December 30th, 2008 by ahoog

How to decode Yahoo! Messenger archives

I recently had the need to decode the Yahoo! Messenger archive files (.dat) from a suspect’s computer. I did not come across any nice, command-line, OSS packages but here’s what I did find (and use).

Explanation of Yahoo! Messenger Archive format
This site has a nice write-up on the format of the Yahoo! Messenger Archive .dat files.  This is helpful if you want to decode them by hand or add the signature to foremost.conf for file carving.  It’s interesting to note that the messages are XOR’d with the user name.
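As an added example (not code from the post or from the linked write-up), here is a small Python decoder for the XOR-with-user-name scheme described above. The per-record layout it assumes (timestamp, unknown, direction, length, XOR'd body, zero terminator) is an assumption to check against the write-up, and the Yahoo! ID "alice" and the messages are constructed sample data, not evidence.

```python
import struct
from datetime import datetime, timezone

# Record layout (assumption, from memory of the linked write-up, not given on this page):
#   int32 timestamp (Unix, little-endian) | int32 unknown | int32 direction (0 = sent, 1 = received)
#   int32 message length | message bytes XOR'd with the repeating Yahoo! ID | int32 terminator (0)
HEADER = struct.Struct("<iiii")
TERMINATOR = struct.Struct("<i")


def xor_with_username(data: bytes, username: str) -> bytes:
    """XOR each byte with the Yahoo! ID, cycling the ID as a repeating key (self-inverse)."""
    key = username.encode("ascii")
    if not key:
        raise ValueError("a non-empty Yahoo! ID is required as the XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_archive(blob: bytes, username: str) -> list:
    """Walk the records of a .dat archive and return the decoded messages in file order."""
    records, off = [], 0
    while off + HEADER.size <= len(blob):
        ts, _unknown, direction, length = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if length < 0 or off + length + TERMINATOR.size > len(blob):
            break  # truncated or carved-out tail: stop rather than misparse
        text = xor_with_username(blob[off:off + length], username).decode("latin-1")
        off += length + TERMINATOR.size
        records.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "direction": "received" if direction == 1 else "sent",
            "text": text,
        })
    return records


def build_record(ts: int, direction: int, text: str, username: str) -> bytes:
    """Encode one record (inverse of parse_archive); used here only to construct sample input."""
    body = xor_with_username(text.encode("latin-1"), username)
    return HEADER.pack(ts, 0, direction, len(body)) + body + TERMINATOR.pack(0)


# Constructed sample archive for the made-up Yahoo! ID "alice": two messages, then a truncated one.
SAMPLE_ID = "alice"
SAMPLE_DAT = (
    build_record(1230595200, 0, "hi, are you there?", SAMPLE_ID)
    + build_record(1230595260, 1, "yes, what's up?", SAMPLE_ID)
    + build_record(1230595320, 0, "never mind", SAMPLE_ID)[:20]
)

if __name__ == "__main__":
    for rec in parse_archive(SAMPLE_DAT, SAMPLE_ID):
        print(f'{rec["time"]} {rec["direction"]:8} {rec["text"]}')
```

Point it at a real .dat file with the profile's Yahoo! ID as the key; the truncated third record shows how a carved fragment stops the walk cleanly instead of producing garbage.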

Ikitek Software

Yahoo Message Archive Decoder by Ikitek Software is the first package I found and trusted enough to install.  The application worked fine after I provided the entire profile directory (default location of C:\Program Files\Yahoo!\Messenger\Profiles) instead of just the archive directory.  The help menu has an interesting section about heaven but I stuck to the task at hand.

Piravi Software Solutions

Super Yahoo Messenger Archive Decoder by PIRAVI Software Solutions was a second program I installed.  The distinctly un-Web 2.0 website was targeting a distinctly different audience than the forensic analyst.  Nevertheless, I installed the program and it worked equally well.  The user interface was a bit kludgy but it seemed to have more features.  The command line option (which comes with the paid version) would be useful for examinations to enable scripting.

Other options?

Perhaps you have come across other options?  Please share.  I installed (and promptly removed) the open source Yammy software because it ran a mini-webserver locally and required that Yahoo! IM was installed.
