Instant Messaging

Instant communications today encompass both traditional chat services such as IRC (Internet Relay Chat) and dedicated instant messaging clients such as AOL Instant Messenger (AIM) and Microsoft Messenger. Forensic analysis of instant messaging is threefold: identifying the handles/profiles of an individual user, identifying chat partners, and viewing chat logs.

Instant messaging is client-server based; therefore, chat-related information is present both locally on the client and on the server. Server-based information may not be readily available and may require a subpoena to the host of the service, but client information stored locally is generally available. Additionally, if instant messaging abuse is suspected, network sniffing and/or review of IM proxy logs (if a proxy is in place) can be fruitful.

Forensic information on the most common instant communication technologies is detailed in the rest of this chapter. Many additional clients exist, both for general use (for example, Trillian) and for intra/inter-company use (for example, Sametime); the coverage here is limited to the most commonly found clients.

Warning 

When conducting an Instant Messenger investigation, be careful not to boot a restored image while it is connected to the network. If the suspect is logged in to an IM session elsewhere, he will likely receive a notification when the forensic copy tries to log in.

AOL Instant Messenger

AOL Instant Messenger (AIM) was one of the first dedicated instant messaging services and is still one of the most popular. Provided to AOL subscribers and non-subscribers alike, AIM allows Internet-based chatting and stores information on both the client and the server.

AIM works off of screen names, unique identifiers specific to an individual. Screen names used on a given machine can be found in the registry at HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\SCREENNAME.

Additionally, each screen name has a subdirectory under C:\Documents and Settings\USERNAME\Application Data\Aim\.

Associated with each screen name is an individual password, stored under Login\Password beneath the screen name's registry key. Prior to version 5, AIM stored passwords in an easily deciphered form; a free utility to decipher them is available from Digital Detectives. Passwords stored by 5.x and later versions had not been deciphered as of the time of this writing.

Individual identification information (the profile) for a screen name can be obtained from a separate AIM client by selecting Buddy Info. This also allows the investigator to search for other information or other screen names associated with an individual. The profile details are stored in an HTML file named info.htm under the screen name subdirectory.

Individuals with whom the suspect corresponds frequently are organized into a Buddy List. The Buddy List can have numerous categories and subcategories, and is stored both on the AOL server and locally in the userinfo.bag file for each screen name. Buddies are organized under groups; in the following example the groups are Co-Workers and File-Sharing-Friends. By looking up the Buddy Info for the listed screen names, information on the individuals may be found. Running strings on the file and searching for words returns:

    C:\Tools\> strings userinfo.bag | grep -e "\w*"
    AOL Feedbag 1.1
    Buddies
    File-Sharing-Friends
    CIThief
    Istealsecrets
    Co-Workers
    Bobfromaccounting
    maryalice

A secondary source of screen names, those that were looked up on the subject machine and those engaged in a conversation, is the registry, under the Recent ScreenNames and Recent IM ScreenNames subkeys (respectively) of the main AOL key noted previously. The highest listed number is the most recently used.

AIM does not store logs of chats by default; however, main memory and the pagefile may contain this information. A simple grep for the screen names found in the Buddy List may turn up more screen names and/or chat session details. The hibernation file and pagefile are both good starting points to search.

Information on visited URLs can be found in the urlcache subdirectory under the screen name. The directory contains TMP files that are actually other file types; Quickview or another program that reads file headers can be used to view the images, HTML, and other content in these files. Additionally, the urlcache.dat file contains meta-information on the contents of the directory. The strings command returns the names of the files, their remote creation times, their last update times (local, in GMT), and the actual content type. Here is a sample urlcache.dat file:

    C:\Tools\> strings urlcache.dat
    AIM URL Cache
    {403d93ea-a7f1-11d2-ad33-00104b5f8cd8}
    C:\Documents and Settings\Admin\Application Data\Aim\MyScreenName\urlcache\aim256.tmp:
    http://cdn-aimtoday.aol.com/aimtoday_buddyicons/lovedont_1
    Wed, 10 Dec 2003 14:10:17 GMT
    Tue, 17 Feb 2004 18:57:00 GMT]
    image/gif
    C:\Documents and Settings\Admin\Application Data\Aim\MyScreenName\urlcache\aim255.tmp6
    http://cdn-aimtoday.aol.com/aimtoday_buddyicons/jayz_1
    Wed, 19 Nov 2003 20:14:23 GMT
    Tue, 17 Feb 2004 18:57:22 GMT%
    image/gif
    C:\Documents and Settings\Admin\Application Data\Aim\MyScreenName\urlcache\aim254.tmp7
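The strings output above is enough to build a small timeline of what the suspect's client fetched and when. The following parser is an added example, not code from the book or from AOL: it works on the text that strings prints, not on the raw binary, and assumes each cache entry is emitted in the order seen above (local TMP path, source URL, remote creation time, local last-update time in GMT, MIME type). strings can glue a stray length byte onto the end of a line (the ":" and "6" above), so each field is matched with an anchored regex rather than taken verbatim. The sample input is the chapter's output reproduced as constructed test data, including the truncated final entry.

```python
"""Turn `strings urlcache.dat` output from an AIM profile into timeline records.

Added example (not from the book or from AOL). Assumes the per-entry order:
local TMP path, URL, remote creation time, local last-update time, MIME type.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample: the chapter's strings output, one string per line as the
# tool emits it. The last entry is cut off, exactly as it is in the chapter.
SAMPLE_STRINGS = r"""AIM URL Cache
{403d93ea-a7f1-11d2-ad33-00104b5f8cd8}
C:\Documents and Settings\Admin\Application Data\Aim\MyScreenName\urlcache\aim256.tmp:
http://cdn-aimtoday.aol.com/aimtoday_buddyicons/lovedont_1
Wed, 10 Dec 2003 14:10:17 GMT
Tue, 17 Feb 2004 18:57:00 GMT]
image/gif
C:\Documents and Settings\Admin\Application Data\Aim\MyScreenName\urlcache\aim255.tmp6
http://cdn-aimtoday.aol.com/aimtoday_buddyicons/jayz_1
Wed, 19 Nov 2003 20:14:23 GMT
Tue, 17 Feb 2004 18:57:22 GMT%
image/gif
C:\Documents and Settings\Admin\Application Data\Aim\MyScreenName\urlcache\aim254.tmp7
"""

PATH_RE = re.compile(r"^([A-Za-z]:\\.*?\.tmp)")   # drive-letter path, stop at .tmp, drop glued bytes
URL_RE = re.compile(r"^(https?://\S+)")
DATE_RE = re.compile(r"^([A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT)")
MIME_RE = re.compile(r"^([a-z]+/[A-Za-z0-9.+-]+)")


@dataclass
class CacheEntry:
    local_path: str
    url: Optional[str] = None
    remote_created: Optional[datetime] = None   # server-side timestamp of the object
    local_updated: Optional[datetime] = None    # when this client last refreshed it (GMT)
    content_type: Optional[str] = None

    @property
    def complete(self) -> bool:
        return None not in (self.url, self.remote_created, self.local_updated, self.content_type)


def parse_urlcache_strings(text: str) -> List[CacheEntry]:
    """One pass over the strings output: a path line opens a new entry and the
    following URL, two dates and MIME type are attached to it in order."""
    entries: List[CacheEntry] = []
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            entries.append(CacheEntry(local_path=m.group(1)))
            continue
        if not entries:
            continue                      # header strings before the first path
        cur = entries[-1]
        if (m := URL_RE.match(line)) and cur.url is None:
            cur.url = m.group(1)
        elif (m := DATE_RE.match(line)):
            ts = parsedate_to_datetime(m.group(1))   # tz-aware UTC datetime
            if cur.remote_created is None:
                cur.remote_created = ts
            elif cur.local_updated is None:
                cur.local_updated = ts
        elif (m := MIME_RE.match(line)) and cur.content_type is None:
            cur.content_type = m.group(1)
    return entries


def timeline(entries: List[CacheEntry]) -> List[str]:
    """Chronological report by local update time. Incomplete entries are listed
    last and flagged for manual review instead of being silently dropped."""
    done = sorted((e for e in entries if e.complete), key=lambda e: e.local_updated)
    rows = [f"{e.local_updated:%Y-%m-%d %H:%M:%S} GMT  {e.content_type:<10} {e.url}  <- {e.local_path}"
            for e in done]
    rows += [f"INCOMPLETE  {e.local_path}" for e in entries if not e.complete]
    return rows


if __name__ == "__main__":
    for row in timeline(parse_urlcache_strings(SAMPLE_STRINGS)):
        print(row)
```

Run it against the saved output of strings on the real urlcache.dat; the "INCOMPLETE" rows tell you which TMP files still need to be opened by hand with a header-aware viewer.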

Finally, AIM enables users to share and receive files over the network. By default, these files are stored locally under C:\Documents and Settings\USERNAME\My Documents\filelib\SCREENNAME\ (the file library shared with others) and C:\Documents and Settings\USERNAME\My Documents\download\SCREENNAME\ (files received). Files in these directories may indicate what the suspect downloaded and/or made available for upload. The directories can be changed via the Xfer/DirFileLib and Xfer/DirDownload subkeys of the main AOL key.

Microsoft Messenger

Microsoft (MSN) Messenger comes integrated with later versions of Windows. It is installed by default but requires the user to sign in with a valid account. The product performs similar functions to AOL Instant Messenger and, from an investigative standpoint, is primarily registry-based. The main registry key is HKCU\Software\Microsoft\MessengerService\ListCache\.Net Messenger Service.

MSN Messenger is based on an individual identity. The identity is the handle or alias the end user presents when logging in, as well as the name shown to others. The last identity to log in is stored under the IdentityName subkey of the main MSN Messenger key; when a new identity logs in, the old identity's information is overwritten by the new identity's. As with other IM passwords, the MSN password can be decrypted with the appropriate program; the latest version can be decrypted with the Elcomsoft Advanced Instant Messenger Password Recovery program.

IM correspondents are stored in the registry as well, in one of four lists:

  • Contact. These are the actual contacts, the individuals whom the suspect has added to her list of correspondents and whose online and offline status she can view.

  • Allow. These are the contacts that are explicitly permitted to view the online/offline status of the suspect's account and to send messages to the suspect.

  • Block. These are the contacts that are explicitly blocked from sending the suspect messages or viewing her online/offline status.

  • Reverse. These are individuals who have added the suspect to their own Contact lists.

Correspondent names are stored in keys named LISTNAME# (for example, Contact0), where LISTNAME is one of the four preceding lists and # is a number starting at zero that is incremented by one for each entry. The value of each key contains the email address of the contact, the alias of the contact, and, as the final digit(s), the number of the group the individual belongs to (if any).

As noted previously, individuals can be placed into user-created groups. The groups are listed under keys labeled group#, where # starts at 0 and is incremented by one for each group; this number is what the preceding contact entries use to indicate group membership. The value of each group key is the name of the group.
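The four lists are most useful when cross-referenced: contacts resolved to their group names, and people in Reverse who are absent from Contact (they added the suspect, who never added them back). The following is an added example, not code from the book or from Microsoft. It takes the exported ListCache entries as a plain dict (here constructed, reusing the chapter's fictitious buddy names, so it runs off the suspect machine) rather than reading the live hive. The entry names follow the chapter (Contact0, group0, ...); the layout of the entry data is an assumption made for the example ("email alias groupnumber", whitespace separated) and must be checked against the real values in regedit before the regex is trusted.

```python
"""Rebuild MSN Messenger contact lists from exported ListCache entries.

Added example (not from the book or from Microsoft). ASSUMPTION: entry data is
whitespace separated as "<email> <alias words> [<group number>]"; verify the
real layout in regedit and adjust ENTRY_RE before relying on the output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

LIST_NAMES = ("Contact", "Allow", "Block", "Reverse")
NAME_RE = re.compile(r"^(Contact|Allow|Block|Reverse|group)(\d+)$")
# Assumed data layout; alias is lazy so a trailing number is taken as the group.
ENTRY_RE = re.compile(r"^(?P<email>\S+@\S+)\s+(?P<alias>.*?)(?:\s+(?P<group>\d+))?$")

# Constructed sample export. Names reuse the chapter's fictitious buddy list.
SAMPLE_ENTRIES = {
    "group0": "Co-Workers",
    "group1": "File-Sharing-Friends",
    "Contact0": "bobfromaccounting@hotmail.com Bob 0",
    "Contact1": "maryalice@hotmail.com Mary Alice 0",
    "Contact2": "cithief@hotmail.com CI Thief 1",
    "Allow0": "bobfromaccounting@hotmail.com Bob",
    "Allow1": "maryalice@hotmail.com Mary Alice",
    "Allow2": "cithief@hotmail.com CI Thief",
    "Block0": "istealsecrets@hotmail.com Secrets",
    "Reverse0": "bobfromaccounting@hotmail.com Bob",
    "Reverse1": "istealsecrets@hotmail.com Secrets",
    "Reverse2": "recruiter@competitor.example Head Hunter",
}


@dataclass
class Entry:
    list_name: str
    index: int
    email: str
    alias: str
    group: Optional[str]    # resolved group name, None if ungrouped or not applicable


def parse_lists(entries: Dict[str, str]) -> Dict[str, List[Entry]]:
    """Resolve group# names first, then attach them to LISTNAME# entries."""
    groups: Dict[int, str] = {}
    pending = []
    for name, data in entries.items():
        m = NAME_RE.match(name)
        if not m:
            continue                              # IdentityName etc. are not list entries
        kind, idx = m.group(1), int(m.group(2))
        if kind == "group":
            groups[idx] = data
        else:
            pending.append((kind, idx, data))

    lists: Dict[str, List[Entry]] = {k: [] for k in LIST_NAMES}
    for kind, idx, data in pending:
        em = ENTRY_RE.match(data)
        if not em:
            continue                              # unexpected layout: review by hand, do not guess
        gnum = em.group("group")
        group = groups.get(int(gnum)) if gnum is not None else None
        lists[kind].append(Entry(kind, idx, em.group("email").lower(), em.group("alias"), group))
    for k in lists:
        lists[k].sort(key=lambda e: e.index)      # export order is not guaranteed to be numeric
    return lists


def reverse_only(lists: Dict[str, List[Entry]]) -> List[Entry]:
    """People who added the suspect but were never added back."""
    known = {e.email for e in lists["Contact"]}
    return [e for e in lists["Reverse"] if e.email not in known]


def by_group(lists: Dict[str, List[Entry]]) -> Dict[str, List[str]]:
    """Contact emails keyed by the group name the suspect filed them under."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in lists["Contact"]:
        out[e.group or "(ungrouped)"].append(e.email)
    return dict(out)


if __name__ == "__main__":
    lists = parse_lists(SAMPLE_ENTRIES)
    for grp, emails in by_group(lists).items():
        print(f"{grp}: {', '.join(emails)}")
    print("Blocked:", [e.email for e in lists["Block"]])
    print("Added the suspect, not added back:", [e.email for e in reverse_only(lists)])
```

Blocked entries that also appear in Reverse, as in the sample, are worth a second look: the other party could see the suspect but the suspect chose to cut them off.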

Like AIM, MSN Messenger does not store logs of chats by default; however, main memory and the pagefile may contain this information. A simple grep for the names found in the contact lists may turn up more names or chat session details. The hibernation file and pagefile are both good starting points to search. Additionally, a grep for Session Start.+Session Close may turn up evidence of full MSN Messenger chat sessions.
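Two things bite when the Session Start/Session Close grep is run literally against a pagefile or memory dump: grep matches within a single line, while a chat session spans many lines, and Windows keeps much of its in-memory text as UTF-16LE (each character followed by a zero byte), which an ASCII grep never sees. The carver below is an added example, not code from the book, covering both this paragraph's session search and the contact-name search above it for AIM and MSN alike. The session markers are the ones the chapter names; the exact marker text a given client version leaves in memory is an assumption to confirm against a known-good sample. The dump is constructed inline (junk bytes around one ASCII session and one UTF-16LE session, using the chapter's fictitious screen names).

```python
"""Carve IM chat sessions and contact names from a raw memory dump or pagefile.

Added example (not from the book). Searches both ASCII and UTF-16LE, across
newlines. ASSUMPTION: the client writes the literal markers "Session Start"
and "Session Close"; confirm against a known-good log for the version in hand.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

START_MARKER = "Session Start"
CLOSE_MARKER = "Session Close"
MAX_SESSION_BYTES = 64 * 1024   # bounds the lazy match so one stray marker cannot swallow the dump


def _utf16le(s: str) -> bytes:
    """Byte pattern Windows uses for wide strings: each ASCII char followed by 0x00."""
    return s.encode("utf-16-le")


@dataclass
class Session:
    offset: int        # byte offset of the match in the dump
    encoding: str      # "ascii" or "utf-16-le"
    text: str          # decoded text from the start marker through the close marker


def _session_regex(encoding: str):
    if encoding == "ascii":
        start, close = START_MARKER.encode(), CLOSE_MARKER.encode()
    else:
        start, close = _utf16le(START_MARKER), _utf16le(CLOSE_MARKER)
    # re.S lets '.' cross line breaks; the lazy quantifier stops at the first close marker.
    body = b".{0," + str(MAX_SESSION_BYTES).encode() + b"}?"
    return re.compile(re.escape(start) + body + re.escape(close), re.S)


def carve_sessions(dump: bytes) -> List[Session]:
    """All Session Start ... Session Close spans in either encoding, by offset."""
    found: List[Session] = []
    for enc in ("ascii", "utf-16-le"):
        for m in _session_regex(enc).finditer(dump):
            found.append(Session(m.start(), enc, m.group(0).decode(enc, errors="replace")))
    return sorted(found, key=lambda s: s.offset)


def find_names(dump: bytes, names: Sequence[str]) -> Dict[str, List[int]]:
    """Offsets of each screen/contact name in either encoding, case-insensitive."""
    hits: Dict[str, List[int]] = {}
    for name in names:
        offsets: List[int] = []
        for pat in (re.escape(name.encode()), re.escape(_utf16le(name))):
            offsets += [m.start() for m in re.finditer(pat, dump, re.I)]
        hits[name] = sorted(offsets)
    return hits


# Constructed sample dump: junk, an ASCII session, slack, a UTF-16LE session, padding.
_ASCII_SESSION = (
    b"Session Start (bobfromaccounting:maryalice): Tue Feb 17 13:57:00 2004\r\n"
    b"[13:57] bobfromaccounting: did you move the spreadsheet?\r\n"
    b"[13:58] maryalice: yes, it is on the share now\r\n"
    b"Session Close (maryalice): Tue Feb 17 14:02:11 2004\r\n"
)
_WIDE_SESSION = (
    "Session Start (CIThief:Istealsecrets): Wed Feb 18 09:12:40 2004\r\n"
    "[09:12] CIThief: send me the customer list tonight\r\n"
    "[09:13] Istealsecrets: ok\r\n"
    "Session Close (CIThief): Wed Feb 18 09:15:02 2004\r\n"
).encode("utf-16-le")
SAMPLE_DUMP = (b"\x00\x8b\x91junk" * 32 + _ASCII_SESSION
               + b"\xff\x00\x11pagefile slack " * 64 + _WIDE_SESSION + b"\x00" * 128)


if __name__ == "__main__":
    for s in carve_sessions(SAMPLE_DUMP):
        print(f"offset 0x{s.offset:x} [{s.encoding}]\n{s.text}\n")
    print(find_names(SAMPLE_DUMP, ["maryalice", "CIThief", "nobody"]))
```

On a real pagefile.sys or hiberfil.sys, read the file in binary mode and pass the bytes straight in; the offsets let you return to the surrounding memory with a hex viewer for context the regex did not capture.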

As with AIM, Microsoft Messenger permits sending and receiving files through the client. By default, downloaded files are stored in the My Received Files folder in the suspect's My Documents folder. The configured location of received files is under the registry subkey HKCU\Software\Microsoft\MessengerService\FTReceiveFolder.


Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel