
Skype Forensics — Extracting Evidence

Olivia Dehaviland | September 29th, 2017 | Updates

Since the advent of communication platforms such as social networks and instant messengers, there has been steady development toward better alternatives. To keep communication flowing, Voice over Internet Protocol (VoIP) came into use to carry it seamlessly. VoIP, also referred to as IP Telephony or Internet Telephony, is technically an alternative to telephone communication: it replaces phone numbers and cables by carrying calls over Internet Protocols. Skype is among the most widely used VoIP services, allowing millions of people to make free video calls, send instant messages, hold voice chats, transfer files and share screens. It primarily uses a peer-to-peer connection model rather than the conventional client-server model. Peer-to-peer communication provides a highly secure and decentralized method of communication. Because the whole communication system is decentralized and its files are stored locally, a deep manual excavation of Skype usage data is possible.

As user reliance on and trust in Skype have grown over the past decade, so has the chance of it being misused to extract intellectual property, commit cybercrime, stalk, conduct espionage, and so on. At this point, familiarity with the technology and with where it stores its artifacts serves as a treasure chest for an investigator seeking probative evidence.

Skype uses an SQLite database to maintain a repository of information about user accounts, contacts, chats, voice calls initiated and received, and much other usable information. All of it is stored in the main.db file, a lightweight database file. From a forensic perspective it can yield a great deal of information that can be used as essential evidence. But suspects may, and do, destroy this evidence by clearing chat histories or physically deleting Skype logs.

[Image: skype-main-db]

However, Skype database contents are not deleted completely; they are merely shifted from an active to an inactive state. Deleted information can be carved out using raw/hex editors and may serve as inculpatory evidence of a fact or incident.
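The following is an added example, not code from the original post or from Skype, that demonstrates the point above on a constructed SQLite file: a row that has been DELETEd remains in the raw bytes of the database (because SQLite only marks the cell's space as free) until the page is reused, the database is VACUUMed, or the secure_delete pragma is on, and a simple printable-string carve recovers it. The Messages table is a stand-in for a main.db table, not Skype's real schema; the message text is constructed sample data.

```python
"""Added example (not from the original post): show that a DELETEd SQLite row
survives in the file's raw bytes and carve it back out the way a hex editor
would. Table layout and message text are constructed, not Skype's schema."""
import os
import re
import sqlite3
import tempfile

SECRET = b"constructed-evidence-message-7f3a"   # constructed sample text


def build_db(path, secure_delete=False):
    """Create a small database, insert two rows, then delete the one holding SECRET."""
    conn = sqlite3.connect(path)
    # secure_delete=ON makes SQLite zero freed cell bytes; most builds default
    # to OFF, which is what leaves carveable residue behind a 'cleared' history.
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute("INSERT INTO Messages VALUES (1, 'alice', 'hello')")
    conn.execute("INSERT INTO Messages VALUES (2, 'bob', ?)", (SECRET.decode(),))
    conn.commit()
    conn.execute("DELETE FROM Messages WHERE id = 2")   # the suspect 'clears' a message
    conn.commit()
    conn.close()


def live_rows(path):
    """What the application (or a normal SQL viewer) still shows."""
    conn = sqlite3.connect(path)
    n = conn.execute("SELECT COUNT(*) FROM Messages").fetchone()[0]
    conn.close()
    return n


def deleted_text_survives(path):
    """Raw-byte check: is the deleted message still physically in the file?"""
    with open(path, "rb") as fh:
        return SECRET in fh.read()


def carve_strings(path, min_len=8):
    """Pull printable-ASCII runs out of the raw file, the way a hex editor's
    string search would, regardless of whether SQLite considers them live."""
    with open(path, "rb") as fh:
        raw = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def vacuum(path):
    """VACUUM rebuilds the file from live rows only, destroying the residue."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo(secure_delete=False, do_vacuum=False):
    """Run the whole scenario in a temporary directory and report the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "main.db")
        build_db(path, secure_delete)
        if do_vacuum:
            vacuum(path)
        return {
            "live_rows": live_rows(path),
            "residue": deleted_text_survives(path),
            "strings": carve_strings(path),
        }


if __name__ == "__main__":
    for label, kwargs in [("default delete", {}), ("after VACUUM", {"do_vacuum": True}),
                          ("secure_delete=ON", {"secure_delete": True})]:
        r = demo(**kwargs)
        print("%-18s live_rows=%d residue=%s" % (label, r["live_rows"], r["residue"]))
```

The two negative cases matter for an examiner: a database that has been VACUUMed, or written by a build with secure_delete enabled, will no longer carry the deleted record, so the absence of residue is not proof that nothing was ever deleted.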

When investigating a particular application, it is almost always necessary to look for evidence in the common places where an app leaves traces, such as temporary files, local and roaming application data, and the default profile folder.

Forensic examiners can uncover crucial evidence by first investigating the database (the main.db file) that Skype leaves behind, which is stored at the following locations:

Windows 7: [Image: main-db-location] or, via Run: [Image: main-db-location-run]
Windows XP: [Image: main-db-location-xp]
Linux: [Image: main-db-location-linux]
Android: /data/data/com.skype.raider/databases/main.db

Facts to ponder upon: the main.db file maintains all information about user accounts. In addition, Skype stores activity information in temporary “.dat” files. The main.db file consists of multiple tables that hold user information under particular ids and fields. Experts can view the database tables and entries with a professional tool or with a simple hex editor, though the latter is troublesome to comprehend.

Analysis of Cardinal Artifacts Found Within the Skype main.db File:

Accounts:

The “Accounts” table is where the complete details of the Skype user account are stored. It holds useful columns such as skypename (the Skype username), emails, profile timestamp, time zone, avatar image and registration timestamp, thereby confirming essential information about the primary user's identity.

[Image: skype-accounts]

Calls:

The Calls table lists the calls in which the primary user has participated. Listing both host and audience, it points toward the remote users or participants. The call name ID maps to the Call_Name column of the CallMembers table, which allows a complete reconstruction of the call timeline. The Calls table also maintains a UNIX timestamp for every call made by the user.

[Image: main-db-calls]

Contacts:

The Contacts table maintains the user's contacts with their Skypenames, display names and the miscellaneous details they provided when registering with Skype. Information such as location, mobile number, languages, country, province, city and emails can be uncovered here.

[Image: main-db-contacts]

Chat Messages:

Skype stores its chat messages in two locations: the main.db file and the chatsync folder. Complete conversations, both individual and group chats, are stored in the ChatSync folder as .dat files. The main.db contains pointers to the chatsync .dat files, which the application uses to cross-reference and retrieve chat history.

[Image: skype-chatsync]

Transfers:

While investigating, examining Skype transfers should uncover crucial data when reconstructing a scenario: file transfers can reveal any illicit exchange of user data. The Transfers table provides complete details of files shared or downloaded by the user, with attributes such as filename, size and path. It also records the remote party's Partner_Handle (Skype name), display name and similar information. Further, it maps to other tables such as Participants and Conversations through Convo_ID, which fills in the remaining blanks.

[Image: skype-transfers]
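The Calls and Transfers sections above both describe the same technique: following a key from one table into another (call name into CallMembers, Convo_ID into Conversations) and converting UNIX timestamps into readable time. The following added example, which is not code from the original post or from Skype, does both on a constructed in-memory database and merges the results into one chronological timeline. The schema is a small stand-in that only mirrors the column names the post cites (call name, Partner_Handle, Convo_ID); the tables, columns and rows are assumptions, not a dump of a real main.db.

```python
"""Added example (not from the original post or Skype): rebuild one timeline
from a Skype-style main.db by joining Calls to CallMembers on the call name and
Transfers to Conversations on Convo_ID, rendering UNIX timestamps as UTC.
Schema and rows are a constructed subset (assumption), not Skype's real schema."""
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in schema; a real main.db carries many more columns.
SCHEMA = """
CREATE TABLE Calls (id INTEGER PRIMARY KEY, begin_timestamp INTEGER,
                    duration INTEGER, host_identity TEXT, name TEXT);
CREATE TABLE CallMembers (id INTEGER PRIMARY KEY, call_name TEXT,
                          identity TEXT, dispname TEXT);
CREATE TABLE Conversations (id INTEGER PRIMARY KEY, identity TEXT,
                            displayname TEXT);
CREATE TABLE Transfers (id INTEGER PRIMARY KEY, convo_id INTEGER,
                        partner_handle TEXT, partner_dispname TEXT,
                        filename TEXT, filesize INTEGER, filepath TEXT,
                        starttime INTEGER);
"""

# Constructed sample rows; timestamps are seconds since the UNIX epoch.
SAMPLE_ROWS = [
    "INSERT INTO Calls VALUES (1, 1506672000, 185, 'alice.example', 'call-0001')",
    "INSERT INTO CallMembers VALUES (1, 'call-0001', 'alice.example', 'Alice')",
    "INSERT INTO CallMembers VALUES (2, 'call-0001', 'bob.example', 'Bob')",
    "INSERT INTO Conversations VALUES (7, 'bob.example', 'Bob')",
    "INSERT INTO Transfers VALUES (1, 7, 'bob.example', 'Bob', 'report.pdf', 20480, "
    "'C:\\Users\\alice\\Downloads\\report.pdf', 1506675600)",
]


def unix_to_utc(ts):
    """Skype stores seconds since 1970-01-01 UTC; render them unambiguously."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def open_sample_db():
    """Build the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt in SAMPLE_ROWS:
        conn.execute(stmt)
    conn.commit()
    return conn


def call_events(conn):
    """One event per call, with every participant pulled in via CallMembers.call_name."""
    sql = """SELECT c.begin_timestamp, c.duration, c.host_identity,
                    GROUP_CONCAT(m.identity, ', ')
             FROM Calls c JOIN CallMembers m ON m.call_name = c.name
             GROUP BY c.id"""
    return [{"ts": ts, "when": unix_to_utc(ts), "kind": "call", "host": host,
             "duration_s": dur, "members": members}
            for ts, dur, host, members in conn.execute(sql)]


def transfer_events(conn):
    """One event per file transfer, with the conversation resolved through Convo_ID."""
    sql = """SELECT t.starttime, t.partner_handle, t.filename, t.filesize,
                    t.filepath, v.displayname
             FROM Transfers t LEFT JOIN Conversations v ON v.id = t.convo_id"""
    return [{"ts": ts, "when": unix_to_utc(ts), "kind": "transfer", "partner": handle,
             "conversation": conv, "file": name, "size": size, "path": path}
            for ts, handle, name, size, path, conv in conn.execute(sql)]


def build_timeline(conn):
    """Merge both event types into a single chronological list."""
    return sorted(call_events(conn) + transfer_events(conn), key=lambda e: e["ts"])


if __name__ == "__main__":
    for ev in build_timeline(open_sample_db()):
        detail = {k: v for k, v in ev.items() if k not in ("ts", "when", "kind")}
        print(ev["when"], ev["kind"], detail)
```

To run the same queries against a real main.db, replace the in-memory connection with `sqlite3.connect("file:main.db?mode=ro", uri=True)` on a working copy and adjust the column names to the ones the actual table carries; the LEFT JOIN keeps a transfer in the timeline even when its conversation row has been removed.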

Chatsync Folder:

  • Among the whole Skype user folder, the first folder to catch our attention is Chatsync. It contains the complete user chat history in .dat format. The DAT files follow a naming convention of a sixteen-character alphanumeric string, which is cross-referenced in multiple main.db tables when chat messages are retrieved. These DAT files hold the complete conversation history: participants, complete chat messages with their timestamps, and the read receipt or status of each message. The timestamps are stored in UNIX format, so the investigator must convert the value for legibility.
    [Image: sample-chatsync-file]
  • bistats.db, dc.db, griffin.db and keyvl.db hold miscellaneous Skype application metadata. The config.xml file contains the current application configuration and the contact list for the account folder. The config.lck file contains the account creation date.
    [Image: skype-config-xml]
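As an added example, not code from the original post or from Skype, the script below inventories a chatsync folder the way an examiner would before touching its contents: each .dat file is checked against the sixteen-character alphanumeric naming convention described above, hashed with SHA-256 for chain of custody, and its modification time converted from UNIX seconds to UTC. The folder tree and file contents created by make_sample_tree() are constructed test data, and the two-character subfolder layout is an assumption about how the files are nested, not something the post states.

```python
"""Added example (not from the original post or Skype): inventory a chatsync
folder, flagging .dat files that break the 16-character alphanumeric naming
convention and recording size, SHA-256 and UTC mtime for each.
Sample tree and nesting layout are constructed assumptions."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Naming convention from the post: a sixteen-character alphanumeric stem plus ".dat".
DAT_NAME = re.compile(r"^[0-9A-Za-z]{16}\.dat$")

# Constructed test data: relative path -> (content, mtime as UNIX seconds).
SAMPLE_FILES = {
    "a1/a1b2c3d4e5f60718.dat": (b"constructed chat blob A", 1506672000),
    "a1/a1b2c3d4e5f60719.dat": (b"constructed chat blob A", 1506675600),
    "notes.dat":               (b"not a chatsync file",     1506679200),
}


def unix_to_utc(ts):
    """Render seconds since the epoch as an unambiguous UTC string."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def sha256_file(path):
    """Stream the file so large .dat files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_tree(root):
    """Write the constructed files and pin their mtimes to known values."""
    for rel, (content, mtime) in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.utime(full, (mtime, mtime))


def inventory_chatsync(root):
    """Walk the folder and describe every .dat file without modifying it."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dat"):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rows.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "name_ok": bool(DAT_NAME.match(name)),   # False: not a chatsync-style name
                "size": st.st_size,
                "sha256": sha256_file(full),
                "mtime_utc": unix_to_utc(st.st_mtime),
            })
    return sorted(rows, key=lambda r: r["path"])


def demo():
    """Build the constructed tree in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return inventory_chatsync(tmp)


if __name__ == "__main__":
    for row in demo():
        print("%-28s ok=%-5s %6d bytes  %s  %s" % (row["path"], row["name_ok"],
              row["size"], row["mtime_utc"], row["sha256"][:16]))
```

Identical hashes on two differently named files (as with the two sample blobs) are worth noting in the report: the same conversation chunk stored twice, or a file copied into the folder by something other than Skype. Filesystem mtimes are only a hint; the authoritative message times are the UNIX values inside the .dat records and main.db.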

Conclusion: The main.db file contains these and many other tables holding information that is crucial from an investigative point of view. Analysis of the DB file is offered by a number of commercial solutions; however, a SQLite Database File Viewer can also be employed to examine the tables completely, in an investigation-friendly manner, and to parse and carve many of the artifacts found in these locations.