Carve Out main.db: Skype eDiscovery

Introduction

As a part of the digital world eDiscovery has become a part of our day to day life. Unlike some more specific regulations regarding e-Discovery rules will affect each and every company in the industry. Failure to comply invites fines, or liability to business organization. This section will describe on what things Skype eDiscovery works.

How to define eDiscovery?

The simple and well formulated single line definition for describing eDiscovery is as follows

eDiscovery should satisfy 3 types of conditions, i.e. it should be prepared, preserved and produce at any time or need. ESI (Electronic Stored Information) includes all information that can be converted digitally includes emails, Skype chats, facebook and all other electronic communication means. Let explore the Skype eDiscovery in detailed.

eDiscovery & Skype

Skype is the most commonly used tool for business communication as well as in private communications. It’s capable to provide different services ranging from instant messaging to advanced voice or video calls. So, from the forensic investigators point of view, let’s see what all things can be extracted from Skype?

Skype eDiscovery Artifacts

The registry keys defined for Skype is:

Skype stores both metadata as well as the entire conversation logs as part of the security claims. Skype records history in database files containing various fields of information. Many of the fields within the database are of great interest as far as an eDiscovery matters for a digital forensic investigator. However, Skype database files are mostly Sqlite databases. These DB files are not user friendly, So the analyst should posses’ deep knowledge to handle databases.

The default location of Skype log files is

By accessing the main.db file one can analyze all the conversations, members list, file transfers, calls, and contacts from Skype account. The Sqlite file, main.db stores data in different tables. Some of the tables included in main file are CallMember table, Call table, Transfer table, message table, etc.

CallMember

Consider the table, CallMember this contains different attributes like identity, display name, guid, start_timeStamp, call_duration, etc.

Call logs

While considering the Call table it contains certain columns like host_identity, current_video_audience, begin_timestamp, duration, etc.

chat logs

The Messages table in .db contains the chat logs regarding all conversation carried out. The details include source of chat, unique identifier, source of chat, date and time in epoch time and chat messages.

config.xml is the other file carrying important details from Skype which is an important spot for investigators. The system IP address plus port number will be displayed in hex values under Host cache tag. The chatsync folder contains some .dat files to hold chat history. These files mainly contain conversational history between the Skype user and the other end user. The timestamps are added to the files to indicate chat start time and its duration.

What happens if the main.db got corrupted?

There exists n number of tools to view and analyze the healthy Sqlite files and its contents. It ranges from freeware to costly forensic wares developed by various organizations. In most of the cases the suspects destroy the evidences from the databases. Rather than clearing history the log files may corrupt and makes the files inaccessible. Sqlite Viewer tool is excellent tool for eDiscovery of all the components of a Sqlite file, thereby an aid in Skype forensics investigators to view main.db.