Digital Forensic: Skype - Case Study Example

Digital forensic The need for digital forensic in this high-tech world is inevitable. In recent times, the use of social networking, instant messaging, and web browsing has undergone a phenomenal growth and so is the number of cyber crimes. Due to the wide availability and cheap price of the Voice over internet protocol (VoIP) applications, they are extensively used by most of the high profile companies. Skype is one such application which allows instant messaging, file transfers, voice and video calls, and screen sharing between users (Wallingford 2006). As mentioned earlier, Skype is no exemption for computer crimes like cyber bulling and information theft. So, digital forensic has become very essential and in fact a part of the overall security perspective of any computer based industry, in spite of various challenges associated with the digital forensic investigation process. The increased use of Skype is resulting in increased number of cyber crimes as the users take advantage of the anonymity associated with its use. But with the aid of apt digital forensic tools, valuable evidences can be retrieved and it can reveal the defendant’s activities. This report will discuss about the various available tools that will aid the digital forensic investigation process, document the steps involved in the investigation process along with the challenges that has to be faced during the course of the investigation process. The artifacts collected from a Skype conversation can be analysed with the help of several investigation tools like ‘Skype chat carver’, ‘Belkasoft Evidence Center’, ‘Chat Examiner’, ‘Epilog’, ‘Forensic Assistant’, ‘Internet Evidence Finder’, ‘Skype Extractor’, ‘SkypeAlyzer’, ‘SkypeLogview’, and others (Mikhaylov 2013). It is very important to know where and how to recover the evidences like calls, messages, contacts, file transfers, and voicemails from a user’s accounts in order to utilize the above mentioned tools in the forensic analysis process. The steps stated below will help in the evidence recovery process. The first step is to discover the Skype user directories which may be found by following the below mention root path provided in the example screen shot (Shaw 2014). Fig 1: Root Path (Shaw 2014) There are four users who use Skype application in this example. The file named ‘shared’ is a XML file which contains the main configuration information like time of usage, IP address, and other useful information. Exploring the ‘shared’ file one can retrieve the Unix style time stamp information (Shaw 2014). Here comes the first challenge. This Unix style time stamp information is displayed in a coded format as a string of numbers, which has to be converted to readable format. So, an investigator has to rely on online Unix time conversion tools to convert the string of numbers to an understandable time format. After completion of the conversion process the Skype conversation time can be discovered. This process is explained with the help of the screen shot shown below. Fig 2: Conversion (Shaw 2014) Next major step is to identify the IP address of the system involved in the conversation. This is available in the ‘HostCache’ tag of the ‘shared’ XML file Fig 3: Identificaiton of IP address (Shaw 2014). The Hexadecimal value D5C7B3AD9C51 in the above screenshot indicates the IP address. The next challenge is to convert this Hexadecimal value to decimal in order to retrieve the IP address in an understandable format. Again an investigator has to rely on online Unix conversion tools to retrieve the IP address. Other tags in the ‘shared’ file like ‘UIVersion’ and ‘Language’ denotes the Skype version and the language used for communication (Shaw 2014). A specific user directory is selected for further analysis as shown in the below screenshot. Fig 4: User Directory (Shaw 2014) A user’s directory contains the chat, call, and voicemail information as a split data across several files and data are to be combined from multiple sessions and dates (Shaw 2014). For an investigator unifying the split data to retrieve useful information is the greatest challenge. In such cases tools like Internet Evidence Finder (IEF) can greatly help (Jamie 2014). The file named ‘Chatsync’ contains all the data regarding the history of a particular chat session like who are the chat participants? who initiated the chat? chat messages and their status, timestamp values, and others (Shaw 2014). The most important file is the ‘Main.db’ which contains the most valuable artifacts like user’s account, calls, messages, group chat, contacts, file transfers, voicemails, and SMS messages. The ‘Main.db’ file contains a table named ‘Accounts’ which allows the investigator to collect information regarding the user’s Skype name, full name, birthday, gender, email address, location data, telephone details, when the profile was created and last modified (Jamie 2014). This seems to be very significant information for an investigator. But, if we critically evaluate the above mentioned details, there is no confirmation that the information provided by the user is true. Suspects usually have a tendency to create fake profile information like modifying the gender, wrong telephone numbers, fake email addresses, and so on. Next