A forensic consideration of Skype.
THE SKYPE CLIENT
The client apparently enables chat logging by default. TODO: Confirm this, and document where in the client configuration to look.
TODO: Finish this section.
THE SKYPE CLIENT’S PER-USER FILES
Where Skype stores its per-user configuration and data files is operating system-dependent:
- Linux: ~/.Skype/SKYPE-USER/
- Windows XP and previous: C:\Documents and Settings\WINDOWS-USER\Application Data\Skype\SKYPE-USER\
- Windows Vista and later: C:\Users\WINDOWS-USER\AppData\Roaming\Skype\SKYPE-USER\
Throughout the rest of this document I shall assume the Linux location; change as necessary for your installation.
Because the Skype client stores user data in the home directory of the current computer user, consider the possibility that the same person may have used Skype while logged in on that computer as a different computer user. Example: Alice and Bob each have their own Skype accounts, alice-s and bob-s. They share a Windows computer on which they each have their own user accounts, alice-w and bob-w. The computer also has the default Windows accounts Guest and Administrator. Each often finds the computer logged in to the other’s Windows account and uses it rather than bothering to log out and back on. This will result in Skype user data for Bob being not only in C:\Users\bob-w\ but also in C:\Users\alice-w\ (and possibly in other Windows accounts as well). Thus a thorough search for Bob’s Skype user data on that computer would require looking in the user directories of all computer users.
On Windows, you can view all Windows accounts and the time each account was last logged in to with dir %SystemDrive%\Users. You need not have administrative privileges to view this.
Opening the Skype per-user directory we see something like:
~/.Skype/
  SKYPE-USER/
    chatsync/
      */                  Multiple directories; * = 2 alphanumeric characters
        *.dat             Multiple files; * = 16 alphanumeric characters
    dyncontent/
      bundle.dat
    httpfe/
      cookies.dat
    voicemail/
      *.dat               * = 27 alphanumeric characters
    bistats.db
    bistats.db-journal
    call*.dbb             * = multiple of 256
    callmember*.dbb       * = multiple of 256
    chat*.dbb             Multiple files; * = multiple of 256
    chatmember*.dbb       * = multiple of 256
    chatmsg*.dbb          Multiple files; * = multiple of 256
    config.lck
    config.xml
    contactgroup*.dbb     * = multiple of 256
    conversation*.dbb     * = multiple of 256
    dc.db
    dc.db-journal
    index2.dat
    main.db
    main.db-journal
    main.lock
    participant*.dbb      * = multiple of 256
    profile*.dbb          * = multiple of 256
    transfer*.dbb         Multiple files; * = multiple of 256
    user*.dbb             Multiple files; * = multiple of 256
    voicemail*.dbb        * = multiple of 256
Not all directories and files are present in all installations, presumably depending upon what activities the user has performed. Files are unencrypted binary data, despite Skype’s claim to the contrary. Those files I know the purpose of are described below.
The first level contains directories for each Skype user that has ever used this computer. Because it has unencrypted personal data, if I must use Skype on an untrusted computer, I delete the directory with my Skype username when I am finished. BleachBit Portable is a handy tool for this job.
Inside the user directory are mostly chat, call, and voicemail logs, all split across multiple files and combining data from multiple sessions and dates. Files are binary encoded but not encrypted, so you can easily get a gist of their contents with the Linux command strings, e.g. strings chatmsg256.dbb.
chatsync/*/*.dat are chat history files. Each file contains one or more chats between SKYPE-USER and one other user, the timestamp showing the time the last chat ended. The full chat history between those two users may be spread out over several *.dat files.
callmember*.dbb is the call history, oldest call first.
chatmsg*.dbb are redundant chat history files. Unlike *.dat files, a single chatmsg*.dbb file contains multiple chats with multiple users. chatmsg*.dbb files sometimes contain text not found in *.dat files.
config.xml contains the current configuration and contact list for the account holder. On Linux, this file is chown’ed to root every minute.
conversation*.dbb and participant*.dbb are redundant lists of Skype users that SKYPE-USER has attempted to chat with.
profile*.dbb is SKYPE-USER’s profile information.
transfer*.dbb list the pathnames of all received files.
user*.dbb contain profile information for SKYPE-USER’s contacts.
Excepting config.xml, data is not removed from the above files if a contact is removed.
Presumably one of the above files stores the client’s chat logging configuration, but I have not been able to find it.
The above files are legible enough for informal use, but if you need properly formatted data with timestamps, for legal proceedings, say, your best bet is to copy ~/.Skype/SKYPE-USER/ to another computer with Skype installed and log in to Skype as the user in question. It will probably be easier to obtain the user’s password than to reconstruct the data.
If none of the above meets your needs, there are applications that attempt to reconstruct this data without need for the password. I have tested none of these and no doubt there are others, but for what it’s worth:
- Belkasoft Skype Analyzer: Proprietary, $50. Windows only. Extracts chat, call, voicemail and SMS history, and contacts.
- Skype Chat Message Backup: Open source. Exports Skype chat messages into HTML files.
- Skypr: Windows only. Unknown license; no cost. Extracts the chat logs. Beta; no activity since 2008.
- SkyypReader: Open source. Creates printable files from Skype logs.
If I were testing a free trial of such a tool I’d see how it handles Skype configuration data harvested from different public kiosks running different versions of the Skype client before putting down any money.
The timestamps of files and directories will reveal the time certain actions were taken on that computer:
- When Skype was installed: ~/.Skype/shared.lck
- When Skype was most recently used by any user: ~/.Skype/
- SKYPE-USER’s first login: ~/.Skype/SKYPE-USER/config.lck. If SKYPE-USER’s account was created on this computer, this will be the account creation date.
- SKYPE-USER’s most recent login: ~/.Skype/SKYPE-USER/
- SKYPE-USER’s most recent voice call: ~/.Skype/SKYPE-USER/call*.dbb
- SKYPE-USER’s most recent chat: ~/.Skype/SKYPE-USER/chatsync/. The text of that chat is in the subdirectory that has the same timestamp.
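The timestamp list above and the earlier note about reading *.dbb files with strings, worked as a script. This is an added example, not part of the original notes: it assumes the Linux layout (~/.Skype/SKYPE-USER/), reports raw epoch mtimes rather than interpreting them, and the tree it builds for demonstration is constructed, not real Skype data.

```python
import glob
import os
import re
import tempfile

def _mtime(path):
    """Modification time of path in seconds since the epoch, or None if it does not exist."""
    return os.path.getmtime(path) if os.path.exists(path) else None

def timeline(skype_root, user):
    """Map each event in the list above to the file or directory timestamp that records it."""
    udir = os.path.join(skype_root, user)
    last_chat = _mtime(os.path.join(udir, "chatsync"))
    # The text of the last chat is in the chatsync subdirectory sharing chatsync/'s timestamp.
    chat_dir = next((d for d in glob.glob(os.path.join(udir, "chatsync", "*"))
                     if os.path.isdir(d) and _mtime(d) == last_chat), None)
    return {
        "installed": _mtime(os.path.join(skype_root, "shared.lck")),
        "last_used_any_user": _mtime(skype_root),
        "first_login": _mtime(os.path.join(udir, "config.lck")),
        "last_login": _mtime(udir),
        "last_call": max(filter(None, map(_mtime, glob.glob(os.path.join(udir, "call*.dbb")))),
                         default=None),
        "last_chat": last_chat,
        "last_chat_dir": os.path.basename(chat_dir) if chat_dir else None,
    }

def dbb_strings(path, min_len=4):
    """Printable ASCII runs in an unencrypted *.dbb file, like the strings(1) command."""
    with open(path, "rb") as fh:
        return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, fh.read())]

def build_sample_layout():
    """Constructed fixture, not real Skype data: a minimal ~/.Skype tree with chosen mtimes."""
    root = tempfile.mkdtemp()
    for sub in ("alice-s/chatsync/a1", "alice-s/chatsync/b2"):
        os.makedirs(os.path.join(root, sub))
    files = {"shared.lck": 1300000000, "alice-s/config.lck": 1310000000,
             "alice-s/call256.dbb": 1320000000, "alice-s/call512.dbb": 1325000000}
    for rel, ts in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00\x01bob-s\x00\x02call ended\x00\x03ok\x00")  # constructed bytes
        os.utime(os.path.join(root, rel), (ts, ts))
    # Directory mtimes go last, because creating entries would otherwise bump them again.
    dirs = [("alice-s/chatsync/a1", 1327000000), ("alice-s/chatsync/b2", 1330000000),
            ("alice-s/chatsync", 1330000000), ("alice-s", 1331000000), ("", 1331000000)]
    for rel, ts in dirs:
        os.utime(os.path.join(root, rel), (ts, ts))
    return root
```

Run timeline() against a copy made with cp -a or robocopy as described under GENERAL FORENSIC NOTES; a copy that did not preserve timestamps will report the copy time for everything.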
Skype does not store passwords locally.
When a user logs in for the first time on any given Skype installation, his contact list is downloaded to the local machine. A contact’s avatar, however, is only downloaded when that contact is seen online for the first time. Thus the presence of a nondefault avatar indicates that SKYPE-USER has seen that contact online using that Skype installation.
The Skype client does not always show all chats. Chats older than six months seem most likely to be suppressed. This online tool (Internet Explorer only) makes them visible. The developer warns: “If you wish to retain the ACTUAL dates that a Skype chat had a last message ‘Activity’, don’t use this utility, because all your Skype chats will show today as the last time a message was sent after the utility is run.” Also see other tools in “Other Examples Done In Internet Explorer” at the bottom of the page.
Skype’s user search is poor and should not be relied upon. For example, neither searching for “foo” nor “bar” will reliably find the user “foobar”. Nor do the sort fields controls in the results window work reliably.
THE SKYPE PROTOCOL
Skype claims to encrypt chat, voice, and video transmission, but given that Skype falsely claims to encrypt local logs, I am skeptical. In any case, traffic analysis works even through the encryption.
Skype allows the same user to be logged in on multiple computers simultaneously. Due to a bug, chats from the later-opened instance sometimes pop up on the first-opened instance, or chats on one instance pop up upon logging in to a new instance.
Users report that the Skype protocol compares your chat history against that of the person you are chatting with to make sure that no messages have been lost. Any missing messages on either end are shared between Skype instances. They also report that this behavior is intermittent and apparently cannot be forced manually.
GENERAL FORENSIC NOTES
As is the case with any forensic work, be careful to preserve timestamps when you copy files. In Windows, robocopy preserves timestamps on files by default and can optionally preserve timestamps on directories. For example, this copies the current Windows user’s Skype directory to the current directory, preserves file and directory timestamps, suppresses stdout and stderr, and logs the operation:
robocopy "%appdata%\Skype" skype /copy:DT /dcopy:T /e /np /log:skype_log.txt /r:1 /w:1 >nul 2>&1
In Linux, the cp command preserves timestamps if used with the -a option. For example, this copies a Skype directory from a mounted storage device to a Linux box:
cp -a /media/SOURCE-DEVICE/skype /path/to/destination
- Skype Extras contains a (very) few forensically useful items hidden among the dross.
- There are Skype-related projects at Ohloh and SourceForge.
- Skype-related applications at Softlandmark.
- There are applications for recording Skype audio and video.