Call logs, SMSes, emails, social networks communications and, of course, chats in instant messengers can give you a lot of important information in a course of a forensic investigation. Let's see how one single chat product can be examined from different aspects, each of which gives one more – unique! – part of puzzle.

In our case, the suspect had Skype installed on his laptop and mobile device which were seized and investigated with Belkasoft Evidence Center.

First part of the analysis is easy: chats are extracted from existing main.db, a SQLite database where Skype stores its history logs.

BEC automatically locates and extracts chat history from Skype database, as well as hundreds of other messengers

Is this it? No, there are many things yet to be discovered!

First of all, BEC finds not just text chats. Looking in the Overview section of the product, you can note the following types of data extracted from the same Skype database:

  • Calls: Voice calls made via Skype
  • Contacts: Contents of Skype address book, as well as interlocutors not added to it
  • File transfers: Files sent and received via Skype "Send file" feature:

  • Geolocation data: mobile Skype client allows a user to send their current location to an interlocutor. Belkasoft extracts this data:

Besides, you can visualize one or multiple locations on Google Maps (if you have Internet connection) or Google Earth (if you don't).

  • Pictures: Skype allows a user to share photos inside a chat, and BEC shows such pictures:

By the way, BEC can automatically analyze pictures for faces, skin tone and scanned text, if this is what your investigation about:

  • This particular database did not contain other types of Skype artifacts, but there are more supported by BEC: SMSes, voicemails and so on

Now is this all? The answer is still no! What else is there?

Let us check if there is anything deleted in the Skype history. How to do that? With Belkasoft you can easily review deleted items in the convenient SQLite Viewer window. In order to populate this window with Skype data, one should select corresponding Skype profile in the Case Explorer window of Evidence Center:

To the left of SQLite Viewer window you can see tables of selected Skype database. One of the tables is called Messages, and it stores chats sent or received. In the picture above you can see a number of records highlighted with red background. These items are originated from a special area of SQLite database called "freelist". This area stores recently deleted items, which Belkasoft can recover for you.

You are probably thinking: this has to be it, right? But once again, no! Let us pay more attention to File System pane of Evidence Center. What is the file named main.db-journal next to main.db database?

Evidence Center can visualize file system structure of computers and mobile devices (including Android backups). If we navigate to the suspect's profile folder, we will see main.db file along with main.db-journal. The journal file is of significant size: more than 40% of the main database file!

What is inside this file? Is this information important? Yes, it is! Journal file is a SQLite auxiliary file which may contain records absent in the main database. If we go back to SQLite Viewer, we will see records highlighted with cyan:

For chats, 5 extra messages were found in the journal file. For MediaDocuments table the number is even bigger: 370 items out of 1361. Thus, journal file information is not to be overlooked!

Now, this is it.

Joke! There is more.

Each SQLite database, if used frequently, contains unallocated space. Don't confuse it with unallocated space in a hard drive. This is a separate concept, and what is important to know is that SQLite unallocated may contain remnants of recently deleted items. This is not similar to freelist and, unlike info in freelist, unallocated space can contain random or damaged data. However, using data carving of unallocated SQLite space (built-in feature of BEC), you can recover meaningful data:

In this database only one field was recovered from Skype database unallocated, but very important one: one of interlocutors' mobile phone number.

For those who prefer to verify results manually, BEC has low-level means for that. HexViewer window allows to visualize a SQLite record (allocated or unallocated), any file selected in File List, disk partition or volume selected in File System pane, or mobile phone backup contents.

HexViewer shows binary contents of selected SQLite unallocated space item

Fortunately, in our case the suspect's laptop was found switched on, so it was possible to capture Live RAM. BEC contains Live RAM Capturer utility as a part of its installation package. Live RAM Capturer is a portable tool, which can run from a thumb drive and dump all the memory of a running Windows machine. Then, the output can be analyzed in Evidence Center. In particular, Skype details can be found inside the memory dump if it was running at the moment of memory acquisition.

When we inspect File System pane of BEC, we can see that Skype.exe was indeed running:

Now we switch to Case Explorer pane and trust the tool's ability to carve RAM artifacts:

You can see that Skype.exe process memory contains links in Safari and Opera format. Some of these links lead to pictures which are still alive on Apple server:

Is this it now? Yes, that's it for this article, but just for the sake of brevity. We haven't covered Skype data carving of pagefile and hibernation file, as well as investigation of slack space, analysis of Volume Shadow Copy, processing Skype hidden inside virtual machines and Skype app for other popular operating systems such as Mac OS or Linux, and many more other potentially crucial aspects of Skype investigation. Be sure, however, that all of them are supported by the product reviewed in this article, Belkasoft Evidence Center (BEC).

P.S. We reviewed Skype app only, but did you know that Belkasoft supports several hundreds of other chat applications?

More details on BEC