Skype chat

18 Posts
12 Users
0 Reactions
2,153 Views
(@rosako)
Active Member
Joined: 13 years ago
Posts: 7
Hi,

as PaulSanderson said

"On a Windows XP system
\documents and settings\<user name>\application data\skype\<skype user name>

Windows 7
C\Users\<user name>\AppData\Roaming\Skype\<skype user name>

Mac
library/application support/skype/<user name>"

Then you will need to get the file named "main.db" which is simply a sqlite database file.

You will find chat information on the table "Messages"

A simple "SELECT timestamp, author, body_xml from Messages" and you will get basic information )


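The query above, carried through as an added example (not code from the original post): it builds a constructed stand-in for Skype's main.db with only the Messages columns used here, runs the SELECT, converts the Unix-epoch timestamp column to UTC, and strips the XML markup from body_xml so the chat text is readable. The sample rows and the table layout are constructed assumptions, not data from the thread.

```python
import html
import re
import sqlite3
from datetime import datetime, timezone


def build_sample_db(path=":memory:"):
    """Constructed stand-in for a Skype main.db (assumption: only the
    Messages columns this example reads; a real main.db has many more)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE Messages (id INTEGER PRIMARY KEY, convo_id INTEGER, "
        "author TEXT, from_dispname TEXT, timestamp INTEGER, body_xml TEXT)"
    )
    rows = [  # constructed sample messages, epoch seconds UTC
        (1, 10, "alice.example", "Alice", 1325419200, "hello <b>bob</b>"),
        (2, 10, "bob.example", "Bob", 1325419260, "hi &amp; welcome"),
        (3, 11, "alice.example", "Alice", 1325500000, None),  # empty body
    ]
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def extract_messages(conn):
    """Run the post's SELECT and return (utc_time, author, plain_text) tuples.

    Skype stores Messages.timestamp as Unix epoch seconds; body_xml holds
    the message text with inline XML, which is stripped and unescaped here.
    """
    cur = conn.execute(
        "SELECT timestamp, author, body_xml FROM Messages ORDER BY timestamp"
    )
    out = []
    for ts, author, body in cur:
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        text = html.unescape(re.sub(r"<[^>]+>", "", body or ""))
        out.append((when.strftime("%Y-%m-%d %H:%M:%S UTC"), author, text))
    return out


if __name__ == "__main__":
    # To run against a real export, open it instead: sqlite3.connect("main.db")
    for row in extract_messages(build_sample_db()):
        print("\t".join(row))
```

Work on a copy of main.db, not the original, since opening the file can create a journal beside it and alter filesystem timestamps on the evidence.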
(@miket065)
Estimable Member
Joined: 21 years ago
Posts: 187

Internet Evidence Finder is a good tool, but does not find all records. I had a case recently where IEF recovered a single Skype Chat record and I managed to recover 500+ records.
Don't get me wrong, I'm not slating it, but I have noticed a reliance on this tool which can be dangerous.

500 missed? What version of IEF missed that many? Did you notify JadSoftware of the glitch? I'm sure they would like to fix the problem.


minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481

Latest version, V5.4.1. Like I said, I'm not having a go at IEF, which I use regularly and is an excellent tool, but I am trying to advocate away from this approach that seems to be creeping in of running tools and, if they don't find anything, assuming it's not there.


(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169

Our tool, Belkasoft Evidence Center, has comprehensive Skype analysis: not just dbb and db extraction, but also chatsync analysis, carving for deleted Skype chats and search for Skype artifacts in hibernation and page files. I think this is the most advanced Skype analysis tool existing. You can try it free at belkasoft.com.


(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011

It's a good approach to get away from, but should be used in every facet of CF work.

If you get a drive in and scan it with AV, are you only going to use one AV? Just like you can't just say "well, Encase or FTK told me this", you need to cross-validate with other software.

All the newer people who are just now starting to get into CF work can't afford multiple tools so they go to court saying that this is the date and time associated with this file, closed case. However, we all know that 2 different pieces of software will report a different time for the same file, so which one do you believe?

This is when investigation comes into play and figuring out how to think without boundaries, putting yourself into the user's shoes. Another reason why it's nice to have information about the person you are examining.

Latest version, V5.4.1. Like I said, I'm not having a go at IEF, which I use regularly and is an excellent tool, but I am trying to advocate away from this approach that seems to be creeping in of running tools and, if they don't find anything, assuming it's not there.


santakruz
(@santakruz)
New Member
Joined: 15 years ago
Posts: 1

I'm sure it's local


(@jadsoftware)
New Member
Joined: 14 years ago
Posts: 2

Latest version, V5.4.1. Like I said, I'm not having a go at IEF, which I use regularly and is an excellent tool, but I am trying to advocate away from this approach that seems to be creeping in of running tools and, if they don't find anything, assuming it's not there.

Do you know which version of Skype was used for the messages missed by IEF? We now have support for older versions of Skype with v5.5, which might be why it wasn't found with v5.4 (not supported yet).

We definitely want to hear from our users when something doesn't work as it should or some data is missed. If you are able to try v5.5 and let me know if that solved the problem, that would be great. If there are still any issues, please open a support ticket at http://support.jadsoftware.com .

Thanks!
Jad


Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550

It's a good approach to get away from, but should be used in every facet of CF work.

If you get a drive in and scan it with AV, are you only going to use one AV? Just like you can't just say "well, Encase or FTK told me this", you need to cross-validate with other software.

All the newer people who are just now starting to get into CF work can't afford multiple tools so they go to court saying that this is the date and time associated with this file, closed case. However, we all know that 2 different pieces of software will report a different time for the same file, so which one do you believe?

This is when investigation comes into play and figuring out how to think without boundaries, putting yourself into the user's shoes. Another reason why it's nice to have information about the person you are examining.

Couldn't agree more; cross-validation is one of the core principles of good forensic work, often overlooked because of pressure for fast results from courts/investigators etc.


Page 2 / 2