If you have EnCase then I wrote an EnScript to do this very thing; the version 6 one is available here:
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=819
and the version 7 spin is available in the App Store (for free).
Have a look at this document:
http://computerforensics.parsonage.co.uk/downloads/MSNandLiveMessengerArtefactsOfConversations.pdf
which gives a fair bit of info about the older Messenger versions and the search for protocol messages.
Basically you need to search the whole of the drive for the pitch and format flag "PF=[number]" (if memory serves me correctly); the message (if there are any, and there are usually a fair few false positives) will follow soon afterwards in plain ASCII text.
These protocol messages have no embedded time stamps. The messages received from the remote machine contain the email address of the sender in the header; the ones sent from the local machine do not. I have seen these protocol messages in stand-alone 'gateway.txt' files, which of course have a time stamp, but it is much more common to find the messages in the page/swap file or in unallocated space, where there is no time/date information. After extensive use I can say that sometimes you can find oceans of messages, sometimes a few, and occasionally nothing. That is my experience anyway.
Read the document and do a grep search, or spend money on the Belkasoft solution; it's up to you ;)
Good hunting,
Paul
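As an added example (not part of Paul's post and not his EnScript), here is a Python carver that does the grep-style search he describes: it scans a raw image, page file or unallocated-space dump for the `PF=` flag, insists on the blank line that ends a MIME-style header block shortly afterwards (which throws away most of the false positives), and then pulls out the plain-ASCII message body. The `X-MMS-IM-Format` header name and the `MSG <email> ...` command line that carries the sender's address on received messages are MSN protocol conventions I am assuming here, not something the post states; the sample bytes are constructed, the window sizes are arbitrary, and no time stamps are recovered because, as the post says, there are none in the protocol message itself.

```python
import mmap
import re

# The flag the post says to search for. (Assumption: in the MSN protocol it lives
# in an "X-MMS-IM-Format: ...; PF=n" header, so a real hit is followed by the
# "\r\n\r\n" that ends the header block and then the message text.)
PF_RE = re.compile(rb"PF=\d+")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Printable ASCII plus tab/CR/LF; the body is cut at the first byte outside this set.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def carve_messages(data, header_window=256, max_body=2048):
    """Return a list of {offset, sender, body} dicts for each plausible hit.

    data may be bytes or a read-only mmap. header_window bounds how far after
    PF= the header terminator may be (and how far before it we look for the
    MSG command line); max_body caps the carved text. Both are assumptions.
    """
    hits = []
    for m in PF_RE.finditer(data):
        # Require the blank line that ends the header soon after the flag;
        # "PF=3" in random data almost never has one, so this drops noise.
        hdr_end = data.find(b"\r\n\r\n", m.end(), m.end() + header_window)
        if hdr_end == -1:
            continue
        body_start = hdr_end + 4
        end = body_start
        while (end < len(data) and end - body_start < max_body
               and data[end] in PRINTABLE):
            end += 1
        body = bytes(data[body_start:end]).strip()
        if not body:
            continue

        # Received messages carry the sender's address in the command line just
        # before the header ("MSG user@host Name len"); local ones ("MSG 7 N len")
        # do not, so sender stays None for those. Only the nearest MSG line is
        # consulted so an earlier message's address is not attributed to this one.
        sender = None
        pre = bytes(data[max(0, m.start() - header_window):m.start()])
        idx = pre.rfind(b"MSG ")
        if idx != -1:
            line = pre[idx:].split(b"\r\n", 1)[0]
            em = EMAIL_RE.search(line)
            if em:
                sender = em.group().decode("ascii")

        hits.append({
            "offset": m.start(),
            "sender": sender,
            "body": body.decode("ascii", "replace"),
        })
    return hits


def carve_file(path):
    """Carve a page file, image or unallocated-space dump without reading it into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_messages(mm)


# Constructed sample: one received message, one locally sent message, and a
# bare "PF=3" false positive with no header behind it, all amid binary junk.
SAMPLE = (
    b"\x00\x00junk\xff"
    b"MSG alice@example.com Alice 118\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=22\r\n"
    b"\r\n"
    b"are you still there?\x00\x00\xde\xad"
    b"MSG 7 N 110\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"X-MMS-IM-Format: FN=Arial; EF=; CO=0; CS=0; PF=22\r\n"
    b"\r\n"
    b"yes, sending the file now\x00\x01"
    b"random PF=3 noise with no header\x00"
)


if __name__ == "__main__":
    for h in carve_messages(SAMPLE):
        print(f"@{h['offset']:#010x} from={h['sender'] or '<local>'}: {h['body']}")
```

Run it against a page file or a raw dump of unallocated space with `carve_file(path)`; every hit should still be checked by hand in a hex viewer, since the body cut-off is just "first non-printable byte" and a run of unrelated ASCII immediately after a real message will be swept in with it.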