Skype Forensics Tools

Posted on Mar 31, 2014 by admin

Skype can also be used through an Internet adapter box that routes an ordinary telephone over the Internet. From a forensic perspective, a Skype installation can yield a great deal of information that may be presented as evidence in a court of law, which is one reason computer forensics matters so much today.

This is a small tool that can be used to investigate the Skype user accounts stored on a PC. First, let's learn how to investigate the data manually. This is a very easy to understand article; I assume you have a basic understanding of SQL. All the data is stored in a file named main.db, and each user account has its own folder (named after the Skype username) under one of the following directories.

Windows:

C:\Users\<user>\AppData\Roaming\Skype\

Linux:

/home/<user>/.Skype/

OS X:

/Users/<user>/Library/Application Support/Skype/

Overview of the Database

Let's investigate main.db in a hex editor. Work on a copy of the file rather than the original, so that the evidence is not modified.

The first 16 bytes of the file are the string "SQLite format 3" followed by a NUL byte, which is the header of an SQLite 3 database. We can open this file using SQLite and start exploring.

Open the copy of main.db using sqlite3. To view the tables, run this query:

This query returns the names of all the tables in the database from its schema (the sqlite_master table). Of these, we are interested in the data in the Accounts, Contacts, Calls, Conversations and Messages tables.

Profile of the User

To investigate the profile of the specific user, run this query. I hope you can understand these simple queries.

We are selecting those columns from the Accounts table. The date and time is stored as a POSIX timestamp (seconds since 1970-01-01 00:00:00 UTC). To turn this value into a human-readable format we use the SQLite function datetime() and pass the argument 'unixepoch'; note that the result is in UTC, so add the 'localtime' modifier if you want the machine's local time zone instead.

Contacts

To dump the contacts use this query.

Calls

To dump all the calls of the user run this query.

If the 'is_incoming' column returns '1', the call was an incoming call. If it returns '0', the call was an outgoing call.

Messages

To dump all the messages, run this query. Rows whose body is a <partlist alt=""> element are call participant lists that Skype also stores in the Messages table; they are not chat text, so we are not interested in them.

If the 'dialog_partner' column is equal to 'author', the message is FROM 'author'. If the 'dialog_partner' column is not equal to 'author', the message is TO 'dialog_partner'.

You can see one result, “hi”, which is a message.
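The manual steps above (the header check, listing the tables, dumping the profile with datetime(..., 'unixepoch'), the calls with their direction, and the messages with the FROM/TO rule and the <partlist> rows filtered out) carried through end to end in Python's sqlite3 module. This is an added example, not code from the original article or from SkypeFreak. The page's own queries were screenshots and are not reproduced in this copy, so the column names used here (skypename, profile_timestamp, begin_timestamp, conv_dbid, timestamp, body_xml, and so on) are assumed from the Skype for desktop schema, and the database itself is a constructed miniature with invented rows, built so the script runs offline. The file is opened read-only, which is what you want when the input is an evidence copy.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Constructed sample: a miniature of the Skype main.db tables the article
# walks through. Column names follow the Skype for desktop schema as assumed
# here; every row is invented test data, not a real account.
SAMPLE_SQL = """
CREATE TABLE Accounts (id INTEGER PRIMARY KEY, skypename TEXT, fullname TEXT,
    country TEXT, profile_timestamp INTEGER);
CREATE TABLE Contacts (id INTEGER PRIMARY KEY, skypename TEXT, displayname TEXT,
    country TEXT, lastonline_timestamp INTEGER);
CREATE TABLE Conversations (id INTEGER PRIMARY KEY, identity TEXT);
CREATE TABLE Calls (id INTEGER PRIMARY KEY, begin_timestamp INTEGER,
    duration INTEGER, is_incoming INTEGER, conv_dbid INTEGER);
CREATE TABLE Messages (id INTEGER PRIMARY KEY, timestamp INTEGER,
    dialog_partner TEXT, author TEXT, body_xml TEXT);
INSERT INTO Accounts VALUES (1, 'alice', 'Alice Example', 'gb', 1396224000);
INSERT INTO Contacts VALUES (1, 'bob', 'Bob Example', 'us', 1396227600);
INSERT INTO Conversations VALUES (1, 'bob');
INSERT INTO Calls VALUES (1, 1396231200, 120, 1, 1);  -- bob called alice
INSERT INTO Calls VALUES (2, 1396234800, 30, 0, 1);   -- alice called bob
INSERT INTO Messages VALUES (1, 1396238400, 'bob', 'alice', 'hi');
INSERT INTO Messages VALUES (2, 1396238460, 'bob', 'bob', 'hello');
-- call participant list that Skype also stores as a "message"; not chat text
INSERT INTO Messages VALUES (3, 1396238520, 'bob', 'alice',
    '<partlist alt=""><part identity="bob"/></partlist>');
"""


def build_sample_db():
    """Write the constructed main.db into a temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "main.db")
    conn = sqlite3.connect(path)
    conn.executescript(SAMPLE_SQL)
    conn.commit()
    conn.close()
    return path


def is_sqlite_file(path):
    """The check the article does in a hex editor: the 16-byte header string."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def open_db(path):
    """Open the evidence copy read-only so the examination cannot alter it."""
    return sqlite3.connect("file:{}?mode=ro".format(path), uri=True)


def list_tables(conn):
    """Table names from the schema, i.e. the sqlite_master query."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def profile(conn):
    """Account profile with the POSIX timestamp rendered as UTC date/time."""
    return conn.execute(
        "SELECT skypename, fullname, country, "
        "datetime(profile_timestamp, 'unixepoch') FROM Accounts").fetchall()


def calls(conn):
    """Calls joined to their conversation; is_incoming 1/0 becomes a word."""
    rows = conn.execute(
        "SELECT datetime(begin_timestamp, 'unixepoch'), duration, identity, "
        "is_incoming FROM Calls JOIN Conversations "
        "ON Calls.conv_dbid = Conversations.id ORDER BY begin_timestamp")
    return [(ts, dur, who, "incoming" if inc == 1 else "outgoing")
            for ts, dur, who, inc in rows]


def messages(conn):
    """Chat messages with direction; <partlist> call records and NULL bodies skipped."""
    rows = conn.execute(
        "SELECT datetime(timestamp, 'unixepoch'), dialog_partner, author, body_xml "
        "FROM Messages WHERE body_xml IS NOT NULL "
        "AND body_xml NOT LIKE '<partlist%' ORDER BY timestamp")
    out = []
    for ts, partner, author, body in rows:
        # dialog_partner == author means the partner wrote it (FROM), else we did (TO)
        direction = "FROM " + author if partner == author else "TO " + partner
        out.append((ts, direction, body))
    return out


if __name__ == "__main__":
    db = build_sample_db()
    print("SQLite header OK:", is_sqlite_file(db))
    conn = open_db(db)
    print("tables:", list_tables(conn))
    print("profile:", profile(conn))
    for row in calls(conn):
        print("call:", row)
    for row in messages(conn):
        print("message:", row)
```

On a real main.db, replace build_sample_db() with the path of your evidence copy; the queries are the same, only the assumed column names need checking against the schema that list_tables() and a PRAGMA table_info() show you.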

Automation

So now I think you know how to investigate a Skype database file and what is happening behind the scenes. I wrote a small tool to automate this: http://osandamalith.github.io/SkypeFreak/

Features

  • Fully open source
  • Cross-platform. Works on Windows, Linux and OS X
  • Written in Python 2.7
  • Can write to a file and extract data easily

Available Options:

  1. Profile
  2. Contact
  3. Calls
  4. Messages
  5. Generate a Full Report

To investigate the profile, enter 1 and you will see the profile details nicely formatted.

All returned data can be written to a file.

The calls can be retrieved in detail, including whether each was incoming or outgoing.

The messages can be viewed in a clear format.

You can easily generate the whole report as a text file by entering option 5 and giving a file name.

Thank you for reading this short article about the tool. I hope now you have a good idea about Skype forensics.