Forensics Journal - Stevenson University 2013 | Page 69
and the call in the third column is incoming. The “host_identity”
and “current_video_audience” fields show the participants in the call,
but the “is_incoming” field needs to be referenced to determine who
was calling whom. The date and time that a call began is stored as
epoch time in “begin_timestamp” (Shafer, Skype Data Experiments).
FIGURE 4: Explanation of Calls Table

SMS MESSAGES
As a paid feature of Skype, users may send SMS text messages to a cell
phone. They can even record a cell phone number to receive SMS
replies (Skype, Inc.). Skype tracks the phone number the SMS text
message was sent to, as well as the message itself, in both the “messages” and “SMSes” tables of “main.db.” Figure 6 shows the relevant
fields of the “messages” table. In the “chatname” field, the sender of
the SMS message, in this case “skyperuser,” is displayed, along with
the phone number the SMS message was sent to, “1805-555-1212”
(Shafer, Skype Data Experiments).

FIGURE 6: SMS Messages

The “timestamp” field displays the date and time in epoch time. The
content of the message itself can be seen in the “body_xml” field.
The phone number that the SMS message was sent to is repeated in
multiple locations, including the “body_xml,” “identities,” and “dialog_partner” fields (Shafer, Skype Data Experiments).

The “SMSes” table tracks more usage and billing information on the
SMS message, and the phone number that the SMS was sent to is again
stored. However, this time it is stored in the “target_number” field of
this table. The “reply_to_number” will display the SMS phone number the user entered in Skype to receive SMS replies, and the “body”
field will display the content of the message itself. Furthermore, each
SMS message will have a blob “target_statuses” field, which can be
viewed in HEX. This blob again contains the target phone number
(Shafer, Skype Data Experiments). With multiple locations for target

CONTACTS
The Skype contact list is stored in the contacts table of “main.db.”
Every Skype user can enter a host of demographic information such as
country, language, gender, phone numbers, email and addresses. Of
course, this information is not checked for accuracy or truthfulness.
When a user is logged into Skype, the information for each contact
is updated (Shafer, Skype Data Experiments). Since this information
is self-entered, it may be helpful in proving intent in certain types of
investigations.

The avatar that the user selected is stored, as blob data, in the “avatar_image” field. As previously mentioned, this image data is stored
as standard JPEG data, which can be carved out and made viewable
(Shafer, Skype Data Experiments).

FILE TRANSFERS
During a chat, group chat, voice, video or conference call, Skype
enables the participants to send and receive files. The person receiving
the file must click to accept the file being sent, therefore files are not
received blindly (Shafer, Skype Data Experiments). The information
may help prove knowledge for any case in which “knowing” possession is important, such as child-pornography, trade-secret theft or
espionage.

FIGURE 5: Explanation of Transfers Table
Skype tracks the file transfers in the transfers table of “main.db.” If a
file was sent, the “type” field will contain a “2” as seen in Figure 5. A
received file is marked with a “1.” The starting and ending time of
the file transfer, in epoch time, as well as the file name is recorded (see
Figure 5). The “filepath” information is the storage location on the
computer that is being examined, i.e. “joseph.skyperuser”’s computer.
When a file is sent to multiple people during a group chat or conference call, multiple entries are made in the transfers table. One entry
exists for each recipient (Shafer, Skype Data Experiments).
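
The transfers-table fields described above can be decoded as in the following added example, which is not code from the article or from Shafer's experiments. Only “type” and “filepath” are named in the text; the column names starttime, finishtime, filename and partner_handle and the 5-second grouping window are assumptions, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

DIRECTION = {1: "received", 2: "sent"}  # "type" values described in the text
WINDOW = 5  # seconds; assumed tolerance between per-recipient rows of one send

def utc(epoch):
    """Epoch seconds -> ISO-8601 UTC string; NULL stays None."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def transfer_events(conn):
    """Collapse the one-row-per-recipient entries into one event per file sent or received."""
    events, latest = [], {}  # latest: (type, filepath) -> most recent event
    # starttime, finishtime, filename, partner_handle are assumed column names
    for type_, partner, name, path, start, finish in conn.execute(
            "SELECT type, partner_handle, filename, filepath, starttime, finishtime "
            "FROM transfers ORDER BY starttime"):
        ev = latest.get((type_, path))
        same = (ev is not None and None not in (start, ev["start_epoch"])
                and start - ev["start_epoch"] <= WINDOW)
        if not same:
            ev = {"direction": DIRECTION.get(type_, f"unknown({type_})"),
                  "filename": name, "filepath": path, "partners": [],
                  "start_epoch": start, "started": utc(start),
                  "finish_epoch": None, "finished": None}
            latest[(type_, path)] = ev
            events.append(ev)
        ev["partners"].append(partner)
        if finish is not None and (ev["finish_epoch"] is None or finish > ev["finish_epoch"]):
            ev["finish_epoch"], ev["finished"] = finish, utc(finish)
    return events

def sample_db():
    """Constructed stand-in for main.db (not real case data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (type INTEGER, partner_handle TEXT, "
                 "filename TEXT, filepath TEXT, starttime INTEGER, finishtime INTEGER)")
    conn.executemany("INSERT INTO transfers VALUES (?,?,?,?,?,?)", [
        (2, "alice.example", "plan.pdf", r"C:\case\plan.pdf", 1356998400, 1356998460),
        (2, "bob.example", "plan.pdf", r"C:\case\plan.pdf", 1356998401, 1356998475),
        (1, "alice.example", "reply.doc", r"C:\case\reply.doc", 1357002000, None),
    ])
    return conn

if __name__ == "__main__":
    for event in transfer_events(sample_db()):
        print(event)
```

Against a working copy of evidence, open the file read-only, for example `sqlite3.connect("file:main.db?mode=ro", uri=True)`, and confirm the assumed column names against the table schema before relying on the output.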