Skype Forensics — Extracting Evidence

Ever since the advent of communication platforms such as social networking, instant messengers, etc., there has been a considerable development to evolve with better alternatives. In order to pave the wheels of communication, Voice over Internet Protocol (VoIP) started getting used to fulfilling it seamlessly.  VoIP communication is technically an alternative to telephonic communication and is also referred to as IP Telephony or Internet Telephony. It replaces the use of phone numbers and cables by leveraging communication via Internet Protocols.

What is a Skype and What Features Does it Provide

Skype stands amongst the most extensively used VoIP services that allow millions of people to make free video calls, instant messages, voice chats, file transfer, and screen sharing. Primarily it uses a peer-to-peer connection medium rather than following the conventional client-server model based communication. Peer to peer communication ensures a highly secure and decentralized method of communication. Leveraging the fact that the whole communication system is decentralized and files are getting stored locally, it is manually possible to carry out the deep excavation of Skype usage data.

With the augmentation of user dependability and trust over a decade, Skype has led to a higher chance of being misused to extract Intellectual Information, commit Cybercrime, stalking, espionage, etc unethically. At this point, familiarity with technology and artefacts storage serves as a treasure chest for an investigator towards discovering probative evidence.

Skype Forensic Analysis

Skype basically uses SQLite database to maintain a repository of information about user accounts, contacts, chats, voice calls initiated and received, and lots of other viable information. It stores all information is in the main.db file and these files are lightweight database files. From a forensic perspective, it can give us a lot of information that can be used as essential evidence. But suspects may and do destroy this evidence by clearing chat histories or physically deleting Skype logs.

However,  Skype databases aren’t deleted completely, they are just shifted from active to inactive mode. Deleted Information can be carved out using raw editors/hex editors which might serve as inculpatory evidence against a fact or incident.

While investigating a particular application, it becomes almost certain to look for evidence at common sources of app trails such as temporary files, local & roaming application data, default profile folder, etc.

Fornicators can uncover crucial evidence by primarily investigating the database (main.db file) left behind by Skype which gets stored at the following location:

Windows 7: –

OR RUN 
 
Windows XP: –

LINUX :-

Android:-
/data/data/com.skype.raider/databases/main.db

Facts to ponder Upon: The main.db file maintains all information about user accounts. In addition, Skype stores its activity information in temporary “.dat” files. The Main.db file primarily consists of multiple tables which constitute user information in particular ids and fields. Experts can view the database tables and entries by using some professional tool or by using simple hex editors which becomes troublesome to comprehend easily.

Analysis of Cardinal Artifacts Found Within Skype database Main.db File:

Account:

The “Accounts” table is the place where complete details of Skype user accounts are stored. The table enumerates useful columns such as skype name (Skype username), Emails, Profile Timestamp, Time zone, avatar Image, registration timestamp, etc. Thus, confirming essential information against primary user identity.

Calls :

Calls Table lists the number of calls in which the primary user has participated. Listed With host and audience it serves as a pointer towards the remote users or participants. Call_Name ID provisions and maps to the Call_Name column in the CallMembers table which creates a complete reconstruction of the call timeline. The calls table also maintains UNIX Timestamps for each and every call made by the particular user.

Contacts :

The contacts table maintains user contacts with their Skype names, display names and miscellaneous details they have provided while registering with Skype. Primarily information such as Location, mobile # languages, country, province, city, emails, etc. can be uncovered here.

Chat Messages :

Skype stores all its chat messages in two locations; the main.db file & chatsync folder. Complete conversations and individual & group chats are stored in ChatSync folders which consist .dat files. The Main.db consists of pointers to the Chatsync .dat files which are used by the application to cross-reference/retrieve chat history respectively.

Transfers:

While investigating, monitoring Skype transfers should result in uncovering crucial data while reconstructing a scenario. File transfers can be used to detect any illicit exchange of user data, by extracting information from the table. The transfers table provides complete details of files shared or downloaded by the user with attributes such as FileName, Size, Path etc. It also provisions Partner_Handle(Skype Names), Display names, etc. information of the remote party respectively. Further, it remaps to other tables such as Participants and Conversations by using Convo_ID which fills the blanks thoroughly.

Chatsync Folder :

• Amongst the whole Skype user folder; the first folder that gets holds of our attention is Chatsync. It contains the complete user chat history in .dat format. The DAT files follow a sixteen varchar (alphanumeric) string as a naming convention which gets cross-referenced in multiple main.db tables while retrieving chat messages. These DAT files constitute complete conversation history, participants, and complete chat messages with their timestamps and a read receipt or status of messages. The time-stamps are noted in UNIX format, the investigator requires conversion of the input string for complete legibility.
•  Bistats.db, dc.db, griffin.db, keyvl.db consists of miscellaneous Skype application metadata. The Config.xml file contains the current application configuration details and contact list for the account folder. The config.lck file contains the account creation date details respectively.

Conclusion

The main.db file contains these and many other such tables consisting of information, crucial from an investigative point of view. Several commercial solutions offer Analysis of the DB file. However, SQLite Database File Viewer can be employed, for examining the tables completely in an investigation friendly manner to parse and carve many of the artefacts found in these locations.