±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 4
New Yesterday: 6
Overall: 27389
Visitors: 58

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

Differentiating Skype artefacts on an iPhone and Desktop

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Differentiating Skype artefacts on an iPhone and Desktop

Post Posted: Tue Jun 10, 2014 10:43 am

Hi.

I have a bit of a puzzler. I have an iPhone 5 that has loads of Skype conversation/messages etc on it, but the person also has a PC and the Main.DB on that looks to be the same.

I've been asked to confirm whether the conversations took place on the iPhone. However, after running my own tests on a desktop version of Skype, it instantly synced to my iPhone without asking and the DBs looks identical.

Does anybody know if its possible to identify where the conversations took place, any tables maybe in the database that differentiate?


Thanks.
4R  

4Rensics
Senior Member
 
 
  

Re: Differentiating Skype artefacts on an iPhone and Desktop

Post Posted: Tue Jun 10, 2014 9:43 pm

I think, that you can look for timestamps chatsync files and timestamps from maid.db.
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 

Igor_Michailov
Senior Member
 
 
  

Re: Differentiating Skype artefacts on an iPhone and Desktop

Post Posted: Wed Jun 11, 2014 7:41 am

I'd have to agree with Igor's mention of the chatsync folder, that's probably where you want to look. The chatsync files were created specifically to help deal with using multiple devices with one account so when a user answers a Skype call on their mobile, it doesn't continue to ring on their PC. In my limited research, both the main.db and chatsync folders had a lot of duplicate data but they weren't identical. Often chatsync had some extra artifacts that weren't found in the main.db (and vice versa, but they were both still valid message conversations). I don't have any definitive details as to how to separate which conversation came from what device but if the info is anywhere, the chatsync folder would be the first place I look.

Hope that helps.  

mcman
Member
 
 
  

Re: Differentiating Skype artefacts on an iPhone and Desktop

Post Posted: Wed Jun 11, 2014 9:12 am

If I remember well there should be a difference in the "chatmsg_status" field: sent messages should have a "sent" value only if they were sent on the device where the main.db came from. Check if those values are different.  

francesco
Senior Member
 
 
  

Re: Differentiating Skype artefacts on an iPhone and Desktop

Post Posted: Thu Jun 19, 2014 6:26 am

Apologies for late reply. Been basking in the sun on annual leave Cool

I will take a look at the Chatsync and Main.db and focus on these to check the differences.

It would be nice if there was a table in there that noted if it was a mobile device or desktop (but that would be too easy then!)

I'll keep delving and hopefully something will come up that as plain as the nose on my face (or in other terms, than can be easily explained to CPS and or Defence! (thats the difficult part!)


Thanks.  

4Rensics
Senior Member
 
 
  

Re: Differentiating Skype artefacts on an iPhone and Desktop

Post Posted: Thu Jun 19, 2014 6:53 am

Are we talking about voice conversations or messages? Because voice conversations should have a field with call informations including device details somewhere.  

francesco
Senior Member
 
 
  

Re: Differentiating Skype artefacts on an iPhone and Desktop

Post Posted: Thu Jun 19, 2014 7:47 am

From what I've got so far, we are mainly concerned about messages, but I think calls will some into it at some point.  

4Rensics
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 1