Summary

This article describes common approaches used for the recovery of cleared Skype histories and deleted chat logs, and discusses methods and techniques for recovering evidence from cleared and damaged SQLite databases.

Introduction

It is difficult to overestimate the popularity of Skype. Hundreds of millions of people use Skype every day, generating a lot of potential evidence.

Recent versions of Skype are using SQLite databases to keep all history items. Chat logs, information about voice calls made and received, and a lot of other information is available in these SQLite databases. Accessing and analyzing this evidence is essential for many investigations involving a seized PC.

At this time, there are lots of tools that can be used to view and analyze SQLite databases. These tools range from freeware utilities to fully featured and highly expensive forensic suites. While viewing records in an existing, healthy SQLite database is not a big deal, performing a forensic analysis of such a database has quite different requirements.

Suspects may and do destroy evidence by clearing chat histories and/or physically deleting Skype logs. At this point, only dedicated forensic tools can still be used to recover deleted databases and extract evidence from cleared Skype logs.

In this article, we’ll look at tools, methods and techniques used by forensic specialists to handle evidence contained in cleared Skype histories and deleted SQLite databases, particularly those located on formatted or repartitioned hard drives or discovered in the computer’s volatile memory.

How Skype Stores History Logs

Before we begin analyzing Skype databases, let’s have a brief look at how Skype keeps its records.

Skype maintains its main database in a file named “main.db”. In addition, Skype stores information about its activities in temporary “.dat” files with alphanumeric names such as 0181a0a519e2c304.dat. Skype uses the SQLite database format and the SQLite engine to keep its records, so certain SQLite-specific considerations apply to Skype databases. For example, records deleted (“cleared”) from a Skype history are not erased immediately. Instead, they are temporarily left in a so-called “freelist” (SQLite’s list of freed pages awaiting reuse). Deleted records will not be kept in the freelist forever, but if an investigator analyzes the database fairly soon after the user clears the Skype history, the chance of getting some or even most of the information back is reasonably high.

It follows that any Skype analysis tool used in the course of a forensic investigation must be able to recognize and recover records kept in the freelist.
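To make the freelist behaviour concrete, here is an added example (not code from the article or from any of the tools it reviews) that builds a small stand-in history database with Python’s sqlite3 module, clears it the way a user would, and then walks the freelist from the raw file bytes to show that the cleared text is still there. The Messages table, the CLEARED-MSG markers and the file path are constructed for the demo; the header offsets (page size at byte 16, first freelist trunk page at byte 32, freelist page count at byte 36) and the trunk-page layout come from the public SQLite file format. secure_delete is forced off because whether SQLite zeroes freed pages by default depends on how the library was compiled, and auto_vacuum is left off so freed pages stay in the file instead of being truncated away.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Constructed marker embedded in every sample message so recovery can be counted.
MARKER = rb"CLEARED-MSG-\d{4}"
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_cleared_history(path, n_rows=300):
    """Create a small stand-in 'history' database, then clear it as a user would.

    The Messages table is a constructed stand-in, not Skype's real schema.
    secure_delete is forced OFF so freed pages keep their old bytes; the default
    depends on how the SQLite library was compiled.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA page_size = 4096")
    conn.execute("PRAGMA auto_vacuum = NONE")    # freed pages are kept on the freelist
    conn.execute("PRAGMA secure_delete = OFF")   # ...and are not zeroed when freed
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    rows = [("alice" if i % 2 else "bob", f"CLEARED-MSG-{i:04d}" + "x" * 284)
            for i in range(n_rows)]
    conn.executemany("INSERT INTO Messages (author, body) VALUES (?, ?)", rows)
    conn.commit()
    conn.execute("DELETE FROM Messages")         # the "clear history" action
    conn.commit()
    conn.close()
    return n_rows


def freelist_pages(data):
    """Walk the freelist from the 100-byte file header; returns (page_size, page numbers)."""
    if data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite database")
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size      # header stores 65536 as 1
    trunk, total = struct.unpack(">II", data[32:40])        # first trunk page, total count
    pages = []
    while trunk and len(pages) < total:                     # bound guards corrupt cycles
        pages.append(trunk)
        off = (trunk - 1) * page_size
        if off + 8 > len(data):
            break
        next_trunk, n_leaves = struct.unpack(">II", data[off:off + 8])
        n_leaves = min(n_leaves, page_size // 4 - 2)        # cap at what a trunk can hold
        chunk = data[off + 8:off + 8 + 4 * n_leaves]
        pages.extend(struct.unpack(f">{len(chunk) // 4}I", chunk[:len(chunk) // 4 * 4]))
        trunk = next_trunk
    return page_size, pages


def page_bytes(data, page_size, pgno):
    return data[(pgno - 1) * page_size:pgno * page_size]


def carve_strings(blob, min_len=8):
    """Printable ASCII runs of at least min_len bytes, as a forensic tool would list them."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, blob)]


def recover_cleared_messages(path):
    """Count unique markers still readable on freelist pages of a cleared database."""
    with open(path, "rb") as f:
        data = f.read()
    page_size, pages = freelist_pages(data)
    found = set()
    for pgno in pages:
        found.update(re.findall(MARKER, page_bytes(data, page_size, pgno)))
    return {"freelist_pages": len(pages), "recovered": len(found)}


def demo():
    path = os.path.join(tempfile.mkdtemp(), "main.db")
    result = {"inserted": build_cleared_history(path)}
    result.update(recover_cleared_messages(path))
    conn = sqlite3.connect(path)                 # the live table is empty...
    result["live_rows"] = conn.execute("SELECT count(*) FROM Messages").fetchone()[0]
    conn.close()
    return result                                # ...yet the freelist still holds the text


if __name__ == "__main__":
    print(demo())
```

Running demo() reports zero live rows but a non-empty freelist from which every cleared message body is still readable. Two caveats matter in practice: the first freed page becomes the freelist trunk and its first 8 + 4·N bytes are overwritten by the trunk header, so a few cells at the start of that page can be clipped; and once secure_delete is on, a VACUUM has run, or the pages have been reused by new writes, the same walk finds nothing, which is why analysis soon after the clear matters.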

In this article, we’ll be using several tools to analyze a sample Skype database. Our tools of choice are (in alphabetical order):

– Belkasoft Evidence Center 6.0.527

– Chat Examiner 3.1.4455.18335

– Epilog 1.2.1

– Forensic Assistant 1.3.3

– Internet Evidence Finder 6.2.0.0202

– Skype Extractor by Tim Coakley

– SkypeAlyzer by Paul Sanderson

– SkypeLogview 1.12

Searching for Skype Histories

During the investigation, experts often use automated disk scanning facilities provided by forensic analysis tools to locate all available Skype databases. Different tools use different approaches, and may or may not be able to locate certain files.

To see how the tools from our shortlist will behave in the course of a forensic investigation, we have created a set of sample Skype databases. The first database (DB1) was a Skype database containing empty strings. The second file (DB2) was a temporary Skype file. The third file (DB3) was also a Skype temporary file, yet it was named “driver_3.stl” (that is, it did not follow the naming convention for Skype temporary files).

We then used the tools from our list to locate these files and extract any available evidence. The results are provided in Table 1 below.

Table 1. Results for DB1

– Belkasoft Evidence Center: DB1 recognized as a SQLite database. Discovered 61 chat messages, 1 call.

– Chat Examiner: DB1 not recognized as a SQLite database.

– Epilog: DB1 recognized as a SQLite database. Discovered 1 chat message, 1 call.

– Forensic Assistant: the tool crashed.

– Internet Evidence Finder: DB1 not recognized as a SQLite database.

– Skype Extractor: DB1 recognized as a SQLite database. Discovered 2 chat messages, 1 call.

– SkypeAlyzer: DB1 recognized as a SQLite database. Discovered 61 chat messages, 1 call.

– SkypeLogview: DB1 not recognized as a SQLite database.

The results for DB2 and DB3 were similar, so we combined them into one table.

Table 2. Results for DB2 and DB3

– Belkasoft Evidence Center: DB2 and DB3 not recognized as valid Skype files.

– Chat Examiner: DB2 and DB3 not recognized as valid Skype files.

– Epilog: DB2 and DB3 not recognized as valid Skype files.

– Forensic Assistant: DB2 correctly recognized as a Skype temporary file; discovered 2 chat messages. DB3 correctly recognized as a Skype temporary file; discovered 4 chat messages.

– Internet Evidence Finder: DB2 correctly recognized as a Skype temporary file; discovered 2 chat messages. DB3 correctly recognized as a Skype temporary file; discovered 4 chat messages.

– Skype Extractor: DB2 and DB3 not recognized as valid Skype files.

– SkypeAlyzer: DB2 and DB3 not recognized as valid Skype files.

– SkypeLogview: DB2 and DB3 not recognized as valid Skype files.


Recovering Cleared Skype Histories and Deleted SQLite Databases

In practice, evidence is often not readily available. Deleted files, formatted hard drives, reinstalled operating systems, the use of privacy protection software and cleared histories are routinely encountered during investigations. As a result, a forensic tool working with Skype must be able to carve the hard drive (or disk image) for any remaining evidence. The ability to access deleted records in Skype/SQLite databases is a must as well.

For our test, we prepared a 250 GB disk image in the DD format. The disk was mounted with FTK Imager 3.1.3. The image was taken from a live system, and contained the following information:

– The operating system was first installed on Mar 16, 2011

– Skype was installed on Sep 28, 2012

– Skype was being actively used until the operating system was re-installed on January 16, 2013

– At the same time, the hard drive was formatted before having the new OS installed

– A different Skype instance was installed on Mar 5, 2013

– The system was in active use for 4 months until it was seized

Upon acquisition, the active copy of Skype “main.db” contained records going back to March 5th, 2013. It contained 29948 records, but did not contain information for 2012.

Our goal was to recover old Skype records going all the way back to the initial instance.

Method 1: Using a Combination of Data Recovery and Forensic Tools

We used the data recovery tool Recover My Files 5.2.1.1964 to recover an old partition on the hard drive being acquired. The tool was unable to locate and recover the old Skype “main.db”. At the same time, it was able to recover a number of temporary files created by that old instance of Skype. To analyze these files, we used the following tools: Belkasoft Evidence Center, Forensic Assistant and Internet Evidence Finder.

As a result, Internet Evidence Finder was able to extract 21152 records, Forensic Assistant extracted 20395 records, and Belkasoft Evidence Center extracted 5352 records. Importantly, all of these records belong to the period of interest before the new operating system was installed on January 16, 2013.

Method 2: Using Forensic Toolkits

Another method of recovering missing Skype data involves carving fragments of the SQLite databases used by the Skype instance of interest out of the disk image. Carving is a complex and time-consuming process, so only a few forensic tools implement it. In our sample, only three products have the ability to carve SQLite databases: Belkasoft Evidence Center, Internet Evidence Finder and SkypeAlyzer. SkypeAlyzer was not tested but does have this facility.
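The simplest building block of such a carver is locating SQLite file headers in a raw image and validating them before trusting them, since the 16-byte magic string alone is a cheap false positive. The following added example (written for this article, not code from any of the tools above) scans a constructed “disk image” for the “SQLite format 3\0” signature, parses the 100-byte header according to the public SQLite file format, rejects a decoy header whose fields are invalid, and reports the database extent when the header’s page count is trustworthy (the “version-valid-for” field must equal the change counter; otherwise the page count may be stale). The image contents, offsets and the version number written into the header are constructed for the demo.

```python
import random
import struct

MAGIC = b"SQLite format 3\x00"
# Header stores 65536 as 1; otherwise a power of two from 512 to 32768.
VALID_PAGE_SIZES = {1} | {1 << n for n in range(9, 16)}


def parse_header(buf):
    """Parse a 100-byte SQLite header; returns None for anything that is not plausible."""
    if len(buf) < 100 or buf[:16] != MAGIC:
        return None
    (page_size, write_ver, read_ver, _reserved, max_frac, min_frac, leaf_frac,
     change_counter, db_pages, first_trunk, freelist_pages) = struct.unpack(">HBBBBBBIIII", buf[16:40])
    encoding, = struct.unpack(">I", buf[56:60])
    version_valid_for, = struct.unpack(">I", buf[92:96])
    if page_size not in VALID_PAGE_SIZES:
        return None
    if (max_frac, min_frac, leaf_frac) != (64, 32, 32):      # fixed by the format
        return None
    if write_ver not in (1, 2) or read_ver not in (1, 2) or encoding not in (1, 2, 3):
        return None
    if any(buf[72:92]):                                      # reserved area must be zero
        return None
    page_size = 65536 if page_size == 1 else page_size
    # The in-header page count is only trustworthy when version-valid-for == change counter.
    size_known = db_pages > 0 and version_valid_for == change_counter
    return {
        "page_size": page_size,
        "pages": db_pages if size_known else None,
        "size_bytes": page_size * db_pages if size_known else None,
        "freelist_pages": freelist_pages,
        "first_freelist_trunk": first_trunk,
    }


def carve_sqlite_headers(image):
    """Find every plausible SQLite header in a raw image; returns dicts with their offsets."""
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        hdr = parse_header(image[pos:pos + 100])
        if hdr:
            hdr["offset"] = pos
            hits.append(hdr)
        pos = image.find(MAGIC, pos + 1)
    return hits


def make_header(page_size, pages, freelist_pages=0, first_trunk=0, change_counter=7):
    """Constructed 100-byte header (no pages follow it) for the demo image."""
    h = bytearray(100)
    h[:16] = MAGIC
    struct.pack_into(">HBBBBBB", h, 16, 1 if page_size == 65536 else page_size,
                     1, 1, 0, 64, 32, 32)
    struct.pack_into(">IIII", h, 24, change_counter, pages, first_trunk, freelist_pages)
    struct.pack_into(">I", h, 44, 4)              # schema format 4
    struct.pack_into(">I", h, 56, 1)              # UTF-8 text encoding
    struct.pack_into(">I", h, 92, change_counter) # version-valid-for matches the counter
    struct.pack_into(">I", h, 96, 3008002)        # SQLITE_VERSION_NUMBER; arbitrary here
    return bytes(h)


def build_sample_image():
    """Constructed 'disk image': noise, one plausible header, then a decoy magic string."""
    rng = random.Random(1)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    good = make_header(4096, pages=37, freelist_pages=5, first_trunk=12)
    decoy = MAGIC + b"\xff" * 84                  # magic followed by garbage fields
    image = noise(3000) + good + noise(1500) + decoy + noise(1000)
    return image, 3000, 3000 + 100 + 1500


def demo():
    image, good_off, decoy_off = build_sample_image()
    return carve_sqlite_headers(image), good_off, decoy_off


if __name__ == "__main__":
    hits, good_off, decoy_off = demo()
    print(f"valid header at {good_off}, decoy at {decoy_off} ->", hits)
```

A real carver has to go further: the header only locates page 1, the pages that follow may be fragmented across the volume, and freelist or deleted b-tree pages can survive with no header at all, which is why the tools above also carve individual pages and records. The validation steps shown here are what keeps such a scan from drowning in false positives on a 250 GB image.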

To give an idea of how fast (or how slow) the carving process can be, here is our test bench configuration:

– Supermicro X8DTH-6F-O motherboard with Intel i5520 chipset supporting Intel Xeon X5500 series CPUs

– Dual-CPU configuration with two Intel Xeon E5620 processors (2.4 GHz, 12 MB second-level cache)

– 48 GB DDR3 RAM (Kingston KVR1333D3D8R9S/4G DDR3-10600)

– NVIDIA Quadro 2000 with 1 GB DDR5 RAM, PCI Express x16

– Two Western Digital RE4 2000 GB SATA-II HDDs, 7200 RPM, configured as a RAID1 array

– Four Seagate Constellation ES 2000 GB SAS HDDs, 64 MB, 7200 RPM, configured as a RAID0 array

– Windows 7 Ultimate 64-bit SP1

By no means is this a high-end configuration for a PC used in the course of forensic investigations. In our experience, this is a typical configuration for this kind of work in 2013.

We used the corresponding carving features of Internet Evidence Finder and Belkasoft Evidence Center to collect SQLite/Skype evidence. Both tools offer fully automated carving, so we timed the process from start to finish.

– Belkasoft Evidence Center: located 245,948 records in 110 minutes (2235 records per minute)

– Internet Evidence Finder: located 154,056 records in 190 minutes (811 records per minute)

Conclusion

We performed a series of tests using real-world scenarios to discover Skype evidence located in SQLite databases and in temporary files produced by Skype. The tools used were Belkasoft Evidence Center, Chat Examiner, Epilog, Forensic Assistant, Internet Evidence Finder, Skype Extractor, SkypeAlyzer and SkypeLogview. We observed the following results:

– When analyzing corrupted and cleared Skype SQLite databases, Belkasoft Evidence Center and SkypeAlyzer revealed the most evidence.

– When analyzing temporary files produced by Skype, Belkasoft Evidence Center, Internet Evidence Finder and Forensic Assistant are the best tools.

– When carving the disk image for SQLite records, Belkasoft Evidence Center and Internet Evidence Finder recover a similar number of records. However, Belkasoft Evidence Center demonstrates almost double the throughput of Internet Evidence Finder.