Skype Forensics Analysis – Experts Observations

Experts explain the specific challenges of Skype forensics analysis and how to meet them. The data collection and preservation methodology described here is the one currently used by law enforcement and legal agencies when investigating Skype.

Skype, a widely used VoIP application, offers video and voice calling, instant messaging and other forms of instant communication, and plays a vital role in today's communication arena. The classic client works on a peer-to-peer architecture and protects client connections with an encrypted channel (Transport Layer Security) against eavesdropping and other malicious activity.

Challenges in Skype Forensics Analysis

Skype uses strong encryption, such as TLS and Secure RTP, to protect the connections between its servers and clients. The same protection shields cybercriminals who misuse the platform for phishing, spamming and other illegitimate activity, and such misuse has increased. Because the traffic cannot simply be captured and read, the central challenge for a Skype investigation is how to decrypt, or otherwise extract, the artifacts.

A mobile device running Skype (an Android handset, for example) keeps user activity in two kinds of memory: RAM and NAND flash. RAM is volatile and holds the most sensitive material, such as encryption keys and the account username and password, but its contents are lost when the device is powered off. NAND flash is non-volatile, so data written there survives a power-off or reboot and can still be recovered afterwards.

The aim of Skype forensics analysis is to identify and extract the Skype databases from a seized device, which raises the following questions:

  • What data files does Skype generate and store on the machine?
  • Where are those files located?
  • In what format is the data stored?
  • How can the artifacts be viewed, examined and retrieved?

To answer these questions, an investigator needs to analyse the device in depth and categorise and identify the expected evidence. The Skype artifacts can be collected by manual file system extraction, starting on Windows with the registry:

  • Registry key
    HKEY_CURRENT_USER\Software\Skype
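The registry key above and the files discussed in the following sections are the collection targets. As an added example (not code from this article or from the tool it recommends), the Python script below walks a Skype profile tree, fingerprints each artifact with SHA-256 and later re-verifies the set, which is the preservation step a collection report needs. It assumes the classic Skype desktop layout, a per-account folder (%APPDATA%\Skype\<skypename>\ on Windows, ~/.Skype/<skypename>/ on Linux) holding main.db, config.xml and chatsync/, with shared.xml one level up; the registry helper reads only the HKEY_CURRENT_USER\Software\Skype key named above and returns nothing on other platforms; the folder tree it builds for the demonstration is synthetic.

```python
"""Collect and fingerprint the Skype artifacts this article names.

Added example; not the article's code nor the advertised tool. Assumes the
classic Skype desktop layout: %APPDATA%\\Skype\\<skypename>\\ (Windows) or
~/.Skype/<skypename>/ (Linux) holding main.db, config.xml and chatsync/,
with shared.xml beside the account folders. build_constructed_profile()
creates a synthetic tree for demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Artifacts discussed in the article, relative to one account folder.
ARTIFACT_GLOBS = ("main.db", "config.xml", "chatsync/**/*.dat")
SHARED_XML = "shared.xml"  # lives beside the account folders, not inside one


def registry_skype_keys() -> list[str]:
    """On Windows, list the subkeys of HKEY_CURRENT_USER\\Software\\Skype
    (one per account); elsewhere the hive does not exist, so return []."""
    try:
        import winreg
    except ImportError:
        return []
    names: list[str] = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Skype") as key:
            index = 0
            while True:
                try:
                    names.append(winreg.EnumKey(key, index))
                except OSError:      # no more subkeys
                    break
                index += 1
    except OSError:                  # key absent: Skype never ran for this user
        pass
    return names


def sha256_of(path: Path) -> str:
    """Stream the file in 1 MiB chunks so a large main.db is never fully loaded."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(skype_root: Path) -> list[dict]:
    """One record per artifact: relative path, size, mtime (UTC) and SHA-256.
    Files are only read, so the originals are not touched."""
    targets: list[Path] = []
    shared = skype_root / SHARED_XML
    if shared.is_file():
        targets.append(shared)
    for account in sorted(p for p in skype_root.iterdir() if p.is_dir()):
        for pattern in ARTIFACT_GLOBS:
            targets.extend(sorted(account.glob(pattern)))
    records = []
    for path in targets:
        st = path.stat()
        records.append({
            "path": path.relative_to(skype_root).as_posix(),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(path),
        })
    return records


def verify_inventory(skype_root: Path, records: list[dict]) -> list[str]:
    """Re-hash every inventoried file; return paths whose digest changed or that
    vanished. An empty list means the evidence set is intact."""
    changed = []
    for rec in records:
        path = skype_root / rec["path"]
        if not path.is_file() or sha256_of(path) != rec["sha256"]:
            changed.append(rec["path"])
    return changed


def build_constructed_profile(root: Path) -> None:
    """Synthetic stand-in for a seized profile; file contents are placeholders."""
    (root / SHARED_XML).write_text("<config><Lib/></config>")
    account = root / "alice.example"
    (account / "chatsync" / "a1").mkdir(parents=True)
    (account / "main.db").write_bytes(b"SQLite format 3\x00" + b"\x00" * 84)
    (account / "config.xml").write_text("<config><UI/></config>")
    (account / "chatsync" / "a1" / "a1b2c3d4.dat").write_bytes(b"abc")


def demo() -> dict:
    """Inventory the synthetic tree, then show that later tampering is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_profile(root)
        records = inventory(root)
        intact = verify_inventory(root, records)
        (root / "alice.example" / "main.db").write_bytes(b"modified after seizure")
        tampered = verify_inventory(root, records)
    return {"records": records, "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    for rec in result["records"]:
        print(rec)
    print("changed after tampering:", result["tampered"])
```

On a real case, point inventory() at the account root on a mounted image rather than on the live system, record the output with the case notes, and run verify_inventory() against the same records before and after analysis; a non-empty result means the working copy no longer matches what was seized.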

Skype Main.db File

The main.db file is the centrepiece of Skype forensics analysis. It is an SQLite 3 database holding calls and messages with their timestamps, the members of every call, the contact list and more.
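As an added example (not this article's code nor the tool it recommends), the Python below opens a main.db read-only, runs SQLite's integrity check, and merges the Messages and Calls tables into one UTC-ordered timeline, with the call members joined in from CallMembers. The schema it relies on (Contacts, Calls, CallMembers and Messages tables with epoch-second timestamp columns) is the classic Skype desktop layout reduced to the columns queried here; the rows it loads are constructed for the demonstration.

```python
"""Timeline extraction from a classic Skype main.db.

Added example; not the article's code nor the advertised tool. Assumes the
classic Skype desktop schema (Contacts, Calls, CallMembers, Messages with
epoch-second timestamps), reduced to the columns actually queried.
build_constructed_db() fabricates rows for demonstration.
"""
from __future__ import annotations

import sqlite3
from datetime import datetime, timezone


def open_evidence_db(path: str) -> sqlite3.Connection:
    """Open a seized main.db read-only so the analysis cannot alter evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def utc(epoch) -> str:
    """Skype stores UNIX epoch seconds; render as ISO-8601 UTC ('' for NULL)."""
    return "" if epoch is None else datetime.fromtimestamp(int(epoch), timezone.utc).isoformat()


def sanity(conn: sqlite3.Connection) -> dict:
    """List tables and run SQLite's own integrity check before trusting the file."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    return {"tables": tables, "integrity": conn.execute("PRAGMA integrity_check").fetchone()[0]}


def timeline(conn: sqlite3.Connection) -> list[tuple[str, str, str, str]]:
    """Merge Messages and Calls into (utc, kind, actor, detail), oldest first."""
    events: list[tuple[int, str, str, str]] = []
    for author, disp, t, body, partner in conn.execute(
            "SELECT author, from_dispname, timestamp, body_xml, dialog_partner FROM Messages"):
        events.append((int(t), "message", author, f"{disp} -> {partner}: {body}"))
    for call_id, begin, dur, host, incoming in conn.execute(
            "SELECT id, begin_timestamp, duration, host_identity, is_incoming FROM Calls"):
        members = [r[0] for r in conn.execute(
            "SELECT identity FROM CallMembers WHERE call_db_id=? ORDER BY id", (call_id,))]
        direction = "incoming" if incoming else "outgoing"
        events.append((int(begin), "call", host, f"{direction}, {dur or 0}s, members={members}"))
    events.sort(key=lambda e: e[0])
    return [(utc(t), kind, who, detail) for t, kind, who, detail in events]


def contacts_last_seen(conn: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """Contact list with each contact's last-online time."""
    return [(name, disp, utc(t)) for name, disp, t in conn.execute(
        "SELECT skypename, displayname, lastonline_timestamp FROM Contacts ORDER BY skypename")]


def build_constructed_db() -> sqlite3.Connection:
    """In-memory stand-in for a seized main.db: schema subset, synthetic rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Contacts (id INTEGER PRIMARY KEY, skypename TEXT, displayname TEXT,
                               lastonline_timestamp INTEGER);
        CREATE TABLE Calls (id INTEGER PRIMARY KEY, begin_timestamp INTEGER, duration INTEGER,
                            host_identity TEXT, is_incoming INTEGER);
        CREATE TABLE CallMembers (id INTEGER PRIMARY KEY, call_db_id INTEGER,
                                  identity TEXT, dispname TEXT);
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, from_dispname TEXT,
                               timestamp INTEGER, body_xml TEXT, dialog_partner TEXT);
        INSERT INTO Contacts VALUES (1, 'bob.example', 'Bob', 1388534400);
        INSERT INTO Messages VALUES (1, 'alice.example', 'Alice', 1388534460,
                                     'are you there?', 'bob.example');
        INSERT INTO Messages VALUES (2, 'bob.example', 'Bob', 1388534520,
                                     'calling you now', 'alice.example');
        INSERT INTO Calls VALUES (7, 1388534580, 95, 'bob.example', 1);
        INSERT INTO CallMembers VALUES (1, 7, 'bob.example', 'Bob');
        INSERT INTO CallMembers VALUES (2, 7, 'alice.example', 'Alice');
    """)
    return conn


if __name__ == "__main__":
    db = build_constructed_db()          # on a case: open_evidence_db("main.db")
    print(sanity(db))
    for row in timeline(db):
        print(*row, sep=" | ")
    for row in contacts_last_seen(db):
        print("contact:", *row)
```

Open the working copy with open_evidence_db() rather than a plain connect(): the read-only URI keeps SQLite from creating a journal or rewriting pages, so the digest recorded at collection still matches afterwards. Note that these queries only see live rows; deleted records that remain in free pages need carving, which is where a dedicated SQLite forensic tool comes in.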


Skype Shared XML File

The shared.xml file is an XML file with encoded entries. It stores the account username and the last IP address the client used to connect to Skype. Because it is plain text, it can simply be opened in Notepad during an investigation to check the timestamps of user activity.


Skype Config XML File

The config.xml file is created by Skype on both Windows and Linux and holds crucial information about the client's configuration. Its UNIX timestamp fields record when the user last used Skype, along with the corresponding values for each contact.
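Both shared.xml and config.xml mix epoch-second timestamps with ordinary settings, so reading them in Notepad means converting numbers by hand. The Python below, an added example that is not part of this article, walks an XML file, picks out every element text or attribute that parses as a plausible UNIX timestamp and renders it as UTC. The element names in its constructed sample are illustrative, not Skype's actual layout, and encoded values such as the IP address are left untouched.

```python
"""Decode UNIX timestamps in Skype's config.xml / shared.xml.

Added example, not from the article. Skype writes epoch-second values into
these files next to ordinary settings; this walks an XML document and reports
every element text or attribute that parses as a plausible epoch. The element
names in CONSTRUCTED_CONFIG_XML are illustrative, not Skype's real layout.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

EPOCH_RE = re.compile(r"^\d{9,10}(?:\.\d+)?$")
# Skype did not exist before 2003; values outside this window are ports,
# counters or serial numbers, not timestamps.
MIN_TS = 1041379200  # 2003-01-01T00:00:00Z
MAX_TS = 1893456000  # 2030-01-01T00:00:00Z

# Constructed sample: shape and names are illustrative only.
CONSTRUCTED_CONFIG_XML = """<?xml version="1.0"?>
<config version="1.0" timestamp="1388620800.5">
  <Lib>
    <Account>
      <LastUsed>1388534400</LastUsed>
      <Contacts>
        <bob.example><LastSeen>1388620800</LastSeen></bob.example>
      </Contacts>
    </Account>
  </Lib>
  <UI><General><Port>52375</Port><Serial>1234567890123</Serial></General></UI>
</config>
"""


def epoch_fields(xml_text: str) -> list[tuple[str, int, str]]:
    """Return (location, epoch seconds, ISO-8601 UTC) for each plausible timestamp,
    in document order. Location is an element path, with '@name' for attributes."""
    found: list[tuple[str, int, str]] = []

    def consider(value: str, where: str) -> None:
        if EPOCH_RE.match(value):
            secs = int(float(value))          # fractional seconds are truncated
            if MIN_TS <= secs <= MAX_TS:
                found.append((where, secs,
                              datetime.fromtimestamp(secs, timezone.utc).isoformat()))

    def walk(elem: ET.Element, path: str) -> None:
        consider((elem.text or "").strip(), path)
        for name, value in elem.attrib.items():
            consider(value.strip(), f"{path}@{name}")
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return found


def newest_activity(xml_text: str) -> str:
    """Latest timestamp in the file: a quick answer to 'when was this profile last used'."""
    fields = epoch_fields(xml_text)
    return max(fields, key=lambda f: f[1])[2] if fields else ""


if __name__ == "__main__":
    # On a case: epoch_fields(Path("config.xml").read_text(encoding="utf-8"))
    for where, raw, when in epoch_fields(CONSTRUCTED_CONFIG_XML):
        print(f"{where:55} {raw:>12} {when}")
    print("last activity:", newest_activity(CONSTRUCTED_CONFIG_XML))
```

The date window is the check that keeps this from misreading a port number or a serial as a date; widen MAX_TS if the case is later than 2030, and treat any value that falls outside the window as a setting, not a timestamp, unless the surrounding element name says otherwise.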


Skype Chatsync Folder

In a Skype investigation, the chatsync folder holds chat history as binary .dat files. The folder contains many such files, each holding the chat between two Skype users and the time at which their last chat ended; unlike the XML files, they cannot simply be read in a text editor.

Skype forensics analysis is an emerging field that attracts investigators. The evaluation above shows that a manual approach is not sufficient for a detailed examination and extraction of evidence from the database files. Investigators need a Skype forensics tool to explore and recover digital evidence from VoIP applications. With the help of such technologies it becomes possible to curb illegal activity on social platforms and prosecute those involved in such crimes.

The main.db file proves to be an outstanding repository of information during Skype investigations. Being an SQLite 3 database, it can be examined for evidence carving with Sqlite Forensic Explorer.