Forensics Journal - Stevenson University 2013 | Page 71
During a forensic examination for Skype data, it is important for the examiner to look for data in all possible locations. On-scene responders should be made aware of the importance of capturing the RAM of computers that are powered on, before this volatile data is lost forever.
FIGURE 8: Fragments Found in RAM Memory
AUTOMATED SKYPE FORENSIC TOOLS
As discussed previously, Skype data is mainly stored in SQLite database tables and can be decoded manually. However, with a large amount of Skype data, this can be a time-consuming and tedious process. A standard forensic software suite such as Forensic Toolkit, EnCase or X-Ways will enable an examiner to find and view Skype data. However, finding Skype data outside of the normal, active Skype data files, in RAM or in “hiberfil.sys”, is more difficult (Shafer, Skype Data Experiments). Automated tools, specifically designed to decode Skype data, make it easier to present Skype artifacts to the investigator.
After an Internet search for Skype tools and discussions with other forensic examiners, a list of automated Skype tools was compiled, including NirSoft’s SkypeLogView, Sanderson Forensics’ Skypealyzer, Belkasoft’s Skype Analyzer, and Magnet Forensics’ Internet Evidence Finder (Shafer, Skype and Digital Forensics). Each of these software programs was tested against the experiment data to determine what artifacts it would decode. When possible, the full version was tested; in some cases, however, only free demonstration versions were available for testing.
Usually, in a standard forensic examination of one machine, the contents of text chats or the usernames may be unknown, making RAM searches more difficult. However, knowledge of the structure of the Skype data artifacts makes it easier to review the RAM for those artifacts. Figure 9 shows a fragment of a text chat in a standard hex view. The Skype username, epoch date, and content of the chat are all clearly viewable (Shafer, Skype Data Experiments). If the computer is on at the time of the search, capturing the RAM may reveal Skype data artifacts that have not yet been saved to disk.
For the testing, each software program’s output was compared to the screen captures and written logs kept during the experiments. Dates and times were checked for format and accuracy. A count was made of the number of chats sent and received, the number of phone calls sent and received, etc. These counts were compared with each tool’s output. All the Skype artifacts found during the manual decoding were looked for in the tools’ reports. Table 1 lists all the artifacts available and whether each tool was successful in obtaining this information (Shafer, Skype Data Experiments).
FIGURE 9: Fragments in HEX Editor
Overall, the tools tested performed as expected; that is, each provided the output its publisher claimed it would provide. The output of these tools was accurate for this limited test data set. The most expensive tools did provide more information, but the low-cost and free tools did very well (see Table 1). Special attention should be paid to the time zone information provided on the reports, as the time zone was not always clearly stated (Shafer, Skype Data Experiments). Because the epoch timestamps in the Skype data are zone-independent, a report that shows converted local times without naming the zone cannot be checked against the raw values until the examiner establishes which offset the tool applied.
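The script below is an added example; it is not part of the article and is not code from any of the tools it names. It shows the two points made above in working form: carving chat-style fragments (username, epoch date, chat text) out of a raw memory image when the structure of the artifact is known, and rendering the carved epoch values so that the time zone is always explicit. The fragment layout, the approximate Skype username rules, the sample bytes and the acquisition date are assumptions constructed for the example; real fragments must first be characterised in a hex view, as in Figure 9.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample memory image: two chat fragments surrounded by binary
# noise, plus a decoy whose "timestamp" is too short to be an epoch value.
# The fragment layout (username, NUL, epoch seconds, NUL, chat text, NUL) is
# an assumption made for this example, not the layout documented in the
# article; real fragments must be characterised in a hex view first.
SAMPLE_DUMP = (
    b"\x00\x17\xa9\x00\x00\x00"
    b"alice.examiner\x001358519400\x00Meet at the usual place tonight\x00"
    b"\xff\xfe\x00\x03\x10random padding\x00"
    b"bob.suspect\x001358523001\x00Ok, 9pm works\x00"
    b"\x00\x00\x00"
    b"not.a.user\x0099\x00too short to be an epoch\x00"
)

# Approximate Skype name rules (starts with a letter, 6-32 characters from
# letters, digits and . , - _); an assumption used here to cut false positives.
FRAGMENT_RE = re.compile(
    rb"(?P<user>[A-Za-z][A-Za-z0-9._,-]{5,31})\x00"
    rb"(?P<epoch>\d{10})\x00"
    rb"(?P<text>[\x20-\x7e]{1,1024})\x00"
)

# Reject 10-digit values that cannot be Skype timestamps: before the service
# existed (Skype launched in August 2003; this bound approximates that) or
# after the date the memory was acquired.
EPOCH_MIN = 1062000000


def carve_chat_fragments(dump, not_after):
    """Return plausible chat fragments from a raw memory image.

    Each hit carries its byte offset (for the report and for re-checking in a
    hex viewer), the username, the raw epoch value and its UTC rendering.
    """
    hits = []
    for m in FRAGMENT_RE.finditer(dump):
        epoch = int(m.group("epoch"))
        if not EPOCH_MIN <= epoch <= not_after:
            continue
        hits.append({
            "offset": m.start(),
            "user": m.group("user").decode("ascii"),
            "epoch": epoch,
            "utc": datetime.fromtimestamp(epoch, tz=timezone.utc),
            "text": m.group("text").decode("ascii"),
        })
    return hits


def render_times(epoch, local_offset_hours):
    """Render one epoch value in UTC and in an examiner-supplied fixed offset.

    The offset is an explicit input: an epoch value is zone-independent, so a
    report that prints a converted "local" time without naming the zone has
    added an assumption that the examiner must make visible.
    """
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    local = utc.astimezone(timezone(timedelta(hours=local_offset_hours)))
    return {
        "utc": utc.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "local": local.strftime("%Y-%m-%d %H:%M:%S UTC%z"),
    }


def infer_report_offset(report_time, carved_epoch, offsets_hours=range(-12, 15)):
    """Recover the whole-hour offset a tool used for a zone-less report time.

    Tries each candidate offset and returns the one under which the printed
    time equals the carved epoch, or None if no whole-hour offset fits
    (half-hour zones are ignored in this example).
    """
    naive = datetime.strptime(report_time, "%Y-%m-%d %H:%M:%S")
    for off in offsets_hours:
        candidate = naive.replace(tzinfo=timezone(timedelta(hours=off)))
        if int(candidate.timestamp()) == carved_epoch:
            return off
    return None


if __name__ == "__main__":
    # Constructed acquisition date: 2013-05-13 00:00:00 UTC (epoch 1368403200).
    for hit in carve_chat_fragments(SAMPLE_DUMP, not_after=1368403200):
        times = render_times(hit["epoch"], local_offset_hours=-5)
        print(f'0x{hit["offset"]:08x} {hit["user"]:<16} {times["utc"]} '
              f'({times["local"]}) {hit["text"]}')
    # A tool report that printed "2013-01-18 09:30:00" with no zone label.
    print("report offset:", infer_report_offset("2013-01-18 09:30:00", 1358519400))
```

Running the script against a real acquisition means replacing SAMPLE_DUMP with the bytes of the captured image and setting not_after to the acquisition time; the same scan applies to a pagefile.sys image, while hiberfil.sys must first be converted to a raw memory image because its contents are stored compressed. The recorded byte offsets let the examiner return to each hit in a hex viewer, and infer_report_offset gives a repeatable way to document which zone a tool's report actually used when the report does not say.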
Other potential sources of Skype data artifacts that have not yet been saved into the normal Skype data files are the Windows hibernation file, “hiberfil.sys”, and the Windows swap file, “pagefile.sys”. “Hiberfil.sys” contains the RAM contents at the time the computer goes into hibernation and can be found at the