Artifacts

Skype

Author Name
Matt

Artifact Name
Skype

Description
Skype is a desktop application that enables voice and video calls, instant messaging, file transfers, and screen sharing between users.

Registry Keys
HKEY_CURRENT_USER\Software\Skype

File Locations
C:\Documents and Settings\[Profile Name]\Application Data\Skype\[Skype User]

C:\Documents and Settings\[Profile Name]\AppData\Roaming\Skype\[Skype User]

Research Links
https://docs.google.com/viewer?url=http://www.lpcforensic.it/public_html/yabbfiles/Attachments/SkypeLogFileAnalysis.pdf

http://nickfurneaux.blogspot.com/2010/03/skype-chat-carver-from-ram-skypeex.html

Subpoena Contact – http://search.org/programs/hightech/isp/default.asp#207

Forensic Programs of Use
Skype Log View – http://www.nirsoft.net/utils/skype_log_view.html

Skype Parser – http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55

Skype Analyzer – http://belkasoft.com/bsa/en/Skype_Analyzer.asp

SkypeAlyzer – http://www.sandersonforensics.com/content.asp?page=440

4 Comments

Belkasoft

August 30, 2010

Besides Skype Analyzer, Belkasoft also has Forensic IM Analyzer, which can carve a drive or drive image for deleted Skype artifacts and a memory image for Skype messages in RAM.

keydet89

August 30, 2010

HKEY_CURRENT_USER\Software\Skype; subkeys contain some useful information, as well.

matt

August 30, 2010

Thanks again, Harlan. Post has been updated with the registry information.

Mark McKinnon

October 18, 2010

Link to my Skype Log Parser is http://redwolfcomputerforensics.com/downloads/skype-log-installer-1.7.exe

In version 3.x, Skype uses its own format to store chats and other evidence.

In version 4.x, Skype uses SQLite to store chats and other evidence.

Also, in version 3.x of Skype there will be a file named index2.dat.

If the user has upgraded from 3.x to 4.x then the index2.dat file will not exist. The Dbb files will still exist and you can look at these for potential evidence that may have been deleted from the SQLite database.
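
An added example (not part of the original post or comments, and not code from any of the tools listed) that applies the version differences described in the last comment to triage a copied `[Skype User]` directory: it looks for index2.dat, .dbb files, and any file carrying the SQLite 3 header. The function names and the sample file names `chat256.dbb` and `store.db` are assumptions made for illustration.

```python
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def is_sqlite(path):
    """True if the file starts with the SQLite 3 header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def triage_profile(profile_dir):
    """Classify a [Skype User] directory by the chat stores it contains."""
    found = {"index2": [], "dbb": [], "sqlite": []}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            lower = name.lower()
            if lower == "index2.dat":
                found["index2"].append(path)
            elif lower.endswith(".dbb"):
                found["dbb"].append(path)
            elif is_sqlite(path):
                found["sqlite"].append(path)
    if found["sqlite"] and (found["dbb"] or found["index2"]):
        verdict = "upgraded"   # SQLite store plus leftover 3.x files to review
    elif found["sqlite"]:
        verdict = "4.x"        # SQLite only
    elif found["dbb"] or found["index2"]:
        verdict = "3.x"        # proprietary format only
    else:
        verdict = "none"
    return verdict, found

def build_sample(kind):
    """Constructed sample profile: placeholder files only, not real evidence."""
    d = tempfile.mkdtemp(prefix="skype_profile_")
    if kind in ("3x", "upgraded"):
        open(os.path.join(d, "chat256.dbb"), "wb").close()   # hypothetical name
    if kind == "3x":
        open(os.path.join(d, "index2.dat"), "wb").close()
    if kind in ("4x", "upgraded"):
        with open(os.path.join(d, "store.db"), "wb") as fh:  # hypothetical name
            fh.write(SQLITE_MAGIC + b"\x00" * 84)
    return d

if __name__ == "__main__":
    for kind in ("3x", "4x", "upgraded"):
        print(kind, "->", triage_profile(build_sample(kind))[0])
```

Run it against a working copy of the profile directory, not the original evidence; an "upgraded" verdict is the case where the .dbb files deserve a separate look.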
