
Monday, October 20, 2014

Forensics : Skype Data Digging :-1

Last week I was sitting and wondering how much information we leave behind whenever we use a public system for our personal work. In India, for example, it is very common to visit a cyber cafe: we go there, log in to some social accounts, do our work, chat with someone and log out of the application. We think that is enough, but in a real scenario it is not.

OK, let us look at this from a different angle. How can this knowledge be used in a positive way?
In today's high-tech world a wide variety of software crimes take place, so computer forensics has become a vital part of the corporate world. Data can be stolen from an organization, which may then sustain heavy losses. Computer forensics is used in such cases because it helps track down the criminal.

Let's start Digging:

First we will look into a Windows System. You can find Skype Directory in the following location.
C:\Users\<user>\AppData\Roaming\Skype

Skype Folder with User Directories
As you can see we are in the Skype directory, and the three folders marked above are the user directories of everyone who has used Skype on this particular system.


In the figure above there is an XML file named shared.xml. It is a configuration file, so first we will analyze it in any text editor, e.g. Notepad++.



In the very first line of this file we see a timestamp with the value 1413742717.116. This is a Unix-style timestamp (seconds since 1 January 1970 UTC), so we will convert it to a readable format.

If you scroll down a little in shared.xml you will see a HostCache tag. HostCache is nothing but Skype's cache of the network nodes it has connected to, stored as IP addresses.


The IP starts after 0400050041050200, which means 6FDD4A1D9C49 holds the IP address. Convert this hexadecimal value to decimal one byte (two hex digits) at a time to read the IP address in its usual dotted form.
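The two decoding steps above (the Unix timestamp on the first line and the HostCache hex after the 0400050041050200 prefix) can be automated. The script below is an added example, not code from the original post; the XML it parses is constructed to mirror what the post describes (a timestamp attribute on the root and a HostCache element holding the hex), so a real shared.xml may be laid out differently. It reads the four bytes after the prefix as the IPv4 address and, as this example's own interpretation, the two bytes that follow as a big-endian port.

```python
"""Decode the shared.xml artefacts discussed in the post (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: only the two values quoted in the post are real,
# the surrounding XML layout is an assumption for this example.
SAMPLE_SHARED_XML = """<?xml version="1.0"?>
<config version="1.0" timestamp="1413742717.116">
  <Lib>
    <HostCache>04000500410502006FDD4A1D9C49</HostCache>
  </Lib>
</config>
"""

# Byte pattern the post identifies as preceding the IP bytes in HostCache.
HOSTCACHE_PREFIX = "0400050041050200"


def unix_to_utc(ts: str) -> str:
    """Convert a Unix timestamp string (seconds, optional fraction) to UTC text."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def decode_hostcache(hex_blob: str) -> tuple:
    """Return (ipv4, port) decoded from the bytes after HOSTCACHE_PREFIX.

    Each of the four IP bytes is converted from hex to decimal separately;
    the next two bytes are interpreted here as a big-endian port number.
    """
    body = hex_blob.strip().upper()
    idx = body.find(HOSTCACHE_PREFIX)
    if idx < 0:
        raise ValueError("HostCache prefix not found")
    start = idx + len(HOSTCACHE_PREFIX)
    raw = bytes.fromhex(body[start:start + 12])  # 6 bytes = 12 hex digits
    if len(raw) < 6:
        raise ValueError("HostCache entry is truncated")
    ip = ".".join(str(b) for b in raw[:4])
    port = int.from_bytes(raw[4:6], "big")
    return ip, port


def parse_shared_xml(text: str) -> dict:
    """Extract the root timestamp and the first HostCache entry from shared.xml text."""
    root = ET.fromstring(text)
    ts = root.get("timestamp")
    hc = root.find(".//HostCache")
    ip, port = decode_hostcache(hc.text or "")
    return {"timestamp_raw": ts, "timestamp_utc": unix_to_utc(ts), "ip": ip, "port": port}


if __name__ == "__main__":
    print(parse_shared_xml(SAMPLE_SHARED_XML))
```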

Now it is time to dig deeper by entering one of the user directories. In this tutorial I will use test.forensics for demonstration purposes.

test.forensics User Directory
As can be seen in the figure above we are inside the test.forensics directory, which contains a number of files and folders. Inside the user directory are mostly chat, call, and voicemail logs, all split across multiple files and combining data from multiple sessions and dates. The first folder is chatsync, which contains history in .dat format. Each file under this folder contains one or more chats between SKYPE-USER and one other user, with the timestamp showing the time the last chat ended. The full chat history between those two users may be spread over several *.dat files.
bistats.db, dc.db, griffin.db and keyval.db hold Skype metadata. config.xml contains the current configuration and contact list for the account holder. config.lck contains the account creation date: if SKYPE-USER's account was created on this computer, this will be the account creation date. main.db is the main file, which has the spicy stuff stored in it; we will cover it later.
We will start our analysis with config.xml, so open that file. We can see another timestamp here under the LastSync tag; convert it to a readable format as we did previously.

In the same config.xml file we can find much more information, such as the last IP country, the last login time, the account creation date (if the account was created on the same computer) and the names of connected friends. Finding this information is left as a task for you.

We will continue our digging activity in the next tutorial, where we will look into the database to see whether we can extract something very critical.

Till then, stay tuned and keep digging...
Disclaimer: This post should be used only for learning purposes and with the permission of the administrator of the system. Don't try to bypass someone's privacy, as that is not an ethical activity. Keep remembering the saying..

“With great power comes great responsibility”