8/10/2019 34-193-1-PB

1/75

University of Derby

School of Computing & Mathematics

A project completed as part of the requirements for the

BSc !ons" Computer #orensics and Security

entitled

S$ype #orensics

By

Daniel Castle

d%castle'unimail%derby%ac%u$

daniel(castle'hotmail%co%u$

in the years )** + )*,

mailto:d.castle1@unimail.derby.ac.ukmailto:daniel_castle@hotmail.co.ukmailto:d.castle1@unimail.derby.ac.ukmailto:daniel_castle@hotmail.co.uk

8/10/2019 34-193-1-PB

2/75

Abstract

This project takes a look into the world of one of the most popular VoIP applications used

today Skype. The methods by which Skype transmits data over the internet and between

clients has been frequently eamined! to discover any potential data leaks. "n area that hasnot received much attention! is that of the local data stored on computer systems by Skype.

This project takes a look into just this area! takin# time to locate and eamine the types of

information that can be found on the stora#e media of these devices. "s a result of this

preliminary eamination! a software tool will be developed to automate this process for future

investi#ations.

Pa#e $ %

8/10/2019 34-193-1-PB

3/75

8/10/2019 34-193-1-PB

4/75

.able of Contents

"bstract.......................................................................................................................................%

"cknowled#ements...................................................................................................................../

Table of 'ontents........................................................................................................................0

Table of ,i#ures...........................................................................................................................1

'hapter % Introduction and Specification................................................................................2

%.% Introduction.......................................................................................................................2

%./ "ims and bjectives..........................................................................................................2

'hapter / 3iterature 4eview....................................................................................................5

/.% 3iterature 4eview..............................................................................................................5

/./ 6rief verview of 7ow Skype 'lients 'onnect...............................................................5

/.0 ther 4esearch 'onducted in this "rea............................................................................5

/.0.% Skype ,in#erprint.......................................................................................................5

/.0./ 'lient8side Skype ,orensics "n verview..............................................................9

/.1 Similar "pplications..........................................................................................................9

/.1.% :fire............................................................................................................................9

/.1./ ;oo#le 7an#outs........................................................................................................9

/.2

/.A "pplication 4esearch.........................................................................................................>

'hapter 0 8 *ethodolo#y............................................................................................................A

0.% *ethodolo#y.....................................................................................................................A

0.%.% *anual Investi#ation of =indows -evice..................................................................A

0.%./ *anual Investi#ation of "ndroid -evices..................................................................A

0.%.0 "pplication -esi#n.....................................................................................................A

Pa#e $ 0

8/10/2019 34-193-1-PB

5/75

0.%.1 'odin# of "pplication.................................................................................................A

0.%.2 "nalysis of "pplication...............................................................................................A

0.%.5 "pplication Testin#.....................................................................................................A

'hapter 1 "nalysis and -esi#n..............................................................................................%%

1.% Preliminary Investi#ation................................................................................................%%

1.%.%

8/10/2019 34-193-1-PB

6/75

5.0 4esults of

8/10/2019 34-193-1-PB

7/75

8/10/2019 34-193-1-PB

8/75

Chapter / 0ntroduction and Specification

%.% Introduction

ver recent years! the methods by which people communicate with one another have chan#ed

dramatically. ,rom hand written letters! electronic tele#raphs and telephone calls! to the

di#ital a#e of emails! instant messa#es and Voice over IP &VoIP( communication. Voice over

IP! or VoIPE

?is a method for takin#analo#ue audio si#nals! like the kind you hear when you talk

on the phone! and turnin# them into di#ital data that can be transmitted over the

Internet.@ &4oos and Valdes! /C%/(.

There are currently a variety of different VoIP clients available for use! and there are a number

of different types of VoIP client. There are applications that require users to connect to a

server to communicate! such as Teamspeak and Ventrilo! that are primarily desi#ned to allow

for lar#er numbers of people to communicate with one another simultaneously. There are also

applications that work in a one8to8one style of communication &in the same manner as an

ordinary phone call(. "n eample of this type of application is also one of the most

commonly used today! and that is Skype.

win# to the tremendous advances in the area of VoIP in recent years! the technolo#y hasmoved on from bein# primarily utilised for personal use! to bein# widely used by many

businesses for thin#s such as in8house telephony! meetin#s between multiple parties across a

number of locations and for video conferences.

"lthou#h VoIP is a very practical and! in most cases! a relatively cheap method of

communicatin# with multiple people! there is one key factor that is a major point of interest to

manyE the security of the data bein# transmitted between VoIP clients.

"s mentioned earlier! Skype is one of the most popular VoIP applications available! boastin# a

user base of more than /AA million people around the world! as of )une /C%0 &Swider! /C%0(.

8/10/2019 34-193-1-PB

9/75

conversation between a mother and her son is intercepted and viewed by an unpermitted

individual! this could be seen as a breach of the privacy of these two users! but it is unlikely

that much harm would be caused by this breach. n the other hand! if a conversation between

the mana#in# director and the finance controller of a company were to be intercepted! it is

entirely possible that the unauthorised individual could be privy to confidential! business

critical information. nce they have obtained this knowled#e! what they do with it is down to

them! whether they keep it to themselves! use it for blackmail! or sell it on to a competitor.

;iven the above scenario! it is clear why a lar#e number of people have looked into

interceptin# and decryptin# the data that is transmitted over a network by Skype. "lthou#h

this is an etremely important area for security to be eamined! it is not the only one. "s

Skype has to be installed on a computer system for it to be run! it is lo#ical to assume that

there must be some data stored locally on the computer system in question.

%./ "ims and bjectives

The main aim for this project is to locate and eamine the artefacts left behind on computer

systems by the popular application ?Skype@. nce any potentially useful artefacts have been

located and eamined! a software tool will be developed to automatically #ather the key

artefacts from the computer system in use! to assist with the eamination of past Skype

communications.

To achieve this aim! four key objectives will be metF

8 4esearch re#ardin# how Skype works and the structure of the Skype application! both on

=indows and on "ndroid! will be carried out! alon#side research on past investi#ations

carried out in this field.

8 ,orensic artefacts left behind by Skype will be located and eamined manually! both on a

=indows system and "ndroid devices.

8 " software tool will then be developed! with the ability to #ather the potentially useful

artefacts left behind by Skype on a =indows computer system.

8 The tool will then be tested on a number of systems! to ensure that it #athers the relevant

artefacts discovered durin# the manual investi#ation.

Pa#e $ >

8/10/2019 34-193-1-PB

10/75

Chapter ) / 1iterature 2evie-

/.% 3iterature 4eview

Guestions re#ardin# the security of data sent and received between Skype clients are not

uncommon! with a number of investi#ations bein# carried out to see what sort of data can be

intercepted whilst it is bein# sent over a network. "lthou#h this is quite a popular area of

investi#ation! much less research has been done into data stored locally on systems runnin#

the Skype client. win# to the secrecy surroundin# the network protocols used by Skype! and

due to the encryption methods used both whilst transmittin# data over a network and storin# it

on local systems! it is very difficult to intercept and utilise Skype data whilst it is bein#

transmitted! or to even read some data stored locally on Skype8enabled computer systems.

There are multiple reasons why this investi#ation is bein# conducted! the first of which is

purely down to curiosity as to what sort of information Skype records! stores and uses. If we

then consider the information that Skype is privy to such as the information required to

create an account! which includes our email address! forename! surname and date of birth it

can be quite concernin# to think that this personal information could be stored in an insecure

manner. "lthou#h this is likely to be stored on SkypeHs secure servers! it is also possible that

some of this data may be used by the Skype local client! which may mean that the data is

stored locally on the userHs computer! in a directory created by Skype. "lthou#h this may not

seem like an issue to the majority of people! it is likely to be much easier for an unscrupulous

individual to #ain access to someoneHs personal computer and take this information from

there! rather than accessin# SkypeHs servers! especially if the locally stored information is

stored in plaintet and not encrypted or hidden in any way.

,urther to this! the Skype application for "ndroid devices will also be eamined! to discover

how it handles the same data found on a =indows computer system. If the "ndroid

application does not encrypt or hide this data in any way! then this could mean that people are

walkin# around with lar#e amounts of personal information on their person! without them

bein# aware that this information is accessible by any party that may #ain access to their

phone.

"nother reason for eaminin# the Skype application for "ndroid devices! is due to the

security flaw that was discovered in the application back in /C%%. The Skype files that

contain personal user details were left with insecure read and write permissions! and were also

Pa#e $ A

8/10/2019 34-193-1-PB

11/75

left unencrypted. This meant that any application could access and use these files and the data

within them. This data includedE

?everythin# from your Skype username! contacts! profile! and instant messa#e lo#s to

far more sensitive information! such as your account balance! full name! date of birth!

address! phone numbers! e8mail address! your bio#raphy! and more. "lso at risk is

similar data about your contacts.@ &'assavoy! /C%%(.

The results of this investi#ation may be used for three key reasons. ,irstly! the information

found will be used to assist in the development of a software tool that will automatically

#ather any useful artefacts left behind by Skype on local systems. This could then be used to

aid in the investi#ation of hard drives that may have been seied by authorities! from someone

accused of committin# some form of ille#al activity.

