Hi,
I am trying to get my head around where the Skype timestamps come from within the main.db file that Skype creates.
I have used SkypeLogView created by Nirsoft and extracted the log file (main.db). My initial thought was the timestamps given relate to the time set in the BIOS at the time of 'chat'.
I have two Skype logs from different computers relating to the same user account and both have identical text within them. This I can understand. However, when I look at the identical text, the time difference between them varies.
When I look at the text on one log file the difference is 7 seconds (when I say the difference I mean the difference between one line of text and the line directly below it), however when I look at the same text on the other log file the difference is greater. I could understand if the difference was consistent as this would have backed up my initial belief of it relating to the BIOS time, however, I can't understand why there is a variation in the difference of time.
Can anyone help - Please let me know if I haven't explained myself properly
Many Thanks
Hey,
Assuming I understood your question correctly….
First thing to remember is Skype message timestamps are based on system time, variation in the system time will result in messages being stamped "incorrectly".
Secondly, Skype is susceptible to network lag. The time between two messages across two different machines is most likely going to be a little different. The message needs time to send and may not be received instantly.
My guess, it probably took 7 seconds longer on the network.
1) Machine A sends message, message sent stamped at current system time.
2) Message enters network…. (3 seconds spent in tubes)
3) Machine B receives message, message received stamped at current system time - 3 seconds later.
4) Machine A sends another message, stamped at current system time.
5) Message enters network…. (9 seconds spent in tubes)
6) Machine B receives message, stamped at current system time - 9 seconds later.
(Machine A - SEND)<134415> Hello
(Machine A - SEND)<134418> How are you?
——————-INTERNET——————
(Machine B - RECV)<134418> Hello
(Machine B - RECV)<134427> How are you?
Machine A message difference 3 seconds
Machine B message difference 9 seconds
The second message simply spent more time on the network than the first one causing the issue you are seeing.
To prove what I am saying entirely wrong, where is the lag occurring? If the receiving machine is always behind and never ahead my theory may be correct. If the sending machine is ever behind the receiving machine my theory is wrong and it appears you may have gremlins in your network! 😉
Hope that's some help. Keep us updated on what you find!
Hi - Thanks for the reply
That makes perfect sense, however………
The difference between log A and log B is over an hour. My initial theory was that the system clock for one of the drives was set to be an hour earlier than the other, that leaves only a few seconds unaccounted for - and going by your last reply that would make sense as these seconds could be the time lag whilst going from A to B. However, the BIOS for both computers was correct at the time of the investigation meaning that my theory of one computer being set an hour earlier than the other was wrong.
It may well just be one of those things that I will have to give in to…..
Chris
Chris,
What is/was the geographic location of each of the computers? What were the time zone settings of each?
I'm a little off base anyway, just gave it a go now.
Sent a message at 1815 from one PC and then logged in at 1825 on another PC. The timestamp appears to have been transmitted with the message as the machine that was powered off still stamped the messages at 1815, regardless of the fact that the messages were received 10 minutes later!
keydet89 Sorry for the late reply, the machines were all based in the UK and running off UTC time.
I've been doing a bit of testing and it appears that the time is based on the system time. I played around with the BIOS and that seemed to make no difference if the system time was set correctly and vice versa.
It all makes sense to me, just can't understand why I am getting such large variations in the suspect's drives. I can only draw the conclusion / assumption that the system time on the drive(s) must have been set wrong at the time of the conversations, other than that I'm stuck.
Chris
keydet89
Come to think of it, the person with whom the suspect was communicating is based in the US. I initially thought that the time difference may be down to the duration it took for the messages to reach each other. Going back to my original point; if the system clock of the suspect was set an hour earlier, then the few seconds discrepancies could be down to the distance the data had to travel, though I'm not too convinced?
If a person, who was a recipient, was not online at the time the message is sent, they will not receive it until both persons are online. This might explain the difference.
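Added example, not part of any post in this thread: one way to compare the same conversation across two main.db files is to pair identical messages and split the per-message difference into a constant part (a clock or time-setting offset) and a varying remainder. It assumes a `Messages` table with `author`, `timestamp` (Unix epoch seconds) and `body_xml` columns; the rows below are constructed sample data held in in-memory databases.

```python
import sqlite3
from statistics import median

def make_log(rows):
    """Build an in-memory stand-in for a main.db Messages table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Messages (author TEXT, timestamp INTEGER, body_xml TEXT)")
    db.executemany("INSERT INTO Messages VALUES (?, ?, ?)", rows)
    return db

def load(db):
    """Map (author, body) -> timestamp; repeated texts are ambiguous, so drop them."""
    seen, dupes = {}, set()
    for author, ts, body in db.execute(
            "SELECT author, timestamp, body_xml FROM Messages ORDER BY timestamp"):
        key = (author, body)
        if key in seen:
            dupes.add(key)
        seen[key] = ts
    return {k: v for k, v in seen.items() if k not in dupes}

def compare(db_a, db_b):
    """Return (constant offset of B relative to A, per-message residual seconds)."""
    a, b = load(db_a), load(db_b)
    common = sorted(set(a) & set(b), key=lambda k: a[k])
    offsets = [b[k] - a[k] for k in common]
    skew = median(offsets)  # robust estimate of the fixed clock difference
    residuals = [(k[1], o - skew) for k, o in zip(common, offsets)]
    return skew, residuals

T = 1300000000  # constructed base time, epoch seconds
SAMPLE_A = [("alice", T, "Hello"), ("alice", T + 7, "How are you?"),
            ("bob", T + 20, "Fine thanks"),
            ("alice", T + 30, "ok"), ("alice", T + 40, "ok")]
# Log B: about one hour ahead of log A, plus a few seconds that vary per message
SAMPLE_B = [("alice", T + 3602, "Hello"), ("alice", T + 3618, "How are you?"),
            ("bob", T + 3622, "Fine thanks"),
            ("alice", T + 3632, "ok"), ("alice", T + 3643, "ok")]

if __name__ == "__main__":
    skew, residuals = compare(make_log(SAMPLE_A), make_log(SAMPLE_B))
    print("constant offset (s):", skew)
    for body, extra in residuals:
        print(f"{extra:+5d}s  {body}")
```

A residual that stays near zero for most messages and jumps for a few points at those messages specifically; a large median points at the time setting in effect when the log was written.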