Forensic recovery of MSN Instant Messages
#1
Scooby Regular
Thread Starter
Join Date: Aug 2000
Location: God's promised land
Posts: 80,907
Likes: 0
Received 0 Likes
on
0 Posts
Forensic recovery of MSN Instant Messages
Hi all,
Does anybody know with 100% certainty, whether a message sent on a home PC, running Home Vista if that's relevant, via MSN Instant Messenger to another private pc, with both computers set to "don't-save" chat logs, is forensically recoverable, using any means available? It was from about 6 months ago. There is no evidence that either pc was being externally monitored.
Many thanks.
Does anybody know with 100% certainty, whether a message sent on a home PC, running Home Vista if that's relevant, via MSN Instant Messenger to another private pc, with both computers set to "don't-save" chat logs, is forensically recoverable, using any means available? It was from about 6 months ago. There is no evidence that either pc was being externally monitored.
Many thanks.
#2
You can ask Burr on here as he deals with recovering things from hard drives / phones etc..
My played with computers for a long time and recovers lots of stuff for people opinion is 'no'.
Steve
My played with computers for a long time and recovers lots of stuff for people opinion is 'no'.
Steve
#4
Scooby Regular
Thread Starter
Join Date: Aug 2000
Location: God's promised land
Posts: 80,907
Likes: 0
Received 0 Likes
on
0 Posts
Cheers for that jura. Just wondered what the real world situation is, whether in reality all the methods outlined there do actually produce accurate results.
#5
Scooby Regular
iTrader: (1)
Join Date: Oct 2010
Location: Darlington
Posts: 500
Likes: 0
Received 0 Likes
on
0 Posts
There's no "100% certainty" answer without actually trying. If the block that stored the information has been overwritten several times, then probably not no, however you won't know whether it has or not until someone tries for you.
My guess would be "probably not" but that's all it is, a guess and you won't be able to get a "100% certainty" answer from anyone just replying to a forum post.
My guess would be "probably not" but that's all it is, a guess and you won't be able to get a "100% certainty" answer from anyone just replying to a forum post.
#6
Prehaps a quick refresher in File storage is required.
When you save a file on a computer, its saved on the hard drive in any location that available - due do space & file size.
A record of the file / name / size and start position on the disk is stored in a master data table.
When you load / delete or change the file, the file & the master data table are ammended.
if you dlete the file, rather than delete the whole file, the OS just deletes a a set of values from the master data table, effectivly allowing the OS to overwrite the residual data on the drive. (its quicker than individually deleting each block)
If i recall it used to be a hash value of C5 (it's been some time ) this value releates to the position of the bolck of data on the hard drive.
All the recovery stuff does, is change the hash value back to make the file / location visible, and from that they can recover the residual block of data
Over write the file with new data, and it becomes difficult.
However you cant always guarantee any files written over the top will completly fit the footprint the original file had
brings back the days of sector editors
Mart
When you save a file on a computer, its saved on the hard drive in any location that available - due do space & file size.
A record of the file / name / size and start position on the disk is stored in a master data table.
When you load / delete or change the file, the file & the master data table are ammended.
if you dlete the file, rather than delete the whole file, the OS just deletes a a set of values from the master data table, effectivly allowing the OS to overwrite the residual data on the drive. (its quicker than individually deleting each block)
If i recall it used to be a hash value of C5 (it's been some time ) this value releates to the position of the bolck of data on the hard drive.
All the recovery stuff does, is change the hash value back to make the file / location visible, and from that they can recover the residual block of data
Over write the file with new data, and it becomes difficult.
However you cant always guarantee any files written over the top will completly fit the footprint the original file had
brings back the days of sector editors
Mart
#7
Scooby Regular
the OP states that " both computers are set to "don't-save" chat logs" so is the data even persistent on the machine (written to disk), I would have thought not
Last edited by hodgy0_2; 16 November 2010 at 01:21 PM.
Trending Topics
#8
Scooby Regular
Thread Starter
Join Date: Aug 2000
Location: God's promised land
Posts: 80,907
Likes: 0
Received 0 Likes
on
0 Posts
Yes, no chat logs have ever been "deleted" on either computer - they were never saved in the first place. But does that mean they never hit the hard drive?
#9
I assume you know what you are looking for? If so you can do a sector-scan for that (hopefully unique) word.
Steve
#10
Scooby Regular
they might have been included in the system page file that writes temporary information to disk -- but this is cleared and recreated during a reboot and I doubt the information in the page file is "readable" anyway
I think the chances of recovery are very very small
most data recovery companies would tell you whether you have any hope over the phone, and most will even examine the disk for free and tell you what can be recovered.
I think the chances of recovery are very very small
most data recovery companies would tell you whether you have any hope over the phone, and most will even examine the disk for free and tell you what can be recovered.
#12
Scooby Regular
Just what I was thinking.
If in doubt and it's essential the data isn't found there's dban or even physical destruction, but that would be a last resort. Probs not necessary unless you're a secret agent.
If in doubt and it's essential the data isn't found there's dban or even physical destruction, but that would be a last resort. Probs not necessary unless you're a secret agent.
Last edited by GlesgaKiss; 17 November 2010 at 01:39 PM.
#13
Guest
Posts: n/a
On the local pc's I would say no as the conversation is set to not save. However theoretically it could be held on the messaging server at Microsoft's end however the reality of that is extremely unlikely due to their retention/privacy policies and the millions of users of the service. It would cost too much in storage for a start.
Last edited by Bravo2zero_sps; 17 November 2010 at 04:48 PM.
#14
Scooby Senior
Join Date: Feb 2000
Location: West Midlands
Posts: 5,763
Likes: 0
Received 0 Likes
on
0 Posts
Microsoft? Analyse MSN communications? Who would have thought?
Six degrees of separation in instant messaging
mb
Six degrees of separation in instant messaging
mb
#15
Scooby Regular
Thread Starter
Join Date: Aug 2000
Location: God's promised land
Posts: 80,907
Likes: 0
Received 0 Likes
on
0 Posts
Thanks for all the replies online and off. I think the group consensus is "extremely unlikely", but i'll update the thread as and when i have a definitive answer. Cheers.
Thread
Thread Starter
Forum
Replies
Last Post
alcazar
Computer & Technology Related
2
29 September 2015 07:18 PM