Forensics Journal - Stevenson University 2013 | Page 71

FIGURE 8: Fragments Found in RAM Memory

During a forensic examination for Skype data, it is important for the examiner to look for data in all possible locations. On-scene responders should be made aware of the importance of capturing the RAM of computers that are on, before this important data is lost forever.

Usually, in a standard forensic examination of one machine, the contents of text chats or usernames may be unknown, making RAM searches more difficult. However, knowledge of the structure of the Skype data artifacts will make it easier to review the RAM for those artifacts. Figure 9 shows a fragment of a text chat in a standard hex view. The Skype user name, epoch date, and content of the chat are all clearly viewable (Shafer, Skype Data Experiments).

AUTOMATED SKYPE FORENSIC TOOLS

As discussed previously, Skype data is mainly stored in SQLite database tables and can be decoded manually. However, with a large amount of Skype data, this can be a time-consuming and tedious process. A standard forensic software suite like Forensic Toolkit, EnCase or X-Ways will enable an examiner to find and view Skype data. However, finding Skype data outside of the normal, active Skype data files, for example in RAM or in “hiberfil.sys”, is more difficult (Shafer, Skype Data Experiments). Automated tools, specifically designed to decode Skype data, make it easier to present Skype artifacts to the investigator. After an Internet search for Skype tools and discussions with other forensic examiners, a list of automated Skype tools was compiled, including NirSoft’s SkypeLogView, Sanderson Forensics’ Skypealyzer, Belkasoft’s Skype Analyzer, and Magnet Forensics’ Internet Evidence Finder (Shafer, Skype and Digital Forensics). Each of these software programs was tested against the experiment data to determine what artifacts it would decode. When possible, the full version was tested; in some cases a free demonstration version was tested instead.
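The manual decoding against which each tool's output is checked, as an added example that is not from the article or from any of the tools it tests: a Python script that reads a Skype-style SQLite database and produces the chat and call tallies, with UTC-labelled timestamps, that an examiner would compare with a tool's report. The table and column names are a constructed, simplified subset of Skype's main.db, and the rows are constructed sample data.

```python
# Added example (not from the article): manually decode a Skype-style SQLite
# database and tally what an examiner compares against an automated tool's
# report. Schema and rows are a constructed, simplified subset of Skype's main.db.
import sqlite3
from datetime import datetime, timezone

LOCAL_ACCOUNT = "alice.example"  # constructed: Skype name of the examined account

def build_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT,
                               timestamp INTEGER, body_xml TEXT);
        CREATE TABLE Calls (id INTEGER PRIMARY KEY, begin_timestamp INTEGER,
                            host_identity TEXT, is_incoming INTEGER, duration INTEGER);
    """)
    db.executemany(
        "INSERT INTO Messages (author, timestamp, body_xml) VALUES (?, ?, ?)",
        [("alice.example", 1356998400, "hello"),  # 2013-01-01 00:00:00 UTC
         ("bob.example", 1356998460, "hi alice"),
         ("alice.example", 1356998520, "call me")])
    db.executemany(
        "INSERT INTO Calls (begin_timestamp, host_identity, is_incoming, duration)"
        " VALUES (?, ?, ?, ?)",
        [(1356998600, "alice.example", 0, 120),  # outgoing call, 120 s
         (1357002000, "bob.example", 1, 45)])    # incoming call, 45 s
    return db

def epoch_to_utc(ts):
    """Epoch seconds to a string with an explicit UTC label (no time zone ambiguity)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def decode_skype_db(db, local_account):
    """Return the hand-tallied totals (chats/calls by direction) and decoded messages."""
    rows = db.execute("SELECT author, timestamp, body_xml FROM Messages ORDER BY timestamp")
    msgs = [{"author": a, "time": epoch_to_utc(t), "body": b} for a, t, b in rows]
    incoming = [inc for (inc,) in db.execute("SELECT is_incoming FROM Calls")]
    return {
        "chats_sent": sum(m["author"] == local_account for m in msgs),
        "chats_received": sum(m["author"] != local_account for m in msgs),
        "calls_sent": incoming.count(0),
        "calls_received": incoming.count(1),
        "messages": msgs,
    }

if __name__ == "__main__":  # stand-alone run: print the tallies
    for key, value in decode_skype_db(build_sample_db(), LOCAL_ACCOUNT).items():
        print(key, value)
```

The counts and timestamps this returns are the reference values to set beside a tool's report; a mismatch in a count or a time points to either a decoding gap in the tool or an unstated time zone.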
For the testing, each software program’s output was compared to the screen captures and written logs kept during the experiments. Dates and times were checked for format and accuracy. A count was made of the number of chats sent and received, the number of phone calls sent and received, and so on, and these counts were compared with each tool’s output. Each Skype artifact found during the manual decoding was then looked for in the tool’s reports. Table 1 lists all the artifacts available and whether the tool was successful in obtaining this information (Shafer, Skype Data Experiments).

Overall, the tools tested performed as expected; that is, each provided the output its publisher claimed it would provide. The output of these tools was accurate for this limited test data set. The most expensive tools did provide more information, but the low-cost and free tools did very well (see Table 1). Special attention should be paid to the time zone information provided on the reports, as the time zone of the reported times was not always clearly stated (Shafer, Skype Data Experiments).

FIGURE 9: Fragments in HEX Editor

If the computer is on at the time of the search, capturing the RAM may reveal Skype data artifacts that have not yet been saved to disk.

Other potential sources of Skype data artifacts which have not yet been saved into the normal Skype data files are the Windows hibernation file, “hiberfil.sys”, and the Windows swap file, “pagefile.sys”. “Hiberfil.sys” contains the RAM contents at the time the computer goes into hibernation and can be found at the