
Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases

Summary

This article describes common approaches used for the recovery of cleared Skype histories and deleted chat logs, and discusses methods and techniques for recovering evidence from cleared and damaged SQLite databases.

Introduction

It is difficult to overestimate the popularity of Skype. Hundreds of millions of people use Skype every day, generating a lot of potential evidence.

Recent versions of Skype use SQLite databases to keep all history items. Chat logs, information about voice calls made and received, and a lot of other information are available in these SQLite databases. Accessing and analyzing this evidence is essential for many investigations involving a seized PC.

At this time, there are lots of tools that can be used to view and analyze SQLite databases, ranging from freeware utilities to fully featured and highly expensive forensic suites. While viewing records in an existing, healthy SQLite database is not a big deal, performing a forensic analysis of such a database has quite different requirements.

Suspects may and do destroy evidence by clearing chat histories and/or physically deleting Skype logs. At this point, only dedicated forensic tools can still be used to recover deleted databases and extract evidence from cleared Skype logs.

In this article, we’ll look at tools, methods and techniques used by forensic specialists to handle evidence contained in cleared Skype histories and deleted SQLite databases, particularly those located on formatted or repartitioned hard drives or discovered in the computer’s volatile memory.

How Skype Stores History Logs

Before we begin analyzing Skype databases, let’s have a brief look at how Skype keeps its records.

  1. Skype maintains a main database in a file named “main.db”. In addition, Skype stores information about its activities in temporary “.dat” files. These files have alphanumerical names such as 0181a0a519e2c304.dat.
  2. Skype uses the SQLite database format and the SQLite engine to keep its records. As a result, certain SQLite-specific considerations apply to Skype databases. For example, records deleted (“cleared”) from a Skype history are not erased immediately. Instead, they are temporarily placed into a so-called “freelist”. The deleted records will not stay in the freelist forever, but if an investigator analyzes the database fairly soon after the user clears the Skype history, the chance of getting some or even most of the information back is reasonably high.

It follows that any Skype analysis tool used in the course of a forensic investigation must be able to recognize and recover records kept in the freelist.
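As an added illustration (this is not code from the article or from any of the tools it reviews), the following Python script builds a constructed sample database with a stand-in Messages table (not Skype's real main.db schema), clears it, and then walks the file's freelist pages directly to recover the cleared rows that the SQL API no longer returns:

```python
import re
import sqlite3
import struct
import tempfile

MARKER = re.compile(rb"MARKER-\d{4}")   # constructed tag placed in every sample message


def build_cleared_db(path, rows=300):
    """Constructed sample: fill a small Messages table, then clear it as a user clears a history."""
    con = sqlite3.connect(path)
    # auto_vacuum=NONE keeps freed pages in the freelist; secure_delete=OFF stops them being zeroed
    con.executescript("PRAGMA auto_vacuum=NONE; PRAGMA secure_delete=OFF;")
    con.execute("CREATE TABLE Messages(id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    con.executemany("INSERT INTO Messages(author, body) VALUES (?, ?)",
                    [("alice", "meet at noon MARKER-%04d" % i) for i in range(rows)])
    con.commit()
    con.execute("DELETE FROM Messages")   # the 'clear history' step: leaf pages move to the freelist
    con.commit()
    con.close()


def freelist_pages(data):
    """Walk the freelist: first trunk page at header offset 32, total free page count at 36."""
    raw = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if raw == 1 else raw
    trunk, free_count = struct.unpack(">II", data[32:40])
    pages = []
    while trunk:   # trunk page layout: next trunk (4 bytes), leaf count (4 bytes), leaf page numbers
        off = (trunk - 1) * page_size
        next_trunk, n_leaf = struct.unpack(">II", data[off:off + 8])
        pages.append(trunk)
        pages.extend(struct.unpack(">%dI" % n_leaf, data[off + 8:off + 8 + 4 * n_leaf]))
        trunk = next_trunk
    return page_size, free_count, pages


def carve_freelist(path):
    """Compare what the SQL API reports with what the raw freelist pages still hold."""
    live = sqlite3.connect(path).execute("SELECT count(*) FROM Messages").fetchone()[0]
    with open(path, "rb") as f:
        data = f.read()
    page_size, free_count, pages = freelist_pages(data)
    found = set()
    for p in pages:   # the trunk page is searched too: only its first 8 + 4*n bytes were overwritten
        found.update(MARKER.findall(data[(p - 1) * page_size:p * page_size]))
    return {"live_rows": live, "freelist_pages": free_count, "carved": len(found)}


def demo():
    db = tempfile.mkdtemp() + "/main.db"
    build_cleared_db(db)
    return carve_freelist(db)   # live_rows is 0, yet hundreds of cleared messages are carved
```

The same pages would be silently lost to a tool that only issues SQL queries, which is the point the article makes about freelist-aware tools.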

In this article, we’ll be using several tools to analyze a sample Skype database. Our tools of choice are (in alphabetical order):

  • Belkasoft Evidence Center 6.0.527
  • Chat Examiner 3.1.4455.18335
  • Epilog 1.2.1
  • Forensic Assistant 1.3.3
  • Internet Evidence Finder 6.2.0.0202
  • Skype Extractor by Tim Coakley
  • SkypeAlyzer by Paul Sanderson
  • SkypeLogview 1.12

Searching for Skype Histories

During the investigation, experts often use automated disk scanning facilities provided by forensic analysis tools to locate all available Skype databases. Different tools use different approaches, and may or may not be able to locate certain files.

To see how the tools from our shortlist will behave in the course of a forensic investigation, we have created a set of sample Skype databases. The first database (DB1) was a Skype database containing empty strings. The second file (DB2) was a temporary Skype file. The third file (DB3) was also a Skype temporary file, yet it was named “driver_3.stl” (that is, it did not follow the naming convention for Skype temporary files).

Then we used the tools from our list to try to locate these files and extract any available evidence. The results are provided in Table 1 below.

Table 1. Results for DB1

Tool                        Result
Belkasoft Evidence Center   DB1 recognized as a SQLite database. Discovered 61 chat messages, 1 call
Chat Examiner               DB1 is not recognized as a SQLite database
Epilog                      DB1 recognized as a SQLite database. Discovered 1 chat message, 1 call
Forensic Assistant          The tool crashed
Internet Evidence Finder    DB1 is not recognized as a SQLite database
Skype Extractor             DB1 recognized as a SQLite database. Discovered 2 chat messages, 1 call
SkypeAlyzer                 DB1 recognized as a SQLite database. Discovered 61 chat messages, 1 call
SkypeLogview                DB1 is not recognized as a SQLite database

When analyzing the results for DB2 and DB3, we decided to put them into one table as the results were similar.

Table 2. Results for DB2 and DB3

Tool                        Result
Belkasoft Evidence Center   DB2 and DB3 not recognized as valid Skype files.
Chat Examiner               DB2 and DB3 not recognized as valid Skype files.
Epilog                      DB2 and DB3 not recognized as valid Skype files.
Forensic Assistant          DB2 correctly recognized as a Skype temporary file. Discovered 2 chat messages. DB3 correctly recognized as a Skype temporary file. Discovered 4 chat messages.
Internet Evidence Finder    DB2 correctly recognized as a Skype temporary file. Discovered 2 chat messages. DB3 correctly recognized as a Skype temporary file. Discovered 4 chat messages.
Skype Extractor             DB2 and DB3 not recognized as valid Skype files.
SkypeAlyzer                 DB2 and DB3 not recognized as valid Skype files.
SkypeLogview                DB2 and DB3 not recognized as valid Skype files.

Recovering Cleared Skype Histories and Deleted SQLite Databases

In real life, evidence is often not readily available. Deleted files, formatted hard drives, reinstalled operating systems, the use of privacy protection software and cleared histories are routinely encountered during investigations. As a result, a forensic tool working with Skype must be able to carve the hard drive (or disk image) for any remaining evidence. The ability to access deleted records in Skype/SQLite databases is a must as well.

For our test, we prepared a 250 GB disk image in the DD format. The disk was mounted with FTK Imager 3.1.3. The image was taken from a live system, and contained the following information:

  • The operating system was first installed on Mar 16, 2011
  • Skype was installed on Sep 28, 2012
  • Skype was being actively used until the operating system was reinstalled on January 16, 2013
  • At the same time, the hard drive was formatted before the new OS was installed
  • A different Skype instance was installed on Mar 5, 2013
  • The system was in active use for 4 months until it was seized

Upon acquisition, the active copy of Skype “main.db” contained records going back to March 5th, 2013. It contained 29948 records, but did not contain information for 2012.

Our goal was to recover old Skype records going all the way back to the initial instance.

Method 1: Using a Combination of Data Recovery and Forensic Tools

We used the data recovery tool Recover My Files 5.2.1.1964 to recover an old partition on the hard drive being acquired. However, the tool was unable to locate and recover the Skype “main.db”. At the same time, the tool was able to recover a number of temporary files created by that old instance of Skype. To analyze these files, we used the following tools: Belkasoft Evidence Center, Forensic Assistant and Internet Evidence Finder.

As a result, Internet Evidence Finder was able to extract 21152 records; Forensic Assistant extracted 20395 records; Belkasoft Evidence Center extracted 5352 records. Importantly, all of these records belong to the period of interest, before the new operating system was installed on January 16, 2013.

Method 2: Using Forensic Toolkits

Another method of recovering missing Skype data involves carving fragments of the SQLite databases used by the Skype instance of interest. Carving is a complex and time-consuming process. For that reason, only a few forensic tools implement it. In our sample, only three products have the ability to carve SQLite databases: Belkasoft Evidence Center, Internet Evidence Finder and SkypeAlyzer. SkypeAlyzer was not tested but does have this facility.
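An added example of the signature-based carving step, not code from the article or from the products it compares: it scans a constructed raw image for the 16-byte SQLite file signature, validates the candidate header, and uses the in-header page size and page count to bound each carved database. It covers whole-database headers only; page-level carving of fragments from a formatted drive, which the tools above also do, is out of its scope.

```python
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte signature at offset 0 of every database file


def parse_header(buf):
    """Validate a candidate 100-byte SQLite header; return (page_size, page_count) or None.
    page_count (offset 28) is trusted only when the change counter (offset 24) matches
    the 'version-valid-for' counter (offset 92); otherwise 0 is returned for 'unknown'."""
    if len(buf) < 100 or buf[:16] != SQLITE_MAGIC:
        return None
    raw = struct.unpack(">H", buf[16:18])[0]
    page_size = 65536 if raw == 1 else raw
    if page_size < 512 or page_size & (page_size - 1):   # must be a power of two, 512..65536
        return None
    change_counter, page_count = struct.unpack(">II", buf[24:32])
    valid_for = struct.unpack(">I", buf[92:96])[0]
    return page_size, (page_count if change_counter == valid_for else 0)


def carve_sqlite(image):
    """Return [(offset, length)] for every plausible SQLite database header in a raw image.
    length is page_size * page_count clamped to the image end (0 when page_count is unknown)."""
    hits = []
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        hdr = parse_header(image[pos:pos + 100])
        if hdr:
            page_size, page_count = hdr
            hits.append((pos, min(page_size * page_count, len(image) - pos)))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return hits


def make_test_image():
    """Constructed image: filler, a real tiny SQLite file, more filler, then a decoy
    signature with an impossible page size that the carver must reject."""
    path = tempfile.mkdtemp() + "/main.db"
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO Messages(body) VALUES ('hello')")
    con.commit()
    con.close()
    with open(path, "rb") as f:
        db = f.read()
    decoy = SQLITE_MAGIC + b"\x00\x03" + b"\x00" * 82   # page size 3 is not valid
    image = b"\xAA" * 7000 + db + b"\x55" * 3000 + decoy + b"\x00" * 100
    return image, 7000, len(db)
```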

To give an idea of how fast (or how slow) the carving process can be, here is our test bench configuration:

  • Supermicro X8DTH-6F-O motherboard with Intel i5520 chipset supporting Intel Xeon X5500 series CPUs
  • Dual-CPU configuration with two Intel Xeon E5620 processors (2.4 GHz, 12 MB second-level cache)
  • 48 GB DDR3 RAM (Kingston KVR1333D3D8R9S/4G DDR3-10600)
  • NVIDIA Quadro2000 with 1 GB DDR5 RAM, PCI Express x16
  • Two Western Digital HDD SATA-II 2000Gb RE4 drives, 7200 RPM, configured as a RAID1 array
  • Four Seagate 2000 GB SAS Constellation ES 64Mb drives, 7200 RPM, configured as RAID0
  • Windows 7 Ultimate 64-bit SP1

By no means is this a high-end configuration for a PC used in the course of forensic investigations. In our experience, this is a typical configuration for that purpose in 2013.

We used the corresponding carving features of Internet Evidence Finder and Belkasoft Evidence Center to collect SQLite/Skype evidence. Both tools offer fully automated carving, so we timed the process from start to finish.

  • Belkasoft Evidence Center: located 245,948 records in 110 minutes (2235 records per minute)
  • Internet Evidence Finder: located 154,056 records in 190 minutes (811 records per minute)

Conclusion

We performed a series of tests using real-world scenarios to discover Skype evidence located in SQLite databases and in temporary files produced by Skype, using multiple forensic tools: Belkasoft Evidence Center, Chat Examiner, Epilog, Forensic Assistant, Internet Evidence Finder, Skype Extractor, SkypeAlyzer and SkypeLogview. We observed the following results:

  • When analyzing corrupted and cleared Skype SQLite databases, Belkasoft Evidence Center and SkypeAlyzer revealed the most evidence.
  • When analyzing temporary files produced by Skype, Belkasoft Evidence Center, Internet Evidence Finder and Forensic Assistant are the best tools.
  • When carving the disk image for SQLite records, Belkasoft Evidence Center and Internet Evidence Finder recover a similar number of records. However, Belkasoft Evidence Center demonstrates almost double the performance compared to Internet Evidence Finder.

About the Author: Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Contacting the Author: http://linkedin.com/in/igormikhaylovcf
Site: http://computer-forensics-lab.org

Discussion

11 thoughts on “Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases”

  1. Thank you very much for the information!

    Posted by wosully | November 26, 2013, 1:06 pm
  2. Belkasoft is mentioned as one of the best tools for analyzing Skype temporary files, while in the table for analyzing DB2 and DB3 (both temporary Skype files) there’s a note that it did not recognize those bases as Skype files… Could you please send me or publish here those DB1-DB3 files to test them against other tools?

    Posted by Chris | November 28, 2013, 10:19 pm
    • I sent the e-mail.

      Posted by Igor Mikhaylov | November 29, 2013, 1:36 am
    • While Belkasoft cannot detect renamed/recovered temporary files, the information from these files is perfectly found by their tool using the chatsync carver. Thus, communication is not missed. Besides, regular temporary Skype files, if not renamed, are perfectly processed by Evidence Center.

      In my article I also did not touch the questions of freelist recovery and SQLite database carving, which, as far as I know, is a unique feature of Belkasoft compared to the reviewed tools. Correct me if I’m wrong.

      Posted by Igor Mikhaylov | November 29, 2013, 2:50 pm
  3. And what about Skype Xtractor?

    http://sourceforge.net/projects/skypextractor

    Posted by Moran | December 10, 2013, 2:16 pm
  4. I see you promote Belkasoft a lot on LinkedIn and FF, and now in this “unbiased” comparison. What is your association to Belkasoft?

    Posted by Arthur | December 11, 2013, 12:59 pm
    • I am not sure what you are referring to by “promote a lot”. This is my first post mentioning this company. Please be so kind as to give me proof links for your words before making such statements.

      I am not an employee of Belkasoft, nor do I have any contracts with them. However, I have a paid license of their tool, which I like very much.

      Finally, if you don’t trust my conclusions about Skype extraction, you can check my results yourself.

      Posted by Igor Mikhaylov | December 11, 2013, 2:23 pm
  5. Igor,

    I’m very surprised at your results with Epilog as I have had a lot of success with recovering Skype data from both good and corrupt databases.

    Would it be possible for you to share the settings you were using and also the test data? I would appreciate the opportunity to re-run your tests and if improvements to the tool are required, I can make them in the next version.

    Thanks,

    Alex

    Posted by Alex C | December 16, 2013, 11:55 am
  6. Excellent way of telling, and nice paragraph to take information regarding my presentation subject matter, which I am going to deliver in college.

    Posted by cancan | February 25, 2014, 6:13 am
