Differentiating Sky...
 
Notifications
Clear all

Differentiating Skype artefacts on an iPhone and Desktop

7 Posts
4 Users
0 Likes
687 Views
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Hi.

I have a bit of a puzzler. I have an iPhone 5 that has loads of Skype conversation/messages etc on it, but the person also has a PC and the Main.DB on that looks to be the same.

I've been asked to confirm whether the conversations took place on the iPhone. However, after running my own tests on a desktop version of Skype, it instantly synced to my iPhone without asking and the DBs looks identical.

Does anybody know if its possible to identify where the conversations took place, any tables maybe in the database that differentiate?

Thanks.
4R

 
Posted : 10/06/2014 9:43 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

I think, that you can look for timestamps chatsync files and timestamps from maid.db.

 
Posted : 11/06/2014 8:43 am
(@mcman)
Posts: 189
Estimable Member
 

I'd have to agree with Igor's mention of the chatsync folder, that's probably where you want to look. The chatsync files were created specifically to help deal with using multiple devices with one account so when a user answers a Skype call on their mobile, it doesn't continue to ring on their PC. In my limited research, both the main.db and chatsync folders had a lot of duplicate data but they weren't identical. Often chatsync had some extra artifacts that weren't found in the main.db (and vice versa, but they were both still valid message conversations). I don't have any definitive details as to how to separate which conversation came from what device but if the info is anywhere, the chatsync folder would be the first place I look.

Hope that helps.

 
Posted : 11/06/2014 6:41 pm
(@francesco)
Posts: 79
Trusted Member
 

If I remember well there should be a difference in the "chatmsg_status" field sent messages should have a "sent" value only if they were sent on the device where the main.db came from. Check if those values are different.

 
Posted : 11/06/2014 8:12 pm
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Apologies for late reply. Been basking in the sun on annual leave 8)

I will take a look at the Chatsync and Main.db and focus on these to check the differences.

It would be nice if there was a table in there that noted if it was a mobile device or desktop (but that would be too easy then!)

I'll keep delving and hopefully something will come up that as plain as the nose on my face (or in other terms, than can be easily explained to CPS and or Defence! (thats the difficult part!)

Thanks.

 
Posted : 19/06/2014 5:26 pm
(@francesco)
Posts: 79
Trusted Member
 

Are we talking about voice conversations or messages? Because voice conversations should have a field with call informations including device details somewhere.

 
Posted : 19/06/2014 5:53 pm
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

From what I've got so far, we are mainly concerned about messages, but I think calls will some into it at some point.

 
Posted : 19/06/2014 6:47 pm
Share: