Tuesday, July 23, 2019

Analysis of Skype App for Windows (Metro-App) - Version 14.xx


Why this post?

In my last posts I wrote about older Skype versions and showed a more detailed analysis of Skype for Windows Version 12.7 and higher.
As I already mentioned in those posts, in the most recent Skype version the underlying structure has changed again.
In this post I will show the underlying structure of the most recent Skype version and some important things to know when analyzing it.
I cannot say with which version exactly these changes were made to the underlying structure. I can just say it has already changed with Version 14.23; I didn't test all versions between 12.7 and 14.23.

The structure

First, the general structure.

The Skype folder is located under:
 %USERPROFILE%\AppData\Local\Packages\[Skype_App]


There you will find a structure like this one:


The chat db (formerly skype.db) is located in the subfolder LocalState. The database is named "s4l-[skypeuser].db".
If more than one Skype user is used on the machine, you will find more than one s4l-[skypeuser].db.

Pictures (sent/received): located in the subfolder LocalCache\FileCache

Things to mention / how things work

I did some testing to find out at which moment a file is generated/deleted.

1. The s4l-[skypeuser].db is generated when the Skype user logs in for the first time on the machine.
BUT: not all data is synced from the network at that moment. The chat lists are synced, so one can see with whom the Skype account had conversations (so that the user can see his last chats in the app).
The content of these conversations is not synced until the user clicks on the chat in the app. That is important to know because it is different from earlier versions.

2. A folder named [skypeuser] is also generated on the first successful login.
In this folder is a file named "config.xml". It holds information about the last login, connection caches and tokens. Perhaps useful in some way.

The timestamp of the last login can be found in the second line of this file:




Here 1563870266.4, which is Tue, 23 Jul 2019 08:24:26 UTC. That's correct for my case here.



3. Pictures in the subfolder LocalCache\FileCache:
    a) The pictures are stored when the user clicks them in the chat, not earlier. They will not be stored when only the preview was shown in the chat. So you will only find pictures in this folder that were really viewed by the user.
    b) Freshly sent pictures are stored in the folder the moment the user sends them in the chat.
    c) Only pictures are stored in this folder.
    d) The pictures remain in this folder when the user logs out.
    e) The pictures are deleted the moment a different Skype user logs in on the same machine with the same Windows account.

Internal database structure

The internal database structure has changed a bit.
There are a lot of tables in the database file s4l-[skypeuser].db, similar to the old skype.db.




But e.g. the tables "conversations" and "messages" are now "conversationsv14" and "messagesv12".

The suffixes "v14" and "v12" perhaps mean something like "version", so one could recognize the internal structure of the table by its name. But at the moment that is just guessing from my side. I have not checked this in any way!

The internal structure of the tables themselves has also changed.

One example for the table messagesv12:


The field "nsp_data" holds the content of the message and also the timestamps, picture filename (if sent/received), sender and receiver and so on. It is stored as a JSON structure.

My procedure

For the section above, "Things to mention / how things work", I list here the exact steps I took to test it, so anyone can double check it and determine the limitations of my results if wanted.

1. I logged into Skype on a freshly installed PC. Then I checked the database: the table "messagesv12" was empty except for the message from "convierge", which seems to be something like a test entry.
Then I clicked on an existing chat in the app and reloaded the databases. Now I could find the messages in the table.

2. I logged into Skype on a freshly installed PC. Then I checked the filesystem and found the folder. It was not there before. I opened the config.xml and saw e.g. the timestamp; it was close to my login. I decided to log off and log in again and write down the time. Then I checked the timestamp in the *.xml again. It had changed to the new login time.

3. After logging in I opened the folder LocalCache\FileCache; it was empty.
a) I clicked on a picture in a chat -> this picture was then stored in the folder.
b) I sent a picture that was not already in the folder. After sending it, it was in the folder.
c) I sent a pdf file; this one was not in the folder. BUT: this one was in the folder LocalCache\RNManualFileCache, only for a few minutes, then it was deleted automatically.
d) I logged out from Skype. The pictures stayed in the folder.
e) I logged in with another account; all pictures in the folder were gone.

Conclusion

It is necessary to understand that with the most recent Skype version not all data (images/messages) is synced automatically to the device. In older versions this was the case.

If more than one Skype user uses the same Skype App, one cannot find the pictures of the non-active user in the folder LocalCache\FileCache, just the pictures of the active user that he has actively clicked/viewed.










Monday, July 15, 2019

Analysis of Skype - Windows 10 App Version 12.7 and higher


Why this post?

In my last post I gave an overview of the different versions of Skype.
I recently had a case where I found relevant pictures in a folder that led me to Skype.
After processing the data with Magnet AXIOM (Version 3.3.1) I took a look into the decoded Skype chats to see if the pictures were sent/received and if I could see the corresponding Skype accounts.
Unfortunately no pictures were shown in the Skype messages, just messages like "account_a shared file_x with account_b".
And file_x was not a file name that could be found in the file system.
I was pretty sure there must be a way to map the pictures to the messages. There were over 400 pictures and most of them were relevant.
For this case it was important that I was able to tell if the pictures were sent out or "just" received/stored.

What I had at the beginning

  1. The system was a Windows 10 Home System.
  2. The installed Skype version was "14.40 Skype for Windows 10". But Skype had probably been used for a long period of time: I could see usage from 2016 until mid-2018. So the usage started with an older version.
  3. I found the relevant pictures in the following folder: %USERPROFILE%\AppData\Local\Packages\Microsoft.SkypeApp_[Version]\LocalState\[skype_user_name]\media_messaging\media_cache_v3
  4. I have a skype.db in the folder: %USERPROFILE%\AppData\Local\Packages\Microsoft.SkypeApp_[Version]\LocalState\[skype_user_name]
  5. And I have a cache_db.db in the folder: %USERPROFILE%\AppData\Local\Packages\Microsoft.SkypeApp_[Version]\LocalState\[skype_user_name]\media_messaging\media_cache_v3\asyncdb

The analysis

A few months ago I read an article by Paul Sanderson about the media cache analysis of Skype. He did the research with his Forensic Browser for SQLite.
Please find his report here: https://sandersonforensics.com/forum/content.php?223-Investigating-Skype-cloud-based-media_cache-image-sharing-with-the-Forensic-Browser-for-SQLite
Paul stated that the path to the files is stored in the field "serialized_data" in the table "assets" of the database file cache_db.db.
I checked this for my case and it is still the same. That is good: no changes in the cache_db.db.
The problem is that the mapping to the skype.db, where the messages are stored, is not possible in the same way Paul showed it for the old Skype version with the main.db.
So I needed to find the new correlation between those two databases.
First I will give a short overview of the relevant content in the two databases.

The cache_db.db file

In this database there is the table "assets" with the fields key and serialized_data (there are other fields too, but they are not interesting for this analysis).
When I read "key", I hoped I could use it to match entries to the other database in some way.
The content of the fields looks like:

key:


serialized_data:

 

The skype.db file

In this database there is a table named "messages" that contains the messages sent and received by the Skype user.

In the field "content" I see the content of the message. If a picture was received or sent, this field contains an XML-like structure with a value for the key "url".
This value looks very similar to the value in the field "key" of the table "assets" in the database cache_db.db.

Example of the content field when a picture is shared:



The mapping

Now I have an idea how to map the messages to the pictures.
I checked it manually for one picture and one message. The creation timestamp of the message and the created timestamp of the picture were almost identical (just about 2 seconds apart). I tested it for another picture, with the same result.
The two seconds separation could be there because the message is sent first and then the picture needs time to be downloaded onto the machine.

So I decided to write a script that gives me a list of all filenames in the media_cache_v3 folder together with their status (sent or received), the Skype accounts involved and the creation timestamp of the message.

I am sure I could have done all of this in SQL or with a complete tool, but my SQL knowledge is not the best and I don't have a tool. So I decided to use Python 3.
This script can be found in my GitHub repository https://github.com/kalink0/useful_scripts/blob/master/skype/analyzeSkypeApp.py. At the time of writing this post one needs to insert the path to the Skype profile folder into the code for the variable "base_dir".
I will change the script asap so that one can call it with a parameter or the script asks for the path.
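The correlation described above, as an added example that is not the author's analyzeSkypeApp.py: it pulls the "url" value out of the XML-like content field of messages, prefers an assets row whose key resembles that url, and otherwise falls back to the assets row created within about 2 seconds of the message. Apart from messages.content, assets.key and assets.serialized_data, every column name (author, timestamp, created) and the sample rows are assumptions constructed for the example.

```python
import re
import sqlite3

# Added example, not the author's analyzeSkypeApp.py. Apart from messages.content,
# assets.key and assets.serialized_data, all column names are assumptions.
URL_RE = re.compile(r'url="([^"]+)"')

# Constructed sample rows standing in for skype.db and cache_db.db.
SAMPLE_MESSAGES = [  # (author, timestamp, content)
    ("alice", 1563870266, '<URIObject url="https://example.invalid/o/1">alice shared pic_x</URIObject>'),
    ("bob", 1563870300, '<URIObject url="https://example.invalid/o/2/v">bob shared pic_y</URIObject>'),
    ("bob", 1563870400, "text only, no picture"),
    ("bob", 1563870500, '<URIObject url="https://example.invalid/o/3">bob shared pic_z</URIObject>'),
]
SAMPLE_ASSETS = [  # (key, serialized_data, created); the second key only resembles its url
    ("https://example.invalid/o/1", "media_cache_v3/pic_x.jpg", 1563870268),
    ("cache://o/2", "media_cache_v3/pic_y.jpg", 1563870301),
]

def build_sample_dbs():
    """Two in-memory SQLite databases holding the constructed rows."""
    skype = sqlite3.connect(":memory:")
    skype.execute("CREATE TABLE messages (author TEXT, timestamp INTEGER, content TEXT)")
    skype.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    cache = sqlite3.connect(":memory:")
    cache.execute("CREATE TABLE assets (key TEXT, serialized_data TEXT, created INTEGER)")
    cache.executemany("INSERT INTO assets VALUES (?, ?, ?)", SAMPLE_ASSETS)
    return skype, cache

def match_asset(url, ts, assets, tolerance=2):
    """Prefer an asset whose key is a prefix of the message url; otherwise take
    the asset created closest to the message, but only within `tolerance` seconds
    (the ~2 s gap between message and download observed in the post)."""
    for asset in assets:
        if url.startswith(asset[0]):
            return asset
    best = min(assets, key=lambda a: abs(a[2] - ts), default=None)
    if best is not None and abs(best[2] - ts) <= tolerance:
        return best
    return None  # picture never downloaded, or no reliable correlation

def map_pictures(skype, cache, skype_user, tolerance=2):
    """(cache path or None, 'sent'/'received', author, message timestamp) per picture message."""
    assets = cache.execute("SELECT key, serialized_data, created FROM assets").fetchall()
    rows = []
    for author, ts, content in skype.execute(
            "SELECT author, timestamp, content FROM messages ORDER BY timestamp"):
        found = URL_RE.search(content or "")
        if not found:
            continue  # not a shared picture
        hit = match_asset(found.group(1), ts, assets, tolerance)
        direction = "sent" if author == skype_user else "received"
        rows.append((hit[1] if hit else None, direction, author, ts))
    return rows
```

For a real case, replace build_sample_dbs with sqlite3.connect on copies of skype.db and cache_db.db and pass the profile's Skype user name as skype_user; a None path flags a picture that was shared but never downloaded to this device.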

Result/Conclusion

With this research and the script I am able to tell if a picture in the folder media_messaging/media_cache_v3 was sent or received, and also by whom.

If you analyze a system with relevant pictures in the media_messaging/media_cache_v3 folder of Skype, you now know how you can perhaps map these pictures to the Skype chats.




Sunday, July 14, 2019

Skype Analysis - From the old one to the newest one - A First Overview

Why this post?

When analyzing Skype on Windows nowadays you need to take a deeper look at which versions are used, because Microsoft updated a few things in the underlying structure.
So I will give a short overview of the versions and their changes.

A bit confusing is the version numbering.
When looking under "Help & Feedback" you get two version numbers:



This seems to be because of the difference between Skype for Desktop and Skype for Windows 10.
Skype for Windows 10 comes via the Windows Store. Skype for Desktop is the "classic" version, downloadable from the website.

It seems like 8.xx is mapped to 14.xx. But I am not totally sure.

You will see in the following sections that there are differences between the versions (Desktop vs. Windows App). So not only the version number is important.

This post just gives an overview!

The different versions

The old Skype (up to Version 7)

The old Skype version is well known. There is a database named "main.db". In there you can find the information about chats, contacts, the user account and sent pictures. This is the Skype for Desktop; there was no Skype App from the Windows Store.

The Skype folder is located under: %USERPROFILE%\AppData\Roaming\[Skype_App_folder]
Location of main.db: directly under the mentioned directory.
Pictures: in the subfolder media_messaging\media_cache.

Paul Sanderson wrote a nice post about the details in 2015. He also described how to map a chat message to the stored pictures in the media cache folder:
https://sandersonforensics.com/forum/content.php?223-Investigating-Skype-cloud-based-media_cache-image-sharing-with-the-Forensic-Browser-for-SQLite

Tools like Magnet Forensics IEF and Magnet Forensics AXIOM in current versions decode the data correctly as far as I could see. So this is "old" stuff, nice to know but not usable anymore with modern versions of Skype.

The newer Skype (since Version 12.7)

With Skype Version 12.7 an update to the file structure was made. This is the version number of Skype for Windows 10. Unfortunately I don't know the corresponding version number of the Desktop version.
Also, one now needs to look at two different cases: Desktop App and Windows 10 App.
The main.db is replaced by the skype.db.
And also the mapping mechanism for connecting a picture to the corresponding chat message has changed.

Desktop (Classic) App
The Skype folder for the classic App is: %USERPROFILE%\AppData\Roaming\Microsoft\[Skype_App_folder]
Where Skype_App_folder is "Skype for Desktop".
Location of skype.db: in the subfolder [skypeuser]
Pictures: [skypeuser]\media_messaging\media_cache_v3\

Windows 10 App
The Skype folder for the Skype for Windows 10 is located under: %USERPROFILE%\AppData\Local\Packages\[Skype_App]\
Location of skype.db: in the subfolder LocalState\[skypeuser]
Pictures: LocalState\[skypeuser]\media_messaging\media_cache_v3\

About the mapping mechanism for mapping a picture to the chat message I'll write a separate post with more details.
I wrote a short script you can find in my GitHub repository:
https://github.com/kalink0/useful_scripts/blob/master/skype/analyzeSkypeApp.py
More details in my next post then.

At least AXIOM in the current version (3.3.1) does not map the images to the chat messages (it just shows the links and filenames). That is why I started my research. I did not test any other tools yet.

Most recent version (Version 14.48.51.0) - Windows 10 App

And now the fun part. After I had worked on a case where I needed to do some research and had finished everything, I tested my new knowledge in my own Skype to double-check my results. My PC has the most recent version of Skype for Windows 10 (14.48) installed, and everything is different now.
There is no main.db or skype.db anymore.

The main.db/skype.db is replaced by a database named after the Skype user. The media cache folder seems to be gone.

The Skype folder is located under: %USERPROFILE%\AppData\Local\Packages\[Skype_App]
The chat db (formerly skype.db): located in the subfolder LocalState. There is a database named "s4l-[skypeuser].db".
Pictures: located in the subfolder LocalCache\FileCache

But there are a few things to know about the pictures:
1. Pictures that were sent from the PC are stored there.
2. Pictures that were received by the PC are only stored there if the user double-clicked the picture in the chat (maximized the view of it).
3. The pictures are deleted if another user logs into Skype on the machine under the same local PC account.

The mapping of the pictures to the chat messages works via the original name stored in the database.

I will check whether AXIOM decodes this correctly. The first test showed that AXIOM was able to analyze/decode the database and the picture for the first user. I had a second user, not logged in anymore, for which AXIOM did not decode any info (not even the chat messages). But I need to double check.

I will create another post on this topic asap.

Most recent version (Version 8.49) - Desktop/Classic App

And the Desktop App is totally different now.
There is no database for the text messages anymore. It is now a file with the extension *.log. It has plaintext inside.
Pictures are stored when they were opened, but not with the extension "jpg" and not with the name that is mentioned in the chat message.

The Skype folder for the classic App remained identical to the older version: %USERPROFILE%\AppData\Roaming\Microsoft\[Skype_App_folder]
Where Skype_App_folder is "Skype for Desktop".
Location of the log file with chat messages: in the subfolder LocalStorage\leveldb. The filename in my case is 000004.log.
Pictures are stored in the subfolder Cache. The filename in my case is f_000007, without any extension.

The numeric value increases for the next picture.


I need to do a lot of research here.
I haven't had a case with a Skype Desktop version like this one yet. I also need to test my tools (e.g. AXIOM).

Next steps and Conclusion

The conclusion is that the new updates from Microsoft on Skype changed the structure, so one needs to take a deeper look at whether our tools still parse the data correctly.
It is also important what type of Skype is installed (Skype for Desktop or Skype for Windows 10).

Next steps:
1. I will write the next post about my analysis of the pictures and their mapping to the corresponding chat message for Version 12.xx of the Windows 10 App.
2. I need to find out at which version the change of the database and the media storage occurred. At the moment I just know that with version 14.48 it is different. I tested version 14.24 and it already has the most recent structure, no skype.db or main.db.
3. I will analyze the most recent Skype version (Desktop and Windows 10) and test it with Magnet AXIOM to see if all relevant data gets decoded, and I will write about it.

Why AXIOM? -> It is currently one of my main tools for getting artifacts out fast.