Secondly! if users are aware of what kinds of information are stored by an application! they

may be more careful when usin# these applications. ,or eample! if Skype tet chat lo#s are

stored in plaintet on the local system! people will be much more careful when discussin#

confidential topics! such as bankin# information.

,inally! if a lar#e number of artefacts containin# personal user data are easily available! this

could be shown to the Skype developers! in the hopes that it would prompt them to find

another method by which the application could handle said data! whether it be by encryptin#

the relevant data or by hidin# it in a more secure location on a =indows computer system.

/./ 6rief verview of 7ow Skype 'lients 'onnect

This overview of how the Skype application initiates a connection is taken from the Skype IT

Administrators Guide! provided to network administrators by Skype themselves. "lthou#h it

provides enou#h information to allow network administrators to confi#ure their network to

allow for Skype network interaction! Skype are very careful not to mention any specifics

about the functions of the protocols that Skype uses. win# to both this and the encryption

systems used by Skype! it is very difficult to determine the eact details of how Skype

functions.

Skype uses a number of Peer8to8Peer nodes to connect the vast number of installations across

the world to one another. The three types of nodes defined in the Skype IT Administrators

Guide &/C%C( are ordinary nodes! supernodes and relay nodes. "n ordinary node purely runs

the Skype client! as an everyday user would see and use it. Supernodes are ordinary nodes

with a few etra functions. They are used for tasks such as searchin# for the locations of

Pa#e $ %C

8/10/2019 34-193-1-PB

12/75

other nodes that users may want to connect to. Supernodes are selected at random and are not

dedicated! so a system may act as a supernode one day! but may just be an ordinary node the

net. Jot all Skype8enabled systems can become a supernode! they must meet a list of

specific requirements! such as havin# a public IP address. 4elay Jodes are used to ?relay

media and si#nallin# information between nodes that otherwise canHt reach each other!

normally because of firewall permissions or problems traversin# J"T.@ It is stressed that

relay nodes are not able to view the information they are relayin#! they simply pass it on to

the intended recipient.

Figure 1. Diagram taken from the Skype IT Administrators Guide (Anon, 201!, to

demonstrate the ro"e of ea#h node.

To establish a connection between two clients! the Skype client on the ori#inatin# system will

communicate with the peer network to ensure there is connectivity. It will also check that the

out#oin# B-P port is available! and what type of address translation is utilised by the network

it is runnin# on. nce the user selects the user they wish to call! the Skype client will check a

number of standby connection paths for the one with the lowest latency and optimal

bandwidth for connectin# to the Skype network. The ori#inatin# client will then reach out to

a variety of supernodes on the network to try and locate the intended recipientHs network

Pa#e $ %%

8/10/2019 34-193-1-PB

13/75

address! as well as their associated supernodes. nce the intended receivin# client has been

located! the ori#inatin# client will then attempt to initialise a session with the recipient. If the

recipient is not accessible directly &due to network settin#s! firewall etc( then the client will

attempt to initiate a connection via the peer8to8peer network to hopefully find a connection to

the recipient that can bypass the blocka#e.

/.0 ther 4esearch 'onducted in this "rea

/.0.% Skype ,in#erprint

The paper ?Skype ,in#erprint@ &-od#e! /CC>( addresses the topic of locally stored Skype data

but! althou#h the findin#s are detailed! this investi#ation was carried out before *icrosoft

acquired Skype in /C%%. *icrosoftHs acquisition of Skype brou#ht alon# a myriad of chan#es

to the Skype client! includin# the method by which Skype stores data locally on computer

systems.

*uch like this paper! -od#eHs paper focuses onE

?an analysis of the information that can be #leaned from a Skype installation and use

on a client system.@ &-od#e! /CC>(.

Btilisin# a number of tests! -od#e checks to see if any useful information can be learned from

the =indows 4e#istry as well as in the usual application installation locations! such as in

Pro#ram ,iles and the "pplication -ata folder locations. The results of -od#eHs tests present

a wide variety of results. *uch of the data found was either encrypted or encoded! but he was

able to find certain data that was not! such as some of the confi#uration settin#s for the

particular Skype client in use. 7e was also able to find data such as a summary of most recent

tet8based instant messa#es sent! the default stora#e location for sent and received files! and

information re#ardin# the current userHs contact list. -od#e lists the names of the files in

which he found this information! many of which do not seem to be present in the current

version of Skype &version 5.%1.5C.%C1(. The reason for this is not yet apparent! and will be

investi#ated further.

"ll in all! -od#eHs paper does a #ood job of detailin# the discoveries he made and the

processes by which he made these discoveries. -espite the fact that some of the results in this

paper are relatively irrelevant in the current version of Skype &such as files that no lon#er

eist(! the locations in which a lot of his results appeared are still the same today! so these

locations may still be a useful source of information.

Pa#e $ %/

8/10/2019 34-193-1-PB

14/75

The only issue to be raised! is the method by which -od#e manufactures the Skype clients he

eamines. "s he is usin# ?fresh@ installs of the Skype client and #eneratin# data by usin#

Skype in a step8by8step manner &first lo# on! first messa#e! first call etc(! it is possible that

somethin# was missed out of the investi#ation. "lthou#h usin# a ?fresh@ install of Skype

ensures that all the default settin#s are in place! this adds a manufactured twist to the

investi#ation. If -od#e were to carry out this base investi#ation! and then follow it up with an

investi#ation of an eistin# Skype account and client! the data collected would be real8world

data! makin# the findin#s more relevant to a real8life investi#ation into a userHs Skype

account.

/.0./ 'lient8side Skype ,orensics "n verview

The paper ?'lient8side Skype ,orensics "n verview@ &'reutbur#! +rK#er and *eiLner!

/C%0( aims to hi#hli#ht and eplain the kinds of Skype user data that can be found on local

computer systems! alon# with the tools that can be used to access this data. The authors carry

out both a manual analysis of Skype data! and also utilise a number of widely available tools

to help locate and interpret data &'reutbur#! +rK#er and *eiLner! /C%0(.

The authors be#in by briefly introducin# the Skype application and #ive an overview of what

it is! how a connection between peers is established! and the types of information that are

stored by the application itself.

The first method the authors use to analyse Skype data! is to manually search throu#h the

Skype data files and to eamine them themselves! usin# #eneric tools such as a he editor.

"lthou#h the information presented in this section of the paper is relatively informative! it

seems to require the reader to have knowled#e on the subject prior to readin#. The authors

talk about the different Skype files! such as main.db! with very little eplanation as to what

the file is used for! and with no eplanation as to where it was found or how it was

discovered.

"lthou#h the information #iven durin# the manual analysis of Skype files is relatively brief!

the authors provide more detail on the data found whilst utilisin# software tools! such as

Skype3o#View and SG3iteSpy.

verall! this paper does #ive some useful information re#ardin# the personal user data stored

and utilised by Skype! but it seems to be more of a review of the software tools available!

rather than an analysis of the data that can be found! whether manually or usin# tools. "lso!

the authors seem to have a differin# definition of what a ?tool@ is. -urin# the manual

Pa#e $ %0

8/10/2019 34-193-1-PB

15/75

investi#ation part of their report! the authors make reference to openin# the main.db file in a

he editorE $the main.d% data%ase fi"e, &hi#h is reada%"e in the (he'! editor, #ontains

information). To the majority of people! a he editor is a software tool! albeit one with not

much in the way of features. The authors also use a SG3ite reader in their tool8assisted

section of the paper which! offers similar functionality to a he editor it is a software tool

without much in the way of features! desi#ned primarily for the analysis of a specific type of

database file.

/.1 Similar "pplications

"lthou#h there are not many applications out there that offer the same variety of functions in

one packa#e that Skype does! there are many that offer similar functionality! such as instant

messa#in# with the option for voice calls. ne such application is :fire.

/.1.% :fire

:fire is an instant messa#in# application that is primarily used by #amers! as it offers an in8

#ame chat interface! allowin# users to communicate with friends whilst simultaneously

playin# #ames! either by an instant messa#in# interface or via VoIP. " brief investi#ation will

be carried out to discover how :fire stores its data as it offers very similar functionality to

that of Skype! albeit with a few missin# features such as video conferencin#. "lso! owin# to

the fact that :fire is focussed more on the instant messa#in# than VoIP! it will be interestin# to

compare the stora#e of any :fire chat lo#s compared to Skype chat lo#s.

"s with the majority of instant messa#in# clients! :fire provides the option to allow for chat

lo#s to be created and stored on the local computer stora#e. "lthou#h users have the option to

enable or disable this recordin# of conversations! upon installation of the :fire client! the chat

lo##in# option is enabled by default. This can be seen by navi#atin# to the ?'hat options@

menu. The moment a messa#e has been sent to or received from a contact on the userHs friend

list! the chat lo# is #enerated. Bsers are able view the chat lo#s for each of their individual

contacts by selectin# the ?View 'hat 7istory@ option within the desired contactHs chat

window. Bsers also have the option of deletin# chat lo#s by selectin# the ?-elete 'hat

7istory@ option in the same location as ?View 'hat 7istory@. "lthou#h the stora#e location

for these chat lo#s is not advertised within :fire! a simple ;oo#le search for ?:fire chat lo#s

stora#e location@ presents a link to a blo# post on the official :fire website that eplains

eactly where to find the lo#sF ?:fire saves your chat lo#s to the "pplication -ata folder

which is tied to your =indows user account. Specifically you can access the said folder by

usin# shortcut ?*appdata*+fire+#hat"og@ &;-)one! /CCA(. "lthou#h this blo# post was

Pa#e $ %1

8/10/2019 34-193-1-PB

16/75

created nearly 2 years a#o! navi#atin# to this directory shows that this is still the stora#e

location for :fireHs chat lo#s &"ppendi %(.

