Skype forensics

A forensic consideration of Skype.

THE SKYPE CLIENT
The client apparently enables chat logging by default. TODO: Confirm this, and document where in the client configuration to look.

TODO: Finish this section.

THE SKYPE CLIENT’S PER-USER FILES
Where Skype stores its per-user configuration and data files is operating system-dependent:

  • Linux: ~/.Skype/SKYPE-USER/
  • Windows XP and previous: C:\Documents and Settings\WINDOWS-USER\Application Data\Skype\SKYPE-USER\
  • Windows Vista and later: C:\Users\WINDOWS-USER\AppData\Roaming\Skype\SKYPE-USER\

Throughout the rest of this document I shall assume the Linux location; change as necessary for your installation.

Because the Skype client stores user data in the home directory of the current computer user, consider the possibility that the same person may have used Skype while logged in on that computer as a different computer user. Example: Alice and Bob each have their own Skype accounts, alice-s and bob-s. They share a Windows computer on which they each have their own user accounts, alice-w and bob-w. The computer also has the default Windows accounts Guest and Administrator. Each often finds the computer logged in to the other’s Windows account and uses it rather than bothering to log out and back on. This will result in Skype user data for Bob being not only in C:\Users\bob-w\ but also in C:\Users\alice-w\ (and possibly in other Windows accounts as well). Thus a thorough search for Bob’s Skype user data on that computer would require looking in the user directories of all computer users.

On Windows, you can view all Windows accounts and the time each account was last logged in to with dir %SystemDrive%\Users. You need not have administrative privileges to view this.

Opening the Skype per-user directory we see something like:

~/.Skype/
    SKYPE-USERNAME/
     chatsync/
      */                Multiple directories; * = 2 alphanumeric characters
       *.dat            Multiple files; * = 16 alphanumeric characters
     dyncontent/
      bundle.dat
     httpfe/
      cookies.dat
     voicemail/
      *.dat             * = 27 alphanumeric characters
     bistats.db
     bistats.db-journal
     call*.dbb          * = multiple of 256
     callmember*.dbb    * = multiple of 256
     chat*.dbb          Multiple files; * = multiple of 256
     chatmember*.dbb    * = multiple of 256
     chatmsg*.dbb       Multiple files; * = multiple of 256
     config.lck
     config.xml
     contactgroup*.dbb  * = multiple of 256
     conversation*.dbb  * = multiple of 256
     dc.db
     dc.db-journal
     index2.dat
     main.db
     main.db-journal
     main.lock
     participant*.dbb   * = multiple of 256
     profile*.dbb       * = multiple of 256
     transfer*.dbb      Multiple files; * = multiple of 256
     user*.dbb          Multiple files; * = multiple of 256
     voicemail*.dbb     * = multiple of 256

Not all directories and files are present in all installations, presumably depending upon what activities the user has performed. Files are unencrypted binary data, despite Skype’s claim to the contrary. Those files I know the purpose of are described below.

The first level contains directories for each Skype user that has ever used this computer. Because it has unencrypted personal data, if I must use Skype on an untrusted computer, I delete the directory with my Skype username when I am finished. BleachBit Portable is a handy tool for this job.

Inside the user directory are mostly chat, call, and voicemail logs, all split across multiple files and combining data from multiple sessions and dates. Files are binary encoded but not encrypted, so you can easily get a gist of their contents with the Linux command strings, e.g. strings chatmsg256.dbb.

chatsync/*/*.dat are chat history files. Each file contains one or more chats between SKYPE-USER and one other user, the timestamp showing the time the last chat ended. The full chat history between those two users may be spread out over several *.dat files.

callmember*.dbb is the call history, oldest call first.

chatmsg*.dbb are redundant chat history files. Unlike *.dat files, a single chatmsg*.dbb file contains multiple chats with multiple users. chatmsg*.dbb files sometimes contain text not found in *.dat files.

config.xml contains the current configuration and contact list for the account holder. On Linux, this file is chown’ed to root every minute.

conversation*.dbb and participant*.dbb are redundant lists of Skype users that SKYPE-USER has attempted to chat with.

profile*.dbb is SKYPE-USER’s profile information.

transfer*.dbb list the pathnames of all received files.

user*.dbb contain profile information for SKYPE-USER’s contacts.

Excepting config.xml, data is not removed from the above files if a contact is removed.

Presumably one of the above files stores the client’s chat logging configuration, but I have not been able to find it.

The above files are legible enough for informal use, but if you need properly formatted data with timestamps — for legal proceedings, say — your best bet is to copy ~/.Skype/SKYPE-USERNAME/ to another computer with Skype installed and log in to Skype as the user in question. It will probably be easier to obtain the user’s password than to reconstruct the data.

If none of the above meets your needs, there are applications that attempt to reconstruct this data without needing the password. I have tested none of these and no doubt there are others, but for what it’s worth:

  • Belkasoft Skype Analyzer: Proprietary, $50. Windows only. Extracts chat, call, voicemail and SMS history, and contacts.
  • Skype Chat Message Backup: Open source. Exports Skype chat messages into HTML files.
  • Skypr: Windows only. Unknown license; no cost. Extracts the chat logs. Beta; no activity since 2008.
  • SkyypReader: Open source. Creates printable files from Skype logs.

If I were testing a free trial of such a tool I’d see how it handles Skype configuration data harvested from different public kiosks running different versions of the Skype client before putting down any money.

The timestamps of files and directories will reveal the time certain actions were taken on that computer:

  • When Skype was installed: ~/.Skype/shared.lck
  • When Skype was most recently used by any user: ~/.Skype/
  • SKYPE-USER’s first login: ~/.Skype/SKYPE-USER/config.lck. If SKYPE-USER’s account was created on this computer, this will be the account creation date.
  • SKYPE-USER’s most recent login: ~/.Skype/SKYPE-USER/
  • SKYPE-USER’s most recent voice call: ~/.Skype/SKYPE-USER/call*.dbb
  • SKYPE-USER’s most recent chat: ~/.Skype/SKYPE-USER/chatsync/. The text of that chat is in the subdirectory that has the same timestamp.
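The per-user layout and the timestamp list above, as an added example that is not part of the original post: a Python script that walks every home directory under one root (since, as noted above, the same person may have used Skype from several computer accounts), locates each ~/.Skype/SKYPE-USER/ in the Linux layout, and collects the timestamps listed above, counting only call*.dbb files whose suffix is a multiple of 256. All user names, paths and dates in build_sample_tree() are constructed.

```python
"""Added example, not the post's code: timestamp triage of ~/.Skype trees under every home directory."""
import os, tempfile
from datetime import datetime, timezone
from pathlib import Path

def mtime(p: Path) -> datetime:
    return datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
def newest(paths):
    return max((mtime(p) for p in paths), default=None)
def is_table_file(name: str, table: str) -> bool:
    # 'call256.dbb' belongs to table 'call' (suffix a multiple of 256); 'callmember256.dbb' does not
    num = name[len(table):-4]
    return name.startswith(table) and name.endswith(".dbb") and num.isdigit() and int(num) % 256 == 0

def triage(user_dir: Path) -> dict:
    root = user_dir.parent                                  # ~/.Skype/ (the post's timestamp list)
    opt = lambda p: mtime(p) if p.exists() else None
    return {"os_user": root.parent.name, "skype_user": user_dir.name,
            "installed": opt(root / "shared.lck"),          # when Skype was installed
            "first_login": opt(user_dir / "config.lck"),    # SKYPE-USER's first login
            "last_login": mtime(user_dir),
            "last_call": newest(p for p in user_dir.iterdir() if is_table_file(p.name, "call")),
            "last_chat": newest(p for p in (user_dir / "chatsync").glob("*") if p.is_dir())}

def find_skype_users(home_root: Path) -> list[dict]:
    return [triage(u) for home in sorted(home_root.iterdir())
            for u in sorted((home / ".Skype").glob("*")) if u.is_dir()]

def build_sample_tree(base: Path) -> None:
    layout = {  # constructed sample: alice-w's home also holds bob-s's data; trailing '/' = directory
        "alice-w/.Skype/shared.lck": "2012-01-05T10:00:00",
        "alice-w/.Skype/alice-s/config.lck": "2012-01-05T10:02:00",
        "alice-w/.Skype/alice-s/call256.dbb": "2013-03-30T18:00:00",
        "alice-w/.Skype/alice-s/callmember256.dbb": "2013-03-31T09:00:00",
        "alice-w/.Skype/alice-s/chatsync/1f/": "2013-04-01T12:00:00",
        "alice-w/.Skype/alice-s/": "2013-04-01T12:00:00",
        "alice-w/.Skype/bob-s/config.lck": "2013-02-14T20:00:00",
        "alice-w/.Skype/bob-s/chatsync/a0/": "2013-02-14T20:30:00",
        "alice-w/.Skype/bob-s/": "2013-02-14T20:30:00"}
    for rel in layout:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.mkdir(exist_ok=True) if rel.endswith("/") else p.touch()
    for rel, iso in layout.items():  # set times last: mkdir/touch would bump the parents' mtimes
        os.utime(base / rel, (datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp(),) * 2)

def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        return find_skype_users(Path(d))
```

Point find_skype_users() at /home (or a mounted image's home root) to run it against real data; demo() only runs it over the constructed tree.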

Skype does not store passwords locally.

When a user logs in for the first time on any given Skype installation, his contact list is downloaded to the local machine. A contact’s avatar, however, is only downloaded when that contact is seen online for the first time. Thus the presence of a nondefault avatar indicates that SKYPE-USER has seen that contact online using that Skype installation.

The Skype client does not always show all chats. Chats older than six months seem most likely to be suppressed. This online tool (Internet Explorer only) makes them visible. The developer warns: “If you wish to retain the ACTUAL dates that a Skype chat had a last message “Activity”, don’t use this utility, because all your Skype chats will show today as the last time a message was sent after the utility is run.” Also see other tools in “Other Examples Done In Internet Explorer” at the bottom of the page.

Skype’s user search is poor and should not be relied upon. For example, neither searching for “foo” nor for “bar” will reliably find the user “foobar”. Nor do the sort-field controls in the results window work reliably.

THE SKYPE PROTOCOL
Skype claims to encrypt chat, voice, and video transmission, but given that Skype falsely claims to encrypt local logs, I am skeptical. In any case, traffic analysis works even through the encryption.

Skype allows the same user to be logged in on multiple computers simultaneously. Due to a bug, chats from the later-opened instance sometimes pop up on the first-opened instance, or chats on one instance pop up upon logging in to a new instance.

Users report that the Skype protocol compares your chat history against that of the person you are chatting with to make sure that no messages have been lost. Any missing messages on either end are shared between Skype instances. They also report that this behavior is intermittent and apparently cannot be forced manually.

GENERAL FORENSIC NOTES
As is the case with any forensic work, be careful to preserve timestamps when you copy files. In Windows, robocopy preserves timestamps on files by default and can optionally preserve timestamps on directories. For example, this copies the current Windows user’s Skype directory to the current directory, preserving file and directory timestamps, suppressing stdout and stderr, and logging the operation:

robocopy "%appdata%\Skype" skype /copy:DT /dcopy:T /e /np /log:skype_log.txt /r:1 /w:1 >nul 2>&1

In Linux, the cp command preserves timestamps if used with the -a option. For example, this copies a Skype directory from a mounted storage device to a Linux box:

cp -a /media/SOURCE-DEVICE/skype /path/to/destination
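An added check, not from the original post: whichever copy command you use, confirm afterwards that every file and directory kept its modification time and contents. This Python example (the stand-in Skype directory and its 2013 timestamp are constructed) copies with shutil.copy2, which preserves timestamps like cp -a, beside shutil.copyfile, which does not, and reports every mismatch it finds.

```python
"""Added example, not the post's code: copy a Skype directory and verify that every
file and directory kept its modification time and contents."""
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256(p: Path) -> str:
    return hashlib.sha256(p.read_bytes()).hexdigest()

def verify_copy(src: Path, dst: Path) -> list[str]:
    """One line per mismatch between src and dst: missing entry, differing content, differing mtime."""
    problems = []
    for root, dirs, files in os.walk(src):
        for name in dirs + files:
            s = Path(root) / name
            d = dst / s.relative_to(src)
            if not d.exists():
                problems.append(f"missing: {d}")
                continue
            if s.is_file() and sha256(s) != sha256(d):
                problems.append(f"content differs: {d}")
            if int(s.stat().st_mtime) != int(d.stat().st_mtime):   # whole seconds: robust across filesystems
                problems.append(f"mtime differs: {d}")
    return problems

def build_sample(src: Path) -> None:
    """Constructed stand-in for ~/.Skype/SKYPE-USER/ with every mtime set to 2013-04-01T12:00:00Z."""
    for rel, data in {"config.xml": b"<config/>", "chatmsg256.dbb": b"binary", "chatsync/1f/a.dat": b"log"}.items():
        p = src / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    t = 1364817600                      # constructed timestamp
    for p in [src, *src.rglob("*")]:
        os.utime(p, (t, t))

def copy_and_verify(preserve: bool) -> list[str]:
    """copy2 (copytree's default) keeps file mtimes as cp -a does; copyfile does not.
    copytree copies directory stat either way, so only files show up as mismatches."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d, "skype"), Path(d, "copy")
        build_sample(src)
        shutil.copytree(src, dst, copy_function=shutil.copy2 if preserve else shutil.copyfile)
        return verify_copy(src, dst)

if __name__ == "__main__":
    print("copy2   :", copy_and_verify(True) or "all timestamps and contents match")
    print("copyfile:", copy_and_verify(False))
```

Run verify_copy() against the real source and destination after cp -a or robocopy; an empty list means the copy is faithful.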

REFERENCES
  • Skype Extras contains a (very) few forensically useful items hidden among the dross
  • There are Skype-related projects at Ohloh and SourceForge
  • Skype-related applications at Softlandmark
  • There are applications for recording Skype audio and video


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?

4 Responses to Skype forensics

  1. anonymous says:

    Ares writes: Thanks a lot for this documentation! I have tried to read the chatsync files using the reader from itsecuritylab.eu, but without success. I only get a list of files, but no actual messages. It seems that these files are completely binary, with only the names of the conversation partners in readable ASCII. Is it possible that the file format has changed? I could successfully read the main.db using sqlite. However, it does not contain messages which were deleted by the sender. Is there any way to recover these messages, either from parts of the main.db which have been marked as "deleted" (and thus don't show up in the database view) or from the (apparently binary) chatsync files?

  2. wpost says:

    The last time I revisited this issue, April 2013, I was able to successfully extract text from chatsync files using the Linux command strings. If I recall correctly, those files were created using the then-latest stable versions of Skype for Linux and Windows, but I'm afraid I didn't document the version numbers. I should start doing that, because as you say, file formats may change. That was a good idea you had to use sqlite to inspect main.db. Next time I revisit this issue I'll give it a try. I'm no database guru, so I'm afraid I don't know how to get around parts being marked as deleted. All I can think of is a workaround — get your hands on a backup of main.db that predates the sender's having deleted the messages of interest. Expanding on this, that sounds like a good reason to add at least main.db (better, all of Skype's configuration and user files) to your regular backup set.

  3. tcikoritys says:

    Just tried this on full disk backup images from a few years ago. These were Gentoo and Debian partitions. Everything is there as expected, except main.db. I know I wouldn’t have deleted it. Could there be some other way Skype for Linux wrote chat history?

    • Warren Post says:

      That’s odd. I don’t recall seeing an installation without main.db, and I am unaware of whether or not there have been versions of Skype that could have not produced this file. If you find the answer to this riddle, please write back, as you have made me curious.
