Identifying the message direction in Skype's Message table

(@francesco)
Posts: 79
Trusted Member
Topic starter
 

Hello,

I carved some deleted Skype records from a main.db file and all the record fields seem to be correctly read, including the last ones, so the records have certainly not been overwritten (I also validated the header and payload lengths, and every offset matches); however, I'm having some issues with the chatmsg_status field.

According to many websites, chatmsg_status is supposed to have value 1/2 for outgoing messages and 3/4 for received messages, but that doesn't seem to always be the case. Basically my problem is that there are messages where the author/sender is the Skype account owner yet the message is marked as incoming, way too many to be some coincidental corruption.

So the questions are: is that an expected behavior? Does Skype accidentally save those records incorrectly? Is my idea of basing the direction of the message on whether the author/sender is the Skype account owner really the most reliable way to determine the direction, or is there any better way? Also, is there any documentation I could attach as proof that those are still valid messages?

Thanks in advance for the attention,

Francesco

[EDIT] I finally found some time to make a nice print of all the messages where the value didn't match, and I saw a pattern of first capital letters, therefore the cause is very likely the synchronization of messages from other devices (phones, tablets, other computers, etc.). Since there is no way to differentiate those messages, that field is now unusable.

 
Posted : 15/11/2013 6:31 pm
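The two direction heuristics compared in the post above (the documented chatmsg_status mapping versus matching the author against the local account), as an added example that is not the poster's code. It assumes the commonly documented main.db layout (an Accounts table with a skypename column, and the Messages columns named in the thread) and uses constructed rows that reproduce the cases reported: a synced message whose status contradicts its author, a missing author, and a status outside 1..4.

```python
"""Compare the two ways of deriving message direction discussed above.
Added example, not the poster's code. Table/column names follow the
commonly documented Skype 5/6 main.db layout (Accounts.skypename,
Messages.author/dialog_partner/chatmsg_status); rows are constructed."""
import sqlite3

# chatmsg_status meaning as reported in the thread: 1/2 outgoing, 3/4 incoming.
STATUS_DIRECTION = {1: "outgoing", 2: "outgoing", 3: "incoming", 4: "incoming"}


def build_sample_db():
    """In-memory stand-in for main.db with the cases the thread describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Accounts (id INTEGER PRIMARY KEY, skypename TEXT);
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, author TEXT,
                               dialog_partner TEXT, timestamp INTEGER,
                               chatmsg_status INTEGER, body_xml TEXT);
        INSERT INTO Accounts VALUES (1, 'alice');
        INSERT INTO Messages VALUES
          (1, '#alice/$bob;1', 'alice', 'bob',   1384500000, 2, 'typed on this PC'),
          (2, '#alice/$bob;1', 'bob',   'alice', 1384500060, 4, 'reply from bob'),
          (3, '#alice/$bob;1', 'alice', 'bob',   1384500120, 4, 'Sent from a phone and synced'),
          (4, '#alice/$bob;1', NULL,    'bob',   1384500180, 1, 'author missing'),
          (5, '#alice/$bob;1', 'bob',   'alice', 1384500240, 7, 'status outside 1..4');
    """)
    return conn


def classify(conn):
    """Derive direction from author vs. the local account(s) and from
    chatmsg_status, and flag rows where the two disagree."""
    local = {r[0] for r in conn.execute("SELECT skypename FROM Accounts")}
    results = []
    query = "SELECT id, author, chatmsg_status FROM Messages ORDER BY id"
    for mid, author, status in conn.execute(query):
        if author is None:
            by_author = "unknown"
        else:
            by_author = "outgoing" if author in local else "incoming"
        by_status = STATUS_DIRECTION.get(status)   # None when status is not in 1..4
        results.append({
            "id": mid,
            "by_author": by_author,
            "by_status": by_status,
            "status_valid": by_status is not None,
            # a disagreement is what the poster saw on messages synced from other devices
            "conflict": by_status is not None and by_author not in ("unknown", by_status),
        })
    return results


def summarize(results):
    """Counts a reviewer would want before trusting chatmsg_status at all."""
    return {
        "messages": len(results),
        "conflicts": sum(r["conflict"] for r in results),
        "invalid_status": sum(not r["status_valid"] for r in results),
        "author_missing": sum(r["by_author"] == "unknown" for r in results),
    }
```

On a real main.db the same query runs unchanged against the file (`sqlite3.connect(path)`); a non-zero `conflicts` count with a pattern in the affected messages is the signal that chatmsg_status is not recording direction for that data set, while `invalid_status` is the cheap "is this record intact" check the poster falls back on.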
binarybod
(@binarybod)
Posts: 272
Reputable Member
 

francesco,

My current role involves identifying the artifacts left by software as it executes on various systems (I know, dream job, right?)

One thing I have picked up over the years is that open source and published papers are a fantastic resource, but they have their limitations; sometimes you just have to compare the results you have obtained with the results from commercial software. [whisper] Sometimes this can be done using just a trial version of the software.

I don't know of any OS software that deals with Skype to any great degree but I do know where I would go to get the best information…

Paul Sanderson used to work for Dr Solomon (I think), reverse engineering viruses, and now has his own company, Sanderson Forensics. Paul wrote Kazalyser to analyse the P2P program Kazaa. Kazaa used their protocol to form the backbone to Skype which (we all know) has subsequently fallen into the hands of Mike Rowe Soft. Paul wrote SkypeAlyzer using his knowledge of Kazaa and reverse engineering. He has (I believe) kept it up to date since then.

Paul is a prolific poster to this forum so you should be able to locate him fairly easily. I do know Paul quite well and I do owe him a beer or two, so I should declare my interest right now - Paul, those beers I owe you are hereby expunged with this posting.

My advice is to do one of the following
1) buy Paul a beer (or two), the more you buy, the better the chance of getting the information you seek.
2) buy SkypeAlyzer,
3) buy some other software that (claims) to decode Skype,
4) hope someone out there can answer your question (which I have to say, is refreshingly focused).

I have to declare that until I need to investigate Skype I can't provide you an answer myself; when I do need to investigate it, however, you now know where I'll be going…

 
Posted : 19/11/2013 2:20 am
MagnetForensics
(@magnetforensics)
Posts: 40
Eminent Member
 

Hi Francesco,

I'm not one to ever want to get in the way of someone receiving free beer (and I'm sure Paul can offer some thoughts on this as well), but I would rely on the author/dialog_partner fields and your knowledge of who the local user is more than on the chatmsg_status data. In my experience it can be somewhat unreliable (although I haven't seen totally contradictory examples like you are seeing).

If you are able to share the raw data for one of the messages in question I can take a look and let you know if I see anything strange or provide any further insight. You can email me directly at jad(at)magnetforensics(dot)com.

Best regards,
Jad

 
Posted : 19/11/2013 9:33 am
(@francesco)
Posts: 79
Trusted Member
Topic starter
 

Hello and thanks for the answer. I had a look at that software, but as soon as I try opening a main.db it closes, and I tried it on four different files. From some screenshots I found, it doesn't seem to support that field; it seems to print a summary of the Messages table, so I don't think it could be of much help in figuring this out.

Skype apparently creates records where the recipient is sometimes missing or where the username written in the "author" field doesn't seem to be the actual caller, sometimes for group chats/calls (which can be identified with participant_count) but sometimes also for no apparent reason (disconnected users?). I have the database files of both the sender and the recipients, that's why I noticed something was wrong, though I don't have the required time and patience to test every single case, especially since it's not really important to know who started the calls, this not being a 'Scream' movie-like case.

The field doesn't seem to be important per se (I wanted to use it to automatically identify the accounts used on the machines), but it would have been a nice validation for overwritten records, though it works for validation just as well by simply checking whether it has one of the four allowed values (1-4).

That said, I actually have a bigger (and moral) dilemma now. For this case I had to write both a carver library for the old DBB files, another carver library for SQLite records (that brute-forces SQLite record reads and returns records compatible with the CREATE TABLE schemas you feed it) and a utility that uses both to extract all the chat logs, since a long time ago, when I started working on the case, I couldn't find any other software that would do the carving on the whole disk image; also I wouldn't have been authorized to buy one, and ultimately I wouldn't have been sure all the records would have been carved (when writing my own software I had it output every piece of data with chatnames in it to verify no valid messages had been discarded). I wanted to release this either as freeware or open source since I didn't want it to end up as a one-use tool, though I'm pretty puzzled now whether it's a good idea to release it since it could hurt other software sales. Am I wrong?

 
Posted : 19/11/2013 9:38 am
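The record-level validation the poster describes (header length, payload length, offsets and serial types compatible with the CREATE TABLE schema) is what separates a carved SQLite cell from random bytes. The following is an added example, not the poster's library: a minimal carver for SQLite table-leaf cells against a known column list. The `SCHEMA` is a constructed subset of Skype's Messages table and `ROW1`/`ROW2`/`SAMPLE` are constructed data, not Skype records; the real schema must be read from `sqlite_master` of the main.db at hand, since it varies by Skype version.

```python
"""Carve SQLite table-leaf cells matching a known schema out of raw bytes.
Added example, not the poster's carver; SCHEMA, ROW1/ROW2 and SAMPLE are constructed."""
import struct

# (name, declared type). First column is assumed INTEGER PRIMARY KEY: rowid, NULL in record.
SCHEMA = [("id", "INTEGER"), ("chatname", "TEXT"), ("author", "TEXT"),
          ("dialog_partner", "TEXT"), ("timestamp", "INTEGER"),
          ("chatmsg_status", "INTEGER"), ("body_xml", "TEXT")]
_FIXED = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 7: 8, 8: 0, 9: 0}  # body bytes per type

def read_varint(buf, pos):
    """SQLite varint: up to 8 bytes of 7 bits each, a 9th byte adds 8 bits."""
    value = 0
    for i in range(9):
        if pos + i >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos + i]
        if i == 8:
            return (value << 8) | b, pos + 9
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1

def encode_varint(v):  # inverse of read_varint for v < 2**56 (enough for the sample)
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))

def serial_size(st):  # serial types 10 and 11 are reserved, so a record using them is bogus
    if st in (10, 11):
        raise ValueError("reserved serial type")
    return _FIXED.get(st, (st - 12) // 2)

def compatible(st, decl):  # NULL fits any column; INTEGER: 1-6/8/9; TEXT: odd type >= 13
    if st == 0 or decl not in ("INTEGER", "TEXT"):
        return True
    return (st <= 9 and st != 7) if decl == "INTEGER" else (st >= 13 and st % 2 == 1)

def decode_value(st, data):
    if st <= 6:  # 0 = NULL, 1..6 = big-endian signed integers of 1,2,3,4,6,8 bytes
        return None if st == 0 else int.from_bytes(data, "big", signed=True)
    if st <= 9:  # 7 = IEEE double, 8/9 = the constants 0 and 1
        return struct.unpack(">d", data)[0] if st == 7 else st - 8
    return bytes(data) if st % 2 == 0 else data.decode("utf-8")

def parse_cell(buf, pos, schema):
    """Accept a cell only if header length, column count, types and header+body == payload agree."""
    try:
        payload_len, p = read_varint(buf, pos)
        rowid, start = read_varint(buf, p)
        header_len, p = read_varint(buf, start)
        if header_len < 2 or header_len > payload_len or start + payload_len > len(buf):
            return None
        types = []
        while p < start + header_len:
            st, p = read_varint(buf, p)
            types.append(st)
        if (p != start + header_len or len(types) != len(schema)
                or header_len + sum(serial_size(t) for t in types) != payload_len
                or not all(compatible(t, d) for t, (_, d) in zip(types, schema))):
            return None
        values = {}
        for st, (name, _) in zip(types, schema):
            values[name], p = decode_value(st, buf[p:p + serial_size(st)]), p + serial_size(st)
        if values[schema[0][0]] is None:
            values[schema[0][0]] = rowid  # INTEGER PRIMARY KEY is stored as the rowid
        return values, p
    except (ValueError, UnicodeDecodeError):
        return None

def carve(buf, schema=SCHEMA):  # slide byte by byte; after a validated cell, resume behind it
    found, pos = [], 0
    while pos < len(buf):
        cell = parse_cell(buf, pos, schema)
        if cell:
            found.append(cell[0])
        pos = cell[1] if cell else pos + 1
    return found

def encode_cell(row, schema=SCHEMA):
    """Leaf cell for the sample (inverse of parse_cell; ints always use 8-byte type 6)."""
    types, body = [], b""
    for v in row[1:]:  # row[0] is the INTEGER PRIMARY KEY -> rowid, NULL inside the record
        if v is None:
            types.append(0)
        elif isinstance(v, int):
            types.append(6)
            body += v.to_bytes(8, "big", signed=True)
        else:
            types.append(13 + 2 * len(v.encode()))
            body += v.encode()
    type_bytes = encode_varint(0) + b"".join(encode_varint(t) for t in types)
    header = encode_varint(len(type_bytes) + 1) + type_bytes  # header stays < 128 bytes
    return encode_varint(len(header) + len(body)) + encode_varint(row[0]) + header + body

# Constructed rows (not real Skype data) dropped into a stand-in for unallocated space.
ROW1 = (2001, "#alice/$bob;1", "alice", "bob", 1384500000, 2, "sent from this PC")
ROW2 = (2002, "#alice/$bob;1", "bob", None, 1384500060, 4, "ciao, è arrivato?")
SAMPLE = b"\xff" * 7 + encode_cell(ROW1) + b"\x00\x13junk" + encode_cell(ROW2) + b"\x00" * 5
```

The strong test is header length plus the sum of the serial-type sizes equalling the declared payload length; the type check is a heuristic, because SQLite column affinity allows, for instance, text in an INTEGER column, so `compatible` may need loosening for a given table. On a disk image the same `carve` runs over each chunk of unallocated space, and a chatmsg_status outside 1..4 on an otherwise consistent cell is the sign of a partially overwritten record the thread discusses.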
(@francesco)
Posts: 79
Trusted Member
Topic starter
 

Hi Francesco,

I'm not one to ever want to get in the way of someone receiving free beer (and I'm sure Paul can offer some thoughts on this as well), but I would rely on the author/dialog_partner fields and your knowledge of who the local user is more than on the chatmsg_status data. In my experience it can be somewhat unreliable (although I haven't seen totally contradictory examples like you are seeing).

If you are able to share the raw data for one of the messages in question I can take a look and let you know if I see anything strange or provide any further insight. You can email me directly at jad(at)magnetforensics(dot)com.

Best regards,
Jad

Sorry, I started writing the previous one without noticing your answer. Yes, in the end that's what I looked at, and I gave up on the idea of identifying the user accounts. Now I only check that field because it always comes after the messages (at least in the table schemas I've found), so it helps identify the partially overwritten records.

I don't really think there's anything strange in those records; they really seem to have been saved that way, some are still actually referenced (active) in the database and I found them on all the machines I've analyzed. There are also some other weird things I noticed, for example in some calls "author" and "dialog_partner" are the same (most likely all dropped calls), sometimes the author is missing, sometimes the dialog_partner is missing in messages too (disconnected or invisible user?), and those are just the ones I remember. All the records have been saved that way, though, since the header and payload sizes all match perfectly. I have been pretty obsessive about validating everything in several ways to hopefully avoid ending up roasted in court, but there are certainly lots of weird things going on when Skype saves those records; I wish I had the time to try and reproduce all the cases, but setting up the virtual machines and multiple accounts required would be really time consuming.

 
Posted : 19/11/2013 10:22 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Hello and thanks for the answer. I had a look at that software, but as soon as I try opening a main.db it closes, and I tried it on four different files. From some screenshots I found, it doesn't seem to support that field; it seems to print a summary of the Messages table, so I don't think it could be of much help in figuring this out.

I do wish people who notice a bug in my code would tell me rather than letting me find out through forums like this. Could you please tell me which version of SkypeAlyzer you were using? I would like to get to the bottom of this.

Could you supply the main.db for testing? I appreciate you said you tried SkypeAlyzer on multiple DBs, but I can't reproduce that problem here.

And in answer to your question, as Jad says, there are multiple methods of determining the direction of a message - the chatmsg_status is one of them. I don't use it, but without checking through my notes I can't remember if there is a reason for this.

Thanks

 
Posted : 19/11/2013 11:51 pm
(@francesco)
Posts: 79
Trusted Member
Topic starter
 

Hello and thanks for the answer. I had a look at that software, but as soon as I try opening a main.db it closes, and I tried it on four different files. From some screenshots I found, it doesn't seem to support that field; it seems to print a summary of the Messages table, so I don't think it could be of much help in figuring this out.

I do wish people who notice a bug in my code would tell me rather than letting me find out through forums like this. Could you please tell me which version of SkypeAlyzer you were using? I would like to get to the bottom of this.

Could you supply the main.db for testing? I appreciate you said you tried SkypeAlyzer on multiple DBs, but I can't reproduce that problem here.

And in answer to your question, as Jad says, there are multiple methods of determining the direction of a message - the chatmsg_status is one of them. I don't use it, but without checking through my notes I can't remember if there is a reason for this.

Thanks

The About window says 1.2.32; it's the demo version I downloaded from the official website. I simply installed it, created a new case and loaded the main.db; once the main.db starts loading, the main window closes, no error messages or anything. I also tried the application in a virtual machine with XP (thinking Windows 8.1 was the problem) but the application closed the same way. The log file (SkypeAlyzer_1.csl?) says as its last message that there was an error loading the main.db file.

I tried it again, this time with my personal main.db file (latest Skype 6.10), same result. If you say it usually works, I presume it could be some issue in the trial restrictions or some issue with the UTF-8 encoding used for Italian text?

I can't send you those main.db files since they contain sensitive data; however, I just created a new Skype install just to have a clean main.db file, and with this file it also crashes, so I'm sending it to you so you can test whether it's the file or something else. If you think it's something else, I can give you access to the virtual machine I used for the tests if you think it can help.

 
Posted : 20/11/2013 5:02 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Thanks Francesco I'll have a look today and see what I can find out.

Paul

 
Posted : 20/11/2013 2:09 pm
(@belkasoft)
Posts: 169
Estimable Member
 

I tried to solve the original question, but after spending a few minutes typing I decided to just recommend trying our tool, which implements everything I tried to describe. Evidence Center can acquire everything from Skype logs, including deleted records stored in so-called "freelist" areas (I'm pretty sure that the way we implemented freelist analysis in our tool is rather unique).

 
Posted : 20/11/2013 4:58 pm