=ithin this folder! :fire creates a separate folder for each user account that is used on the

computer system in use. Then! within the user folder! a notepad &.tt( file is created to contain

the conversations had with each individual user. If this file is then opened in notepad! or any

word processor! we are able to see the entire contents of the conversations carried out between

the two users! in plaintet &"ppendi /(.

/.1./ ;oo#le 7an#outs

"n application that is very similar to Skype is the relatively new ?;oo#le 7an#outs@!

formerly known as ?;oo#le Talk@. ;oo#le 7an#outs offers very similar functionality to that

of Skype! as it includes the options for instant messa#in#! video callin#! video conference

callin# and so on. The main difference between ;oo#le 7an#outs and Skype! is that

7an#outs is a browser8based application. This means that it can be run directly from the web

browser that is currently in use! such as ;oo#le 'hrome. Skype on the other hand! uses a

dedicated application that must be downloaded and installed before use.

"lthou#h 7an#outs is browser8based! to enable the use of the VoIP functions! such as a video

or voice call! the user is required to install a plu#in from ;oo#le! entitled

?;oo#leVoice"ndVideoSetup.ee@. The user is prompted to install this the first time they tryand initiate or connect to a VoIP call.

The instant messa#in# portion of 7an#outs does not require any plu#ins or applications to be

installed! users are able to access and use this function whenever they are on ;oo#leM. Bsers

do have the option to install an add8on into the 'hrome browser that allows for 7an#outs to

be used from anywhere! includin# the desktop of the computer system! without the need for

the 'hrome browser to be open.

"s 7an#outs does not require an installation of any application by default! it is unlikely that

any instant messa#in# chat lo#s will be stored locally on the system in use. 7owever! once

the user has installed the plu#in required for VoIP calls! data is stored on the local system!

even if it is just the data left behind by this plu#in.

"fter some investi#ation! the files created by the plu#in were found in $*AppData

*+-o#a"+Goog"e+Goog"e Ta"k "ugin). The majority of the files in this directory and itHs

subdirectories do not seem to store any data relevant to the system they are installed upon! as

the ?-ate *odified@ is set to a time lon# before the plu#in was installed upon the system in

Pa#e $ %2

8/10/2019 34-193-1-PB

17/75

use. The main file that stands out is ?#tbplu#in.lo#@ which had a ?-ate *odified@ and time

that match up with the last use of ;oo#le 7an#outs. penin# this file in JotepadMM reveals

that the file is completely plaintet. "t the top of this file are number of records of failed

attempts for 7an#outs to connect to the plu#in. Scrollin# to the end of the lo# file presents

more interestin# information. This appears to be a lo# of successful connections of the plu#in

to the 7an#outs application. ne line of plaintet contains information such as the username

of the account bein# used! the domain on which the user was lo##ed in! and the browser that

the user was usin# at the time. There is also another line that lists all of the audioDvideo

devices connected to the system in question. n the particular system bein# used for this

investi#ation! the make and model of the connection webcam! microphone! headphones and

audio input devices were all listed.

"lthou#h there was no record of any conversation lo#s produced by ;oo#le 7an#outs! the

information that was found may still prove useful! whether this be for a lawful investi#ation

or for unscrupulous means.

/.2

8/10/2019 34-193-1-PB

18/75

each user account. =ithin each individual user directory! there is a ?hidden folder@! or a

folderDdirectory that is not visible by default! entitled ?"pp-ata@ which contains the user

settin#s and some application data for applications used by that particular =indows user

account.

,inally! the ?=indows@ directory contains the vast majority of the data used by the =indows

operatin# system itself! such as the different lan#ua#es available! the fonts that can be used by

the system! and pro#rams that come with the operatin# system! such as the calculator.

To #ain access to the majority of the above directories! the user will need to have

administrative privile#es on the computer system in use or! in the case of the ?Bsers@ folders!

they will need to be the owner of the folder they are tryin# to view. ,or eample! the user on

the account ?)ohn@ would be able to access that accountHs Bser folder! with or without

administrator privle#es.

"ny further hard drives installed within the physical system can be used for a variety of

different tasks! dependant on how the user sets them up. ,or the most part! the directory

structure of these etra drives will be determined by the user &"non! Bnknown '(.

/.5

8/10/2019 34-193-1-PB

19/75

device &"ppendi 0(. If the *icroS- card is removed from the device! the ?e'tSd/ard@

folder remains in the root directory! but the contents of it are no lon#er there &"ppendi 1(.

"s all data stored and used by the "ndroid operatin# system is also stored under this root

directory! it would be lo#ical to assume that all data installed! used and #enerated by

applications on the device must be stored here somewhere.

"lthou#h this root directory in "ndroid contains everythin# stored or installed on the device

in use! the lar#e majority of users will not be able to! and will not need to! #ain access to it.

,or a user to be able to #ain access to this root directory! they need to have special privile#es!

or ?root@ access on the device.

/.9 "ndroid ?4oot@ "ccess

In the "ndroid world! the term ?root access@ is used to refer to the access of a special user

account on the system that has system administrator privile#es! allowin# it access to all areas

of the device! with permissions to make chan#es to any file or directory. It also provides

functionality to allow certain applications to run with more permissions than they would

ori#inally have &7offman! /C%/(.

"s mentioned previously! the majority of users will not have ?root@ access on their "ndroid

device. This is due to the fact that the lar#e majority of manufacturers do not enable ?root@

access by default. The reasonin# for this is that with the ability to edit any file on the device!

there is also the possibility for a user to edit a file on which the system depends! potentially

breakin# their device &7offman! /C%/(.

-urin# the eperiments carried out later in this project! a number of different "ndroid devices

will be eamined in the attempt to find any Skype artefacts. ne of the devices bein#

eamined! the Samsun# ;alay S0! will have ?root@ access and will be runnin# software that

has been sli#htly customised compared to the "ndroid installation as it comes from the

manufacturer. "nother device to be eamined! the ;oo#le Jeus 9 &/C%/(! will nothave

?root@ access! and runs the software that the manufacturer installed upon it. The reasonin#

behind this is to determine if any Skype data is available on a device with ?root@ permissions!

and if it is! to discover whether this data is also accessible on a device that does not have this

same level of elevated privile#es.

/.> Tools for eaminin# "ndroid -evices

There are a number of tools available online to assist with the eamination of the internal filesof an "ndroid device! such as "ndroid 'ommander and "ndroid -ebu# 6rid#e &"-6(. The

Pa#e $ %>

8/10/2019 34-193-1-PB

20/75

tool that will be used durin# this investi#ation is "ndroid -ebu# 6rid#e. "ndroid -ebu#

6rid#e is a tool created by the developers of "ndroid and is included in the "ndroid

-evelopment Toolkit! for use by developers when creatin# applications or software for

"ndroid devices. n the "ndroid -evelopers website! "-6 is defined asF

?a versatile command line tool that lets you communicate with an emulator instance or

connected "ndroid8powered device. It is a client8server pro#ram that includes three

componentsF

- " client! which runs on your development machine. Nou can invoke a client from a

shell by issuin# an adb command. ther "ndroid tools such as the "-T plu#in and

--*S also create adb clients.

- " server! which runs as a back#round process on your development machine. Theserver mana#es communication between the client and the adb daemon runnin# on an

emulator or device.

- " daemon! which runs as a back#round process on each emulator or device instance.@

&"ndroid! Bnknown(

8/10/2019 34-193-1-PB

21/75

to usin# one of the many other pro#rammin# lan#ua#es available! 'O was chosen for a

number of reasons. The first of these reasons was due to prior knowled#e. 7avin# already

used 'O in codin# projects! it made sense to start off utilisin# this knowled#e! with the

possibility of adaptin# the application to another codin# lan#ua#e at a later date.

"nother reason for choosin# 'O was for its compatibility. -espite the fact that it is ?desi#ned

to be a platform independent product@ &"non! Bnknown -( it is primarily used with

=indows! owin# to the fact that it is a *icrosoft product. "lso! owin# to the fact that this is

the third iteration of the ?'8,amily@ of pro#rammin# lan#ua#es! with ' and 'MM bein# the

two previous lan#ua#es! there is a certain feelin# of refinement to 'O.

,inally! the object8oriented nature of 'O &*icrosoft! Bnknown(made it an appealin# lan#ua#e

to use! due to the fact that this would make it easier to modify the pro#ram in the future!

should there be any new artefacts added or discovered in Skype that may be useful.

Pa#e $ /C

8/10/2019 34-193-1-PB

22/75

Chapter 3 + Methodology

0.% *ethodolo#y

The formal method by which this investi#ation will be carried out will be a qualitative format!

rather than quantitative. The reason for the decision upon this type of research method! is so

that more time can be spent in the investi#ation phase! allowin# for more focussed results.

To be#in the investi#ation! a Skype installation on a =indows system will be eamined! in an

attempt to find any useful artefacts. =indows has been chosen as the primary operatin#

system for this project as it is currently the most popular operatin# system in use today &"non!

/C%1(. The first step in this eamination will be to look throu#h the most common locations

in which applications are likely to store their data! such as Pro#ram ,iles! Pro#ram ,iles

&>5(! and the "pplication -ata folder. If! or when! any useful artefacts are located! a copy of

them will be created so as to allow for closer eamination of the data! usin# any tools required

to view them.

"fter the eamination of the =indows installation of Skype has been completed! an

eamination of an installation of Skype on two "ndroid devices will be carried out. "ndroid

has been chosen as the secondary operatin# system for this investi#ation as it is the most used

mobile operatin# system! especially in

8/10/2019 34-193-1-PB

23/75

Subsequently! a software tool will be desi#ned and developed! with the aim of it bein# able to

replicate the useful artefacts discovered in the previous investi#ation! without it causin# any

modification to the ori#inal artefacts. This tool will be developed for use on =indows

systems! a#ain because =indows is the most popular operatin# system in use today &"non!

/C%1(.

0.%.% *anual Investi#ation of =indows -evice

To be#in the manual eamination of a =indows installation of Skype! the ?rogram Fi"es@!

?rogram Fi"es ('3!@ and ?AppData@ directories will be eamined. The eamination will be

focussed around these directories because they are the key areas in which applications store

their data on =indows systems. These directories will firstly be eamined for any si#n

potential Skype repositories and! followin# on from this! any potential Skype stora#e

locations found will be eamined more closely. "ny data then found to be potentially useful

will be eamined and analysed in further detail. This eamination will be carried out

manually! with the use of tools required to read certain files! such as JotepadMM for

confi#uration files.

nce any data has been located and analysed! the locations in which this data is found will be

compared to the locations which others have found useful in the past! such as in Skype

Fingerprint&-od#e! /CC>(.

0.%./ *anual Investi#ation of "ndroid -evices

The first "ndroid device to be eamined will be the Samsun# ;alay S0. The reason for

eaminin# this device first is due to the fact that it has root permissions. =ith root

permissions! the eamination will be much more detailed! as there will be no stora#e areas

into which access is restricted. Btilisin# this elevated access! the hope is to find any Skype

artefacts available! and note down the location in which these are stored. nce this is done!

the second "ndroid device! the Jeus 9! will be eamined to see if the results found on the

;alay S0 can be replicated on a device with default permissions.

The first method by which the "ndroid devices will be eamined! is by utilisin# a #eneric file

eplorer application from the ;oo#le Play Store. This file eplorer will allow for the

eamination and navi#ation of the files stored on the device in use. nce a file eplorer is

chosen! a brief eamination of the internal and eternal stora#e &if applicable( of each device

will be carried out! to see if any Skype data is stored in any obvious locations. "fter this brief

inspection! research will be carried out re#ardin# the install location for applications!alon#side investi#ation bein# done to confirm the information presented in the research.

Pa#e $ //

8/10/2019 34-193-1-PB

24/75

If possible! the Skype "P+ file &the installation packa#e for the Skype "ndroid application(

will be copied onto another computer system and decompiled usin# any required tools. This

should then allow for the eamination of the files within the installation packa#e in the hopes

that it will identify the locations on "ndroid in which Skype data is stored.

0.%.0 "pplication -esi#n

Bsin# the data collected from the manual eaminations of the =indows and "ndroid devices!

a desi#n will be formed for the creation of the proposed application. This desi#n will consist

of plans for the functionality! aesthetics and usability of the application itself! alon# with

proposed methods of meetin# each desi#n requirement.

0.%.1 'odin# of "pplication

nce the application has been desi#ned! the codin# of the application will be#in. The codin#

process will #o throu#h a number of sta#es. To be#in with! a very basic user interface will be

created! purely for testin# the application as it is developed. The functionality will then be

coded in a number of sta#es! startin# off with the variables all bein# hardcoded! to ensure the

required function is possible. nce this has been completed and tested! the ability to add user

input variables will be added and tested. nce all the required functionality has been

implemented! then the user interface can be improved to make it easier for users to operate.

0.%.2 "nalysis of "pplication"fter the application has been completed! the code will be reviewed and analysed! so as to

ensure that it is all functionin# correctly! and that no obsolete code remains from any testin#

and eperimentation that may occur durin# development.

0.%.5 "pplication Testin#

,inally! once all codin# and analyses have been completed! a number of eperiments will be

carried out so as to test the completed application and to ensure that the intended functionality

is present! and also to ensure the functionality is present on computer systems runnin#

different variations of =indows! and comprised of different hardware components.

Pa#e $ /0

8/10/2019 34-193-1-PB

25/75

examination of a Skype installation on a Windows System

Manual examination of a Skype installation on rst Android device

Manual examination of a Skype installation on second Android Device

Comparison of Android device results

Comparison of results across operating systems

Design of software tool

Coding of software tool

Analysis of software tool

Testing of software tool

Figure 2. 4aterfa"" mode" representing the methodo"ogy.

Pa#e $ /1

8/10/2019 34-193-1-PB

26/75

Chapter , / Analysis and Design

1.% Preliminary Investi#ation

Prior to desi#nin# the application that will collect the useful Skype artefacts! a manual

investi#ation is to be carried out! so as to identify the locations in which files were stored! and

to determine which files were to be collected.

Bnlike in -od#eHs paper &/CC>(! the Skype clients used in this investi#ation will notbe a

completely new install! and will be ?live@ clients that have been used on a daily basis for quite

some time. These accounts will be used so as to simulate the information that can be found

from the Skype client of an avera#e user.

1.%.%

8/10/2019 34-193-1-PB

27/75

within ?-o#a"@ simply contains a subdirectory entitled ?Apps@. =ithin this directory! is

another! entitled ?"ogin@! alon# with an .md2 file! also entitled ?"ogin@. The ?"ogin@ directory

seems to contain the data etracted from the ?"ogin@ archive found previously. The .md2 file

simply contains the md2 hash value &or the ?fin#erprint@( for the ori#inal archive.

The Skype data stored within the ?8oaming@ directory is by far the most interestin# &full pathF

/+7sers+Danie"+AppData+8oaming+Skype(. =ithin this directory there are a number of

subdirectories! alon# with three individual files &"ppendi %1(. The majority of the

subdirectories! alon# with the individual files! do not seem to hold much in the way of useful

information. The one useful directory here is the one that uses a Skype username as the title!

which in this investi#ation was ?dcastleA%@.

=ithin the Skype user directory! there are a myriad of subdirectories and individual files. The

first directory of interest was the ?#hatsyn#@ folder. =ithin this folder! there appears a

varyin# number of folders! each with a two character lon# name! that seems to be a mi of

letters and numbers. "lthou#h some of these directories contain no data! the ones that do

contain information are etremely useful. 6y openin# the .dat files found within these folders

in JotepadMM &the name of each file is comprised of random numbers and letters(! we are

presented with what seems to be lar#e amount of encoded data &"ppendi %2(. "lthou#h this

was what it looked like at first #lance! a more detailed eamination of the tet shows that

there is plaintet in places between the encoded data. This plaintet data seems to consist of

the conversation history between any users that were part of a Skype call or instant messa#in#

session at that particular time. ,or eample! in one particular file bein# eamined! the

username ?dcastleA%@ was found! alon# with a number of links to various different websites

&"ppendi %5( that had been sent by the user.

6rowsin# throu#h the remainin# directories within the Skype user folder does not present any

useful data as the majority of the directories were either empty! or the files that were found

tended to be encoded.

The individual files contained in this directory are where the majority of the useful

information comes from. =hen opened in JotepadMM! the ?#onfig.'m"@ file presented a lar#e

amount of information about the user account bein# eamined. "lthou#h some data! such as

the last used dateDtime! is encoded! there is also an etensive amount of plaintet data. ,or

eample! one of the first noticeable pieces of information was a plaintet list of all the

usernames for the contacts in that user accountHs address book. "lthou#h these usernames arein plaintet! any usernames with a full stop within it has a random combination of two

Pa#e $ /5

8/10/2019 34-193-1-PB

28/75

characters followin# the full stop. ne such eample of this! is that ?john.smith@ becomes

?john.0"smith@ &name chan#ed to protect the privacy of the user(.

The ?#onfig.'m"@ file also contains a list of all video input devices connected to the system!

alon# with any audio inputDoutput devices connected. This list not only shows that there are

devices present! but also #ives the make and model of each device! provided that that

information is available to the system itself. The devices listed here do not always have to be

physical. ,or eample! on the system bein# eamined! a virtual surround sound tool is

installed. This tool is listed as an audio output device.

"n additional useful piece of information found within this particular file is the file transfer

directory used by the user. 6etween the Q,iletransfer-irR ta#s! the full file transfer path is

listed. In this case! the path was ?/+7sers+Danie"+Desktop+@. "t the end of the document the

default file transfer directory is listed! in this case as

?/+7sers+Danie"+AppData+8oaming+Skype+9y Skype 8e#ei:ed Fi"es+@.

The final file found that contains useful information is by far the most useful. The ?main.d%@

file! found within the Skype user folder! is a SG3ite database file and thus must be opened

within a SG3ite database editor to be viewed. In this investi#ation! the tool used was ?SG3ite

6rowser@. =ithin this database file! an etensive amount of data is stored. "lthou#h a

number of sections of the database do not hold much useful data! others hold plenty.

The first section containin# detailed information is the ?;ideos@ table. =ithin this table! there

is a record of each time a video stream was initiated. Jot only does this file identify when a

video stream was initiated! it also identifies a device I- for the device used! and if the video

session was a video conversation or a screen sharin# session. In the cases where it was a

screen sharin# session! the dimensions of the screen shared is also recorded! althou#h this is

only the case when the user bein# eamined has broadcast their screen! rather than viewin#

another userHs screen.

The net useful table is that of the ?/a""9em%ers@ table. =ithin this table! a record is kept of

each of the calls the user has been a part of! alon# with the username and display name of the

users with whom the call was initiated. Skype also keeps a record of the duration of the call!

but the timeframe used is not specified. The lo#ical assumption for the timeframe would be

that of seconds! but this cannot be #uaranteed. ,inally! the ?/a""9em%ers@ table also keeps a

record of the IP address of the other participants of the recorded conversations.

Pa#e $ /9

8/10/2019 34-193-1-PB

29/75

The $/on:ersations)table contains similar information to that already seen in previous

tables! but it also has the added record of the username and display name of anyone that the

current user has been in conversations with! even if they are not on one anotherHs contact lists.

The ?;ideo9essages@ table is only populated if a video messa#e is recorded and sent to

someone usin# the built in Skype function. If a video has been sent from the account bein#

eamined! there is no record of the user to whom it was sent! just a confirmation that it was

sent from the user account in question. If a video has been received! the username for the user

that sent the video is displayed. =ithin this table! there are two sections that are most

important! the first of which is ?:od6path@. =ithin this column! a B43 is stored that! when

copied into a web browser! displays an online version of the video sent or received. "lthou#h

this is useful! testin# showed that this link is only valid for around /1 hours! after which it is

no lon#er available. The other useful column is ?"o#a"6path@ which! as the name su##ests!

provides the local path for any video messa#es sent from the computer bein# eamined. In

this eample! the location was

?/+7sers+Danie"+AppData+-o#a"+Temp+:idm1?

8/10/2019 34-193-1-PB

30/75

,inally! the ?9essages@ table contains a record of the majority of messa#es sent and received

via the Skype instant messa#in# function! alon# with the users who were involved with each

messa#e. "lthou#h the messa#es are stored individually rather than in conversations! the

majority of them are easy to read and to follow on from.

"lthou#h there are other files and directories stored within the Skype user folder! the data

stored within them is either encoded or does not provide much in the way of useful

information.

1.%./

8/10/2019 34-193-1-PB

31/75

either encrypted or corrupt &"ppendi 2(! makin# the majority of the data available relatively

useless as the majority of it is unreadable. -espite this! the ?Search@ function was utilised to

try and find the term ?Install@! but to no avail.

win# to this! it seemed lo#ical to try to locate a pro#ram that was able to reverse8en#ineer

"ndroid application packa#es properly. This is where "P+Tool comes in. "P+Tool is a

community8developed tool for use in decompilin# "ndroid .apk files. In the words of the

developerE

?It "P+Tool is a tool for reverse en#ineerin# 0rd party! closed! binary "ndroid apps.

It can decode resources to nearly ori#inal form and rebuild them after makin# some

modificationsU@ &Tumbleson! Bnknown(.

Btilisin# "P+Tool! the #om.skype.raider51.apkfile was fully decompiled. "lthou#h this

seemed to produce less files than when they were etracted usin# 9ip! the missin# files did

not seem to have much relevance! as they appear to be files #enerated at compilation of the

.apk file. nce decompiled! the "ndroid*anifest.ml file was once a#ain opened in

JotepadMM. This time round! all of the data was in plaintet and or#anised correctly. Jothin#

more than a quick #lance over the code was needed to find the declaration of the install

location! featured in the second line of the code &"ppendi 5(. The declaration

$androidinsta""-o#ation)auto)is the code which the "ndroid operatin# system reads todetermine where to place the application files. "lthou#h it states ?auto@! which means very

little to the avera#e person! a pa#e on the "ndroid developer website details each of the three

possible variables for this declaration and defines what each of them means. The ?auto@

variable is defined asF

?The application may be installed on the eternal stora#e! but the system will install

the application on the internal stora#e by default. If the internal stora#e is full! then the

system will install it on the eternal stora#e. nce installed! the user can move the

application to either internal or eternal stora#e throu#h the system settin#s.@

&"ndroid! Bnknown 6(.

"lthou#h this defines that the data will be stored on either the internal or eternal stora#e of

the device in use! we are still unaware as to where eactly the application data is stored. "

quick search online for ?"ndroid application default data stora#e@ returns a multitude of

results! consistin# primarily of forums that indicate that the default stora#e location is

$@data@data@Ba#kage Came)&Iy! /C%0(. 6y navi#atin# to this location on the rooted

Pa#e $ 0C

8/10/2019 34-193-1-PB

32/75

Samsun# ;alay S0! this is proven to be true &"ppendi 9(. 6y searchin# throu#h the

multitude of folders for the Skype packa#e om.skype.raider ! as defined by the title of the

.apk file located earlier(! data stored and utilised by the Skype application can be found. "t

first #lance! the directory structure for the Skype application files on "ndroid looks different

to that of the directory structure found durin# the =indows eamination. This impression is

#iven by the first set of directories presented when accessin# the #om.skype.raider directory.

The directories displayed are ?app6&e%:ie&)! $#a#he)! ?fi"es)! $"i%) and ?shared6prefs)

&"ppendi >(. "lthou#h the majority of these folders store encoded data! the ?fi"es@ directory

brin#s up a set of files and directories similar to that found on a =indows system runnin#

Skype &"ppendi A(. "lthou#h not all the directories found on the =indows version of Skype

can be found on the "ndroid version! the one that contained the most useful artefacts was still

presentE the user account folder! in this case entitled ?dcastleA%@. =ithin this folder! we find avery similar structure to that of the =indows version of Skype! with files such as ?main.db@

bein# used to store the same majority of the user account information.

nce this information had been located on an "ndroid device with full ?root@ permissions! an

investi#ation was to be carried out to see whether or not this data is accessible on an "ndroid

device with the permissions set at default by the manufacturer. In this particular instance! the

device in use will be an "sus Jeus 9 /C%0 edition. 6y usin# the same application!

8/10/2019 34-193-1-PB

33/75

directory was shown! which displayed a list of the same files and directories seen on the

Jeus 9 via

8/10/2019 34-193-1-PB

34/75

usernames for each position! and populate them itself. The second! more feasible alternative!

and the one with which the pro#ram will be desi#ned! is to allow the user to input the two

usernames. Jot only would this be a more reasonable method to code! it also drastically

reduces the chance of the pro#ram takin# data from the wron# locations. "lthou#h the

automated feature could be implemented! the risk of an error would be far too hi#h! especially

if it were to be used in the intended situations! for eample as part of an investi#ation for a

court case.

1./.0 "esthetics

The aesthetics for this application are not of major concern at this point! owin# to the fact that

the only tasks carried out within the application are the input of two variables! and the

initiation of the duplication process. "s this application is relatively quick to use! the

aesthetics are not somethin# that will be focused on in detail at the present time! as the

functionality is more of a priority. The aesthetics used will be that of a default =indows

,orms application.

The idea for the #eneral look of the application will be to have two tet boes into which the

user will be required to enter the appropriate username! as requested by tet placed net to the

bo. There will be a sin#le labelled button on the application for the user to initiate the

duplication procedure. There will also be some instructions within the application! so as to

direct a first time user on how to operate the pro#ram effectively.

"n additional reason for the simplistic look and feel of the application is so it feeds into the

usability.

1./.1 Bsability

The usability of the application is of relative importance! as the idea behind the application is

to make it quicker and easier for users to #ain access to the required files. 6y desi#nin# the

application with a simple look and feel! it should make it much easier for the user to

understand and use. The addition of instructions will also assist with the usability.

Pa#e $ 00

8/10/2019 34-193-1-PB

35/75

Chapter 4 / Application Analysis and 56periments

2.% "pplication "nalysis

2.%.% "pplication verview

Figure . A s#reenshot of the app"i#ation front5end design.

In #eneral! the creation of the application was in line with the proposed desi#n. "s stated! the

application has the functionality to accept user input for the =indows and Skype usernames!

and uses this information alon# with coded data to compile the tar#et directory for the

duplicated files! alon# with the directory to which the files and data needs to be copied. Bpon

inputtin# the two variables! the user simply needs to click the ?'lick to Initiate "rtefact

-uplication@ button for the pro#ram to combine all the relevant variables! and to copy the

Skype artefacts to the tar#et location.

The only area where the application has differed from the plan is that it has two buttons in

place of the proposed two tet boes. The decision to use buttons in the place of tet boes

was made due to the fact that the code used to accept user input was tri##erin# the openin# of

additional tet boes! resultin# in the user havin# to input the required data twice. 6y usin#

buttons! the user is able to click and tri##er a sin#le tetbo! into which the relevant username

is entered and thus assi#ned to the relevant variable.

2.%./ 7ow the "pplication =orks

&To see the full code! please see appendi %9.(

Pa#e $ 01

8/10/2019 34-193-1-PB

36/75

Bpon runnin# the completed application! the user is prompted to #rant administrator

privile#es. This access level is required so as to allow the copyin# of the required files from

theAppDatadirectory. To enable the application to request the administrator privile#es that it

needs! an ?app.manifest@ had to be added to the application! so as to allow the confi#uration

of the level of access requested upon initialisation of the tool. nce the manifest was added!

the ?requested

8/10/2019 34-193-1-PB

37/75

?chatsync@! so as to identify which files are to be copied! and the locations into which they

should be duplicated.

nce all the file paths have been compiled! the application checks to see if the destination

directory ?Skype Artefa#ts@ eists in the tar#et location. If it does not! an ?if@ statement is

used to instruct the application to create a folder in the destination directory with the name

?Skype Artefa#ts@.

nce this directory has been created! the ?,ile.'opy@ commands are eecuted! instructin# the

pro#ram to copy the identified files from the specified directories into the specified tar#et

directory.

nce the two files have been copied! the ?-irectory'opy@ section of code is eecuted. This

section of code uses another ?if@ statement to check for the presence of a folder in the tar#et

location entitled ?#hatsyn#@. nce a#ain! if the folder does not eist! one is created. nce the

destination folder has been created! the ?file.Jame@ variable is combined with the

?dest-irJame@ variable! to create the full destination file path. Btilisin# the functionality of

the ?foreach@ command! the ?file.Jame@ variable is populated with the name of each file

found within the ?#hatsyn#@ folder. "nother ?if@ statement is then used to create any

subdirectories found within the ?#hatsyn#@ folder. nce these subdirectories are created! the

?-irectory'opy@ command is eecuted to copy the files from their ori#inal subdirectorywithin the ?#hatsyn#@ directory into the correct subdirectory in the tar#et location.

2./

8/10/2019 34-193-1-PB

38/75

2./.% Test 6ed Systems

The two computer systems on which my application will be tested are as followsF

Test System %F

The main =indows system that will be used for this eperiment is comprised of the followin#

specificationsF

ProcesserF "*- ,:8>02C

8/10/2019 34-193-1-PB

39/75

2././

8/10/2019 34-193-1-PB

40/75

Chapter 7 / 56periment 2esults

5.% 4esults of

confi#.ml 'FBsers-aniel"pp-ata4oam

in#skypedcastleA%

%5

chatsync 'FBsers-aniel"pp-ata4oam

in#skypedcastleA%

122

2d%dfC1a>1>ef10d.

dat

'FBsers-aniel"pp-ata4oam

in#skypedcastleA%chatsync2d

9

Figure =. First ta%"e of resu"ts from first e'periment, #arried out on Test System 1.

Copied #ile

#ile 9ame 1ocation #ile Si:e ;B"

main.db 'FBsers-aniel-esktopSkype

"rtefacts

%!25>

confi#.ml 'FBsers-aniel-esktopSkype

"rtefacts

%5

chatsync 'FBsers-aniel-esktopSkype

"rtefacts

122

2d%dfC1a>1>ef10d.

dat

'FBsers-aniel-esktopSkype

"rtefactschatsync2d

9

Figure >. Se#ond ta%"e of resu"ts from first e'periment, #arried out on Test System 1.

Pa#e $ 0A

8/10/2019 34-193-1-PB

41/75

5.%./ Test System /

8riginal #ile

#ile 9ame 1ocation #ile Si:e ;B"

main.db 'FBsers-aniel"pp-ata

4oamin#skypedcastleA%

25C

confi#.ml 'FBsers-aniel"pp-ata

4oamin#skypedcastleA%

%/

bca1>ea1CCfCc%ff.dat 'FBsers-aniel"pp-ata

4oamin#skypedcastleA%

chatsync2d

2

A11f1dc/a>5fCfA2.dat 'FBsers-aniel"pp-ata

4oamin#skypedcastleA%

chatsync2d

%1

Figure 3. First ta%"e of resu"ts from first e'periment, #arried out on Test System 2.

Copied #ile

#ile 9ame 1ocation #ile Si:e ;B"

main.db 'FBsers-aniel-esktop

Skype "rtefacts

25C

confi#.ml 'FBsers-aniel-esktop

Skype "rtefacts

%/

bca1>ea1CCfCc%ff.dat 'FBsers-aniel-esktop

Skype

"rtefactschatsyncbc

2

A11f1dc/a>5fCfA2.dat 'FBsers-aniel-esktop

Skype

"rtefactschatsyncA1

%1

Figure ?. Se#ond ta%"e of resu"ts from first e'periment, #arried out on Test System 2.

"s detailed in the results above! each of the files were copied to the correct destination

&/+7sers+Danie"+Desktop+Skype Artefa#ts+( and were the same sie as the ori#inal files! on

both test systems. "lthou#h this implies that each file was copied across correctly! this is not a

#uarantee. The eperiment to check the *-2 hash sum will determine whether or not the

files are eactly the same. 7ad any major problems occurred when copyin# across the files! it

is likely that the user would be able to tell this simply by #lancin# at the newly copied files.

Some of the most obvious si#ns that the copyin# of a file has #one awry are that the file type

has chan#ed or been deleted! the name is different to that of the ori#inal file! or the file is

Pa#e $ 1C

8/10/2019 34-193-1-PB

42/75

simply not there. ,or eample! if the copyin# of the ?main.db@ file had #one drastically

wron#! it is possible that the ?.db@ file etension would be missin#! leavin# the user with a file

without a file etension. If this were to happen! the user may be able to manually add the file

etension back on to the file! if they know what it is supposed to be. If this still does not

work! then the file is likely to be corrupt and unusable.

5./ 4esults of c/b/2252c2CACc510a10Ca/

confi#.ml 2acC5f>11f05A91Af%29Afa%1Caa/c11

Ccfc%/0ccdae9bf9.dat 0adeAf0%da5ce2c%e9/>>cc11A>cccee

/aCa9bcb/%%Cd1c/.dat C190f12eC1%c%5da0A0a%f2c%>Ced0ACFigure . First ta%"e of resu"ts from se#ond e'periment, #arried out on Test System 1.

Copied #ile

#ile 9ame MD4 !ash %/>c/b/2252c2CACc510a10Ca/

confi#.ml 2acC5f>11f05A91Af%29Afa%1Caa/c11

Ccfc%/0ccdae9bf9.dat 0adeAf0%da5ce2c%e9/>>cc11A>cccee

/aCa9bcb/%%Cd1c/.dat C190f12eC1%c%5da0A0a%f2c%>Ced0AC

Figure

8/10/2019 34-193-1-PB

43/75

5././ Test System /

8riginal #ile

#ile 9ame MD4 !ash A10a52b2bAc12Aa/5290AA>2cc

bca1>ea1CCfCc%ff.dat 0d59be0c%b1A>f2C2c/50aeae00>92fCA11f1dc/a>5fCfA2.dat acbac1/f5/0C90fccb>202A0aA>55>cf

Figure 10. First ta%"e of resu"ts from se#ond e'periment, #arried out on Test System 2.

Copied #ile

#ile 9ame MD4 !ash A10a52b2bAc12Aa/5290AA>2cc

bca1>ea1CCfCc%ff.dat 0d59be0c%b1A>f2C2c/50aeae00>92fC

A11f1dc/a>5fCfA2.dat acbac1/f5/0C90fccb>202A0aA>55>cfFigure 11. Se#ond ta%"e of resu"ts from se#ond e'periment, #arried out on Test System 2.

"s detailed in the above results! the *-2 hash values for each file that was checked is the

same for both the ori#inal file and the copied file. This is precisely what the desired

functionality was for this application! as it shows that no data within any of the files has

chan#ed at all. If even % byte of data had been chan#ed within any of the files! the *-2 value

would have been different between the ori#inal and copied files.

"s the *-2 hash values remain the same between the ori#inal and copied files! the possible

usa#es for this application have drastically increased. "s mentioned previously! if any data

within ori#inal files is chan#ed in an investi#ation! the data is no lon#er classed as admissible!

especially in a court of law. Jow it has been proven that the copied data is the same as the

ori#inal data! this application could be used as part of official investi#ations involvin# the

eamination of Skype files.

5.0 4esults of

8/10/2019 34-193-1-PB

44/75

Chapter = / Conclusion> 0mprovements and 2eflection

9.% 'onclusion

9.%.% "ims and bjectives

In this section! the ori#inal aims and objectives set out at the be#innin# of this project will be

split up individually! with an eplanation of how each one was met.

?The main aim for this project is to locate and eamine the artefacts left behind on

computer systems by the popular application ?Skype@. nce any potentially useful

artefacts have been located and eamined! a software tool will be developed to

automatically #ather the key artefacts from the computer system in use! to assist with

the eamination of past Skype communications.@

In order to identify the useful artefacts #enerated by Skype! a manual investi#ation was

carried out on both =indows and "ndroid devices. The conclusion of this was that Skype! on

both operatin# systems! #enerates just a few files that contain potentially useful information!

but one file in particular holds a vast amount of information that can be utilised for both

lawful and unlawful means. The ?main.d%@ folder contains vast amounts of personal user

data! such as full name! date of birth! telephone number! country of residence and so on. The

majority of this information is willin#ly input by users! to add to their Skype profile.

