Chapter 9: Spying on Chat and Instant Messages – Cyber Spying Tracking Your Family's (Sometimes) Secret Online Lives

Chapter 9

Spying on Chat and Instant Messages

Do You Like Older Men?

— Dozens of chat partners


Chat and instant messaging (IM) are quickly becoming two of the most popular methods of online communication. The convenience of an instant response has helped fill the communication gap left between e-mail and traditional conversation methods such as phone calls. IM has migrated from the computer and become ubiquitous, because it can be accessed from handhelds, cell phones, and pagers. It offers the intimacy of a one-on-one conversation without the pressure of a face-to-face discussion. It is also a good method of meeting new people and widening your social circle. The ambience of a chat room can vary from support group, technical chat, and church group to a singles bar. In each of these situations, a person can enter a crowded room and participate, usually only identified by as much or as little information as they wish to provide. Online chats are amazing phenomena; they are literally conversations with dozens to hundreds of simultaneous participants. A live discussion of this scale is something that is nearly impossible with prior methods of communication.

After entering a chat room, users are exposed to dozens of other chat participants from around the world with whom they can individually engage without any of the complications that would accompany an in-real-life (IRL) meeting. While many people would hesitate to approach a total stranger to discuss intimate details of their lives, it seems to happen quite frequently with IM. The perceived anonymity offered by IM and chat makes people more open about the many topics they will discuss.

Unlike e-mail where the message becomes a record for the sender and receiver, chat and IMs appear evanescent. They are hard to record and their use is difficult to prove. Still, chat and IMs are important parts of someone’s online life, and collecting and analyzing them are critical steps in determining a person’s profile. This chapter helps readers collect and analyze IMs and chats using different forensic and live collection techniques.

What Is Instant Messaging?

Since the beginning of time, speech (of one form or another) has been one of the most useful forms of communication available. This method is so useful that we have invested billions of dollars to ensure that we have the ability to speak to people anywhere, anytime. The phone industry has sprung up as a result of this effort. While phones have become smaller, more portable, and more convenient, they are not a complete communication solution; they still have several fundamental problems. For example, not every location is appropriate for a phone, and it is still difficult to have a phone conversation with more than a few people.

With the Internet revolution, e-mail promised a new and better way to communicate. It is faster than conventional mail (snail mail) and has much of the same formality and structure, but with more convenience. While it fills a niche as a good substitute for snail mail, e-mail does not completely offer the spontaneity and instantaneous response of talking. It is still mainly a one-way communication system. While someone can send e-mail, feedback depends on the responsiveness of the receiver as well as the mail infrastructure, which can vary depending on the Internet provider. So, while e-mail provided many useful services upon its invention, virtual meetings and conversations were still necessary.

Chat is a development that filled in the gaps between phone conversations and e-mail. It offers many opportunities not available with previous communication methods. One of the earliest chat applications is a program called Talk that runs on multiuser UNIX machines. Talk allows two users to send simple text messages back and forth to each other. As the world’s personal computing paradigm shifted from logging into a multiuser machine, many new personal IM and chat applications were developed, each adding more functionality and capability. These applications allowed people to simulate being logged into one of the large multiuser systems from a personal computer so that they could talk with other users on the IM network.

As of this writing, there are several different and very popular IM networks. Unlike e-mail, which travels seamlessly between Hotmail, Yahoo, and so on over a common protocol, today’s instant-messaging networks operate in isolation. Each network communicates using its own proprietary protocol, meaning that its method of IM is unique to it. Each messaging service has its own client that users run to log onto the network, view other online users, chat in “rooms,” and send other users private messages (PMs). The most popular IM networks are AOL’s AOL Instant Messenger (AIM), Yahoo’s Messenger, and MSN Messenger. While all of these are closed systems with their own protocol, meaning that someone on AIM cannot communicate with someone on Yahoo, there are some programs that allow a user to sign into multiple accounts and multiple messaging systems from one place. We call these aggregators, and some good examples are the open-source Gaim and Cerulean Studio’s Trillian and Trillian Pro.

Most of the popular IM software works by the same principles although it may differ in some of the lower-level protocols. When a user starts the IM program, it connects and logs onto a central server with a username and password. The server then passes the messaging program the most up-to-date buddy list. A buddy list is a list of all of the accounts that person wants to keep in touch with. By having another person’s account in the buddy list, you can quickly send them IMs. The buddy list also gives you a user’s status, how long they have been online, how long they have been active, if they are away from the computer, and sometimes their personal “away” messages explaining where they are and what they are doing.

Some IM protocols allow you to add whomever you wish and some require permission from your buddy before they are added to your list. The buddy list is like the high-tech speed dialer of IM except it is stored in the server and not on the end client. This is similar to having your cell phone number directory saved with your wireless provider so that you can use anyone else’s phone to access it.

To chat, you either click on a buddy entry to bring up a chat window or enter a chat room. In the bottom of the window is the area in which to type your message. After typing the message and selecting the Send button, your text is sent to your buddy. In actuality, with most clients, the messages are not sent directly to your buddy, but to an intermediate server where the message is then relayed. For the most part, this is transparent to the end user and makes very little difference.

Types of Chat and Instant Messaging

For the most part, we cover the big three IM clients: AIM, Yahoo, and MSN. These are the most popular among home computer users. There are two other protocols that are worth mentioning: Internet Relay Chat (IRC) and ICQ (I Seek You). IRC is used mostly by technical people, and ICQ is of historical interest, but both have played a significant role in shaping the chat and IM landscape.

When preparing to spy on someone’s IM, it is a good idea to identify which clients they use. Like e-mail, an individual can have multiple IM accounts, one for each service, or multiple accounts for the same service. Correct identification of which clients and which accounts your mark uses is necessary for collecting his or her information.


IM clients seem to be in a continual state of flux. They are always being updated because the newest features are quickly integrated. As a result, things are not always where they used to be, and some capabilities are removed while others are added. Keep this in mind when you try the commands and menu options we recommend. Since messenger clients change fast, some of the specific directions may be outdated by the time the book is printed. It is more important to keep the concepts in mind, which should remain the same for a long time. Use the Web or other resources to help you find implementation-specific instructions.


IRC was the first cross-Internet chat system to become popular. It started at the University of Oulu in Finland in 1988. After a few years of growing pains, people in different Internet-connected locations began using it to chat with each other. While originally started on multiuser UNIX machines, there are IRC clients for Microsoft Windows that allow people to connect to IRC servers and chat. One very popular Windows client is mIRC (

IRC consists of many isolated networks, each with its own set of rules, guidelines, culture, and dedicated members. Three of the most popular networks are EFnet (, Undernet (, and DALnet ( Each network has many channels, which are similar to “chat rooms” found in modern IM clients. Each channel allows dozens of users to join, chat, PM each other, and transfer files. Because of its origins on UNIX bulletin board systems, IRC has a very rich, but somewhat complex command set. In addition, unlike chat rooms on other networks, IRC has implemented a pecking order of sorts on its members. Each room has at least one member with Operator (generally referred to as “ops”) status. This person is responsible for maintaining order within the channel by forcibly removing, banning, or filtering disruptive participants. While it is still a very popular method of communication, and the different IRC networks still see substantial amounts of traffic, most people have embraced the more friendly IM clients.


ICQ is the clever phonetic spelling of I Seek You. It is the oldest of the PC-based IM networks. Released in November 1996, it has amassed over 180 million users. Unlike the other IM networks, ICQ does not use user names; instead, when people register, they receive a unique ICQ number with which to identify themselves. In 1998, America Online (AOL) purchased ICQ’s parent company, Mirabilis. AIM now incorporates ICQ and can communicate with ICQ accounts. You can still go to and get a new ICQ account, but it has waned in popularity in comparison with the newer IM clients.


Clients are the applications that enable you to connect to the different IM networks. While they all work fundamentally the same way (you create an account, log in, populate your buddy list, and either chat with them or enter “chat rooms”), there are a few small differences. Each has the same basic functionality (chat, buddy lists, PMs) and usually the same advanced functionality (Web cams, voice, file transfer), but each works on its own network. AIM clients cannot speak with Yahoo or MSN clients and vice versa. Each of these tools also comes with a raft of add-ons that add tool bars, set your home page, and give you e-mail alerts.


AIM may be the most popular of all of the messaging protocols and clients. Once accessible just to those who used AOL for their Internet connectivity, it has been opened up for all users. It can now be used on cell phones, Palm Pilots, and other portable platforms. Like all of the IM services, users create accounts and log into the AIM servers, which store and synchronize buddy lists. When users want to transfer pictures or files, they can connect directly to their buddy. AIM also has screen-name linking, in which several different online names can be collected and used simultaneously on one account.


Yahoo Messenger is similar to the other IM networks and includes buddy lists, emoticons, and the ability to hide your status from certain people. Yahoo has also included the capability to send voice via speakers and microphone. As with other IM networks, Yahoo provides the ability to send photos and files. Yahoo Messenger is very integrated with the other services that Yahoo provides, such as Yahoo Mail and the Yahoo Browser Toolbar.


Microsoft’s MSN Messenger is the company’s entry into the chat wars. MSN Messenger is integrated in Microsoft’s other Internet services, such as Hotmail. Like AIM and Yahoo, MSN Messenger also incorporates Web cams and voice so that two people can view each other while chatting. MSN Messenger allows users to set their online status, and, like others, can exclude certain people from knowledge of that status. MSN Messenger is also becoming more integrated with the Windows environment. Despite its placement in the Windows operating system (OS), it still has not surpassed AOL’s AIM in popularity.


Aggregators are special IM clients. They do not have their own protocols and servers, but instead allow you to combine your accounts from other IM clients. Multiple accounts from Yahoo, AIM, MSN, and in some cases ICQ can be collected together and treated as one. Your contacts from each messenger are aggregated together into one unified buddy list, which gets around some of the problems previously mentioned. While it does not fix the fact that different types cannot talk to each other (AIM still cannot message Yahoo or MSN), aggregators make it somewhat appear that way.

In addition, the aggregators may be less intrusive than the traditional clients, as they do not install the slew of “extras” that the other messengers come with. Since an aggregator is a complete tool in itself and is not trying to promote an Internet portal, it does not come with or install extra search bars, modify your home page, or add programs to your system tray.


Gaim is an open-source program that supports multiple messaging protocols. People who use the Gaim client can access AOL Instant Messaging, Yahoo Instant Messaging, MSN Messenger, IRC, and several other more obscure networks from the same client. Gaim also allows a user to log into a single service with multiple identities. This allows one user to have multiple identities such as both DirtyLarry and DirtyLarry001 on AIM or another service at the same time. More important, it allows for a person to be logged into multiple messaging services at once. Gaim incorporates most of the features of the regular messaging program, but is currently lacking in its ability to handle video, voice, and some of the more advanced capabilities that the IM clients offer. Because it is an open source project, work is being continually done to enhance its capability. For basic chat and messaging on many services, Gaim is an excellent tool to use. It is important to notice if your mark is using Gaim, as this will change some of the ways the collection is carried out.


Trillian and Trillian Pro are products from Cerulean Studios. Like Gaim, Trillian is an IM aggregator. It is currently popular among people with many chat clients, and its power and easy installation also make it a popular choice of users. It comes packaged as a single installer, which sets up a base executable and several “plugins.” Because of this, its user base appears to be more widespread in the Windows world than Gaim’s.

The basic version of Trillian is downloadable for free, and the professional version is available for a small fee. Like Gaim, Trillian can connect to the main IM networks. It can log on with multiple identities to each network at the same time. It can be used to transfer files, and has a rich plug-in system that allows it to do everything from showing the weather to alerting its users to their new mail. Additionally, Trillian can be used to access chat rooms from the many different IM services. Trillian aims to provide every feature that the IM clients provide and add features that enhance the experience. Trillian is popular because it allows one program to take the place of multiple programs and helps simplify a user’s workspace.

Tips and Tricks …

Please Hack Me Now!

Determining when a computer is on and when it is not being used are two very important details. For example, you might want to know if someone is away from his or her keyboard if you plan to access his or her computer remotely with virtual network computing or another tool, or if you need to physically get to it to swap out keyloggers. On the other hand, you may only want to turn on your screen-capture software when someone is actually using the computer. All of these scenarios require that you know when your mark is online and ideally also when your mark’s computer is left idle or active online.

Thanks to IM, we have a crude form of that capability. Have you ever looked at your AOL, Yahoo, or MSN messenger buddy list? This is a great way to tell if your mark’s computer is online. Many people have their instant messenger tools set to “auto start” with their computers. If your buddy is online, you know his or her computer is up. Also, most messengers can let you know if your buddy is idle (has not done anything on the computer for a period of time) or is away (idle for a long period of time). This is great information to have, and can be obtained for free just by putting your mark on your buddy list.

Actually getting your mark on your buddy list may be a slightly more challenging issue depending on the chat network he or she uses. How you do this will depend on what IM clients your target uses. You must first identify the IM client(s) your mark uses and the account ID on each one. It is a good idea to keep track of all of them, in case your mark stops using one particular service (this is where having Gaim or Trillian comes in handy). If your target uses AIM, you are in luck, as it lets you add anyone to your buddy list without your target knowing. Yahoo sends your mark a message saying someone is trying to add him or her to a list and makes it your target’s decision whether to let himself or herself be added. In addition, Yahoo has an “invisible” mode, enabling you to appear online to some users and invisible to others. MSN is similar to Yahoo in that it asks your target to approve the request before you can add him or her, and lets each user decide whether the person adding them can see when they are online. If you are dealing with one of the trickier messengers, you may have to do some social engineering to get your mark to let you add him or her to your list. Use your imagination and try to create an online identity that would appeal to them, and build up enough of a “relationship” so that your target feels comfortable letting you add him or her to your list. If that does not work, a fake identity may be a great way to learn more about your mark.

Collecting Passwords and Buddy Lists

While there is a lot of information that can be gleaned from IM conversations, there are some situations where just having knowledge of who is on your mark’s buddy list may be sufficient. This piece of information alone can shed valuable light onto the composition and nature of your target’s online relationships; after all, these are the people your mark feels are worth having only a click away. Also, depending on the messenger service, it can be useful to have block/ignore lists as well. Once obtained, it may be necessary to impersonate your mark to determine some of his or her contacts’ relevance and relationship with your mark. This impersonation usually requires your mark’s password, another important piece of data to collect. In some cases, the password is hidden and scrambled in registry settings; in others, it sits in a plain text file.

Collecting the Buddy List and Password from AIM

Chapter 6 covered the process for obtaining the buddy list from AIM. Obtaining the password is a slightly trickier procedure. Versions of AIM older than 4.7 stored the scrambled passwords in the Windows registry. Version 4.8 and higher store a hash of the password. A hash is the result of feeding the password into a one-way function, meaning that it is computationally infeasible to recover the password from the hash alone. So, if your mark is using an old version of AIM, there is a chance you might be able to recover the password. To determine the version, go to the AIM window and select Help | About AOL® Instant Messenger. A dialog box should pop up giving numerous tidbits of information, along with the version number. A Google search on AIM password recovery will show several tools that will uncover the password. While this would be a fortunate scenario, it is a highly unlikely one. As of the writing of this book, the current version of AIM is 5.9, and it will most likely be much higher by the time this book is printed. The best bet for actually acquiring a password is to use a hardware or software keystroke logger. In addition to installing one, a good idea is to pull up the client and type in an incorrect password. Since many clients automatically save the last password typed, you need to modify the one stored to ensure that your mark enters the correct one the next time he or she logs on.

Collecting the Buddy List and Password from Yahoo

As with AIM, viewing the Yahoo Messenger buddy list is covered in Chapter 6. Yahoo passwords, like AIM’s, are not stored or transmitted in plain text, so here too a keystroke logger is the best advice for collecting this information.

Collecting the Buddy List and Password from MSN

MSN uses Microsoft’s .NET Passport as the basis for its authentication. Like AIM and Yahoo, the password for MSN is not stored or transmitted in plain text. However, since it relies on .NET Passport, access to your target’s account is usually enough to get MSN to log on.

Another very useful option of MSN is the ability to save a contacts list by going to Contacts | Save Contact List. Using this capability, you can take a list of buddies/contacts from your mark’s computer and load them on a different computer for analysis.

Collecting the Buddy List and Password from Gaim

Since Gaim is not distributed by the owners of the IM networks and must interact with more than one network, it is more efficient for Gaim to store its own buddy lists and passwords. Gaim stores all of its information in easy-to-view .xml configuration files. XML is a markup language that is relatively easy to read and that most Web browsers can open. This is the program you want your mark using. If you have any influence at all, steer your mark this way. There are two files of interest: accounts.xml, which has all of the IM accounts and their corresponding passwords, and blist.xml, which is a copy of the buddy list for each account. There are basically two ways to find the XML files that you are looking for: manually, if you know where they are, or by searching the entire hard drive for them. We discuss both methods along with their trade-offs.

Manual Location of Files

The default location of Gaim’s XML files can be found by opening explorer.exe and browsing to the following location:

C:\Documents and Settings\<Your Marks Account>\Application Data\.gaim\

Both files should be there and accessible using Notepad or most any other text-viewing application. This requires one of two things to be true: either the user has not marked his or her files as private, which is often the case, or, if they are marked as private, you must be looking for these files from an administrator account or from the same account as your mark. While this method depends on permissions and is a little trickier than the next one we discuss, it allows you to locate the Gaim configuration directory for your mark, which also contains other useful information. In addition, should the nomenclature for the file names change, you can examine the files in the directory one by one, looking for the correct information.

Automatic Location of Files

Use Microsoft’s or Google’s search tool and look for blist.xml and accounts.xml. To broaden your search and find even more potentially interesting files, a search for *.xml in Microsoft’s tool or xml in Google’s should produce useful results. Like the previous method, this one also depends on file permissions. Once you have found the files, their contents should be plainly visible. The following example shows the accounts.xml file for a Gaim user. As you can see from this example, account names and their corresponding passwords (when stored) are both clearly visible. In this example, the account name is “sarahevans1988,” and the password is “gatorade.”

<?xml version='1.0' encoding='UTF-8' ?>

<account version='1.0'>
    <account>
        <protocol>prpl-oscar</protocol>
        <name>sarahevans1988</name>
        <password>gatorade</password>
        <settings>
            <setting name='check-mail' type='bool'>0</setting>
            <setting name='server' type='string'></setting>
            <setting name='encoding' type='string'>ISO-8859-1</setting>
            <setting name='port' type='int'>5190</setting>
        </settings>
        <settings ui='gtk-gaim'>
            <setting name='auto-login' type='bool'>1</setting>
        </settings>
    </account>
</account>


In the next example, we show you the type of information that you can retrieve from a stored buddy list. This example shows you the blist.xml file for “SarahEvans1988.”

<?xml version='1.0' encoding='UTF-8' ?>

<gaim version="1">
    <blist>
        <group name="Recent Buddies">
            <setting name="collapsed" type="bool">0</setting>
            <contact>
                <buddy account="sarahevans1988" proto="prpl-oscar">
                    <name>dirtylarry001</name>
                </buddy>
            </contact>
            <contact>
                <buddy account="sarahevans1988" proto="prpl-oscar">
                    <name>chuckypoo100</name>
                </buddy>
            </contact>
            <contact>
                <buddy account="sarahevans1988" proto="prpl-oscar">
                    <name>sk8gurl</name>
                </buddy>
            </contact>
        </group>
        <group name="Contacts">
            <setting name="collapsed" type="bool">0</setting>
        </group>
    </blist>
    <privacy>
        <account proto="prpl-oscar" name="sarahevans1988" mode="1">
        </account>
    </privacy>
</gaim>

From this file, we see that Sarah does not have many buddies added. In real-life examples, it is not unusual for people (especially teenagers) to have hundreds of entries in the file. Also, besides just learning the names “dirtylarry001,” “chuckypoo100,” and “sk8gurl,” we have learned that each entry is under the group listing “Recent Buddies.” Many people categorize their buddy lists into several groups (e.g., “Friends,” “Work,” “Hookups,” and so forth), which can be descriptive in its own way.
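As an added example (not code from the book or from the Gaim project), the following Python script parses the two files just shown, accounts.xml and blist.xml, and reports what anyone with read access to the profile directory learns from them: which accounts keep a plaintext password, which sign in automatically, and how the buddies are grouped. The XML samples are constructed from the chapter’s values; the <protocol>, <blist> and <contact> wrappers, and a second Yahoo account without a stored password, are assumptions made here.

```python
"""Audit what a Gaim 1.x profile exposes at rest (added example, not the book's code).
Parses the chapter's two files, accounts.xml and blist.xml, and reports stored
plaintext passwords, auto-login flags and buddy groupings. Sample documents are
constructed from the chapter's values; the <protocol>, <blist> and <contact>
wrappers and the second (Yahoo) account without a password are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
 <account>
  <protocol>prpl-oscar</protocol>
  <name>sarahevans1988</name>
  <password>gatorade</password>
  <settings>
   <setting name='check-mail' type='bool'>0</setting>
   <setting name='server' type='string'></setting>
   <setting name='encoding' type='string'>ISO-8859-1</setting>
   <setting name='port' type='int'>5190</setting>
  </settings>
  <settings ui='gtk-gaim'><setting name='auto-login' type='bool'>1</setting></settings>
 </account>
 <account>
  <protocol>prpl-yahoo</protocol>
  <name>sarah_e_1988</name>
  <settings ui='gtk-gaim'><setting name='auto-login' type='bool'>0</setting></settings>
 </account>
</account>
"""

BLIST_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<gaim version="1">
 <blist>
  <group name="Recent Buddies">
   <setting name="collapsed" type="bool">0</setting>
   <contact><buddy account="sarahevans1988" proto="prpl-oscar"><name>dirtylarry001</name></buddy></contact>
   <contact><buddy account="sarahevans1988" proto="prpl-oscar"><name>chuckypoo100</name></buddy></contact>
   <contact><buddy account="sarahevans1988" proto="prpl-oscar"><name>sk8gurl</name></buddy></contact>
  </group>
  <group name="Contacts"><setting name="collapsed" type="bool">0</setting></group>
 </blist>
</gaim>
"""


@dataclass
class AccountExposure:
    protocol: str
    name: str
    password_stored: bool                        # a <password> with content is on disk
    auto_login: bool                             # client signs in without prompting
    buddies: dict = field(default_factory=dict)  # group name -> [buddy names]

def _setting(elem, name):
    """Text of the first <setting name=...> anywhere under elem, or None."""
    for s in elem.iter("setting"):
        if s.get("name") == name:
            return (s.text or "").strip()
    return None

def parse_accounts(xml_text):
    """Return {(protocol, name): AccountExposure} from an accounts.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = {}
    for acc in root.findall("account"):          # direct <account> children of the root
        proto = (acc.findtext("protocol") or "").strip()
        name = (acc.findtext("name") or "").strip()
        password = (acc.findtext("password") or "").strip()
        found[(proto, name)] = AccountExposure(
            proto, name, password_stored=bool(password),
            auto_login=_setting(acc, "auto-login") == "1")
    return found

def parse_blist(xml_text, accounts):
    """Attach every buddy in blist.xml to its owning account, keyed by group name."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for group in root.iter("group"):
        gname = group.get("name", "")
        for buddy in group.iter("buddy"):
            key = (buddy.get("proto", ""), buddy.get("account", ""))
            if key in accounts:                  # ignore buddies of unknown accounts
                bname = (buddy.findtext("name") or "").strip()
                accounts[key].buddies.setdefault(gname, []).append(bname)
    return accounts

def audit_profile(accounts_xml, blist_xml):
    """Combine both files into one exposure map for the profile directory."""
    return parse_blist(blist_xml, parse_accounts(accounts_xml))

def audit_report(accounts):
    """One line per account, returned rather than printed so callers can check it."""
    lines = []
    for e in accounts.values():
        flags = []
        if e.password_stored:
            flags.append("PLAINTEXT PASSWORD ON DISK")
        if e.auto_login:
            flags.append("auto-login enabled")
        count = sum(len(b) for b in e.buddies.values())
        lines.append("%s %s: %d buddies in %d group(s); %s" % (
            e.protocol, e.name, count, len(e.buddies), ", ".join(flags) or "no stored secrets"))
    return lines
```

Run against a real profile directory, the same two parsers tell a defender exactly which credentials a stolen or backed-up profile would give away.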

Collecting the Buddy List and Password from Trillian

Similar to Gaim, Trillian stores its buddy list on the computer (via the server). You can retrieve this list by browsing to:

C:\Program Files\Trillian\users\default\Buddies.xml.

However, unlike Gaim, this list does not contain the password of the user. Instead, the password is stored encoded in an .ini file for each service. For the popular ones we are monitoring, the files are:

C:\Program Files\Trillian\users\global\default\aim.ini

C:\Program Files\Trillian\users\global\default\msn.ini

C:\Program Files\Trillian\users\global\default\yahoo.ini

In these files, we are searching for a line similar to password=9447F5AB4BE7BFF7. Instead of encrypting the password, Trillian uses a two-character encoding scheme to scramble it: each character of the password becomes a pair of hexadecimal digits. There are several programs that will break this encoding for you (including one available on our Web site), but to give you a better idea of how they work, we have included Table 9.1, which we can use to break the password in our aim.ini file. The top row contains the character pairs from our file, and the left-hand column contains the decoded plain text. You just need to match each two-character pair from the top row with the correct letter.

Table 9.1

Sample of a Table to Decode Trillian Passwords

If you followed this exercise, you should have determined that 94 = g, 47 = a, F5 = t, AB = o, 4B = r, E7 = a, BF = d, and F7 = e. The result is that we now know that the password for this account is “gatorade.” Next, we turn our attention to the collection of the actual communications between chatters.
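As an added example (not the book’s decoder or any Cerulean Studios code), the following Python reproduces the Table 9.1 walk-through and shows why the scheme is reversible: the same letter “a” becomes 47 in position 2 and E7 in position 6, which is what XOR against a fixed, position-dependent key looks like, so the chapter’s known pair (“gatorade” / 9447F5AB4BE7BFF7) yields the key bytes for those eight positions. That the key is the same on every installation is an assumption made here.

```python
"""Why Trillian's two-hex-digit password encoding is obfuscation, not encryption
(added example, not the book's code). Table 9.1 maps byte pairs to letters
position by position: 'a' becomes 47 in position 2 but E7 in position 6. That
is the signature of XOR against a fixed, position-dependent key, so one known
password/ciphertext pair, the chapter's own "gatorade" / 9447F5AB4BE7BFF7,
yields the key bytes for those positions. That the key does not vary per
installation is an assumption made here, not something the chapter states."""

SAMPLE_INI_LINE = "password=9447F5AB4BE7BFF7"   # value quoted in the chapter
KNOWN_PASSWORD = "gatorade"                    # what the chapter decodes it to


def recover_keystream(plaintext, hexcode):
    """Known-plaintext recovery: key[i] = plaintext[i] XOR ciphertext[i]."""
    cipher = bytes.fromhex(hexcode)
    plain = plaintext.encode("latin-1")
    if len(cipher) != len(plain):
        raise ValueError("plaintext and ciphertext lengths differ")
    return bytes(p ^ c for p, c in zip(plain, cipher))


def xor_apply(key, data):
    """XOR is its own inverse: the same call encodes and decodes."""
    if len(data) > len(key):
        raise ValueError("recovered keystream covers only %d bytes" % len(key))
    return bytes(k ^ d for k, d in zip(key, data))


def decode_ini_password(line, key):
    """Decode a 'password=HEX' line of the kind found in aim.ini/msn.ini/yahoo.ini."""
    name, sep, value = line.strip().partition("=")
    if not sep or name.strip().lower() != "password":
        raise ValueError("not a password= line")
    return xor_apply(key, bytes.fromhex(value.strip())).decode("latin-1")


def encode_password(password, key):
    """The hex form the client would store; used here only to show the round trip."""
    return xor_apply(key, password.encode("latin-1")).hex().upper()


def decoding_table(key, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Rebuild a Table 9.1-style lookup: one {hex pair: plaintext char} dict per
    position. The mapping differs per position, which is why the chapter's 47
    and E7 both stand for 'a'."""
    return [{"%02X" % (ord(ch) ^ kb): ch for ch in alphabet} for kb in key]


def demo():
    """Carry the chapter's example through: recover key, rebuild table, decode."""
    hexcode = SAMPLE_INI_LINE.split("=", 1)[1]
    key = recover_keystream(KNOWN_PASSWORD, hexcode)
    table = decoding_table(key)
    pairs = [hexcode[i:i + 2] for i in range(0, len(hexcode), 2)]
    by_table = "".join(table[i][p] for i, p in enumerate(pairs))
    # A fixed-key XOR is effectively plaintext at rest: the defensive fix is to
    # keep credentials in the operating system's credential store, not an .ini file.
    return key.hex().upper(), by_table, decode_ini_password(SAMPLE_INI_LINE, key)
```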

Collecting Chat and Instant Messages

Collecting information on the chat sessions that your mark is conducting can be done in several ways. Most of the popular chat programs come with the capability to save a log file of the conversation. While some people may enable this to keep a record of their conversations, a lot of people never bother with this setting. This is a great place to keep track of chat, because a thorough log can yield all types of useful information. When logging is not an option, either because the program does not have the capability, or because you cannot physically access the machine, sniffing becomes the other alternative. Most chat is still in plain text and can easily be picked up with sniffers.

Collecting through Logging

Most IM clients can be configured to log all of their traffic. This is an excellent feature that can help you in your spying efforts. Very few users pay attention to the maze of preferences that most clients offer, and turning on logging is generally a very quiet and unobtrusive option that has a low risk factor. Even if someone were to discover that logging was enabled for his or her messenger, it does not immediately point the finger at anyone, or indicate that spying has occurred.

Setting Up Logging with AIM

AIM does not come with a method to log all of the chats. However, there are many extensions and add-ons to AIM that will provide this functionality. If your mark has installed them, it may be possible to log his or her chats. It is also possible (as demonstrated in Chapter 6) to use the Google Desktop Search Tool to log and view AIM chats. Also, several packages such as Parent Tools for AIM <add other packages> offer a logging capability.

Setting Up Logging with Yahoo

The first step is to log into the person’s account and start Yahoo Messenger. Then you need to bring up the Preferences menu. This can be done either by selecting Messenger | Preferences or Control + Shift + P. After the Preferences menu is shown, select the Archives option on the left. After toggling on the Archives option, logging will be activated. You can then exit Yahoo Messenger and log off of the account. Log files are saved for a duration of 10 days as .dat files in the following location:

C:\Documents and Settings\<Mark’s Account>\Application Data\Yahoo!\Messenger\Profiles\<Mark’s Yahoo ID>\

The contents of this directory can be copied to be viewed at your leisure later. Unfortunately, Yahoo does not store the data in clear text and in order to read the files you must use Yahoo’s built-in viewer, which requires you to be logged in. Since this is a risky option, we prefer to use a tool called Archive_Reader.exe. This tool can be found either at its home site,, or from our Web site. For Archive Reader to work, you must also have Yahoo Messenger installed and the .dat files placed in a valid account’s log directory.

Setting Up Logging with MSN

Only newer versions of MSN Messenger have the ability to log chat files. If your mark is using Messenger v6 or higher, you are in luck. After starting Messenger and logging in, the options can be accessed by selecting Tools | Options | Messages | Message History. Select the check box next to “Automatically keep a history of my conversations.” MSN Messenger will now log all of the conversations and place the log files in the following location:

C:\Documents and Settings\<Mark’s Account>\My Documents\My Received Files\<User ID>\History\sender.xml.

Note that the User ID will be the Messenger ID plus some additional names. The .xml files can be viewed by double-clicking on them, or by opening them in a text editor such as Notepad or WordPad.


After you have collected log files, buddy lists, and passwords, you may be eager to immediately view them. Keep in mind that by opening the files on your target’s machine you are leaving a history behind. If you open a .xml buddy list using Wordpad, the name of that buddy list will be left for the next person that uses Wordpad to see.

Instead, get a small Universal Serial Bus (USB) drive and copy the files to it. Take them somewhere else and view them on a computer that you feel is reasonably secure, or that you can reasonably clean up so that anyone seeing it will have a hard time determining what you have done on it.

Setting Up Logging with Gaim

Gaim logging is very easy to toggle on. Proceed by logging into your mark’s account and start the Gaim program. Once the Gaim program is started, select the Preferences button on the window, which will pop up a window with menus. Select the Logging tab to bring up the logging options. Under Message Logs, select the check boxes next to “Log All Instant Messages” and “Log all Chats.” You can also select the format it will save them in: .txt (view with Notepad) or .html (view with a Web browser). Finally, select Close to exit the window. Once logging is enabled, it will work for all of the messenger networks. Gaim will automatically log the files under:

C:\documents and settings\<Mark’s Account>\Application



In these examples, “Userid” is the name that your target uses to log into the service, and “sender” is the account of the person that they are communicating with. The stored logs can then be copied and viewed at a later date.

Setting Up Logging with Trillian

Trillian, like its counterpart Gaim, can log all of the messages and chats for all of the messaging protocols. To set up Trillian logging, first start the program. Next, bring up the menu by clicking on the green globe at the base of the Trillian window. From this menu, select Preferences and then the Message History tab. This will allow you to select what is logged to a file and where that file is to be stored. By default, Trillian stores the log files in:

C:\Documents and Settings\<Mark’s Account>\logs\<service>\

In this example, <service> is AIM, Yahoo, MSN, or whatever IM service your mark is using. Trillian stores its log files as plain text, which enables them to be viewed with Notepad.

Collecting through Sniffing

While sniffing may not be able to get passwords for you anymore, it can still obtain most messages and chats, which are still (mostly) done in the clear. Although some clients have encryption built in, it is usually not by default (although this is changing with Trillian). In addition, encryption currently only works between two of the same client.

For sniffing, we recommend using Snort to collect and Ethereal for analysis. Ethereal has many different protocol filters, which are tools that allow it to sort out different types of traffic. AIM, Yahoo, and MSN are all included in its list of protocol filters, and their traffic can easily be isolated for analysis. For example, you can isolate this traffic by typing aim, msnms (for MSN), or ymsg and yhoo (for Yahoo) in the filter bar, as we did in Figure 9.1. These filters can also be combined with the words “and” or “or.”

Figure 9.1 Using Ethereal’s Filters to Isolate IM Traffic

Once you have found a protocol you want to watch, you can examine it more closely by right-clicking on a packet and selecting “Follow TCP Stream.” While all of the content is there, most IM traffic is not as straightforward to interpret as e-mail or Web traffic. As Figure 9.2 demonstrates, the left-hand side of the stream shows the question from Pikewerks to Sarah asking: “Can you babysit tonight?” The right-hand section shows the response, where Sarah replies: “No, sorry, I have a date with Larry.”

Figure 9.2 Using Ethereal’s “Follow TCP Stream” to Analyze an IM

Advanced Collection

Sometimes it is possible to use a new technology in an unintended way to help us achieve our goals. One of these is IMSmarter, a tool released by Coceve Inc. IMSmarter works with existing IM clients and makes them more useful (or, as the name indicates, smarter). It is currently a beta version, which means that the IMSmarter service may change in usability and functionality. The IMSmarter tool allows you to log into a Web page to view copies of your chats, search through your chat histories, and set it up to send you reminders. All of these capabilities, while useful to most IM users, are also very useful to those of us who wish to spy on IM users.

IMSmarter automatically logs IMs. It works by altering the IM client’s configuration to use IMSmarter as a proxy, so that once configured, the IMSmarter servers sit between the IM client and the original IM servers. From that position, the IMSmarter server can see all traffic between a particular IM client and the IM server, which is how the service is able to log all of the IM traffic.

One of the advantages of IMSmarter is that it logs all of the IMs on its Web site, where they are accessed with a Web browser. For most IM users, this translates to a convenient place to collect and search through their records should they ever need to recall a previous IM session. For you as a spy, this means you now have a convenient place to collect all of your mark’s IM traffic and search through it. Of course, IMSmarter was never designed for this type of surreptitious use; it is intended that only the person who actually owns the accounts will have the messages logged.

To set up IMSmarter you first need several prerequisites.

• Access to your mark’s computer

• A list of IM clients your mark uses

• The ID and password for each IM client you wish to route through IMSmarter

Once you have this information, log onto a computer and bring up the IMSmarter site in a Web browser. First, you need to create an account for yourself. Select the “Get Started Now” button and answer the questions about the OS and clients you will be attacking. Figure 9.3 shows us selecting to configure AIM, MSN, and Yahoo with IMSmarter.

Figure 9.3 IMSmarter Setup Screen

After you have made your selection, the Web site will give you a Web page explaining how to configure each client. Print it out and take it with you. Now that you have instructions, the next few steps will have to be performed on your mark’s computer. Log on and, one by one, configure the clients as instructed. After each is configured, the dangerous part occurs. You must log into the IM network for each client; within a minute or two, IMSmarter will send you a message telling you to create an account. Once you are done, you may want to open up the browser history (done through the “History” button on most browsers) and delete the IMSmarter entries and all related Web sites.

Once you have IMSmarter configured and running, you can log onto the account that you have created and view the logs. Figure 9.4 shows a screenshot of an IMSmarter account. In it, you can search for the messages that have been sent and received with the registered IM clients. You can also see the status of the different accounts; it shows if your mark is currently logged into any of them. Figure 9.5 shows how IMSmarter can be used to search and view chats by different criteria.

Figure 9.4 IMSmarter Main Page

Figure 9.5 IMSmarter Used to Search through Logged Chats


IMSmarter is a beta tool, so its functionality may change. It was observed that IMSmarter adds itself to the MSN Messenger buddy list when the user logs on. Therefore, using IMSmarter with MSN Messenger might not be a good idea. However, this behavior may change, as it is still a beta version.

Using the IMSmarter service as a means of logging your mark’s IMs is one more tool in your arsenal. There are risks in using it as a spy tool because it is fairly easy to discover, merely by having the mark look at his or her client’s configuration. The IMSmarter service will occasionally send your mark messages in an attempt to be helpful. While a legitimate user of IMSmarter may appreciate that, those of us coercing it to help us spy might frown on this. Hopefully, an unwitting target will dismiss the IMSmarter messages as spam. Finally, if your mark is already a member of IMSmarter, or tries to become a member, the fact that your mark’s account names are already registered will produce some problems. If your target creates an account, he or she may be surprised to see that his or her IM accounts are already associated with an IMSmarter account. These risks are all things to keep in mind when considering using IMSmarter as a spy tool. As the IMSmarter service becomes more mature, additional features may be added. In the end, while risky, we believe that this tool has potential and that it can be useful when other means of collection fail.


Back in Chapter 6, we demonstrated how Google Desktop can be used to collect and search IM conversations. Do not forget to include this in your spy arsenal when you are contemplating how to collect this type of traffic. We encourage you to review that section to see if it meets your needs.


Sometimes the most successful tactic is to just go for broke and talk to your mark and their contacts. While this usually carries the most risk, it can also reap the highest reward. If you have the mark’s accounts and passwords, you have the option of logging onto the Internet as them and interacting with their buddies and contacts. This gives you the option of determining the extent of any online relationship.

The risks of impersonating your mark cannot be overstated. They come from all sides; thus, impersonating your mark should not be done without careful application of the SLEUTH methodology. In addition, it is probably a good idea to make sure you have an extremely good understanding of your mark. Know what your target likes and does not like, as well as his or her views on some of the big issues of the day. Since you will be acting like your mark, be prepared to be your target, even if this means expressing views and ideas that you personally find distasteful.

The first and most obvious risk is that you will be found out. If this happens, your whole spy operation is compromised. This can occur if one of your mark’s contacts speaks to your mark at a later date about a conversation that the contact “believes” the two had. Depending on how suspicious your mark is, this can be a big red flag showing that something is wrong.

In addition, you should be careful of the timing of your impersonation. It should closely correlate with a time your mark would normally be online. For example, if you log on very late at night, after your mark goes to bed, you run the risk of one of his contacts possibly telling him “you sure were up late last night” the next day at work. You may also want to be sure your mark is not out doing something that all the contacts are aware of. “I thought you played basketball every Tuesday” is an innocent comment that could come from any curious contact and be presented to either you or your mark. If you get this type of question, you might be able to carefully handle it. If your mark gets it, there is another cause of suspicion.

Another risk that must be managed is that your mark could log in from another location. AIM, for instance, would send them a message that they were logged on from another location. While some people would probably discount this with a simple statement such as “Oh, I must have left it on at work/school,” it is still a risk factor that you should be aware of.

However great the risks may be of impersonating your mark, it may be the only way to conclusively determine the context of some relationships. Only talking to the mark’s buddies will give you the opportunity to elicit information that may not appear in the normal course of spying. It will also give you the opportunity to see who is interested in your mark. Since some messaging clients allow you to send a message as soon as someone logs on, merely logging on will initiate conversation. This could be a good indicator that someone is up to no good. In the course of writing this book, several people added our 16-year-old identity “Sarah” to their buddy lists. Whenever she logs in, they send her messages. This would not be bad except that 30-year-old men have no business picking up 16-year-old girls. The best way to determine if someone is being “cyber-stalked” is to impersonate that person.

With knowledge of some of the known risks, carefully decide whether or not you want to impersonate your mark. If you decide that the risk is worth the reward, be sure to mitigate those risks at every opportunity. This means that if you use your target’s account and machine to log on, be sure to clean up your tracks. Turn off logging before you chat, or if you forget, make sure to delete any logs that you have created. Do not hold conversations that are too deep or that will be memorable to any of your mark’s buddies. And if you are asked a difficult or unusual question, do not be afraid to fake a quick disconnect.

Impersonating your mark provides a unique opportunity to interact with the people whom you are worried about. It is a high-risk, high-reward technique. In many cases, it gives you the edge and the needed information you cannot obtain from collection and analysis. However, since the human factor is involved, and there are many unknowns at play, careless application of this technique can send your entire spy operation tumbling down. Use impersonation as necessary, but use it with caution.

Tips and Tricks …

Let’s All Get Together

Ok, you plan on using Trillian or Gaim to impersonate your mark. We recommend that you install and use whichever one you do not currently use for personal reasons. Why, you ask? Trillian has a bad habit of merging buddy lists, meaning that all of your buddies could be added to your mark’s account. The next time your mark legitimately logs in, his or her list could be populated with all of your friends. This is a bad situation. As always in the spy business, caution is the name of the game; make sure to separate your business from your pleasure.

Case Study: Chat

IM has become the way that teens and many other tech-savvy demographics prefer to communicate. Many teenagers no longer spend hours on the phone. Instead, they spend hours in front of their PC chatting away with not one, but usually dozens of their friends at once. With online chat as the place for casual and sometimes not-so-casual conversation, much can be learned about someone while they chat.


The parents of two high-school-aged girls hear from one of them the rumor that the other has an eating disorder. Worried about this very serious condition, they use their knowledge to gather the information they need either to confront their daughter and handle the problem or to comfortably put the rumor to rest.


Ron and Sherry had two girls whom they both loved greatly. In their minds, their daughters were both perfect in every way. However, one day they received the shock of their lives when Jane, their younger daughter, approached them with a problem.

She had apparently heard from other students at school that her sister, Alison, had a habit of throwing up after meals. Realizing the seriousness of the situation, and the fact she was in no way trained to handle such an issue, she went to her parents immediately.

Both of her parents were also taken aback by the news. While they wanted not to believe it, they also felt that the possibility did exist. After all, Alison was very thin and concerned with her image. Since this was a delicate and dangerous issue, they decided to get as much information as they possibly could first. What they were working with now was a third-hand rumor. If they were going to confront Alison, they wanted hard evidence. Of course, they could just ask her, but if she did have such a disorder it was something she was not even talking to her sister about. They did not want to risk scaring her and driving her to even more secrecy.

They made a plan to obtain as much information as they could and work from there. Alison, like most teenagers, spent a lot of time IMing her friends. Both of her parents had her AIM identity added to their Trillian buddy lists. (They were actually using Trillian based on Alison’s recommendation.) The evening they heard the rumor from her sister, while they were doing their personal work, they kept an eye on Alison’s buddy icon waiting for it to go idle. Once it did, they knew she was not on the computer, and they would have an opportunity to use her machine. As they walked up the stairs they heard the shower. Good; she was not going anywhere for a while.

After sneaking quietly into her room, they quickly went to her computer, enabled logging on Trillian, and left. Two days later they waited for their daughter to enter the shower again. This time they took Ron’s USB drive with them and copied the last couple of days of Alison’s chat logs to it. They went back downstairs and loaded them up on their laptops. They quickly turned Microsoft’s search tool against the directory of chats, and began to search for different key words, “bulimia,” “vomit,” “food,” “throw up.” After a few dead ends they finally came across a chat where Alison touched on the subject:

Alison224: So I can’t believe Tom really likes me

Carol045: Yeah, but man is Jessica jealous.

Alison224: I know, that b***h. Can you believe she started telling people I have an eating disorder?

Carol045: She’s just jealous; she wishes she could be as thin as you.

Alison224: It’s nice and all, but I get teased about that all the time. I actually wouldn’t mind putting on a few pounds just to shut people up.

With those few lines of chat, Ron and Sherry felt like they had gotten enough information to make their decision. Since it was extremely unlikely that Alison was aware of their spying efforts, she was most likely speaking candidly and telling the truth. Along with the information from the chat log, they kept a very close eye on Alison over the next week, especially after meals. Failing to find any other evidence of an eating disorder, they dismissed what they heard as rumor, and stopped worrying about it.


Since they were dealing with a difficult topic, Alison’s parents had to approach it very carefully. Because they had received all of their information third-hand, they felt that they needed to have all the facts straight before they approached their daughter about her alleged problem. A mistake could force her into denial and even more secrecy.

While some people may question the approach that Alison’s parents took, it turned out to be effective. While worried about their daughter, they did not want to confront her with such a heavy issue unprepared. They used their knowledge of computer systems to collect some of Alison’s candid conversations with friends, to look for clues to the source of the supposed eating disorder. From their secret observations they received enough information to show that the problem was most likely a rumor. They felt secure that their information was correct, since by spying on their daughter without her knowledge, she was in a situation where she would have no reason to alter or hide the truth.


IM is quickly becoming a popular communication method for young and old alike. In many ways, it is like a telephone because coworkers, friends, and family can use it to communicate interactively and to stay in touch. However, unlike telephones where you can hear the voice of the person you are chatting with, messaging is much less attributable. Many times people speak without reservations on IM about things that they never could bring themselves to discuss in person or over a phone line. Further enabling this anonymity is the way that messaging facilitates anonymous meeting locations (e.g., chat rooms) where these thoughts are shared with absolute strangers. It is these secrets, and the fact that most teenagers will happily tell you that the acronym POS stands for Parent over Shoulder, that brings us to this chapter. The following are some of the key points that you should take away from reading this chapter:

• The messaging services AIM, Yahoo Messenger, and MSN Messenger operate on completely separate and isolated networks. Users on Yahoo Messenger cannot communicate with AIM users and vice versa.

• Aggregator clients such as Gaim and Trillian can be used to combine the account management of many different services into one common client. In addition, because these clients are freeware, you will not be bombarded with the advertising that is present in the other clients.

• If possible, add your target to your buddy list. You can (and should) use the idle time, away notice, sign-on, and sign-off of your target to track him or her and decide when you can secretly access his or her machine without being detected.

• Most clients provide the option to automatically log all conversations. This is a useful option for secretly collecting your target’s discussions.

• If you cannot access your target’s computer, but are located on the same subnet, you can use a sniffer to collect the conversations.

• IMSmarter offers a great method of collecting and searching through chat logs remotely without having to repeatedly go back to your target’s machine. However, its continual stream of messages makes it a rather noisy and dangerous technique.

• When all else fails, you can either try to impersonate your target with a collected password, or you can try to establish communication with your target using an alias. Many law enforcement agencies use tactics like this to gather evidence of wrongdoing. For example, in child pornographer stings, the agents must pose as other child pornographers. There is a fine line between catching someone and coercing them.