Forensics Journal - Stevenson University 2013 | Page 68
The messages table, in “main.db”, stores even more information about
the chat sessions, including another record of each message sent and
received. Figure 3 shows part of two entries in the messages table, as
well as the corresponding screenshot of the actual Skype chat session.
The “dialog_partner” field provides the Skype name, “two.skype2”,
that “Joseph Skyperuser” was chatting with. The “timestamp” field
can be converted from epoch time to the correct Eastern Daylight
Time. The messages sent and received are stored in the “body_xml”
field (Shafer, Skype Data Experiments).
“1348928951,” in the “timestamp” field seen in Figure 1, can be
converted to “9/29/2012 14:29:11 GMT” (Fogt).
FIGURE 1: Data in Chats Table
FIGURE 3: Explanation of Messages Table
CHAT SESSIONS
By default, all chat sessions are stored in several data files. In the
Skype user’s “Chats” table (see Figure 1), each row contains information on a single chat session. Each chat participant is listed, as well as
the start time of the chat, and the name of the “.dat” file which contains the actual chat conversation. These “.dat” files are kept in the
“chatsync” folder. In Figure 2, the subfolders of “joseph.skyperuser”’s
chatsync folder are shown in the upper left. Each subfolder is named
with the first two characters of the “.dat” file which it contains. The
“dbpath” field of the “chats” table contains the name of the “.dat” file,
which contains the actual chats sent and received. The arrows indicate the corresponding “dbpath” entry in Figure 2. At the bottom of
Figure 2, the text contents of “5cb3750ba3767302.dat” are displayed.
These correspond to the picture taken of the actual chat in progress,
displayed in the background. This chat data can easily be decoded
with any forensic program (Shafer, Skype Data Experiments).
Each Skype user has a full name, a user name, and a hexadecimal
account number that is used by the Skype service. The messages
table shows this hexadecimal account number in the “chatname” field
(Shafer, Skype Data Experiments). During a forensic examination
of multiple computers, searching the other computers for any of the
hexadecimal account numbers found on the first computer may reveal partial chats in unallocated or free disk space. A subpoena can be sent to
Skype for the account information using any of these Skype user IDs.
FIGURE 2: Explanation of Chat Data
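The lookups described in this section can be scripted, shown here as an added example that is not code from the article or from Skype: it converts the epoch “timestamp” values, maps a “dbpath” entry to its “chatsync” subfolder, and lists message bodies in time order. The table layout is a constructed stand-in holding only the fields the article names; the message bodies, the chatname value, and the fixed UTC-4 offset used for EDT are assumptions.

```python
import html
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed UTC-4 offset: correct only for timestamps that fall in daylight time.
EDT = timezone(timedelta(hours=-4), "EDT")

def epoch_to_utc_and_edt(ts):
    """Convert a Unix epoch value from a "timestamp" field to (UTC, EDT)."""
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    return utc, utc.astimezone(EDT)

def chatsync_path(dbpath):
    """Place a "dbpath" file name under the subfolder named by its first two characters."""
    return f"chatsync/{dbpath[:2]}/{dbpath}"

def build_sample_db():
    """Constructed stand-in for main.db holding only the fields the article names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Chats (timestamp INTEGER, dbpath TEXT);
        CREATE TABLE Messages (chatname TEXT, dialog_partner TEXT,
                               timestamp INTEGER, body_xml TEXT);
    """)
    conn.execute("INSERT INTO Chats VALUES (1348928951, '5cb3750ba3767302.dat')")
    # Constructed rows: chatname, later timestamps and bodies are sample values.
    conn.executemany("INSERT INTO Messages VALUES (?, ?, ?, ?)", [
        ("CONSTRUCTED-CHATNAME", "two.skype2", 1348929020, "I&apos;m here"),
        ("CONSTRUCTED-CHATNAME", "two.skype2", 1348928960, "Hello &amp; welcome"),
    ])
    return conn

def message_timeline(conn):
    """Return messages oldest first as (utc, edt, partner, chatname, text) tuples."""
    rows = conn.execute("SELECT chatname, dialog_partner, timestamp, body_xml "
                        "FROM Messages ORDER BY timestamp")
    timeline = []
    for chatname, partner, ts, body in rows:
        utc, edt = epoch_to_utc_and_edt(ts)
        # Assumption: body_xml holds XML-escaped text, so entities are decoded.
        timeline.append((utc, edt, partner, chatname, html.unescape(body or "")))
    return timeline

if __name__ == "__main__":
    db = build_sample_db()
    for ts, dbpath in db.execute("SELECT timestamp, dbpath FROM Chats"):
        print(epoch_to_utc_and_edt(ts)[0].isoformat(), chatsync_path(dbpath))
    for utc, edt, partner, chatname, text in message_timeline(db):
        print(edt.strftime("%m/%d/%Y %H:%M:%S %Z"), partner, chatname, text)
```

When working on evidence, run such queries against a verified working copy of “main.db” rather than the original file.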
VOICE AND VIDEO CALLS
Unfortunately, unlike the chat messages, which are stored by default,
the content of Skype voice or video calls is not recorded. In storing
call sessions, Skype keeps the transactional records of both voice and
video calls in the same table. The date and time of the calls, duration,
participants and video settings,