"lthou#h this information is willin#ly shared! the users only intend for it to be shared with the

people they have approved to be on their contact list. The ?main.d%@ file that stores this data

locally on computer systems is neither encrypted or password protected. This means that

anybody with access to a computer with Skype installed! whether theirs or somebody elseHs!

may be able to access the personal user information of all the contacts of any Skype account

that has been used on that system. To access the file in question! the user either has to be able

to #ain access to the =indows account of the Skype user! or they must have access to an

account with administrator privile#es.

This same file can be found on mobile devices runnin# the "ndroid operatin# system.

"lthou#h this file can be located and accessed! this is dependent on the permissions allocated

to that particular device. If the phone is used as it comes from the manufacturer! these Skype

files are hidden away and inaccessible by users. n the other hand! if the device has been

customised to have ?root@ permissions! these important Skype files are easily accessible and

store the same information available on a =indows computer system.

Pa#e $ 10

8/10/2019 34-193-1-PB

45/75

The developed application carries out the tasks specified! and creates a copy of the ori#inal

Skype artefacts that contain potentially useful information. "s verified in the eperiments

carried out! the duplicate files are an eact match of the ori#inal! and do not cause any

modification to the data stored within the ori#inal files.

?4esearch re#ardin# how Skype works and the structure of the Skype application! both

on =indows 9 and on "ndroid will be carried out! alon#side research on past

investi#ations carried out in this field.@

"t the very be#innin# of this project! etensive research was carried out re#ardin# the

functionality of Skype! on both operatin# systems! and on previous papers written on similar

topics. 'ombinin# the research carried out in all three of these areas led to an understandin#

re#ardin# how Skype functions! and where each operatin# system stores important application

data.

?,orensic artefacts left behind by Skype will be located and eamined manually! both

on a =indows system and "ndroid devices.@

" detailed manual investi#ation was carried out on the Skype applications for both =indows

and "ndroid! which lead to the identification of a number of files utilised by Skype. This then

lead to a detailed eamination of all the files found! a few of which were identified to contain

potentially useful information.

?" software tool will then be developed that will #ather the potentially useful artefacts

left behind by Skype runnin# on a =indows computer system.@

nce the artefacts had been identified! a software tool was developed with the functionality of

bein# able to create an eact duplicate of these artefacts! without modifyin# the ori#inal files

in any way.

?The tool will then be tested on a number of systems! to ensure that it #athers the

relevant artefacts discovered durin# the manual investi#ation.@

The software tool was finally tested on two different computer systems! one runnin# =indows

9! and one runnin# =indows >.%! so as to ensure functionality on multiple systems! rather than

just the system used to develop the application.

9.%./ Improvements and 4ecommendations

If this project were to be carried out a#ain! there are a number of recommendations that could

be made! so as to improve the outcomes of the project.

Pa#e $ 11

8/10/2019 34-193-1-PB

46/75

,irstly! research into real8world situations in which an eamination of Skype data has been

used could be carried out. This way! it #ives a concrete reasonin# as to why this project is

important and how it could help chan#e the outcome of these types of di#ital eaminations.

"lso! the Skype application for =indows could be reverse en#ineered! so as to identify a

number of key items! such as where Skype saves particular data! how particular data is

encoded! where data is saved and so on.

,or the application itself! a number of recommendations could be made. ,irstly! the inclusion

of ?catch@ commands to prevent application errors would be hi#hly useful. =ith the use of

these commands! a serious application error resultin# in a software crash could be avoided. It

would also allow for a clearer eplanation to the user as to why somethin# went wron#.

Secondly! there could be the inclusion of an option to allow the user to modify the drive that

the application searches. "s it is! the application is currently hard8coded to search the 'F

drive for Skype files! with no option for the user to chan#e this.

There are also a number of chan#es that could be made to the front end of the application! to

make it more user friendly. The first of these is to use tet input boes instead of buttons so

as to allow the user to enter the data directly! rather than clickin# a button to prompt the input

bo to appear. Secondly! the use of pop8up boes to inform the user when the duplication

procedure has completed would also be of some benefit! otherwise the user is unaware that

the procedure has started or completed. Thirdly! the option to allow the user to specify the

tar#et directory for the files would be beneficial.

The final! and ar#uably the most useful! recommendation! would be to confi#ure the

application for use across multiple operatin# systems. "ddin# compatibility with operatin#

systems such as "ndroid! iS and *ac S : would be etremely beneficial to people tasked

with investi#atin# Skype clients.

9./ 4eflection

Throu#hout this project! there were both positive factors that helped with the development of

skills! but also ne#ative factors that caused difficulties.

" few of the difficulties that were encountered were related to the research that needed to be

conducted in order to make this project possible. -ue to the fact that this type of investi#ation

is not one that has been carried out to any major de#ree in the past! it was relatively difficult

to find any recently conducted! publicly available research that addressed the questions raised!

and ultimately answered! throu#hout this paper.

Pa#e $ 12

8/10/2019 34-193-1-PB

47/75

"nother difficulty came in the form of findin# published materials that clarified the different

methods of encodin# utilised by the Skype application! whether it be durin# the transmission

of data! or the stora#e of data on the local system. win# to this! a lar#e amount of encoded

data was overlooked in the investi#ation! as there was no feasible method of decodin# it.

" number of the difficulties within this project were encountered durin# the codin# of the

software tool. The first of these difficulties! was the lack of knowled#e of the 'O

pro#rammin# lan#ua#e. "lthou#h the basics of 'O were known! an etensive amount of

research and self8teachin# needed to be carried out! so as to enable the creation of the required

application.

" selection of the other codin#8related difficulties encountered within this project were

mainly centred around findin# the correct line of code to carry out the desired task.

Specifically! the copyin# of the $#hatsyn#)directory. "lthou#h the ?,ile.'opy@ command

worked sufficiently for the individual files that needed to be copied! it was not able to copy

the entire directory needed. -ue to this! additional research had to be carried out to find the

?-irectory'opy@ code.

"lthou#h the above stated difficulties were considered to be ne#ative points at the time! they

ultimately resulted in the bi##est development of the skills used throu#hout this project.

win# to the difficulty with the codin#! the knowled#e of the 'O pro#rammin# lan#ua#e hasbeen developed drastically! specifically in the areas of readin#! writin# and analysis of code.

This project has also helped with the development of time mana#ement skills! as it has

become clear how vital effective mana#ement of time is! especially when it comes to

mana#in# a project with as much potential for development as this one.

Pa#e $ 15

8/10/2019 34-193-1-PB

48/75

2eferences?Citations

"nderson! 6. &/C%0(. "ndroid Jews for 'osta 4ica! 7nderstanding the Android Fi"e

Hierar#hy. nline. "vailable atF httpFDDwww.all8thin#s8android.comDcontentDunderstandin#8

android8file8hierarchy&"ccessedF 5 ,ebruary /C%1(.

"ndroid. &Bnknown "(. "ndroid -evelopers!Android De%ug ridge. nline. "vailable atF

httpFDDdeveloper.android.comDtoolsDhelpDadb.html&"ccessedF %2 )anuary /C%1(.

"ndroid. &Bnknown 6(. "ndroid -evelopers! Bmanifest.nline. "vailable atF

httpFDDdeveloper.android.comD#uideDtopicsDmanifestDmanifest8element.html&"ccessedF 0

*arch /C%1(.

"non. &/C%C(. Skype IT "dministrators ;uide! Skype for 4indo&s :ersion =.2. nline."vailable atF httpFDDdownload.skype.comDshareDbusinessD#uidesDskype8it8administrators8

#uide.pdf&"ccessedF %2 Jovember /C%0(.

"non! &/C%1(. Jet*arketShare!Desktop Eperating System 9arket Share. nline. "vailable

atF httpFDDwww.netmarketshare.comDoperatin#8system8market8share.aspW

qpridX%CYqpcustomdXC&"ccessedF % "pril /C%1(.

"non. &Bnknown '(. Bniversity of =est ;eor#ia! 7nderstand Dire#tor Stru#ture (4indo&s!.

nline. "vailable atF httpFDDwww.west#a.eduDitsDindeZ20/9.php&"ccessedF /C -ecember

/C%0(.

"non. &Bnknown -(. 'pro#rammin#! 4hatJs the point of /KLnline. "vailable atF

httpFDDwww.cpro#rammin#.comDtutorialDcsharp.html&"ccessedF %C ,ebruary /C%1(.

'assavoy! 3. &/C%%(. Tech7ive! Skype for Android Se#urity F"a& 4hat ou Ceed To no&.

nline. "vailable atF

httpFDDwww.techhive.comDarticleD//20>/DSkypeZforZ"ndroidZSecurityZ,lawZ=haZZNouZJe

edZtoZ+now.html&"ccessedF A ,ebruary /C%1(.

'reutbur#! 4. +rK#er! +. *eiLner! T. &/C%0(. /"ient5side Skype Forensi#s M An E:er:ie&.

nline. "vailable atF httpsFDDwww.research#ate.netDpublicationD/2>00/>C>Z'lient8

sideZSkypeZforensicsZanZoverview&"ccessedF 9 )anuary /C%1(.

