Skype fragments

10 Posts
5 Users
0 Reactions
491 Views
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Hi can anyone help?

I've recovered some Skype chat logs - all have a .dat file extension when viewed in FTK - from Unallocated space, near the top of each one is a string which looks like this
#myuser/$anotheruser;nnnnnnnnnnnnnnnn

myuser = the Skype username of the person I'm investigating
anotheruser = the Skype name of whoever he's chatting to

nnnnnnnnnnnnnnnn is an apparently random alphanumeric string. At first I thought all examples were 16 characters and so might represent a date, but (a) DCode can't do anything with any of the examples, and (b) on checking I note that one of the 18 fragments only has 15 characters.

So (a) does anyone know if there's any date info typically left in Skype files, and (b) does anyone know what, if anything, these random alphanumeric strings represent?

XP SP3, not sure of the version of Skype as the user had removed it or UnInstalled it.

Cheers


   
Quote
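The header line the question describes (`#myuser/$anotheruser;nnnnnnnnnnnnnnnn`) is a fixed enough shape to carve straight out of unallocated space. The following is an added example, not code from the thread or from any Skype tool: it scans a byte buffer for that pattern, records where each header sits and which two usernames it names, and flags the length of the trailing token so the 15-character oddity mentioned above shows up in the output. The character classes for usernames and the 15-16 character range for the token are assumptions made for the example; the meaning of the token is not established in the thread and the code treats it as opaque. The sample buffer is constructed.

```python
import re

# Header shape from the post: #<local user>/$<remote user>;<token>
# Username character set and the 15-16 char token length are assumptions
# taken from the examples in the question, not a documented Skype format.
HEADER_RE = re.compile(
    rb"#([A-Za-z0-9._-]+)/\$([A-Za-z0-9._-]+);([A-Za-z0-9]{15,16})"
)


def carve_chat_headers(blob: bytes) -> list:
    """Return every chat header found in `blob`, with its byte offset.

    The trailing token is reported as-is together with its length so that
    fragments whose token is shorter than the usual 16 characters are easy
    to spot in the results.
    """
    hits = []
    for m in HEADER_RE.finditer(blob):
        token = m.group(3)
        hits.append({
            "offset": m.start(),
            "local_user": m.group(1).decode("ascii"),
            "remote_user": m.group(2).decode("ascii"),
            "token": token.decode("ascii"),
            "token_len": len(token),
        })
    return hits


def short_tokens(hits: list) -> list:
    """Offsets of headers whose token is not the usual 16 characters."""
    return [h["offset"] for h in hits if h["token_len"] != 16]


# Constructed sample: two headers separated by filler, standing in for a
# chunk of unallocated space. Not real evidence data.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"#myuser/$anotheruser;ab12cd34ef56gh78"
    + b"\xff" * 40
    + b"#myuser/$thirduser;9zy8xw7vu6ts5rq"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for h in carve_chat_headers(SAMPLE_BLOB):
        print(f"{h['offset']:#08x} {h['local_user']} -> {h['remote_user']} "
              f"token={h['token']} ({h['token_len']} chars)")
```

Run over a carved .dat fragment or a raw dump of unallocated clusters, the offsets give you where each chat header sits, and the username pair tells you which conversation the surrounding bytes belong to. Anything the regex matches in a large blob still needs a look in a hex viewer before it goes into a report, since nothing here validates the record beyond the header shape.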
chrisdavies
(@chrisdavies)
Trusted Member
Joined: 16 years ago
Posts: 55
 

hey

have you been able to get the <username>.db/dbb file???


   
ReplyQuote
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

have you been able to get the <username>.db/dbb file???

Thanks, found a main.db and ran Belkasoft IM Analyzer past it, finds all the deleted chats and puts date/time on them

Should have thought this through myself oops but thanks for the pointer

Peter


   
ReplyQuote
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

Bumping existing thread rather than creating a new one on skype, in the "main.db" sqlite database is a table called "transfers" which appears to contain records of file transfers between the local user and other users. Has anyone had any luck with interpreting this data.

In some of the records, the filepath is blank and I'm presuming that these are received files, but other than this there doesn't seem to be any way of distinguishing sent files from received files, and frankly this approach seems a little presumptive.

Also, has anyone spent any time reverse engineering the chatsync files? I'm working on it now and making some progress but I'd like to avoid reinventing the wheel if possible. Tried using skype chatsync reader but that doesn't differentiate between who said what, so that's not really evidentially brilliant.


   
ReplyQuote
(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
 

If you get any luck with the chatsync work, let me know - i'm currently looking into this myself.

Cheers,


   
ReplyQuote
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

I'll be back in the office wednesday to carry on with my research, preliminary findings so far are that each record is structured as follows

<incrementing counter, message id?> (4 bytes)
<god knows> (4 bytes)
<unix timestamp> (4 bytes)
170ish bytes of ?
<sender id? seems to have one byte that increments> (8 bytes)
0x03 0x02 delimiter
<message in ascii>
null terminator
______________________________ end of record

God knows what the preamble means or what the stuff at the end means, still got a lot of work to do on this obviously, but it does look like there is a sender ID field which with a bit of manual work you can use to differentiate sent messages from received messages.


   
ReplyQuote
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

Ok, so found a few new things, firstly the length of the record header seems to vary depending on the length of the chat message and I think also based on the names of the people involved.

Secondly, it looks like the 13th-16th byte of each record contains 21 for sent messages, and 20 for received messages. There are also some occurrences of 00, perhaps some kind of file transfer?

17th-20th byte seems to contain the relative offset to the next message

At this point I think I have enough to write a script to parse these and identify who said what. Which is all I wanted tbh.

Update; Script complete, everyone who helped out should have a copy of the source in their PMs.


   
ReplyQuote
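The two posts above together give a working record layout for the chatsync files: five 4-byte fields (counter, unknown, unix timestamp, direction marker, offset to the next record), a variable-length run of unknown bytes, an 8-byte sender tag, a 0x03 0x02 delimiter, the ASCII message and a null terminator. The parser below is an added example written from those preliminary findings only; it is not the poster's EnScript, not Belkasoft's code, and not a documented Skype format. It assumes the header fields are little-endian, reads the direction bytes as hex 0x21/0x20, and treats the offset field as relative to the start of the current record, falling back to the delimiter scan whenever that field is implausible. The sample data is constructed with a small builder so the block runs offline.

```python
import struct
from datetime import datetime, timezone

DELIM = b"\x03\x02"        # delimiter observed before the message text
HEADER_LEN = 20            # five 32-bit fields; little-endian is an assumption
# Direction markers from the thread, read as hex bytes (assumption).
DIRECTION = {0x21: "sent", 0x20: "received", 0x00: "unknown"}


def parse_record(buf: bytes, start: int) -> dict:
    """Decode one record at `start` using the layout reported in the thread."""
    if start + HEADER_LEN > len(buf):
        raise ValueError("truncated header")
    counter, _unknown, ts, direction, next_off = struct.unpack_from("<IIIII", buf, start)
    # Header length varies, so locate the message by its delimiter, not a fixed offset.
    delim = buf.find(DELIM, start + HEADER_LEN)
    if delim < 0:
        raise ValueError("no 0x03 0x02 delimiter")
    end = buf.find(b"\x00", delim + len(DELIM))
    if end < 0:
        raise ValueError("message not null-terminated")
    sender = buf[max(start + HEADER_LEN, delim - 8):delim]   # 8 bytes before delimiter
    return {
        "offset": start,
        "id": counter,
        "timestamp": ts,
        "when_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "direction": DIRECTION.get(direction, f"0x{direction:08x}"),
        "sender_tag": sender.hex(),
        "message": buf[delim + len(DELIM):end].decode("ascii", errors="replace"),
        "next_offset": next_off,
        "scanned_len": end + 1 - start,   # length implied by delimiter + terminator
    }


def parse_chatsync(buf: bytes) -> list:
    """Walk consecutive records, preferring the offset field when it is sane."""
    records, pos = [], 0
    while pos + HEADER_LEN <= len(buf):
        try:
            rec = parse_record(buf, pos)
        except ValueError:
            break
        step = rec["next_offset"]
        if step < HEADER_LEN or pos + step > len(buf):
            step = rec["scanned_len"]          # offset field unusable, use the scan
        rec["offset_field_consistent"] = (step == rec["scanned_len"])
        records.append(rec)
        pos += step
    return records


def summarise(records: list) -> dict:
    """Count records per direction so sent vs received is visible at a glance."""
    counts = {}
    for r in records:
        counts[r["direction"]] = counts.get(r["direction"], 0) + 1
    return counts


# Builder for constructed test data in the layout above (not a real chatsync file).
def build_record(counter, ts, direction, sender, message, filler_len):
    body = b"\xff" * filler_len + sender + DELIM + message.encode("ascii") + b"\x00"
    header = struct.pack("<IIIII", counter, 0, ts, direction, HEADER_LEN + len(body))
    return header + body


SENDER_A = b"\x00" * 7 + b"\x01"   # constructed sender tags
SENDER_B = b"\x00" * 7 + b"\x02"
SAMPLE_CHATSYNC = b"".join([
    build_record(1, 1262304000, 0x21, SENDER_A, "hello there", 30),
    build_record(2, 1262304060, 0x20, SENDER_B, "hi, how are you?", 45),
    build_record(3, 1262304120, 0x00, SENDER_A, "", 10),
])

if __name__ == "__main__":
    for r in parse_chatsync(SAMPLE_CHATSYNC):
        print(f"{r['when_utc']} {r['direction']:>8} {r['sender_tag']} {r['message']!r}")
    print(summarise(parse_chatsync(SAMPLE_CHATSYNC)))
```

The `offset_field_consistent` flag is the useful check when running this against real files: wherever the offset field and the delimiter scan disagree, the assumed layout is wrong for that record and it needs a manual look rather than a parsed row in the report. Keep the later warning in this thread in mind as well, that chatsync is not a complete record of a conversation.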
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

Bumping existing thread rather than creating a new one on skype, in the "main.db" sqlite database is a table called "transfers" which appears to contain records of file transfers between the local user and other users. Has anyone had any luck with interpreting this data.

In some of the records, the filepath is blank and I'm presuming that these are received files, but other than this there doesn't seem to be any way of distinguishing sent files from received files, and frankly this approach seems a little presumptive.

Also, has anyone spent any time reverse engineering the chatsync files? I'm working on it now and making some progress but I'd like to avoid reinventing the wheel if possible. Tried using skype chatsync reader but that doesn't differentiate between who said what, so that's not really evidentially brilliant.

Belkasoft did some chatsync analysis and included it into our tools Forensic IM Analyzer and Belkasoft Evidence Center. You can try these tools from our site.

However, let me warn you, that chatsync is not a full record of conversations. It may (and may not!) contain some part of communication. Direction of messages can be retrieved from chatsync.


   
ReplyQuote
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

I appreciate the information, but I've done the RE work already and written an EnScript to handle the donkey work for me :P

Is your product free? If so, I'll probably have a look - you've put more than a few days work into it unlike me.


   
ReplyQuote
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

I appreciate the information, but I've done the RE work already and written an EnScript to handle the donkey work for me :P

Is your product free? If so, I'll probably have a look - you've put more than a few days work into it unlike me.

It is not free, but it has a free demo version. Also, for academic purpose we can issue time-restricted full license. Please contact us at contact@belkasoft.com if you wish to test the product.


   
ReplyQuote
Share: