Hi
I am securing Skype-logs in a criminal case and are making a report for the court. I am securing the logs via Internet Evidence Finder.
I wonder if someone can give a description (preferably with sources) of what the message status "Sending" means.
I have looked in the v. 2.0 documentation, but I can't find anything about this. As far as I know the message status "Sent" means that the message is sent from user X, and that "Read" means that the message has been shown on user X's screen.
Its possible that the user X has been blocked by the other person before getting the message status "Sending" in this log, but there is no BLOCKED message-type in the log.
Thank you in advance.
- RCH
RCH,
Might be worth logging a support call with Magnet Forensics themselves to see if they can help. They've always been very helpful whenever I've had a problem.
Could the "Sending" message status be when the user who is due to receive the message has gone offline just as the message has been sent? Not sure how many of these "Sending" message status you have but if that is the explanation I wouldn't expect too many of them.
Cheers,
Chris
Hi RCH
Skype has a very complicated data structure and I would suggest that the only way you can fully understand what is going on is to get into the main.db with an sqlite database viewer.
I suspect that "Sending" as shown by IEF is their interpretation of a numerical status field so without knowing which field and what the numerical value they are applying a value to then it would be difficult to help further as it would be guess work.
For instance the messages table has 36 columns and the contacts table just under 100!!! There is a wealth of information in here including lots of status messages that compliments data recorded elsewhere. For instance there are hidden records in the messages table that record information re the beginning and end of a voice call, file transfer, voice messages etc.
If you would like fully functional a demo of my Forensci browser for SQLite (create reports/recover deleted records etc.) then please fill in the request from here
http//
Cheers
Paul
Hey RCH,
The message status "SENDING" is represented by status value 1 in the Skype main.db. Unfortunately Microsoft doesn't document this stuff very well so we're only able to interpret what we've uncovered in our testing. Paul is correct that there are a number of additional values that IEF will only give you the numerical value because we're not entirely sure what it represents.
SENT and READ are pretty obvious ones but SENDING was typically found in our test data when either the message was still in transit (perhaps a large file, or the network connection had disconnected).
Like I said, unfortunately there is no documentation on this from Microsoft (if you find any, please let me know) but this is what we've found in our testing.
Feel free to reach out if you have any more questions on here or over email.
Jamie
jamie-dot-mcquaid-at-magnetforensics-dot-com
If you choose to take up my offer for a demo then you can assign your own "conversions" for a given numeric field
Hi, RCH_DKE,
Please try
You can request a full free trial at