-od#e! 4 '. &/CC>(. Skype Fingerprint! % &%( pp. %85 I

8/10/2019 34-193-1-PB

49/75

reloadXtrueYtpXYarnumberX110A%>1YqueryTet[0-skypeMforensic&"ccessedF 0

Jovember /C%0(.

;-)one &"lias(. &/CCA(. ;-)oneHs =orkshop! /hat -ogging. nline. "vailable atF

httpFDDwww.fire.comDblo#Dtheblo#D9C9111&"ccessedF 0C Jovember /C%0(.

7offman! '. &/C%/(. 7ow8To ;eek!Ho& to 8oot our Android De:i#e N 4hy ou 9ight

4ant To. nline. "vailable atFhttpFDDwww.howto#eek.comD%%2/A9Dhow8to8root8your8

android8why8you8mi#ht8want8toD&"ccessed 5 ,ebruary /C%1(.

Iy &"lias(. &/C%0(. Stack

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&tp=&arnumber=4439184&queryText%3Dskype+forensichttp://www.xfire.com/blog/theblog/707444http://www.howtogeek.com/115297/how-to-root-your-android-why-you-might-want-to/http://www.howtogeek.com/115297/how-to-root-your-android-why-you-might-want-to/http://www.howtogeek.com/115297/how-to-root-your-android-why-you-might-want-to/http://android.stackexchange.com/questions/47924/where-android-apps-store-datahttp://android.stackexchange.com/questions/47924/where-android-apps-store-datahttp://www.techweekeurope.co.uk/news/android-kantar-world-panel-comtech-137288http://www.techweekeurope.co.uk/news/android-kantar-world-panel-comtech-137288http://msdn.microsoft.com/en-us/library/aa664274(v=vs.71).aspxhttp://computer.howstuffworks.com/ip-telephony.htmhttp://searchsecurity.techtarget.com/definition/MD5http://blogs.skype.com/2013/04/03/thanks-for-making-skype-a-part-of-your-daily-lives-2-billion-minutes-a-day/http://blogs.skype.com/2013/04/03/thanks-for-making-skype-a-part-of-your-daily-lives-2-billion-minutes-a-day/http://www.techradar.com/news/software/operating-systems/xbox-live-upgrade-includes-300-000-servers-600-times-more-than-its-debut-1161749http://www.techradar.com/news/software/operating-systems/xbox-live-upgrade-includes-300-000-servers-600-times-more-than-its-debut-1161749https://code.google.com/p/android-apktool/http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&tp=&arnumber=4439184&queryText%3Dskype+forensichttp://www.xfire.com/blog/theblog/707444http://www.howtogeek.com/115297/how-to-root-your-android-why-you-might-want-to/http://www.howtogeek.com/115297/how-to-root-your-android-why-you-might-want-to/http://android.stackexchange.com/questions/47924/where-android-apps-store-datahttp://android.stackexchange.com/questions/47924/where-android-apps-store-datahttp://www.techweekeurope.co.uk/news/android-kantar-world-panel-comtech-137288http://www.techweekeurope.co.uk/news/android-kantar-world-panel-comtech-137288http://msdn.microsoft.com/en-us/library/aa664274(v=vs.71).aspxhttp://computer.howstuffworks.com/ip-telephony.htmhttp://searchsecurity.techtarget.com/definition/MD5http://blogs.skype.com/2013/04/03/thanks-for-making-skype-a-part-of-your-daily-lives-2-billion-minutes-a-day/http://blogs.skype.com/2013/04/03/thanks-for-making-skype-a-part-of-your-daily-lives-2-billion-minutes-a-day/http://www.techradar.com/news/software/operating-systems/xbox-live-upgrade-includes-300-000-servers-600-times-more-than-its-debut-1161749http://www.techradar.com/news/software/operating-systems/xbox-live-upgrade-includes-300-000-servers-600-times-more-than-its-debut-1161749https://code.google.com/p/android-apktool/

8/10/2019 34-193-1-PB

50/75

Pa#e $ 1A

8/10/2019 34-193-1-PB

51/75

Appendices

"ppendices &as 4eferenced in the Tet(

"ppendi %. Screenshot of the contents of the :fire 'hatlo# folder.

"ppendi /. Screenshot of the contents of an :fire chat lo# file.

"ppendi 0. " screenshot showin# the "ndroid root directory! with the two stora#e drives

circled.

Pa#e $ 2C

8/10/2019 34-193-1-PB

52/75

"ppendi 1. Screenshot showin# the difference in "ndroid with a *icroS- card inserted and

etracted.

"ppendi 2. "ndroid*anifest.ml

8/10/2019 34-193-1-PB

53/75

"ppendi 9. "ndroid "pplication -ata Stora#e

"ppendi >. Skype "ndroid "pplication -ata

"ppendi A. =indows and "ndroid Skype ,ile 'omparison

Pa#e $ 2/

8/10/2019 34-193-1-PB

54/75

"ppendi %C. 'ontents of Jeus 9 4oot -irectory! Bsin#

8/10/2019 34-193-1-PB

55/75

"ppendi %/. 'ontents of Jeus 9 4oot -irectory! -isplayed via "-6

"ppendi %0. Permission -enied "ccessin# Ddata via "-6

"ppendi %1. 'ontents of the /+7sers+Danie"+AppData+8oaming+Skype -irectory

Pa#e $ 21

8/10/2019 34-193-1-PB

56/75

"ppendi %2.

8/10/2019 34-193-1-PB

57/75

"ppendi %9. "pplication code

usingSystem

usingSystem!Collections!"eneric

usingSystem!ComponentModel

usingSystem!Data

usingSystem!Drawing

usingSystem!#in$

usingSystem!Text

usingSystem!T%reading!Tasks

usingSystem!Windows!&orms

usingSystem!'(

namespace&ile)Copy)Application)*

+

pu,licpartialclass&orm* &orm

+

stringwin.ser / 00 11 "lo,al varia,les declared at t%e %ead of t%e code2 ensuring avail-

a,ility to all re$uired classes! 3alues to ,e determined ,y user input

stringskype.ser / 00

pu,lic&orm*45

+

'nitiali6eComponent45

7

privatevoid,utton8)Click4o,9ectsender2 :ventArgse5 11 Actions to ,e taken upon click

of Windows .sername ,utton

+

win.ser / Microsoft!3isual;asic!'nteraction!'nput;ox40:nter Windows .sername

8/10/2019 34-193-1-PB

58/75

7

privatevoid,utton=)Click4o,9ectsender2 :ventArgse5 11 Actions to ,e taken upon click

of Skype .sername ,utton

+

skype.ser / Microsoft!3isual;asic!'nteraction!'nput;ox40:nter Skype .sername

8/10/2019 34-193-1-PB

59/75

stringsource&ile* / Bat%!Com,ine4sourceDirectory2 le>ame*5

stringdest&ile* / Bat%!Com,ine4targetDirectory2 le>ame*5

stringsource&ile8 / Bat%!Com,ine4sourceDirectory2 le>ame85

stringdest&ile8 / Bat%!Com,ine4targetDirectory2 le>ame85

11 'f target directory does not exist2 create it

if4Directory!:xists4targetDirectory55

+

Directory!CreateDirectory4targetDirectory5

7

11 Copy les main!d, and cong!xml to target destination

&ile!Copy4source&ile2 dest&ile2 true5

&ile!Copy4source&ile*2 dest&ile*2 true5

11 Copy c%atsync directory from Skype les to target destination

+

DirectoryCopy4source&ile82 dest&ile82 true5

7

7

privatestaticvoidDirectoryCopy4

stringsourceDir>ame2 stringdestDir>ame2 ,oolcopySu,Dirs5

+

Directory'nfodir / newDirectory'nfo4sourceDir>ame5

Directory'nfoE dirs / dir!"etDirectories45

11 'f target directory does not exist2 create it

if4Directory!:xists4destDir>ame55

+

Pa#e $ 2>

8/10/2019 34-193-1-PB

60/75

Directory!CreateDirectory4destDir>ame5

7

&ile'nfoE les / dir!"et&iles45

foreac%4&ile'nfole inles5

+

stringleBat% / Bat%!Com,ine 4destDir>ame2 le!>ame5 11 Com,ine destDir>ame

and le!>ame varia,les to create full lepat% and assign to leBat% varia,le

le!CopyTo4leBat%2 false5 11 Copy les to directory assigned to leBat% varia,le

7

11 Copy all su,directories to target location

if4copySu,Dirs5

+

foreac%4Directory'nfosu,dir indirs5

+

stringtemppat% / Bat%!Com,ine 4destDir>ame2 su,dir!>ame5

DirectoryCopy 4su,dir!&ull>ame2 temppat%2 copySu,Dirs5

7

7

7

11 Classes to allow additional functionality to ,e added to la,els etc

privatevoidla,el*)Click4o,9ectsender2 :ventArgse5

+

7

privatevoidla,el8)Click4o,9ectsender2 :ventArgse5

+

Pa#e $ 2A

8/10/2019 34-193-1-PB

61/75

7

privatevoid&orm*)#oad4o,9ectsender2 :ventArgse5

+

7

privatevoidla,el*)Click)*4o,9ectsender2 :ventArgse5

+

7

privatevoidla,el8)Click)*4o,9ectsender2 :ventArgse5

+

7

7

7

Pa#e $ 5C

8/10/2019 34-193-1-PB

62/75

"dditional Information