the call information are retrieved from the ‘call’ table which contains information like call type, local user details, and remote user details as shown in the example screen shot given below (Shaw 2014). Fig 5: Information (Shaw 2014) Defendants use Skype to steal valuable piece of information from an organization because in most cases whenever such a theft occurs, authorities either scrutinize the suspects email or his USB device, as Skype transfer is not much expected and suspected means of information theft. The ‘Main.db’ file contains information regarding file transfers which is very much essential to investigate an intellectual property theft. It contains information regarding the time and date of file transfer, sender / receiver information, file name and size, and delivery status. Once transferred, the files are stored in the location shown in the below figure (Jamie 2014). The chat message information is stored in the ‘Main.db’ and ‘Chat.sync’ files (Jamie 2014). While investigating chat messages, an investigator has to be careful because overlap of information is possible because the two files contain almost similar information. Details regarding group chat are also available which can be identified with the help of the ‘type’ field. If there are only two participants in a conversation, the type field is mentioned as 2 and if there are more than two participants the type fields is mentioned as 4 (Jamie 2014). So, if the committed crime is related to sending messages, then it can be perfectly investigated and the accused can be easily caught with appropriate evidences. The ‘Main.db’ file consists detailed information about the voice mails sent over Skype. The audio file is located in the ‘voicemail’ table and can be easily read by any SQLite database reader. The audio files are stored in the location shown in the below figure (Jamie 2014). Again here comes another challenge to the investigator. It is not possible to replay Skype voice mail conversations outside the Skype application because Microsoft always store the audio files in a proprietary format (Jamie 2014). To sort out this problem, the investigator has to create a Skype account and record a voicemail after logging into his account. Then the recorded voicemail must be replaced with the voicemail that has to be investigated. This way Skype permits the defendant’s voicemail to be played via the investigator’s account (Jamie 2014). This process is really challenging because it consumes a lot of time. Though it consumes a lot of time, the reward may be valuable evidence. Other challenges faced by an investigator are while using tools like Automatic SQLite Carver, some data can be missed and there is no assurance for entire data to be retrieved (Mikhaylov 2013). Also some data available at the end of a file may be lost and can never be retrieved. Another critical issue is that if the committed crime is related to either chat messages or threatening voicemails and even information theft, it can be resolved and the accused can be charged with proper evidence. But Skype is extensively used for video chatting and live conversations. Though the details about the participants of the conversation along with the time information are available, what was actually conversed cannot be recovered as evidence unless the conversation has been recorded. So, crimes related to live web chats will always be a challenge to a digital forensic investigator to investigate. As per the result of a research conducted by the Berkeley scientists, 93% of the information created, never leaves the digital domain (Gubanov 2012). So, even if a criminal is clever enough to delete all the digital information related to the crime, he still leaves a definite trace which becomes a strong evidence for the crime committed by him. So, here comes the role of digital forensics which uncovers the details of even an expertly committed crime. Proper handlings of digital forensic investigations with appropriate tools are very much indispensable for uncovering the crime and prevent its future occurrence. References Gubanov, Y., 2012. Retrieving Digital Evidence: Methods, Techniques and Issues. Available from: http://forensic.belkasoft.com/en/retrieving-digital-evidence- methods-techniques-and-issues(accessed on November 8, 2014) McQuaid, J., 2013. Skype Forensics: Analyzing Call and Chat Data From Computers and Mobile. Available from: http://cdn2.hubspot.net/hub/209184/file- 659618264-pdf/Skype_Forensics_-_Analyzing_Call_and_Chat_Data_ From_Computers_and_Mobile_-_Magnet_Forensics.pdf?submissionGui d=b9cefdfd-6996-41c1-b03a-31afa58de3c8(accessed on November 8, 2014) Mikhaylov, I., 2013. Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases. Available from: http://articles.forensicfocus.com/2013/11/26/extracting-evidence-from- destroyed-skype-logs-and-cleared-sqlite-databases/(accessed on November 8, 2014) Mikhaylov, I., 2013. The Automatic Skype Chat Carver v0.0.0.1. Available from: http://www.forensicfocus.com/Forums/viewtopic/t=11223/ Shaw, R., 2014. Skype Forensics. Available from: http://resources.infosecinstitute.com/skype-forensics-2/(accessed on November 8, 2014) Wallingford, T., 2006. VoIP applications. Available from: http://www.macworld.com/article/1051658/voip.html(accessed on November 8, 2014) Read More