on the Guidance Software forums. These .dat files do not have a unique header, so a conventional file-signature search will not find them. Each message is obfuscated by XORing the cleartext with the local user's ScreenName, repeated as often as needed to cover the message; because XOR is its own inverse, applying the ScreenName again recovers the cleartext. The .dat file contains a series of records, each one with the following format:

  • 4 bytes – UNIX timestamp
  • 4 bytes – Type code
  • 4 bytes – User code
  • 4 bytes – Message length in bytes
  • x bytes – XOR’d message
  • 4 bytes – Terminator

Here is a sample header:


On July 17th, 2008 at 14:39:42 (displayed in whatever time zone the case is set to), a 464-byte message was received.
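The record walk described above, written out as an added Python example (this is not the author's EnScript and not Yahoo's code). It assumes the four header fields are little-endian 32-bit integers (the page shows the type code as 06 00 00 00), that the XOR key is the local user's ScreenName, the same name as the Profiles\<screenname> folder, and that the key restarts at its first character for every record. The sample archive is constructed inline with the hypothetical ScreenName secureartisan; the Sent/Recv labels follow the user-code mapping observed in the post.

```python
"""Parse Yahoo Messenger archive (.dat) records: added example, not the post's EnScript."""
import struct
from datetime import datetime, timezone

# Record layout from the post: timestamp, type code, user code, length (all 4 bytes),
# then the XOR'd message, then a 4-byte terminator. Little-endian is an assumption.
HEADER = struct.Struct("<IIII")
TERMINATOR = struct.Struct("<I")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against key repeated cyclically; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_archive(data: bytes, screenname: str) -> list:
    """Walk every record in an archive and return decoded message dictionaries."""
    key = screenname.encode("utf-8")  # assumption: key is the local ScreenName
    records = []
    off = 0
    while off + HEADER.size <= len(data):
        ts, type_code, user_code, length = HEADER.unpack_from(data, off)
        body_start = off + HEADER.size
        body_end = body_start + length
        if body_end + TERMINATOR.size > len(data):
            raise ValueError(f"truncated record at offset {off}")
        # assumption: key alignment restarts at byte 0 of every record
        text = xor_with_key(data[body_start:body_end], key)
        (term,) = TERMINATOR.unpack_from(data, body_end)
        records.append({
            "offset": off,
            # UNIX timestamp; the examiner applies the case time zone afterwards
            "time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "type_code": type_code,
            "user_code": user_code,
            # mapping the post reports from its samples: 0 = sent, 1 = received
            "direction": {0: "Sent", 1: "Recv"}.get(user_code, "Unknown"),
            "length": length,
            "message": text.decode("utf-8", errors="replace"),
            "terminator": term,
        })
        off = body_end + TERMINATOR.size
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after last record")
    return records


def build_record(ts: int, type_code: int, user_code: int, text: str,
                 screenname: str, terminator: int = 0) -> bytes:
    """Encode one record in the same layout; used only to construct sample input."""
    body = xor_with_key(text.encode("utf-8"), screenname.encode("utf-8"))
    return HEADER.pack(ts, type_code, user_code, len(body)) + body + TERMINATOR.pack(terminator)


# Constructed sample archive: two records for the hypothetical local user "secureartisan".
SCREENNAME = "secureartisan"
T0 = int(datetime(2008, 7, 17, 14, 39, 42, tzinfo=timezone.utc).timestamp())
SAMPLE = (
    build_record(T0, 6, 1, "hey, are you around?", SCREENNAME)
    + build_record(T0 + 17, 6, 0, "yes, what's up?", SCREENNAME)
)

if __name__ == "__main__":
    for r in parse_archive(SAMPLE, SCREENNAME):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} {r['direction']:4} {r['message']}")
```

Parsing with the wrong ScreenName still walks the records correctly, because the header fields are not obfuscated, but the message text comes out as garbage; a run of readable text across several records is the quickest confirmation that the key (and the little-endian assumption) is right.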

My Enscript can be found on the Guidance Software forum. I recently posted it requesting feedback from the community, and will create an EnPack version and post it to the EnScript repository at a later date.

There are a couple of things I would like to research further:

  1. What is the Type Code, and what values can it take?
  2. What other values can be found in the User Code (1 = Recv, 0 = Sent)?
  3. An approach to searching for deleted Yahoo Messenger logs in the unallocated space.

I have a few Yahoo Messenger logs, and in each case the Type code is (06 00 00 00) followed by a User code of either (00 00 00 00) or (01 00 00 00). But I have no idea if this is a high-fidelity indicator or not.

Another caveat is that the ScreenName must be known, since it is the XOR key. An approach to searching for deleted Messenger logs was posted by Lance Mueller in his blog. His theory was that you take a keyword and produce a list of possible search terms by XORing it with the ScreenName. For example, if you know the individual was involved in a murder, take the word 'murder' and XOR it with the ScreenName once for each possible starting letter in the ScreenName, giving one variant of 'murder' per key offset. Searching for that keyword list may let you identify Messenger fragments in unallocated space.
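The keyword-variant search sketched above, as an added Python example; it illustrates the idea the post attributes to Lance Mueller and is not his or the author's code. It assumes the key is the local ScreenName repeated cyclically and restarted at each message, so a keyword inside a message is XOR'd with the key starting at some unknown offset, and one variant per offset covers every possibility. The "unallocated" buffer, the message and the ScreenName secureartisan are constructed here; a hit also yields the key alignment, which lets you decode the bytes around it.

```python
"""Find XOR'd Yahoo Messenger fragments in unallocated space: added example."""


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against key repeated cyclically; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keyword_variants(keyword: str, screenname: str) -> dict:
    """Map key shift -> the keyword as it appears when XOR'd from that key position."""
    k = keyword.encode("utf-8")
    key = screenname.encode("utf-8")
    return {shift: xor_with_key(k, key[shift:] + key[:shift]) for shift in range(len(key))}


def search_unallocated(blob: bytes, keyword: str, screenname: str) -> list:
    """Return (offset, shift) for every occurrence of any variant in blob."""
    hits = []
    for shift, pattern in keyword_variants(keyword, screenname).items():
        pos = blob.find(pattern)
        while pos != -1:
            hits.append((pos, shift))
            pos = blob.find(pattern, pos + 1)
    return sorted(hits)


def decode_around(blob: bytes, pos: int, shift: int, screenname: str,
                  before: int, after: int) -> bytes:
    """Decode a window around a hit using the alignment the hit revealed.

    The key index at blob offset x is (shift + x - pos) mod len(key). This only
    holds inside the same message: each record restarts the key (assumption),
    so keep the window small and expect garbage past the message boundary.
    """
    key = screenname.encode("utf-8")
    n = len(key)
    start = max(0, pos - before)
    end = min(len(blob), pos + after)
    return bytes(blob[x] ^ key[(shift + x - pos) % n] for x in range(start, end))


# Constructed "unallocated" buffer: zero fill with one XOR'd message body at offset 512.
SCREENNAME = "secureartisan"
MSG = "about the murder weapon"
FRAGMENT_OFFSET = 512
UNALLOCATED = (
    bytes(FRAGMENT_OFFSET)
    + xor_with_key(MSG.encode("utf-8"), SCREENNAME.encode("utf-8"))
    + bytes(256)
)

if __name__ == "__main__":
    for shift, pattern in keyword_variants("murder", SCREENNAME).items():
        print(f"shift {shift:2}: {pattern.hex()}")
    for pos, shift in search_unallocated(UNALLOCATED, "murder", SCREENNAME):
        ctx = decode_around(UNALLOCATED, pos, shift, SCREENNAME, 10, 13)
        print(f"hit at offset {pos} (key shift {shift}): {ctx!r}")
```

The hex forms printed by the first loop are exactly what you would paste into a GREP or raw keyword list in EnCase; the number of variants equals the length of the ScreenName, so a long name costs more search terms but also makes accidental hits less likely.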

Any other approaches? I would welcome suggestions.

