Shared by: jianghongl (posted 1/7/2012; 77 pages)
Internet Forensics

7. Yahoo Instant Messenger

Items of Interest

• Registry keys
  – What and where
• Distinguish between different kinds of Registry evidence
  – Some are global and apply to all users (every Yahoo screen name used from that Windows account, since the keys live in that account's NTUSER.DAT hive)
  – Some are user-specific (kept under a per-screen-name profile key)
• File structures
  – What and where

Registry – Global Items

• Registry keys track who logs in
  – Successful logins generate a dozen or more sub-keys under the screen name
  – Unsuccessful attempts generate fewer sub-keys
• Unsuccessful attempts also create a key with the screen name
  – Includes misspelled screen names, so a profile key on its own shows that a name was typed into the client, not that the account exists or that the login succeeded

Registry – Global Items

Login information found at:
NTUSER.DAT\Software\Yahoo\Pager\profiles\profilename

Screenshot callouts: Flubbyfingers has only three sub-keys, therefore an unsuccessful login; Spazzyja007 has many more, therefore a successful login

Registry – Global Items

• The Alerts key shows the number of login tries
  – Successful or not


Registry – Global Items

• The IMVironments key indicates client-wide usage of IMVironments
  – A kind of "wallpaper" for IM windows
• When an IMV that has been used is selected, Name and Key sub-keys are shown
• Unused IMVs do not have these values

Registry – Global Items

Found at:
NTUSER.DAT\Software\Yahoo\Pager\IMVironments

Screenshot callouts: the apprentice IMV has been used; the chapstick IMV has not been used

Registry – Global Items

• More about IMVironments under user-specific registry keys later

Registry – Login Values

• The Registry changes as each user logs in to the client
• Found at:
NTUSER.DAT\Software\Yahoo\Pager

Registry – Login Values

• Auto Login
  – 1 (Yes) means the user is automatically signed in when the client is launched
  – 0 (No) means the user must manually enter information to sign in

Registry – Login Values

• Yahoo! User ID
  – The Yahoo screen name of the last logged-in user

Registry – Login Values

• Save Password
  – 1 (Yes) means that
    • the sign-on password is saved on the local machine
    • it appears as ***** in the client
  – 0 (No) means that the password isn't saved

Registry – Login Values

• EOptions String
  – The encrypted password for the last logged-in user
  – If a subsequent user (or the same user) logs in again and doesn't store the password, the old value from the previous user is deleted

Registry – Profiles

All user profiles are stored in
NTUSER.DAT\Software\Yahoo\Pager\profiles\profilename

Registry – User-Specific Values

• Yahoo users may create and register identities
  – Alternate screen names (aka aliases)
  – Officially associated with the base screen name

Registry – User-Specific Values

• When the screen name is created, two keys are also created
  – All Identities
  – Selected Identities

Registry – User-Specific Values

• A newly created identity is displayed under Selected Identities
  – Regardless of whether it has been used in a conversation or not
  – Deleted identities are not displayed here
• The Registry entry is refreshed when the user logs in again

Registry – User-Specific Values

• IMVironments are used as advertisements for movies or commercial products
• They can be interactive
• Two keys track an individual's usage of IMVironments

Registry – User-Specific Values

• The 1st (Recent, an MRU list) is found at
NTUSER.DAT\Software\Yahoo\Pager\profiles\profilename\IMVironments

Registry – User-Specific Values

• The last IMVironment used appears as the first entry at the beginning of the list

Screenshot callout: last IMVironment used

Registry – User-Specific Values

• Under IMVironments, the 2nd Recent key shows the screen names of
  – Remote user
  – Local user
  – IMVironment in use during the session
• If multiple IMVs are used in the same session, only the latest is shown here
  – Still, all IMVs that have been used are recorded in the Recent key under the IMVironments key

Screenshot callouts: local user; remote user; an empty IMV value means no IMV was used

Registry – User-Specific Values

• Even if an identity is later deleted, the entries still remain for the key:
\screenname\IMVironments

Registry – User-Specific Values

• Registry Viewer shows the most recent entry at the bottom of the list
• regedit sorts this information in alphabetical order
• Thus the "last used" information is lost when viewed by that method; when the MRU sequence matters, read the key with a tool that preserves the stored value order

Registry – User-Specific Values

• By default, IMs are saved for the duration of the session, then deleted at sign-off
• Users can opt to
  – Save messages permanently
  – Not save messages at all

Registry – User-Specific Values

• Determined by the Archive key found at:
NTUSER.DAT\Software\Yahoo\Pager\profiles\profilename\Archive

Registry – User-Specific Values

• Settings for message archiving are determined by two values under that key:
  – Enabled
  – AutoDelete
• Both = 1 (default)
  – Messages saved during the session but cleared when Yahoo is closed

Registry – User-Specific Values

• Enabled = 1, AutoDelete = 0
  – Messages are permanently saved
• Both = 0
  – Messages are never saved
• Enabled = 0, AutoDelete = 1 is not described here; report any other combination as undetermined and check the archive folder itself rather than guessing
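The login values above, the sub-key-count heuristic for telling a failed login from a successful one, and the Enabled/AutoDelete reading of the Archive key can all be pulled out of a registry export in one pass. The script below is an added example written for this page, not code from the slides, from FTK or from Yahoo: it parses a regedit/`reg export` text file (the offline equivalent would be a hive parser run over NTUSER.DAT), the HKEY_USERS\ntuser_suspect hive name and the whole sample export are constructed, the extra sub-key names under spazzyja007 are made up, and the 3-or-fewer / 12-or-more cut-offs are an assumption drawn from the slides' two examples.

```python
"""Triage the Yahoo! Messenger ("Pager") registry keys from a .reg export.

Added example, not code from the slides.  It parses the text that regedit or
``reg export`` writes ("Windows Registry Editor Version 5.00") rather than the
binary NTUSER.DAT hive, so it runs anywhere.  Key and value names follow the
slides; the export below is constructed sample data (sub-key names under
spazzyja007 are made up to reach the slides' "a dozen or more").
"""
import re

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
PAGER = r"HKEY_USERS\ntuser_suspect\Software\Yahoo\Pager"   # NTUSER.DAT loaded under HKEY_USERS (constructed)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\ntuser_suspect\Software\Yahoo\Pager]
"Auto Login"=dword:00000001
"Yahoo! User ID"="spazzyja007"
"Save Password"=dword:00000001
"EOptions String"=hex:3a,9f,00,c4,\
  71,e2
[HKEY_USERS\ntuser_suspect\Software\Yahoo\Pager\profiles\flubbyfingers\Alerts]
[HKEY_USERS\ntuser_suspect\Software\Yahoo\Pager\profiles\flubbyfingers\IMVironments]
[HKEY_USERS\ntuser_suspect\Software\Yahoo\Pager\profiles\flubbyfingers\Archive]
"Enabled"=dword:00000001
"AutoDelete"=dword:00000001
[HKEY_USERS\ntuser_suspect\Software\Yahoo\Pager\profiles\spazzyja007\Archive]
"Enabled"=dword:00000001
"AutoDelete"=dword:00000000
''' + "".join(f"[{PAGER}\\profiles\\spazzyja007\\{k}]\n" for k in (
    "Alerts", "All Identities", "Audibles", "Chat\\Favorite Rooms", "Content", "FT",
    "Friends", "IMVironments", "Selected Identities", "Skins", "Webcam"))  # + Archive = 12 sub-keys

def decode_value(rhs):
    """One .reg right-hand side: "string" (unescaped), dword:, or hex[(type)]: bytes."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    if rhs.startswith("hex"):
        return bytes(int(b, 16) for b in rhs.partition(":")[2].split(",") if b)
    return rhs

def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; a trailing backslash joins wrapped hex lines."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) is None else decode_value('"%s"' % m.group(1))
            keys[current][name] = decode_value(m.group(2))
    return keys

def pager_root(keys):
    for path in keys:                      # one NTUSER.DAT = one Windows account
        if path.lower().endswith(r"\software\yahoo\pager"):
            return path
    raise KeyError("no Software\\Yahoo\\Pager key in this export")

def classify_login(subkey_count):
    """Slides: a dozen or more sub-keys means a successful login, very few a failed attempt
    (a mistyped name included); the exact cut-offs are this example's assumption."""
    if subkey_count >= 12:
        return "successful login"
    return "unsuccessful attempt" if subkey_count <= 3 else "indeterminate"

def archive_policy(enabled, autodelete):
    """Meaning of the Archive values as given on the slides; anything else is reported, not guessed."""
    return {(1, 1): "kept during session, cleared at sign-off (default)", (1, 0): "permanently saved",
            (0, 0): "never saved"}.get((enabled, autodelete), "not set or undocumented combination")

def triage(text):
    """Global login values, per-profile login heuristic, and per-profile Archive policy."""
    keys = parse_reg_export(text)
    root = pager_root(keys)
    prefix = (root + "\\profiles\\").lower()
    subkeys, archive = {}, {}
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            parts = path[len(prefix):].split("\\")          # [profile, child, grandchild, ...]
            subkeys.setdefault(parts[0], set()).update(parts[1:2])   # immediate children only
            if len(parts) == 2 and parts[1].lower() == "archive":
                archive[parts[0]] = archive_policy(values.get("Enabled"), values.get("AutoDelete"))
    g = keys[root]
    return {"login": {"last_user": g.get("Yahoo! User ID"), "auto_login": g.get("Auto Login") == 1,
                      "save_password": g.get("Save Password") == 1,
                      "password_blob_present": bool(g.get("EOptions String"))},
            "profiles": {n: (len(s), classify_login(len(s))) for n, s in subkeys.items()},
            "archive": archive}
```

Call triage() on the text of a real export (regedit writes UTF-16LE, so decode it first). `password_blob_present` only reports that an EOptions String value exists; decoding that value is out of scope here, and the profile classification is a lead to confirm against the Alerts key and the archive folders, not a finding on its own.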

Registry – User-Specific Values

• Implications for pulling the plug
  – If archiving is set to the default (Enabled = 1, AutoDelete = 1)
  – Any messages generated during that session should still exist in the usual .DAT files
  – Because the client did not close the session before the power was terminated, the sign-off deletion never ran
• More on DAT files later

Registry – User-Specific Values

• Information on chat rooms found at:
NTUSER.DAT\Software\Yahoo\Pager\profiles\profilename\Chat

Screenshot callouts: base identity of the user when visiting an existing room; general category of the room visited

Registry – User-Specific Values

• Bookmarked favorite chat rooms found at:
NTUSER.DAT\Software\Yahoo\Pager\profiles\profilename\Chat\Favorite Rooms

Screenshot callout: a unique 10-digit number identifies the room

Registry – User-Specific Values

• File transfer information found at
NTUSER.DAT\Software\Yahoo\Pager\profiles\profilename\FT

Screenshot callouts: folder from which the last outgoing file transfer was sent (also includes the file name); folder to which the last incoming file transfer was saved

Registry – User-Specific Values

• For investigation purposes, you may have to prove or disprove that a suspect knew a specific file was being transferred to his/her computer
• Yahoo 7.0 requires approval for each file received
  – Unlike previous versions, the feature cannot be turned off
• The popup window includes a thumbnail
  – This makes it hard for the user to claim not to have known the nature of the file received

File Structures

• ystats_A.dat
  – Tracks outgoing posts per session
    • Type a line and hit Enter: that's a post
  – Session file, so it's deleted when the user signs off
• Found (in FTK) at:
Program Files\Yahoo!\Messenger

Screenshot callouts: total outgoing posts; total posts with this IMV

File Structures

• ystats_B.dat
  – Tracks outgoing file transfers per IM session
  – Session file, so it's deleted when the user signs off
• Found (in FTK) at:
Program Files\Yahoo!\Messenger

Screenshot callout: total outgoing file transfers this session

File Structures

• ypager.log
  – Logs communications of different types
  – Can be used to find traces of communications between two parties
• Found (in FTK) at:
Program Files\Yahoo!\Messenger

Screenshot: ypager.log in FTK (on the real FTK screen, scroll down to see the action codes)

File Structures

• IP addresses in ypager.log resolve to Yahoo servers
• Action codes have specific meanings:

  Code  Explanation
  0     Connection initiated
  1     Connect succeeded
  2     Connect failed
  3     Connection failed on retry
  4     Returned command (not used)
  5     Ping initiate (check connection)
  6     Ping response (connection is OK)
  7     Ping (keep connection)

File Structures

• IMVcache folder
  – Contains folders named for each IMVironment that has been used by the Yahoo client
  – Contents include the individual graphics components that make up the individual IMVs
    • GIF and Shockwave files, for example

File Structures

• Incoming file transfers
  – May leave traces in unexpected places
  – Create a link (shortcut) in the logged-in Windows user's Recent folder
  – The file does not have to be opened to create this shortcut

File Structures

• When an incoming file is saved on the local machine, an entry is created in the INDEX.DAT file that tracks browser history
• This entry remains even if the corresponding file is later deleted

Screenshot callout: the picture can be seen in the Graphics tab

File Structures

• Incoming files are saved in the directory specified by the user
• Absent intervention by the user, the file is saved in the default location specified by the Yahoo client
• There may also be a registry entry (the FT key under the user's profile, above) indicating the last location to which a file was saved

File Structures

• Outgoing files cause an entry in
Program Files\Yahoo!\Messenger\Data
• Looks like a file with a JPG extension
  – Really contains information about the transfer
  – Usually deleted upon completion of the transfer, so on a post-mortem image it may only be recoverable from unallocated space

Screenshot callouts: original filename and path of the file; filename; transfer time in Unix numerical format*; recipient's screen name
* Use the DECODE app from Digital Detective to convert the Unix timestamp

File Structures

• Archiving instant messages
  – Default setting is that all messages are saved during the session but deleted after sign-off
  – Archive settings themselves remain until changed by the user
  – Settings can be configured for each individual user
• Archives stored in a proprietary DAT format

File Structures

• AOL IM doesn't let you send a message to a Buddy who's offline, but Yahoo IM does
• When the Yahoo user is online again, any stored messages are delivered
• Yahoo says that read offline messages will be deleted, but they're still in the DAT archive with the online messages

File Structures

• Archived messages are stored in a folder
  – Named for the screen name of the remote user
• Found in
Messenger\Profiles\screenname

File Structures

• Each local user who is archiving has a similar folder structure
• If conference archiving is enabled, there is a folder named for the local user
  – That's where the DAT file will be found

File Structures

• Archived messages can be found at
Drive:\Program Files\Yahoo!\Messenger\Profiles\local_user\Archive\Messages\remote_user\yyyymmdd-localuser.DAT

Screenshot callouts: local user (may be an alternate identity); date according to the local machine

File Structures

• DAT information
  – Stored in a proprietary encrypted form
  – The user name is used to encrypt the file, so anyone holding the file and the screen name (which appears in the file name and folder path) can decode it; treat this as obfuscation, not confidentiality
• Viewed in hex format it's unreadable
• FTK decodes it for you
  – Color-coded format helps the user view the contents

File Structures

• If the DAT file is viewed from within its original file structure, FTK places the remote user's screen name in the dialog
• If a standalone DAT file is loaded as evidence, the remote user is named "Chat Partner"

File Structures

• When archiving is turned on, each post in an IM session is individually time-stamped
  – Based on the time of the local machine
• Normally, if the remote user is in a different time zone, the posts are converted to the local machine time

File Structures

• A mobile phone number can be saved for a contact
  – Enables text messages to be sent to that number via Yahoo Messenger
• If archiving is ON, the text messages are treated like an IM conversation
  – Stored in a DAT file

File Structures

• Archived text messages can be found at
Drive:\Program Files\Yahoo!\Messenger\Profiles\local_user\Archive\Mobile Messages\mobile_number\
  – Same name format as IM messages
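The archive layout described above (Profiles\local_user\Archive\Messages\remote_user\yyyymmdd-localuser.DAT, the same naming under Archive\Mobile Messages\mobile_number\, and a DAT body that is unreadable in hex because it is encoded with the screen name) can be walked and decoded without FTK. The script below is an added example for this page, not code from the slides or from FTK. The slides only say that the user name is used to encrypt the file; the record layout the script assumes (four little-endian uint32 fields, the message XOR-ed byte-wise with the repeating local screen name, then a uint32 zero, with direction 0 = local user and 1 = remote user) is the layout described in public forensic write-ups of this format and is an assumption here, as is the choice to try the identity named in the file name before the folder's base user as the XOR key. The Profiles tree it reads is constructed in a temporary directory.

```python
"""Walk a Yahoo! Messenger Profiles tree and decode its archive .DAT files.

Added example, not code from the slides.  Paths and file naming follow the
slides; the record layout (four little-endian uint32 fields: epoch seconds,
unknown, direction, length; the message XOR-ed with the local screen name;
a uint32 zero) is the one described in public write-ups of this format and
is an assumption here, as is direction 0 = local user, 1 = remote user.
The sample tree is constructed in a temporary directory.
"""
import os
import struct
import tempfile
from datetime import datetime, timezone

HEADER = struct.Struct("<IIII")   # epoch, unknown, direction, message length
TRAILER = struct.Struct("<I")     # record terminator, always 0

def xor_with_name(data, screen_name):
    """The 'encryption' is a repeating XOR with the screen name, so it is its own inverse."""
    key = screen_name.encode("ascii")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_record(epoch, direction, text, key_name):
    body = text.encode("utf-8")
    return HEADER.pack(epoch, 6, direction, len(body)) + xor_with_name(body, key_name) + TRAILER.pack(0)

def decode_dat(data, key_name):
    """Return (records, truncated); a record cut short (power pulled mid-session) ends the walk."""
    records, off = [], 0
    while off + HEADER.size <= len(data):
        epoch, _unknown, direction, length = HEADER.unpack_from(data, off)
        end = off + HEADER.size + length + TRAILER.size
        if end > len(data):
            return records, True
        raw = xor_with_name(data[off + HEADER.size:end - TRAILER.size], key_name)
        records.append({"epoch": epoch, "utc": datetime.fromtimestamp(epoch, timezone.utc).isoformat(),
                        "from": "remote" if direction else "local",
                        "raw": raw, "text": raw.decode("utf-8", "replace")})
        off = end
    return records, off < len(data)

def looks_like_text(raw):
    try:
        return all(c.isprintable() or c in "\r\n\t" for c in raw.decode("utf-8"))
    except UnicodeDecodeError:
        return False

def decode_archive(path, candidate_keys):
    """Try each candidate screen name as the key; a wrong key leaves unprintable bytes."""
    with open(path, "rb") as f:
        data = f.read()
    for key in candidate_keys:
        records, truncated = decode_dat(data, key)
        if records and all(looks_like_text(r["raw"]) for r in records):
            return key, records, truncated
    return None, [], False

def find_archives(profiles_root):
    """Yield (local_user, kind, remote, yyyymmdd, identity, path) for every archive .DAT."""
    for local in sorted(os.listdir(profiles_root)):
        for kind in ("Messages", "Mobile Messages"):
            kind_dir = os.path.join(profiles_root, local, "Archive", kind)
            if not os.path.isdir(kind_dir):
                continue
            for remote in sorted(os.listdir(kind_dir)):
                for fn in sorted(os.listdir(os.path.join(kind_dir, remote))):
                    if fn.lower().endswith(".dat") and "-" in fn:
                        date, _, identity = fn[:-4].partition("-")  # identity may be an alias of local
                        yield local, kind, remote, date, identity, os.path.join(kind_dir, remote, fn)

def summarize(profiles_root):
    out = []
    for local, kind, remote, date, identity, path in find_archives(profiles_root):
        candidates = [identity] if identity == local else [identity, local]
        key, records, truncated = decode_archive(path, candidates)
        out.append({"local": local, "identity": identity, "kind": kind, "remote": remote,
                    "date": date, "key": key, "truncated": truncated, "records": records})
    return out

def build_sample_tree(root):
    """Constructed data: one IM conversation, and one SMS thread under an alias cut off mid-record."""
    local, alias, epoch = "spazzyja007", "spazzy_alt", 1168000000   # 2007-01-05 12:26:40 UTC
    im = os.path.join(root, local, "Archive", "Messages", "flubbyfingers")
    os.makedirs(im)
    with open(os.path.join(im, f"20070105-{local}.DAT"), "wb") as f:
        f.write(encode_record(epoch, 0, "did you get the file?", local))
        f.write(encode_record(epoch + 42, 1, "yes, opening it now", local))
    sms = os.path.join(root, local, "Archive", "Mobile Messages", "15551234567")
    os.makedirs(sms)
    with open(os.path.join(sms, f"20070105-{alias}.DAT"), "wb") as f:
        f.write(encode_record(epoch + 600, 0, "call me on the other id", alias))
        f.write(encode_record(epoch + 700, 1, "never fully written", alias)[:10])  # plug pulled here

def demo():
    root = tempfile.mkdtemp(prefix="ymsg_profiles_")
    build_sample_tree(root)
    return summarize(root)
```

Because the key is the screen name sitting in the path, anyone with the file can decode it; the "encryption" gives obfuscation only. The `truncated` flag is the "pulling the plug" case from the Registry section: a last record cut off by a power loss is reported rather than mis-parsed, and the records before it are still recovered. Timestamps are reported in UTC; the slides' local-machine times are what a viewer shows after converting them.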

