Forensics Journal - Stevenson University 2013 | Page 68

The messages table, in “main.db”, stores even more information about the chat sessions, including another record of each message sent and received. Figure 3 shows part of two entries in the messages table, as well as the corresponding screen shot of the actual Skype chat session. The “dialog_partner” field provides the Skype name, “two.skype2”, that “Joseph Skyperuser” was chatting with. The “timestamp” field can be converted from epoch time to the correct Eastern Daylight Time. The messages sent and received are stored in the “body_xml” field (Shafer, Skype Data Experiments). “1348928951,” in the “timestamp” field seen in Figure 1, can be converted to “9/29/2012 14:29:11 GMT” (Fogt).

FIGURE 1: Data in Chats Table

FIGURE 3: Explanation of Messages Table

CHAT SESSIONS

By default, all chat sessions are stored in several data files. In the Skype user’s “Chats” table (see Figure 1), each row contains information on a single chat session. Each chat participant is listed, as well as the start time of the chat, and the name of the “.dat” file which contains the actual chat conversation. These “.dat” files are kept in the “chatsync” folder. In Figure 2, the subfolders of “joseph.skyperuser”’s chatsync folder are shown in the upper left. Each subfolder is named with the first two characters of the “.dat” file which it contains. The “dbpath” field of the “chats” table contains the name of the “.dat” file, which contains the actual chats sent and received. The arrows indicate the corresponding “dbpath” entry in Figure 2. At the bottom of Figure 2, the text contents of “5cb3750ba3767302.dat” are displayed. These correspond to the picture taken of the actual chat in progress, displayed in the background. This chat data can easily be decoded with any forensic program (Shafer, Skype Data Experiments).

Each Skype user has a full name, a user name, and a hexadecimal account number that is used by the Skype service.
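The timestamp conversion and the “chatsync” folder layout described above, as an added example that is not from the article or from Skype. It reads the messages table fields the article names from a constructed in-memory stand-in for “main.db”; the sample rows, the message bodies, the function names and the fixed UTC-4 offset used for Eastern Daylight Time are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed UTC-4 offset (assumption): correct for the article's September 2012
# sample (Eastern Daylight Time). For arbitrary dates use a tz database zone.
EDT = timezone(timedelta(hours=-4), "EDT")
FMT = "%Y-%m-%d %H:%M:%S %Z"


def epoch_to_utc_and_edt(epoch):
    """Convert an epoch "timestamp" value to (UTC string, EDT string)."""
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return utc.strftime(FMT), utc.astimezone(EDT).strftime(FMT)


def chatsync_relpath(dbpath):
    """Locate a chat's .dat file: the subfolder is its first two characters."""
    return f"chatsync/{dbpath[:2]}/{dbpath}"


def message_timeline(con):
    """Return (utc, edt, dialog_partner, body_xml) rows in time order."""
    rows = con.execute(
        "SELECT timestamp, dialog_partner, body_xml "
        "FROM Messages ORDER BY timestamp, rowid"
    )
    return [(*epoch_to_utc_and_edt(ts), partner, body) for ts, partner, body in rows]


def build_constructed_db():
    """In-memory stand-in for main.db holding constructed rows only."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Messages (dialog_partner TEXT, timestamp INTEGER, body_xml TEXT)"
    )
    con.executemany(
        "INSERT INTO Messages VALUES (?, ?, ?)",
        [  # constructed sample rows, deliberately inserted out of order
            ("two.skype2", 1348929010, "constructed reply"),
            ("two.skype2", 1348928951, "constructed first message"),
        ],
    )
    return con


if __name__ == "__main__":
    # On a case, open a working copy read-only instead:
    #   sqlite3.connect("file:main.db?mode=ro", uri=True)
    for row in message_timeline(build_constructed_db()):
        print(" | ".join(row))
    print(chatsync_relpath("5cb3750ba3767302.dat"))
```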
The messages table shows this hexadecimal account number in the “chatname” field (Shafer, Skype Data Experiments). During a forensic examination of multiple computers, searching the other computers for any of the hexadecimal account numbers found on computer one may show partial chats in unallocated or free disk space. A subpoena can be sent to Skype for the account information using any of these Skype user IDs.

FIGURE 2: Explanation of Chat Data

VOICE AND VIDEO CALLS

Unfortunately, unlike the chat messages, which are stored by default, the content of Skype voice or video calls is not recorded. In storing call sessions, Skype keeps both transactional voice and video call records in the same table. The date and time of the calls, duration, participants and video settings,