34-193-1-PB


  • 8/10/2019 34-193-1-PB


    University of Derby

    School of Computing & Mathematics

    A project completed as part of the requirements for the

    BSc (Hons) Computer Forensics and Security

    entitled

    Skype Forensics

    By

    Daniel Castle

    d.castle@unimail.derby.ac.uk

    daniel(castle'hotmail%co%u$

    in the years )** + )*,


    Abstract

    This project takes a look into the world of one of the most popular VoIP applications used today - Skype. The methods by which Skype transmits data over the internet and between clients have been frequently examined, to discover any potential data leaks. An area that has not received much attention is that of the local data stored on computer systems by Skype. This project takes a look into just this area, taking time to locate and examine the types of information that can be found on the storage media of these devices. As a result of this preliminary examination, a software tool will be developed to automate this process for future investigations.

    Table of Contents

    Abstract
    Acknowledgements
    Table of Contents
    Table of Figures
    Chapter 1 - Introduction and Specification
    1.1 Introduction
    1.2 Aims and Objectives
    Chapter 2 - Literature Review
    2.1 Literature Review
    2.2 Brief Overview of How Skype Clients Connect
    2.3 Other Research Conducted in this Area
    2.3.1 Skype Fingerprint
    2.3.2 Client-side Skype Forensics: An Overview
    2.4 Similar Applications
    2.4.1 Xfire
    2.4.2 Google Hangouts
    2.5
    2.9 Application Research
    Chapter 3 - Methodology
    3.1 Methodology
    3.1.1 Manual Investigation of Windows Device
    3.1.2 Manual Investigation of Android Devices
    3.1.3 Application Design
    3.1.4 Coding of Application
    3.1.5 Analysis of Application
    3.1.6 Application Testing
    Chapter 4 - Analysis and Design
    4.1 Preliminary Investigation
    4.1.1
    6.3 Results of

    Chapter 1 - Introduction and Specification

    1.1 Introduction

    Over recent years, the methods by which people communicate with one another have changed dramatically, from hand written letters, electronic telegraphs and telephone calls, to the digital age of emails, instant messages and Voice over IP (VoIP) communication. Voice over IP, or VoIP:

    "is a method for taking analogue audio signals, like the kind you hear when you talk on the phone, and turning them into digital data that can be transmitted over the Internet." (Roos and Valdes, 2012).

    There are currently a variety of different VoIP clients available for use, and there are a number of different types of VoIP client. There are applications that require users to connect to a server to communicate, such as Teamspeak and Ventrilo, that are primarily designed to allow for larger numbers of people to communicate with one another simultaneously. There are also applications that work in a one-to-one style of communication (in the same manner as an ordinary phone call). An example of this type of application is also one of the most commonly used today, and that is Skype.

    Owing to the tremendous advances in the area of VoIP in recent years, the technology has moved on from being primarily utilised for personal use, to being widely used by many businesses for things such as in-house telephony, meetings between multiple parties across a number of locations and for video conferences.

    Although VoIP is a very practical and, in most cases, a relatively cheap method of communicating with multiple people, there is one key factor that is a major point of interest to many: the security of the data being transmitted between VoIP clients.

    As mentioned earlier, Skype is one of the most popular VoIP applications available, boasting a user base of more than 299 million people around the world, as of June 2013 (Swider, 2013).

    conversation between a mother and her son is intercepted and viewed by an unpermitted individual, this could be seen as a breach of the privacy of these two users, but it is unlikely that much harm would be caused by this breach. On the other hand, if a conversation between the managing director and the finance controller of a company were to be intercepted, it is entirely possible that the unauthorised individual could be privy to confidential, business critical information. Once they have obtained this knowledge, what they do with it is down to them, whether they keep it to themselves, use it for blackmail, or sell it on to a competitor.

    Given the above scenario, it is clear why a large number of people have looked into intercepting and decrypting the data that is transmitted over a network by Skype. Although this is an extremely important area for security to be examined, it is not the only one. As Skype has to be installed on a computer system for it to be run, it is logical to assume that there must be some data stored locally on the computer system in question.

    1.2 Aims and Objectives

    The main aim for this project is to locate and examine the artefacts left behind on computer systems by the popular application "Skype". Once any potentially useful artefacts have been located and examined, a software tool will be developed to automatically gather the key artefacts from the computer system in use, to assist with the examination of past Skype communications.

    To achieve this aim, four key objectives will be met:

    - Research regarding how Skype works and the structure of the Skype application, both on Windows and on Android, will be carried out, alongside research on past investigations carried out in this field.

    - Forensic artefacts left behind by Skype will be located and examined manually, both on a Windows system and Android devices.

    - A software tool will then be developed, with the ability to gather the potentially useful artefacts left behind by Skype on a Windows computer system.

    - The tool will then be tested on a number of systems, to ensure that it gathers the relevant artefacts discovered during the manual investigation.

    Chapter 2 - Literature Review

    2.1 Literature Review

    Questions regarding the security of data sent and received between Skype clients are not uncommon, with a number of investigations being carried out to see what sort of data can be intercepted whilst it is being sent over a network. Although this is quite a popular area of investigation, much less research has been done into data stored locally on systems running the Skype client. Owing to the secrecy surrounding the network protocols used by Skype, and due to the encryption methods used both whilst transmitting data over a network and storing it on local systems, it is very difficult to intercept and utilise Skype data whilst it is being transmitted, or to even read some data stored locally on Skype-enabled computer systems.

    There are multiple reasons why this investigation is being conducted, the first of which is purely down to curiosity as to what sort of information Skype records, stores and uses. If we then consider the information that Skype is privy to - such as the information required to create an account, which includes our email address, forename, surname and date of birth - it can be quite concerning to think that this personal information could be stored in an insecure manner. Although this is likely to be stored on Skype's secure servers, it is also possible that some of this data may be used by the Skype local client, which may mean that the data is stored locally on the user's computer, in a directory created by Skype. Although this may not seem like an issue to the majority of people, it is likely to be much easier for an unscrupulous individual to gain access to someone's personal computer and take this information from there, rather than accessing Skype's servers, especially if the locally stored information is stored in plaintext and not encrypted or hidden in any way.

    Further to this, the Skype application for Android devices will also be examined, to discover how it handles the same data found on a Windows computer system. If the Android application does not encrypt or hide this data in any way, then this could mean that people are walking around with large amounts of personal information on their person, without them being aware that this information is accessible by any party that may gain access to their phone.

    Another reason for examining the Skype application for Android devices, is due to the security flaw that was discovered in the application back in 2011. The Skype files that contain personal user details were left with insecure read and write permissions, and were also left unencrypted. This meant that any application could access and use these files and the data within them. This data included:

    "everything from your Skype username, contacts, profile, and instant message logs to far more sensitive information, such as your account balance, full name, date of birth, address, phone numbers, e-mail address, your biography, and more. Also at risk is similar data about your contacts." (Cassavoy, 2011).

    The results of this investigation may be used for three key reasons. Firstly, the information found will be used to assist in the development of a software tool that will automatically gather any useful artefacts left behind by Skype on local systems. This could then be used to aid in the investigation of hard drives that may have been seized by authorities, from someone accused of committing some form of illegal activity.

    Secondly, if users are aware of what kinds of information are stored by an application, they may be more careful when using these applications. For example, if Skype text chat logs are stored in plaintext on the local system, people will be much more careful when discussing confidential topics, such as banking information.

    Finally, if a large number of artefacts containing personal user data are easily available, this could be shown to the Skype developers, in the hopes that it would prompt them to find another method by which the application could handle said data, whether it be by encrypting the relevant data or by hiding it in a more secure location on a Windows computer system.

    2.2 Brief Overview of How Skype Clients Connect

    This overview of how the Skype application initiates a connection is taken from the Skype IT Administrators Guide, provided to network administrators by Skype themselves. Although it provides enough information to allow network administrators to configure their network to allow for Skype network interaction, Skype are very careful not to mention any specifics about the functions of the protocols that Skype uses. Owing to both this and the encryption systems used by Skype, it is very difficult to determine the exact details of how Skype functions.

    Skype uses a number of Peer-to-Peer nodes to connect the vast number of installations across the world to one another. The three types of nodes defined in the Skype IT Administrators Guide (2010) are ordinary nodes, supernodes and relay nodes. An ordinary node purely runs the Skype client, as an everyday user would see and use it. Supernodes are ordinary nodes with a few extra functions. They are used for tasks such as searching for the locations of other nodes that users may want to connect to. Supernodes are selected at random and are not dedicated, so a system may act as a supernode one day, but may just be an ordinary node the next. Not all Skype-enabled systems can become a supernode; they must meet a list of specific requirements, such as having a public IP address. Relay Nodes are used to "relay media and signalling information between nodes that otherwise can't reach each other, normally because of firewall permissions or problems traversing NAT." It is stressed that relay nodes are not able to view the information they are relaying; they simply pass it on to the intended recipient.

    Figure 1. Diagram taken from the Skype IT Administrators Guide (Anon, 2010), to demonstrate the role of each node.

    To establish a connection between two clients, the Skype client on the originating system will communicate with the peer network to ensure there is connectivity. It will also check that the outgoing UDP port is available, and what type of address translation is utilised by the network it is running on. Once the user selects the user they wish to call, the Skype client will check a number of standby connection paths for the one with the lowest latency and optimal bandwidth for connecting to the Skype network. The originating client will then reach out to a variety of supernodes on the network to try and locate the intended recipient's network address, as well as their associated supernodes. Once the intended receiving client has been located, the originating client will then attempt to initialise a session with the recipient. If the recipient is not accessible directly (due to network settings, firewall etc) then the client will attempt to initiate a connection via the peer-to-peer network to hopefully find a connection to the recipient that can bypass the blockage.

    2.3 Other Research Conducted in this Area

    2.3.1 Skype Fingerprint

    The paper "Skype Fingerprint" (Dodge, 2008) addresses the topic of locally stored Skype data but, although the findings are detailed, this investigation was carried out before Microsoft acquired Skype in 2011. Microsoft's acquisition of Skype brought along a myriad of changes to the Skype client, including the method by which Skype stores data locally on computer systems.

    Much like this paper, Dodge's paper focuses on:

    "an analysis of the information that can be gleaned from a Skype installation and use on a client system." (Dodge, 2008).

    Utilising a number of tests, Dodge checks to see if any useful information can be learned from the Windows Registry as well as in the usual application installation locations, such as in Program Files and the Application Data folder locations. The results of Dodge's tests present a wide variety of results. Much of the data found was either encrypted or encoded, but he was able to find certain data that was not, such as some of the configuration settings for the particular Skype client in use. He was also able to find data such as a summary of most recent text-based instant messages sent, the default storage location for sent and received files, and information regarding the current user's contact list. Dodge lists the names of the files in which he found this information, many of which do not seem to be present in the current version of Skype (version 6.14.60.104). The reason for this is not yet apparent, and will be investigated further.

    All in all, Dodge's paper does a good job of detailing the discoveries he made and the processes by which he made these discoveries. Despite the fact that some of the results in this paper are relatively irrelevant in the current version of Skype (such as files that no longer exist), the locations in which a lot of his results appeared are still the same today, so these locations may still be a useful source of information.

    The only issue to be raised, is the method by which Dodge manufactures the Skype clients he examines. As he is using "fresh" installs of the Skype client and generating data by using Skype in a step-by-step manner (first log on, first message, first call etc), it is possible that something was missed out of the investigation. Although using a "fresh" install of Skype ensures that all the default settings are in place, this adds a manufactured twist to the investigation. If Dodge were to carry out this base investigation, and then follow it up with an investigation of an existing Skype account and client, the data collected would be real-world data, making the findings more relevant to a real-life investigation into a user's Skype account.

    2.3.2 Client-side Skype Forensics: An Overview

    The paper "Client-side Skype Forensics: An Overview" (Creutzburg, Kröger and Meißner, 2013) aims to highlight and explain the kinds of Skype user data that can be found on local computer systems, along with the tools that can be used to access this data. The authors carry out both a manual analysis of Skype data, and also utilise a number of widely available tools to help locate and interpret data (Creutzburg, Kröger and Meißner, 2013).

    The authors begin by briefly introducing the Skype application and give an overview of what it is, how a connection between peers is established, and the types of information that are stored by the application itself.

    The first method the authors use to analyse Skype data is to manually search through the Skype data files and to examine them themselves, using generic tools such as a hex editor. Although the information presented in this section of the paper is relatively informative, it seems to require the reader to have knowledge on the subject prior to reading. The authors talk about the different Skype files, such as main.db, with very little explanation as to what the file is used for, and with no explanation as to where it was found or how it was discovered.

    Although the information given during the manual analysis of Skype files is relatively brief, the authors provide more detail on the data found whilst utilising software tools, such as SkypeLogView and SQLiteSpy.

    Overall, this paper does give some useful information regarding the personal user data stored and utilised by Skype, but it seems to be more of a review of the software tools available, rather than an analysis of the data that can be found, whether manually or using tools. Also, the authors seem to have a differing definition of what a "tool" is. During the manual investigation part of their report, the authors make reference to opening the main.db file in a hex editor: "the main.db database file, which is readable in the (hex) editor, contains information". To the majority of people, a hex editor is a software tool, albeit one with not much in the way of features. The authors also use a SQLite reader in their tool-assisted section of the paper, which offers similar functionality to a hex editor - it is a software tool without much in the way of features, designed primarily for the analysis of a specific type of database file.

    2.4 Similar Applications

    Although there are not many applications out there that offer the same variety of functions in one package that Skype does, there are many that offer similar functionality, such as instant messaging with the option for voice calls. One such application is Xfire.

    2.4.1 Xfire

    Xfire is an instant messaging application that is primarily used by gamers, as it offers an in-game chat interface, allowing users to communicate with friends whilst simultaneously playing games, either by an instant messaging interface or via VoIP. A brief investigation will be carried out to discover how Xfire stores its data as it offers very similar functionality to that of Skype, albeit with a few missing features such as video conferencing. Also, owing to the fact that Xfire is focussed more on the instant messaging than VoIP, it will be interesting to compare the storage of any Xfire chat logs compared to Skype chat logs.

    As with the majority of instant messaging clients, Xfire provides the option to allow for chat logs to be created and stored on the local computer storage. Although users have the option to enable or disable this recording of conversations, upon installation of the Xfire client, the chat logging option is enabled by default. This can be seen by navigating to the "Chat options" menu. The moment a message has been sent to or received from a contact on the user's friend list, the chat log is generated. Users are able to view the chat logs for each of their individual contacts by selecting the "View Chat History" option within the desired contact's chat window. Users also have the option of deleting chat logs by selecting the "Delete Chat History" option in the same location as "View Chat History". Although the storage location for these chat logs is not advertised within Xfire, a simple Google search for "Xfire chat logs storage location" presents a link to a blog post on the official Xfire website that explains exactly where to find the logs: "Xfire saves your chat logs to the Application Data folder which is tied to your Windows user account. Specifically you can access the said folder by using shortcut '%appdata%\Xfire\chatlog'" (GDJone, 2009). Although this blog post was created nearly 5 years ago, navigating to this directory shows that this is still the storage location for Xfire's chat logs (Appendix 1).

    Within this folder, Xfire creates a separate folder for each user account that is used on the computer system in use. Then, within the user folder, a notepad (.txt) file is created to contain the conversations had with each individual user. If this file is then opened in notepad, or any word processor, we are able to see the entire contents of the conversations carried out between the two users, in plaintext (Appendix 2).

    2.4.2 Google Hangouts

    An application that is very similar to Skype is the relatively new "Google Hangouts", formerly known as "Google Talk". Google Hangouts offers very similar functionality to that of Skype, as it includes the options for instant messaging, video calling, video conference calling and so on. The main difference between Google Hangouts and Skype is that Hangouts is a browser-based application. This means that it can be run directly from the web browser that is currently in use, such as Google Chrome. Skype, on the other hand, uses a dedicated application that must be downloaded and installed before use.

    Although Hangouts is browser-based, to enable the use of the VoIP functions, such as a video or voice call, the user is required to install a plugin from Google, entitled "GoogleVoiceAndVideoSetup.exe". The user is prompted to install this the first time they try and initiate or connect to a VoIP call.

    The instant messaging portion of Hangouts does not require any plugins or applications to be installed; users are able to access and use this function whenever they are on Google+. Users do have the option to install an add-on into the Chrome browser that allows for Hangouts to be used from anywhere, including the desktop of the computer system, without the need for the Chrome browser to be open.

    As Hangouts does not require an installation of any application by default, it is unlikely that any instant messaging chat logs will be stored locally on the system in use. However, once the user has installed the plugin required for VoIP calls, data is stored on the local system, even if it is just the data left behind by this plugin.

    After some investigation, the files created by the plugin were found in "%AppData%\Local\Google\Google Talk Plugin". The majority of the files in this directory and its subdirectories do not seem to store any data relevant to the system they are installed upon, as the "Date Modified" is set to a time long before the plugin was installed upon the system in use. The main file that stands out is "gtbplugin.log", which had a "Date Modified" and time that match up with the last use of Google Hangouts. Opening this file in Notepad++ reveals that the file is completely plaintext. At the top of this file are a number of records of failed attempts for Hangouts to connect to the plugin. Scrolling to the end of the log file presents more interesting information. This appears to be a log of successful connections of the plugin to the Hangouts application. One line of plaintext contains information such as the username of the account being used, the domain on which the user was logged in, and the browser that the user was using at the time. There is also another line that lists all of the audio/video devices connected to the system in question. On the particular system being used for this investigation, the make and model of the connected webcam, microphone, headphones and audio input devices were all listed.

    Although there was no record of any conversation logs produced by Google Hangouts, the information that was found may still prove useful, whether this be for a lawful investigation or for unscrupulous means.
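An added example, not the tool developed in this project: a read-only inventory of the two plaintext artefact folders described in sections 2.4.1 and 2.4.2, recording the Xfire account sub-folder, size, modification time, SHA-256 and a plaintext check for each file. The mapping of both quoted paths onto AppData/Roaming and AppData/Local inside a user profile, the function names and the sample files are assumptions constructed for illustration.

```python
import codecs
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Folders quoted in the text, relative to one Windows user profile.
# Assumption: %appdata% resolves to AppData/Roaming inside the profile, and the
# Google path sits under AppData/Local as written in section 2.4.2.
ARTEFACT_DIRS = {
    "xfire_chatlog": Path("AppData/Roaming/Xfire/chatlog"),
    "google_talk_plugin": Path("AppData/Local/Google/Google Talk Plugin"),
}


def looks_plaintext(sample: bytes) -> bool:
    """Heuristic: no NUL bytes and valid UTF-8, i.e. readable in a text editor."""
    if b"\x00" in sample:
        return False
    try:
        # Incremental decoding tolerates a multi-byte character cut at the sample end.
        codecs.getincrementaldecoder("utf-8")().decode(sample, final=False)
    except UnicodeDecodeError:
        return False
    return True


def hash_and_sample(path: Path, sample_size: int = 4096):
    """Read the file once, read-only; return (SHA-256 hex digest, leading bytes)."""
    digest = hashlib.sha256()
    sample = b""
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            if not sample:
                sample = chunk[:sample_size]
            digest.update(chunk)
    return digest.hexdigest(), sample


def inventory(profile: Path) -> list:
    """List every file under the known artefact folders of one user profile."""
    records = []
    for source, rel_dir in ARTEFACT_DIRS.items():
        base = profile / rel_dir
        if not base.is_dir():
            continue  # application not present for this Windows account
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            rel = path.relative_to(base)
            mtime = path.stat().st_mtime
            sha256, sample = hash_and_sample(path)
            # Xfire: one sub-folder per Xfire account, one .txt file per contact.
            in_account_dir = source == "xfire_chatlog" and len(rel.parts) > 1
            records.append({
                "source": source,
                "file": rel.as_posix(),
                "account": rel.parts[0] if in_account_dir else None,
                "size": path.stat().st_size,
                "mtime": mtime,
                "modified_utc": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
                "sha256": sha256,
                "plaintext": looks_plaintext(sample),
            })
    return records


def latest_by_source(records: list) -> dict:
    """Most recently modified file per source, the cue used to spot gtbplugin.log."""
    latest = {}
    for rec in records:
        current = latest.get(rec["source"])
        if current is None or rec["mtime"] > current["mtime"]:
            latest[rec["source"]] = rec
    return {source: rec["file"] for source, rec in latest.items()}


def build_sample_profile(root: Path) -> Path:
    """Create a small constructed profile tree (sample data, not real evidence)."""
    profile = root / "Users" / "John"
    chat = profile / ARTEFACT_DIRS["xfire_chatlog"] / "john_xf"
    chat.mkdir(parents=True)
    (chat / "alice.txt").write_bytes(b"[constructed] john_xf: hello\n")
    plugin = profile / ARTEFACT_DIRS["google_talk_plugin"]
    plugin.mkdir(parents=True)
    (plugin / "gtbplugin.log").write_bytes(b"[constructed] plugin connected\n")
    (plugin / "component.bin").write_bytes(b"\x00\x01\x02constructed")
    # Give the binary an old timestamp, like the files that predate installation.
    os.utime(plugin / "component.bin", (1_000_000_000, 1_000_000_000))
    return profile


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Pointing `inventory()` at a profile directory inside a mounted, write-blocked image keeps the original timestamps intact, since the code only opens files for reading.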

    2.5

    each user account. Within each individual user directory, there is a "hidden folder", or a folder/directory that is not visible by default, entitled "AppData" which contains the user settings and some application data for applications used by that particular Windows user account.

    Finally, the "Windows" directory contains the vast majority of the data used by the Windows operating system itself, such as the different languages available, the fonts that can be used by the system, and programs that come with the operating system, such as the calculator.

    To gain access to the majority of the above directories, the user will need to have administrative privileges on the computer system in use or, in the case of the "Users" folders, they will need to be the owner of the folder they are trying to view. For example, the user on the account "John" would be able to access that account's User folder, with or without administrator privileges.

    Any further hard drives installed within the physical system can be used for a variety of different tasks, dependent on how the user sets them up. For the most part, the directory structure of these extra drives will be determined by the user (Anon, Unknown C).

    2.6

    device (Appendix 3). If the MicroSD card is removed from the device, the "extSdCard" folder remains in the root directory, but the contents of it are no longer there (Appendix 4).

    As all data stored and used by the Android operating system is also stored under this root directory, it would be logical to assume that all data installed, used and generated by applications on the device must be stored here somewhere.

    Although this root directory in Android contains everything stored or installed on the device in use, the large majority of users will not be able to, and will not need to, gain access to it. For a user to be able to gain access to this root directory, they need to have special privileges, or "root" access on the device.

    2.7 Android "Root" Access

    In the Android world, the term "root access" is used to refer to the access of a special user account on the system that has system administrator privileges, allowing it access to all areas of the device, with permissions to make changes to any file or directory. It also provides functionality to allow certain applications to run with more permissions than they would originally have (Hoffman, 2012).

    As mentioned previously, the majority of users will not have "root" access on their Android device. This is due to the fact that the large majority of manufacturers do not enable "root" access by default. The reasoning for this is that with the ability to edit any file on the device, there is also the possibility for a user to edit a file on which the system depends, potentially breaking their device (Hoffman, 2012).

    During the experiments carried out later in this project, a number of different Android devices will be examined in the attempt to find any Skype artefacts. One of the devices being examined, the Samsung Galaxy S3, will have "root" access and will be running software that has been slightly customised compared to the Android installation as it comes from the manufacturer. Another device to be examined, the Google Nexus 7 (2012), will not have "root" access, and runs the software that the manufacturer installed upon it. The reasoning behind this is to determine if any Skype data is available on a device with "root" permissions, and if it is, to discover whether this data is also accessible on a device that does not have this same level of elevated privileges.

    /.> Tools for eaminin# "ndroid -evices

    There are a number of tools available online to assist with the eamination of the internal filesof an "ndroid device! such as "ndroid 'ommander and "ndroid -ebu# 6rid#e &"-6(. The


    tool that will be used during this investigation is Android Debug Bridge. Android Debug Bridge is a tool created by the developers of Android and is included in the Android Development Toolkit, for use by developers when creating applications or software for Android devices. On the Android Developers website, ADB is defined as:

    "a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. It is a client-server program that includes three components:

    - A client, which runs on your development machine. You can invoke a client from a shell by issuing an adb command. Other Android tools such as the ADT plugin and DDMS also create adb clients.

    - A server, which runs as a background process on your development machine. The server manages communication between the client and the adb daemon running on an emulator or device.

    - A daemon, which runs as a background process on each emulator or device instance."

    (Android, Unknown)


    to using one of the many other programming languages available, C# was chosen for a number of reasons. The first of these reasons was due to prior knowledge. Having already used C# in coding projects, it made sense to start off utilising this knowledge, with the possibility of adapting the application to another coding language at a later date.

    Another reason for choosing C# was for its compatibility. Despite the fact that it is "designed to be a platform independent product" (Anon, Unknown D) it is primarily used with Windows, owing to the fact that it is a Microsoft product. Also, owing to the fact that this is the third iteration of the "C-Family" of programming languages, with C and C++ being the two previous languages, there is a certain feeling of refinement to C#.

    Finally, the object-oriented nature of C# (Microsoft, Unknown) made it an appealing language to use, due to the fact that this would make it easier to modify the program in the future, should there be any new artefacts added or discovered in Skype that may be useful.


    Chapter 3 - Methodology

    3.1 Methodology

    The formal method by which this investigation will be carried out will be a qualitative format, rather than quantitative. The reason for the decision upon this type of research method, is so that more time can be spent in the investigation phase, allowing for more focussed results.

    To begin the investigation, a Skype installation on a Windows system will be examined, in an attempt to find any useful artefacts. Windows has been chosen as the primary operating system for this project as it is currently the most popular operating system in use today (Anon, 2014). The first step in this examination will be to look through the most common locations in which applications are likely to store their data, such as Program Files, Program Files (x86), and the Application Data folder. If, or when, any useful artefacts are located, a copy of them will be created so as to allow for closer examination of the data, using any tools required to view them.

    After the examination of the Windows installation of Skype has been completed, an examination of an installation of Skype on two Android devices will be carried out. Android has been chosen as the secondary operating system for this investigation as it is the most used mobile operating system, especially in


    Subsequently, a software tool will be designed and developed, with the aim of it being able to replicate the useful artefacts discovered in the previous investigation, without it causing any modification to the original artefacts. This tool will be developed for use on Windows systems, again because Windows is the most popular operating system in use today (Anon, 2014).

    3.1.1 Manual Investigation of Windows Device

    To begin the manual examination of a Windows installation of Skype, the "Program Files", "Program Files (x86)" and "AppData" directories will be examined. The examination will be focussed around these directories because they are the key areas in which applications store their data on Windows systems. These directories will firstly be examined for any sign of potential Skype repositories and, following on from this, any potential Skype storage locations found will be examined more closely. Any data then found to be potentially useful will be examined and analysed in further detail. This examination will be carried out manually, with the use of tools required to read certain files, such as Notepad++ for configuration files.

    Once any data has been located and analysed, the locations in which this data is found will be compared to the locations which others have found useful in the past, such as in Skype Fingerprint (Dodge, 2008).

    3.1.2 Manual Investigation of Android Devices

    The first Android device to be examined will be the Samsung Galaxy S3. The reason for examining this device first is due to the fact that it has root permissions. With root permissions, the examination will be much more detailed, as there will be no storage areas into which access is restricted. Utilising this elevated access, the hope is to find any Skype artefacts available, and note down the location in which these are stored. Once this is done, the second Android device, the Nexus 7, will be examined to see if the results found on the Galaxy S3 can be replicated on a device with default permissions.

    The first method by which the Android devices will be examined, is by utilising a generic file explorer application from the Google Play Store. This file explorer will allow for the examination and navigation of the files stored on the device in use. Once a file explorer is chosen, a brief examination of the internal and external storage (if applicable) of each device will be carried out, to see if any Skype data is stored in any obvious locations. After this brief inspection, research will be carried out regarding the install location for applications, alongside investigation being done to confirm the information presented in the research.


    If possible, the Skype APK file (the installation package for the Skype Android application) will be copied onto another computer system and decompiled using any required tools. This should then allow for the examination of the files within the installation package in the hopes that it will identify the locations on Android in which Skype data is stored.

    3.1.3 Application Design

    Using the data collected from the manual examinations of the Windows and Android devices, a design will be formed for the creation of the proposed application. This design will consist of plans for the functionality, aesthetics and usability of the application itself, along with proposed methods of meeting each design requirement.

    3.1.4 Coding of Application

    Once the application has been designed, the coding of the application will begin. The coding process will go through a number of stages. To begin with, a very basic user interface will be created, purely for testing the application as it is developed. The functionality will then be coded in a number of stages, starting off with the variables all being hardcoded, to ensure the required function is possible. Once this has been completed and tested, the ability to add user input variables will be added and tested. Once all the required functionality has been implemented, then the user interface can be improved to make it easier for users to operate.

    3.1.5 Analysis of Application

    After the application has been completed, the code will be reviewed and analysed, so as to ensure that it is all functioning correctly, and that no obsolete code remains from any testing and experimentation that may occur during development.

    3.1.6 Application Testing

    Finally, once all coding and analyses have been completed, a number of experiments will be carried out so as to test the completed application and to ensure that the intended functionality is present, and also to ensure the functionality is present on computer systems running different variations of Windows, and comprised of different hardware components.


    examination of a Skype installation on a Windows System
    Manual examination of a Skype installation on first Android device
    Manual examination of a Skype installation on second Android Device
    Comparison of Android device results
    Comparison of results across operating systems
    Design of software tool
    Coding of software tool
    Analysis of software tool
    Testing of software tool

    Figure 2. Waterfall model representing the methodology.


    Chapter 4 - Analysis and Design

    4.1 Preliminary Investigation

    Prior to designing the application that will collect the useful Skype artefacts, a manual investigation is to be carried out, so as to identify the locations in which files were stored, and to determine which files were to be collected.

    Unlike in Dodge's paper (2008), the Skype clients used in this investigation will not be a completely new install, and will be "live" clients that have been used on a daily basis for quite some time. These accounts will be used so as to simulate the information that can be found from the Skype client of an average user.

    4.1.1


    within "Local" simply contains a subdirectory entitled "Apps". Within this directory, is another, entitled "login", along with an .md5 file, also entitled "login". The "login" directory seems to contain the data extracted from the "login" archive found previously. The .md5 file simply contains the md5 hash value (or the "fingerprint") for the original archive.

    The Skype data stored within the "Roaming" directory is by far the most interesting (full path: C:\Users\Daniel\AppData\Roaming\Skype). Within this directory there are a number of subdirectories, along with three individual files (Appendix 14). The majority of the subdirectories, along with the individual files, do not seem to hold much in the way of useful information. The one useful directory here is the one that uses a Skype username as the title, which in this investigation was "dcastle91".

    Within the Skype user directory, there are a myriad of subdirectories and individual files. The first directory of interest was the "chatsync" folder. Within this folder, there appears a varying number of folders, each with a two character long name, that seems to be a mix of letters and numbers. Although some of these directories contain no data, the ones that do contain information are extremely useful. By opening the .dat files found within these folders in Notepad++ (the name of each file is comprised of random numbers and letters), we are presented with what seems to be a large amount of encoded data (Appendix 15). Although this was what it looked like at first glance, a more detailed examination of the text shows that there is plaintext in places between the encoded data. This plaintext data seems to consist of the conversation history between any users that were part of a Skype call or instant messaging session at that particular time. For example, in one particular file being examined, the username "dcastle91" was found, along with a number of links to various different websites (Appendix 16) that had been sent by the user.

    Browsing through the remaining directories within the Skype user folder does not present any useful data as the majority of the directories were either empty, or the files that were found tended to be encoded.

    The individual files contained in this directory are where the majority of the useful information comes from. When opened in Notepad++, the "config.xml" file presented a large amount of information about the user account being examined. Although some data, such as the last used date/time, is encoded, there is also an extensive amount of plaintext data. For example, one of the first noticeable pieces of information was a plaintext list of all the usernames for the contacts in that user account's address book. Although these usernames are in plaintext, any usernames with a full stop within it has a random combination of two


    characters following the full stop. One such example of this, is that "john.smith" becomes "john.3Asmith" (name changed to protect the privacy of the user).

    The "config.xml" file also contains a list of all video input devices connected to the system, along with any audio input/output devices connected. This list not only shows that there are devices present, but also gives the make and model of each device, provided that that information is available to the system itself. The devices listed here do not always have to be physical. For example, on the system being examined, a virtual surround sound tool is installed. This tool is listed as an audio output device.

    An additional useful piece of information found within this particular file is the file transfer directory used by the user. Between the <FiletransferDir> tags, the full file transfer path is listed. In this case, the path was "C:\Users\Daniel\Desktop\". At the end of the document the default file transfer directory is listed, in this case as "C:\Users\Daniel\AppData\Roaming\Skype\My Skype Received Files\".

    The final file found that contains useful information is by far the most useful. The "main.db" file, found within the Skype user folder, is a SQLite database file and thus must be opened within a SQLite database editor to be viewed. In this investigation, the tool used was "SQLite Browser". Within this database file, an extensive amount of data is stored. Although a number of sections of the database do not hold much useful data, others hold plenty.

    The first section containing detailed information is the "Videos" table. Within this table, there is a record of each time a video stream was initiated. Not only does this file identify when a video stream was initiated, it also identifies a device ID for the device used, and if the video session was a video conversation or a screen sharing session. In the cases where it was a screen sharing session, the dimensions of the screen shared is also recorded, although this is only the case when the user being examined has broadcast their screen, rather than viewing another user's screen.

    The next useful table is that of the "CallMembers" table. Within this table, a record is kept of each of the calls the user has been a part of, along with the username and display name of the users with whom the call was initiated. Skype also keeps a record of the duration of the call, but the timeframe used is not specified. The logical assumption for the timeframe would be that of seconds, but this cannot be guaranteed. Finally, the "CallMembers" table also keeps a record of the IP address of the other participants of the recorded conversations.


    The "Conversations" table contains similar information to that already seen in previous tables, but it also has the added record of the username and display name of anyone that the current user has been in conversations with, even if they are not on one another's contact lists.

    The "VideoMessages" table is only populated if a video message is recorded and sent to someone using the built in Skype function. If a video has been sent from the account being examined, there is no record of the user to whom it was sent, just a confirmation that it was sent from the user account in question. If a video has been received, the username for the user that sent the video is displayed. Within this table, there are two sections that are most important, the first of which is "vod_path". Within this column, a URL is stored that, when copied into a web browser, displays an online version of the video sent or received. Although this is useful, testing showed that this link is only valid for around 24 hours, after which it is no longer available. The other useful column is "local_path" which, as the name suggests, provides the local path for any video messages sent from the computer being examined. In this example, the location was

    "C:\Users\Daniel\AppData\Local\Temp\vidm1?


    Finally, the "Messages" table contains a record of the majority of messages sent and received via the Skype instant messaging function, along with the users who were involved with each message. Although the messages are stored individually rather than in conversations, the majority of them are easy to read and to follow on from.

    Although there are other files and directories stored within the Skype user folder, the data stored within them is either encoded or does not provide much in the way of useful information.
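The tables described above can be inspected without altering the evidence file by opening main.db read-only. The following Python code is an added example, not part of the original project (which used SQLite Browser): it lists every table with its row count and reads the vod_path and local_path columns named in the text. The sample database, its values and every other column name in it are constructed for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path


def open_read_only(db_path):
    """Open a SQLite file so that no statement can modify it."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def table_row_counts(conn):
    """Map every table in the database to its number of rows."""
    names = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    counts = {}
    for name in names:
        # Identifiers cannot be bound as parameters, so quote them explicitly.
        quoted = '"' + name.replace('"', '""') + '"'
        counts[name] = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    return counts


def video_message_paths(conn):
    """Return (vod_path, local_path) for each row of the VideoMessages table."""
    return conn.execute(
        "SELECT vod_path, local_path FROM VideoMessages ORDER BY rowid").fetchall()


def build_sample_db(path):
    """Create a constructed stand-in for main.db. Table names come from the text;
    all columns except vod_path and local_path are hypothetical."""
    conn = sqlite3.connect(path)
    conn.executescript(r"""
        CREATE TABLE Videos (id INTEGER PRIMARY KEY, note TEXT);
        CREATE TABLE CallMembers (id INTEGER PRIMARY KEY, note TEXT);
        CREATE TABLE Conversations (id INTEGER PRIMARY KEY, note TEXT);
        CREATE TABLE VideoMessages (id INTEGER PRIMARY KEY, vod_path TEXT, local_path TEXT);
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO Conversations (note) VALUES ('constructed conversation');
        INSERT INTO Messages (note) VALUES ('constructed message 1'), ('constructed message 2');
        INSERT INTO VideoMessages (vod_path, local_path) VALUES
            ('https://video.example.invalid/constructed',
             'C:\Users\Example\AppData\Local\Temp\constructed.mp4');
    """)
    conn.commit()
    conn.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "main.db"
        build_sample_db(sample)
        conn = open_read_only(sample)
        print(table_row_counts(conn))
        print(video_message_paths(conn))
        try:
            conn.execute("DELETE FROM Messages")  # must fail on a read-only handle
        except sqlite3.OperationalError as exc:
            print("write refused:", exc)
        conn.close()
```

The read-only handle protects against accidental writes from the examiner's own queries; it is still best run against a working copy of main.db rather than the original.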

    4.1.2


    either encrypted or corrupt (Appendix 5), making the majority of the data available relatively useless as the majority of it is unreadable. Despite this, the "Search" function was utilised to try and find the term "Install", but to no avail.

    Owing to this, it seemed logical to try to locate a program that was able to reverse-engineer Android application packages properly. This is where APKTool comes in. APKTool is a community-developed tool for use in decompiling Android .apk files. In the words of the developer;

    "It [APKTool] is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications…" (Tumbleson, Unknown).

    Utilising APKTool, the com.skype.raider-1.apk file was fully decompiled. Although this seemed to produce less files than when they were extracted using 7zip, the missing files did not seem to have much relevance, as they appear to be files generated at compilation of the .apk file. Once decompiled, the AndroidManifest.xml file was once again opened in Notepad++. This time round, all of the data was in plaintext and organised correctly. Nothing more than a quick glance over the code was needed to find the declaration of the install location, featured in the second line of the code (Appendix 6). The declaration android:installLocation="auto" is the code which the Android operating system reads to determine where to place the application files. Although it states "auto", which means very little to the average person, a page on the Android developer website details each of the three possible variables for this declaration and defines what each of them means. The "auto" variable is defined as:

    "The application may be installed on the external storage, but the system will install the application on the internal storage by default. If the internal storage is full, then the system will install it on the external storage. Once installed, the user can move the application to either internal or external storage through the system settings." (Android, Unknown B).

    Although this defines that the data will be stored on either the internal or external storage of the device in use, we are still unaware as to where exactly the application data is stored. A quick search online for "Android application default data storage" returns a multitude of results, consisting primarily of forums that indicate that the default storage location is "/data/data/<Package Name>" (Iy, 2013). By navigating to this location on the rooted


    Samsung Galaxy S3, this is proven to be true (Appendix 7). By searching through the multitude of folders for the Skype package (com.skype.raider, as defined by the title of the .apk file located earlier), data stored and utilised by the Skype application can be found. At first glance, the directory structure for the Skype application files on Android looks different to that of the directory structure found during the Windows examination. This impression is given by the first set of directories presented when accessing the com.skype.raider directory. The directories displayed are "app_webview", "cache", "files", "lib" and "shared_prefs" (Appendix 8). Although the majority of these folders store encoded data, the "files" directory brings up a set of files and directories similar to that found on a Windows system running Skype (Appendix 9). Although not all the directories found on the Windows version of Skype can be found on the Android version, the one that contained the most useful artefacts was still present; the user account folder, in this case entitled "dcastle91". Within this folder, we find a very similar structure to that of the Windows version of Skype, with files such as "main.db" being used to store the same majority of the user account information.

    Once this information had been located on an Android device with full "root" permissions, an investigation was to be carried out to see whether or not this data is accessible on an Android device with the permissions set at default by the manufacturer. In this particular instance, the device in use will be an Asus Nexus 7 2013 edition. By using the same application,


    directory was shown, which displayed a list of the same files and directories seen on the Nexus 7 via


    usernames for each position, and populate them itself. The second, more feasible alternative, and the one with which the program will be designed, is to allow the user to input the two usernames. Not only would this be a more reasonable method to code, it also drastically reduces the chance of the program taking data from the wrong locations. Although the automated feature could be implemented, the risk of an error would be far too high, especially if it were to be used in the intended situations, for example as part of an investigation for a court case.

    4.2.3 Aesthetics

    The aesthetics for this application are not of major concern at this point, owing to the fact that the only tasks carried out within the application are the input of two variables, and the initiation of the duplication process. As this application is relatively quick to use, the aesthetics are not something that will be focused on in detail at the present time, as the functionality is more of a priority. The aesthetics used will be that of a default Windows Forms application.

    The idea for the general look of the application will be to have two text boxes into which the user will be required to enter the appropriate username, as requested by text placed next to the box. There will be a single labelled button on the application for the user to initiate the duplication procedure. There will also be some instructions within the application, so as to direct a first time user on how to operate the program effectively.

    An additional reason for the simplistic look and feel of the application is so it feeds into the usability.

    4.2.4 Usability

    The usability of the application is of relative importance, as the idea behind the application is to make it quicker and easier for users to gain access to the required files. By designing the application with a simple look and feel, it should make it much easier for the user to understand and use. The addition of instructions will also assist with the usability.


    Chapter 5 - Application Analysis and Experiments

    5.1 Application Analysis

    5.1.1 Application Overview

    Figure 3. A screenshot of the application front-end design.

    In general, the creation of the application was in line with the proposed design. As stated, the application has the functionality to accept user input for the Windows and Skype usernames, and uses this information along with coded data to compile the target directory for the duplicated files, along with the directory to which the files and data needs to be copied. Upon inputting the two variables, the user simply needs to click the "Click to Initiate Artefact Duplication" button for the program to combine all the relevant variables, and to copy the Skype artefacts to the target location.

    The only area where the application has differed from the plan is that it has two buttons in place of the proposed two text boxes. The decision to use buttons in the place of text boxes was made due to the fact that the code used to accept user input was triggering the opening of additional text boxes, resulting in the user having to input the required data twice. By using buttons, the user is able to click and trigger a single textbox, into which the relevant username is entered and thus assigned to the relevant variable.

    5.1.2 How the Application Works

    (To see the full code, please see appendix 17.)


    Upon running the completed application, the user is prompted to grant administrator privileges. This access level is required so as to allow the copying of the required files from the AppData directory. To enable the application to request the administrator privileges that it needs, an "app.manifest" had to be added to the application, so as to allow the configuration of the level of access requested upon initialisation of the tool. Once the manifest was added, the "requested


    "chatsync", so as to identify which files are to be copied, and the locations into which they should be duplicated.

    Once all the file paths have been compiled, the application checks to see if the destination directory "Skype Artefacts" exists in the target location. If it does not, an "if" statement is used to instruct the application to create a folder in the destination directory with the name "Skype Artefacts".

    Once this directory has been created, the "File.Copy" commands are executed, instructing the program to copy the identified files from the specified directories into the specified target directory.

    Once the two files have been copied, the "DirectoryCopy" section of code is executed. This section of code uses another "if" statement to check for the presence of a folder in the target location entitled "chatsync". Once again, if the folder does not exist, one is created. Once the destination folder has been created, the "file.Name" variable is combined with the "destDirName" variable, to create the full destination file path. Utilising the functionality of the "foreach" command, the "file.Name" variable is populated with the name of each file found within the "chatsync" folder. Another "if" statement is then used to create any subdirectories found within the "chatsync" folder. Once these subdirectories are created, the "DirectoryCopy" command is executed to copy the files from their original subdirectory within the "chatsync" directory into the correct subdirectory in the target location.

    5.2


    5.2.1 Test Bed Systems

    The two computer systems on which my application will be tested are as follows:

    Test System 1:

    The main Windows system that will be used for this experiment is comprised of the following specifications:

    Processor: AMD FX-8350


    5.2.2


    Chapter 6 - Experiment Results

    6.1 Results of

    config.xml | C:\Users\Daniel\AppData\Roaming\skype\dcastle91 | 16
    chatsync | C:\Users\Daniel\AppData\Roaming\skype\dcastle91 | 455
    5d1df04a848ef43d.dat | C:\Users\Daniel\AppData\Roaming\skype\dcastle91\chatsync\5d | 7

    Figure 4. First table of results from first experiment, carried out on Test System 1.

    Copied File

    File Name | Location | File Size (KB)
    main.db | C:\Users\Daniel\Desktop\Skype Artefacts | 1,568
    config.xml | C:\Users\Daniel\Desktop\Skype Artefacts | 16
    chatsync | C:\Users\Daniel\Desktop\Skype Artefacts | 455
    5d1df04a848ef43d.dat | C:\Users\Daniel\Desktop\Skype Artefacts\chatsync\5d | 7

    Figure 5. Second table of results from first experiment, carried out on Test System 1.


    6.1.2 Test System 2

    Original File

    File Name | Location | File Size (KB)
    main.db | C:\Users\Daniel\AppData\Roaming\skype\dcastle91 | 560
    config.xml | C:\Users\Daniel\AppData\Roaming\skype\dcastle91 | 12
    bca48ea400f0c1ff.dat | C:\Users\Daniel\AppData\Roaming\skype\dcastle91\chatsync\5d | 5
    944f4dc2a86f0f95.dat | C:\Users\Daniel\AppData\Roaming\skype\dcastle91\chatsync\5d | 14

    Figure 6. First table of results from first experiment, carried out on Test System 2.

    Copied File

    File Name | Location | File Size (KB)
    main.db | C:\Users\Daniel\Desktop\Skype Artefacts | 560
    config.xml | C:\Users\Daniel\Desktop\Skype Artefacts | 12
    bca48ea400f0c1ff.dat | C:\Users\Daniel\Desktop\Skype Artefacts\chatsync\bc | 5
    944f4dc2a86f0f95.dat | C:\Users\Daniel\Desktop\Skype Artefacts\chatsync\94 | 14

    Figure 7. Second table of results from first experiment, carried out on Test System 2.

    As detailed in the results above, each of the files were copied to the correct destination (C:\Users\Daniel\Desktop\Skype Artefacts\) and were the same size as the original files, on both test systems. Although this implies that each file was copied across correctly, this is not a guarantee. The experiment to check the MD5 hash sum will determine whether or not the files are exactly the same. Had any major problems occurred when copying across the files, it is likely that the user would be able to tell this simply by glancing at the newly copied files. Some of the most obvious signs that the copying of a file has gone awry are that the file type has changed or been deleted, the name is different to that of the original file, or the file is

    Pa#e $ 1C

  • 8/10/2019 34-193-1-PB

    42/75

    simply not there. ,or eample! if the copyin# of the ?main.db@ file had #one drastically

    wron#! it is possible that the ?.db@ file etension would be missin#! leavin# the user with a file

    without a file etension. If this were to happen! the user may be able to manually add the file

    etension back on to the file! if they know what it is supposed to be. If this still does not

    work! then the file is likely to be corrupt and unusable.

    6.2 Results of

    File Name               MD5 Hash
    …                       …c2b25565c5090c643a430a2
    config.xml              5ac06f844f369749f1579fa140aa2c44
    0cfc123ccdae7bf7.dat    3ade9f31da6ce5c1e7288cc4498cccee
    2a0a7bcb2110d4c2.dat    0473f45e041c16da393a1f5c180ed390

    Figure 8. First table of results from second experiment, carried out on Test System 1.

    Copied File

    File Name               MD5 Hash
    …                       …128c2b25565c5090c643a430a2
    config.xml              5ac06f844f369749f1579fa140aa2c44
    0cfc123ccdae7bf7.dat    3ade9f31da6ce5c1e7288cc4498cccee
    2a0a7bcb2110d4c2.dat    0473f45e041c16da393a1f5c180ed390

    Figure


    6.2.2 Test System 2

    Original File

    File Name               MD5 Hash
    …                       …943a65b5b9c459a265739985cc
    bca48ea400f0c1ff.dat    3d67be3c1b498f505c263aeae33875f0
    944f4dc2a86f0f95.dat    acbac42f623073fccb853593a98668cf

    Figure 10. First table of results from second experiment, carried out on Test System 2.

    Copied File

    File Name               MD5 Hash
    …                       …943a65b5b9c459a265739985cc
    bca48ea400f0c1ff.dat    3d67be3c1b498f505c263aeae33875f0
    944f4dc2a86f0f95.dat    acbac42f623073fccb853593a98668cf

    Figure 11. Second table of results from second experiment, carried out on Test System 2.

    As detailed in the above results, the MD5 hash value for each file that was checked is the same for both the original file and the copied file. This is precisely what the desired functionality was for this application, as it shows that no data within any of the files has changed at all. If even 1 byte of data had been changed within any of the files, the MD5 value would have been different between the original and copied files.

    As the MD5 hash values remain the same between the original and copied files, the possible usages for this application have drastically increased. As mentioned previously, if any data within original files is changed in an investigation, the data is no longer classed as admissible, especially in a court of law. Now it has been proven that the copied data is the same as the original data, this application could be used as part of official investigations involving the examination of Skype files.

    6.3 Results of

    Chapter 7 - Conclusion, Improvements and Reflection

    7.1 Conclusion

    7.1.1 Aims and Objectives

    In this section, the original aims and objectives set out at the beginning of this project will be split up individually, with an explanation of how each one was met.

    “The main aim for this project is to locate and examine the artefacts left behind on computer systems by the popular application “Skype”. Once any potentially useful artefacts have been located and examined, a software tool will be developed to automatically gather the key artefacts from the computer system in use, to assist with the examination of past Skype communications.”

    In order to identify the useful artefacts generated by Skype, a manual investigation was carried out on both Windows and Android devices. The conclusion of this was that Skype, on both operating systems, generates just a few files that contain potentially useful information, but one file in particular holds a vast amount of information that can be utilised for both lawful and unlawful means. The “main.db” file contains vast amounts of personal user data, such as full name, date of birth, telephone number, country of residence and so on. The majority of this information is willingly input by users, to add to their Skype profile. Although this information is willingly shared, the users only intend for it to be shared with the people they have approved to be on their contact list. The “main.db” file that stores this data locally on computer systems is neither encrypted nor password protected. This means that anybody with access to a computer with Skype installed, whether theirs or somebody else's, may be able to access the personal user information of all the contacts of any Skype account that has been used on that system. To access the file in question, the user either has to be able to gain access to the Windows account of the Skype user, or they must have access to an account with administrator privileges.

    This same file can be found on mobile devices running the Android operating system. Although this file can be located and accessed, this is dependent on the permissions allocated to that particular device. If the phone is used as it comes from the manufacturer, these Skype files are hidden away and inaccessible by users. On the other hand, if the device has been customised to have “root” permissions, these important Skype files are easily accessible and store the same information available on a Windows computer system.


    The developed application carries out the tasks specified, and creates a copy of the original Skype artefacts that contain potentially useful information. As verified in the experiments carried out, the duplicate files are an exact match of the original, and do not cause any modification to the data stored within the original files.

    “Research regarding how Skype works and the structure of the Skype application, both on Windows 7 and on Android will be carried out, alongside research on past investigations carried out in this field.”

    At the very beginning of this project, extensive research was carried out regarding the functionality of Skype, on both operating systems, and on previous papers written on similar topics. Combining the research carried out in all three of these areas led to an understanding regarding how Skype functions, and where each operating system stores important application data.

    “Forensic artefacts left behind by Skype will be located and examined manually, both on a Windows system and Android devices.”

    A detailed manual investigation was carried out on the Skype applications for both Windows and Android, which led to the identification of a number of files utilised by Skype. This then led to a detailed examination of all the files found, a few of which were identified to contain potentially useful information.

    “A software tool will then be developed that will gather the potentially useful artefacts left behind by Skype running on a Windows computer system.”

    Once the artefacts had been identified, a software tool was developed with the functionality of being able to create an exact duplicate of these artefacts, without modifying the original files in any way.

    “The tool will then be tested on a number of systems, to ensure that it gathers the relevant artefacts discovered during the manual investigation.”

    The software tool was finally tested on two different computer systems, one running Windows 7, and one running Windows 8.1, so as to ensure functionality on multiple systems, rather than just the system used to develop the application.

    7.1.2 Improvements and Recommendations

    If this project were to be carried out again, there are a number of recommendations that could be made, so as to improve the outcomes of the project.


    Firstly, research into real-world situations in which an examination of Skype data has been used could be carried out. This way, it gives a concrete reasoning as to why this project is important and how it could help change the outcome of these types of digital examinations. Also, the Skype application for Windows could be reverse engineered, so as to identify a number of key items, such as where Skype saves particular data, how particular data is encoded, where data is saved and so on.

    For the application itself, a number of recommendations could be made. Firstly, the inclusion of “catch” commands to prevent application errors would be highly useful. With the use of these commands, a serious application error resulting in a software crash could be avoided. It would also allow for a clearer explanation to the user as to why something went wrong. Secondly, there could be the inclusion of an option to allow the user to modify the drive that the application searches. As it is, the application is currently hard-coded to search the C: drive for Skype files, with no option for the user to change this.

    There are also a number of changes that could be made to the front end of the application, to make it more user friendly. The first of these is to use text input boxes instead of buttons so as to allow the user to enter the data directly, rather than clicking a button to prompt the input box to appear. Secondly, the use of pop-up boxes to inform the user when the duplication procedure has completed would also be of some benefit, otherwise the user is unaware that the procedure has started or completed. Thirdly, the option to allow the user to specify the target directory for the files would be beneficial.
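The recommendations above (catch blocks, a source location that is not hard-coded to the C: drive, a user-chosen target directory) and the hash comparison from the second experiment can be combined in one routine. The following is an added example, not the project's own code: the class and member names are assumptions, both folders are taken as command-line arguments, and SHA-256 is computed alongside the MD5 used in the experiments.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

// Added example, not the project's code. All names here are assumptions.
static class VerifiedCopy
{
    public sealed class Result { public string RelativePath, Md5, Sha256, Error; public bool Verified; }

    // Hash a file opened read-only. FileShare.ReadWrite lets the read succeed
    // when another process still holds the file open for writing.
    static string Hash(HashAlgorithm alg, string path)
    {
        using (alg)
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
            return BitConverter.ToString(alg.ComputeHash(fs)).Replace("-", "").ToLowerInvariant();
    }

    // Copy every file under sourceDir to targetDir and verify each copy by hash.
    public static List<Result> CopyTree(string sourceDir, string targetDir)
    {
        var results = new List<Result>();
        string root = Path.GetFullPath(sourceDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString())) root += Path.DirectorySeparatorChar;
        foreach (string src in Directory.EnumerateFiles(root, "*", SearchOption.AllDirectories))
        {
            var r = new Result { RelativePath = src.Substring(root.Length) };
            try
            {
                string dst = Path.Combine(targetDir, r.RelativePath);
                Directory.CreateDirectory(Path.GetDirectoryName(dst));
                string md5Before = Hash(MD5.Create(), src);
                string shaBefore = Hash(SHA256.Create(), src);
                File.Copy(src, dst, false);            // false: never overwrite an earlier copy
                r.Md5 = Hash(MD5.Create(), dst);
                r.Sha256 = Hash(SHA256.Create(), dst);
                // The duplicate must match the original, and the original must
                // still hash to the value it had before it was read.
                r.Verified = r.Md5 == md5Before && r.Sha256 == shaBefore
                             && Hash(SHA256.Create(), src) == shaBefore;
            }
            catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)
            {
                r.Error = ex.GetType().Name + ": " + ex.Message;   // report and carry on
            }
            results.Add(r);
        }
        return results;
    }

    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: VerifiedCopy <profile folder> <target folder>"); return 2; }
        try
        {
            int failed = 0;
            foreach (Result r in CopyTree(args[0], args[1]))
            {
                if (!r.Verified) failed++;
                Console.WriteLine("{0}  md5={1}  sha256={2}  {3}", r.RelativePath, r.Md5, r.Sha256,
                    r.Verified ? "MATCH" : "FAILED " + r.Error);
            }
            return failed == 0 ? 0 : 1;
        }
        catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)
        {
            Console.Error.WriteLine("Cannot read source folder: " + ex.Message);
            return 2;
        }
    }
}
```

A file that is locked, or that changes between the two hashes of the original (for instance because Skype is still running), is reported as FAILED for that file only and the run continues; the exit code is non-zero if any file failed.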

    The final, and arguably the most useful, recommendation, would be to configure the application for use across multiple operating systems. Adding compatibility with operating systems such as Android, iOS and Mac OS X would be extremely beneficial to people tasked with investigating Skype clients.

    7.2 Reflection

    Throughout this project, there were both positive factors that helped with the development of skills, but also negative factors that caused difficulties.

    A few of the difficulties that were encountered were related to the research that needed to be conducted in order to make this project possible. Due to the fact that this type of investigation is not one that has been carried out to any major degree in the past, it was relatively difficult to find any recently conducted, publicly available research that addressed the questions raised, and ultimately answered, throughout this paper.

    Another difficulty came in the form of finding published materials that clarified the different methods of encoding utilised by the Skype application, whether it be during the transmission of data, or the storage of data on the local system. Owing to this, a large amount of encoded data was overlooked in the investigation, as there was no feasible method of decoding it.

    A number of the difficulties within this project were encountered during the coding of the software tool. The first of these difficulties, was the lack of knowledge of the C# programming language. Although the basics of C# were known, an extensive amount of research and self-teaching needed to be carried out, so as to enable the creation of the required application.

    A selection of the other coding-related difficulties encountered within this project were mainly centred around finding the correct line of code to carry out the desired task. Specifically, the copying of the ‘chatsync’ directory. Although the “File.Copy” command worked sufficiently for the individual files that needed to be copied, it was not able to copy the entire directory needed. Due to this, additional research had to be carried out to find the “DirectoryCopy” code.

    Although the above stated difficulties were considered to be negative points at the time, they ultimately resulted in the biggest development of the skills used throughout this project. Owing to the difficulty with the coding, the knowledge of the C# programming language has been developed drastically, specifically in the areas of reading, writing and analysis of code. This project has also helped with the development of time management skills, as it has become clear how vital effective management of time is, especially when it comes to managing a project with as much potential for development as this one.


    Appendices

    Appendices (as Referenced in the Text)

    Appendix 1. Screenshot of the contents of the Xfire Chatlog folder.

    Appendix 2. Screenshot of the contents of an Xfire chat log file.

    Appendix 3. A screenshot showing the Android root directory, with the two storage drives circled.

    Appendix 4. Screenshot showing the difference in Android with a MicroSD card inserted and extracted.

    Appendix 5. AndroidManifest.xml

    Appendix 7. Android Application Data Storage

    Appendix 8. Skype Android Application Data

    Appendix 9. Windows and Android Skype File Comparison

    Appendix 10. Contents of Nexus 7 Root Directory, Using

    Appendix 12. Contents of Nexus 7 Root Directory, Displayed via ADB

    Appendix 13. Permission Denied Accessing /data via ADB

    Appendix 14. Contents of the C:\Users\Daniel\AppData\Roaming\Skype Directory

    Appendix 15.

    Appendix 17. Application code

    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Threading.Tasks;
    using System.Windows.Forms;
    using System.IO;

    namespace File_Copy_Application_1
    {
        public partial class Form1 : Form
        {
            // Global variables declared at the head of the code, ensuring availability to all
            // required classes. Values to be determined by user input
            string winUser = "";
            string skypeUser = "";

            public Form1()
            {
                InitializeComponent();
            }

            // Actions to be taken upon click of Windows Username button
            private void button2_Click(object sender, EventArgs e)
            {
                // Any further InputBox arguments are cut off in the listing
                winUser = Microsoft.VisualBasic.Interaction.InputBox("Enter Windows Username");
            }

            // Actions to be taken upon click of Skype Username button
            private void button3_Click(object sender, EventArgs e)
            {
                // Any further InputBox arguments are cut off in the listing
                skypeUser = Microsoft.VisualBasic.Interaction.InputBox("Enter Skype Username");
            }

            // The opening of this handler is missing from the listing. Its name and the
            // declarations down to destFile are reconstructed from the paths and file names
            // reported in the results chapter, not copied from the original.
            private void button1_Click(object sender, EventArgs e)
            {
                string fileName = "main.db";
                string fileName1 = "config.xml";
                string fileName2 = "chatsync";
                string sourceDirectory = @"C:\Users\" + winUser + @"\AppData\Roaming\Skype\" + skypeUser;
                string targetDirectory = @"C:\Users\" + winUser + @"\Desktop\Skype Artefacts";

                string sourceFile = Path.Combine(sourceDirectory, fileName);
                string destFile = Path.Combine(targetDirectory, fileName);
                string sourceFile1 = Path.Combine(sourceDirectory, fileName1);
                string destFile1 = Path.Combine(targetDirectory, fileName1);
                string sourceFile2 = Path.Combine(sourceDirectory, fileName2);
                string destFile2 = Path.Combine(targetDirectory, fileName2);

                // If target directory does not exist, create it
                if (!Directory.Exists(targetDirectory))
                {
                    Directory.CreateDirectory(targetDirectory);
                }

                // Copy files main.db and config.xml to target destination
                File.Copy(sourceFile, destFile, true);
                File.Copy(sourceFile1, destFile1, true);

                // Copy chatsync directory from Skype files to target destination
                {
                    DirectoryCopy(sourceFile2, destFile2, true);
                }
            }

            private static void DirectoryCopy(
                string sourceDirName, string destDirName, bool copySubDirs)
            {
                DirectoryInfo dir = new DirectoryInfo(sourceDirName);
                DirectoryInfo[] dirs = dir.GetDirectories();

                // If target directory does not exist, create it
                if (!Directory.Exists(destDirName))
                {
                    Directory.CreateDirectory(destDirName);
                }

                FileInfo[] files = dir.GetFiles();
                foreach (FileInfo file in files)
                {
                    // Combine destDirName and file.Name variables to create full filepath
                    // and assign to filePath variable
                    string filePath = Path.Combine(destDirName, file.Name);
                    // Copy files to directory assigned to filePath variable
                    file.CopyTo(filePath, false);
                }

                // Copy all subdirectories to target location
                if (copySubDirs)
                {
                    foreach (DirectoryInfo subdir in dirs)
                    {
                        string temppath = Path.Combine(destDirName, subdir.Name);
                        DirectoryCopy(subdir.FullName, temppath, copySubDirs);
                    }
                }
            }

            // Classes to allow additional functionality to be added to labels etc
            private void label1_Click(object sender, EventArgs e)
            {
            }

            private void label2_Click(object sender, EventArgs e)
            {
            }

            private void Form1_Load(object sender, EventArgs e)
            {
            }

            private void label1_Click_1(object sender, EventArgs e)
            {
            }

            private void label2_Click_1(object sender, EventArgs e)
            {
            }
        }
    }

    Additional Information