A brief forensic consideration of the Microsoft Notification Protocol (MSNP). …
Microsoft's MSNP is an instant messaging protocol for use by the .NET Messenger Service and the instant messaging clients that connect to it, such as Windows Live Messenger (WLM). For this reason it is sometimes referred to as the WLM protocol or the Messenger protocol.
MSNP does not provide encryption. This can be mitigated with client-side encryption.
MSNP has gone through multiple versions. Beginning with MSNP16, Multiple Points of Presence (MPOP) is supported, allowing an account to be simultaneously logged in at multiple locations with chats replicated on all clients. Current open source implementations, however, are based on the older MSNP8 which does not support MPOP. If you log in to a second client, the first client is automatically logged out and is informed that "you have signed on from another location". The second client receives no such message.
This provides a tripwire with which to detect someone accessing your account. Using an open source client, when finished chatting set your presence to invisible instead of logging out. Leave the computer running. If an attacker enters your account, you will see that you have been logged out with the above message. Depending upon the client, you may be able to log the time of the occurrence.
MSNP on Wikipedia