Sunday, July 14, 2019

Skype Analysis - From the old one to the newest one - A First Overview

Why this post?

When analyzing Skype on Windows nowadays you need to take a deeper look at which versions are used, because Microsoft updated a few things in the underlying structure.
So I will give a short overview of the versions and their changes.

A bit confusing is the version numbering.
When looking under "Help & Feedback" you get two version numbers:

This seems to be because of the difference between Skype for Desktop and Skype for Windows 10.
The Skype for Windows 10 comes via Windows Store. Skype for Desktop is the "classic" Version, downloadable from the website.

It seems like 8.xx is mapped to 14.xx. But I am not totally sure.

You will see in the following sections that there are differences in the Versions (Desktop to Windows App). So not only the version number is important.

This post just gives an overview!

The different versions

The old skype (Up to Version 7)

The old Skype version is well known. There is a database named "main.db". In there you can find the information about chats, contacts, the user account and sent pictures. This is the Skype for Desktop; there was no Skype app from the Windows Store at that time.

The Skype folder is located under: %USERPROFILE%\AppData\Roaming\[Skype_App_folder]
Location of main.db: directly under the mentioned directory.
Pictures: in the subfolder media_messaging\media_cache.

Paul Sanderson wrote a nice post about the details in 2015. He also described how to map a chat message to the stored pictures in the media cache folder:
https://sandersonforensics.com/forum/content.php?223-Investigating-Skype-cloud-based-media_cache-image-sharing-with-the-Forensic-Browser-for-SQLite

Tools like Magnet Forensics IEF and Magnet Forensics AXIOM in current versions decode the data correctly as far as I could see. So, this is "old" stuff, nice to know but with modern versions of Skype not usable anymore.

The newer skype (Since Version 12.7)

With Skype version 12.7 an update to the file structure was made. This is the version number of the Skype for Windows 10. Unfortunately I don't know the corresponding version number of the Desktop version.
Also, one now needs to look at two different cases: Desktop app and Windows 10 app.
The main.db is replaced by the skype.db.
The mapping mechanism that connects a picture to the corresponding chat message has also changed.

Desktop(Classic) App
The Skype folder for the classic app is: %USERPROFILE%\AppData\Roaming\Microsoft\[Skype_App_folder]
Where Skype_App_Folder is "Skype for Desktop".
Location of skype.db: in the subfolder [skypeuser]
Pictures: [skypeuser]\media_messaging\media_cache_v3\

Windows 10 App
The Skype folder for the Skype for Windows 10 is located under: %USERPROFILE%\AppData\Local\Packages\[Skype_App]\
Location of skype.db: in the subfolder LocalState\[skypeuser]
Pictures: LocalState\[skypeuser]\media_messaging\media_cache_v3\

About the mapping mechanism to map the picture to the chat message I'll write a separate post with more details.
I wrote a short script you can find in my Github repository:
https://github.com/kalink0/useful_scripts/blob/master/skype/analyzeSkypeApp.py
More details in my next post then.

At least AXIOM in the current version (3.3.1) does not map the images to the chat messages (Just shows the links and filenames). That is why I started my research. I did not test any other tools yet.

Most recent version (Version 14.48.51.0) - Windows 10 App

And now the fun part. After I had worked on a case where I needed to do some research and had finished everything, I tested my new knowledge on my own Skype to double-check my results. My PC has the most recent version of Skype for Windows 10 (14.48) installed, and everything is different now.
There is no main.db or skype.db anymore.

The main.db/skype.db is replaced by a database named like the skype user. The media cache folder seems to be gone.

The Skype folder is located under: %USERPROFILE%\AppData\Local\Packages\[Skype_App]
The chat db (formerly skype.db): located in the subfolder LocalState. There is a database named "s4l-[skypeuser].db".
Pictures: Located in the subfolder LocalCache\FileCache

But there are a few things to know about the pictures:
1. Pictures that were sent from the PC are stored there
2. Pictures that were received by the PC are only stored there if the user double clicked the picture in the chat (maximized the view of it)
3. The pictures are deleted if another user logs in to Skype on the same machine under the same local PC account.

The mapping of the pictures to the chat messages works via the original name stored in the database.
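To tie the four folder layouts above together (the main.db era, the skype.db era for the classic and the Windows 10 app, and the s4l-[skypeuser].db layout just described), here is an added example that walks a user profile and reports which generation of artifacts it finds, then checks original picture names against LocalCache\FileCache the way the mapping sentence above describes. It is my own code, not the post's analyzeSkypeApp.py. The bracketed placeholder folders from the post ([Skype_App_folder], [Skype_App], [skypeuser]) are matched with `*` wildcards, and the sample tree it builds in a temp directory (empty files, placeholder package names) is constructed for the demo, not real Skype data.

```python
import os
import tempfile
from pathlib import Path

# Relative globs below the user profile root, one entry per Skype generation
# described in the post. The "*" wildcards stand in for the bracketed
# placeholder folders ([Skype_App_folder], [Skype_App], [skypeuser]) whose
# real names the post does not give, so the exact patterns are an assumption.
LAYOUTS = {
    "classic <= 7 (main.db)": {
        "db": "AppData/Roaming/*/main.db",
        "media": "AppData/Roaming/*/media_messaging/media_cache",
    },
    "desktop 12.7 (skype.db)": {
        "db": "AppData/Roaming/Microsoft/Skype for Desktop/*/skype.db",
        "media": "AppData/Roaming/Microsoft/Skype for Desktop/*/media_messaging/media_cache_v3",
    },
    "win10 app 12.7 (skype.db)": {
        "db": "AppData/Local/Packages/*/LocalState/*/skype.db",
        "media": "AppData/Local/Packages/*/LocalState/*/media_messaging/media_cache_v3",
    },
    "win10 app 14.48 (s4l-<user>.db)": {
        "db": "AppData/Local/Packages/*/LocalState/s4l-*.db",
        "media": "AppData/Local/Packages/*/LocalCache/FileCache",
    },
}


def _fixed_prefix(root, pattern):
    """Path made of the pattern's leading segments that contain no wildcard."""
    fixed = []
    for seg in pattern.split("/"):
        if "*" in seg:
            break
        fixed.append(seg)
    return root.joinpath(*fixed)


def find_skype_artifacts(profile_root):
    """Return (generation, chat database path, media directory or None) tuples."""
    root = Path(profile_root)
    hits = []
    for generation, pats in LAYOUTS.items():
        media_dirs = [p for p in root.glob(pats["media"]) if p.is_dir()]
        prefix = _fixed_prefix(root, pats["db"])
        for db in sorted(root.glob(pats["db"])):
            # Pair the database only with a media folder that sits below the
            # same user/package folder, i.e. shares more of the path than the
            # fixed part of the pattern; otherwise report no media folder.
            candidates = [m for m in media_dirs
                          if len(os.path.commonpath([m, db])) > len(str(prefix))]
            media = (max(candidates, key=lambda m: len(os.path.commonpath([m, db])))
                     if candidates else None)
            hits.append((generation, db, media))
    return hits


def match_cached_pictures(file_cache_dir, original_names):
    """14.48 layout: a picture keeps the original name recorded in the chat
    database, so a name resolves to a file in LocalCache\\FileCache only if the
    picture was sent from this PC or was opened (maximized) by the user."""
    cache = Path(file_cache_dir)
    return {name: (cache / name).is_file() for name in original_names}


def build_sample_profile(root):
    """Constructed sample profile tree (empty files, not real Skype data)."""
    root = Path(root)
    for rel in [
        "AppData/Roaming/Skype/main.db",
        "AppData/Roaming/Skype/media_messaging/media_cache/old.jpg",
        "AppData/Roaming/Microsoft/Skype for Desktop/live_alice/skype.db",
        "AppData/Roaming/Microsoft/Skype for Desktop/live_alice/media_messaging/media_cache_v3/a.jpg",
        "AppData/Local/Packages/SkypeApp_PLACEHOLDER_A/LocalState/live_bob/skype.db",
        "AppData/Local/Packages/SkypeApp_PLACEHOLDER_A/LocalState/live_bob/media_messaging/media_cache_v3/b.jpg",
        "AppData/Local/Packages/SkypeApp_PLACEHOLDER_B/LocalState/s4l-live_carol.db",
        "AppData/Local/Packages/SkypeApp_PLACEHOLDER_B/LocalCache/FileCache/holiday.jpg",
    ]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root


def run_demo():
    """Build the sample tree in a temp dir and return what the locator finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_profile(tmp)
        found = {gen: (db.name, media.name if media else None)
                 for gen, db, media in find_skype_artifacts(root)}
        file_cache = root / "AppData/Local/Packages/SkypeApp_PLACEHOLDER_B/LocalCache/FileCache"
        cached = match_cached_pictures(file_cache, ["holiday.jpg", "never_opened.png"])
    return found, cached


if __name__ == "__main__":
    found, cached = run_demo()
    for generation, (db, media) in found.items():
        print(f"{generation}: db={db} media={media}")
    print(cached)
```

Point `find_skype_artifacts` at a mounted user profile (the folder that contains AppData) to get one line per generation that is present; a database with `None` as media folder is exactly the "media cache folder seems to be gone" situation, and a `False` from `match_cached_pictures` means the chat referenced a picture that was neither sent from this PC nor opened on it.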

I will check whether AXIOM decodes this correctly. The first test showed that AXIOM was able to analyze/decode the database and the picture for the first user. For a second user, who was not logged in anymore, AXIOM did not decode any info (not even the chat messages). But I need to double-check.

I will create another post on this topic asap.

Most recent version (Version 8.49)  - Desktop/Classic App

And the Desktop App is totally different now.
There is no database for the text messages anymore. It is now a file with the ending *.log. It has plaintext inside.
Pictures are stored when they were opened. But not with the ending "jpg". And not with the name that is mentioned in the chat message.

The Skype folder for the classic app remained identical to the older version: %USERPROFILE%\AppData\Roaming\Microsoft\[Skype_App_folder]
Where Skype_App_Folder is "Skype for Desktop".
Location of the log file with chat messages: in the subfolder LocalStorage\leveldb. The filename in my case is 000004.log.
Pictures are stored in the subfolder Cache. The filename in my case is f_000007, without any extension.

The numeric value will increase for the next picture.
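Because the pictures in the Cache folder carry neither an extension nor the name from the chat message, the first thing to do on such a folder is to identify the file types from their first bytes, and because the .log file is said to hold plaintext, a `strings`-style scan is the quickest confirmation. Here is an added example of both steps; it is my own code, not the post's script. The f_* naming and the 000004.log name come from the post, the signatures are the standard JPEG/PNG/GIF/WebP magic bytes, and the sample cache and log it writes into a temp directory are constructed for the demo, not real Skype data.

```python
import re
import tempfile
from pathlib import Path

# File signatures for the image types a chat cache is likely to hold.
# WebP is checked separately because its magic is split across two offsets.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]


def sniff_image_type(head):
    """Guess the image type from the first bytes of a file, or None."""
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return None


def classify_cache_dir(cache_dir):
    """Map each extensionless f_* file in the Cache folder to its sniffed type."""
    result = {}
    for path in sorted(Path(cache_dir).glob("f_*")):
        with open(path, "rb") as fh:
            result[path.name] = sniff_image_type(fh.read(16))
    return result


def printable_strings(data, min_len=8):
    """Return runs of printable ASCII of at least min_len bytes (the same quick
    check the `strings` utility does), used to confirm the .log holds plaintext."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample_cache(root):
    """Constructed sample files, not real Skype data: two image headers padded
    with filler, one unrelated blob, and a fake log with one message in it."""
    root = Path(root)
    cache = root / "Cache"
    cache.mkdir()
    (cache / "f_000007").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    (cache / "f_000008").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 60)
    (cache / "f_000009").write_bytes(b"\x00\x01\x02\x03" * 16)
    log = root / "000004.log"
    log.write_bytes(b"\x01\x02\x00\x00"
                    + b"Hello from the constructed chat log"
                    + b"\x00\xff" + b"ok" + b"\x00" * 4)
    return cache, log


def run_demo():
    """Write the sample files to a temp dir and return both analyses."""
    with tempfile.TemporaryDirectory() as tmp:
        cache, log = build_sample_cache(tmp)
        types = classify_cache_dir(cache)
        strings = printable_strings(log.read_bytes())
    return types, strings


if __name__ == "__main__":
    types, strings = run_demo()
    for name, kind in types.items():
        print(f"{name}: {kind or 'unknown'}")
    print(strings)
```

Run `classify_cache_dir` on the real Cache subfolder to learn which f_* entries are images at all; a file that matches no signature may be a non-image cache entry and deserves a look with a hex viewer rather than a renamed .jpg extension. `printable_strings` on the .log file gives the raw message text, but nothing about its ordering or which record a string belongs to, so it is a sanity check, not a parser.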

I need to do a lot of research here.
I haven't had a case with a Skype Desktop version like this one yet. I also need to test my tools (e.g. AXIOM).

Next steps and Conclusion

The conclusion is that the new updates from Microsoft to Skype changed the structure, so one needs to take a deeper look at whether our tools still parse the data correctly.
It is also important which type of Skype is installed (Skype for Desktop or Skype for Windows 10).

Next steps:
1. I will write the next post about my analysis of the pictures and their mapping to the corresponding chat message for Version 12.xx of the Windows 10 App.
2. I need to find out at which version the change of the database and the media storage occurred. At the moment I just know that with version 14.48 it is different. I tested version 14.24 and there is already the most recent structure, no skype.db or main.db.
3. I will analyze the most recent Skype Version (Desktop and Windows 10) and test it with Magnet AXIOM to see if all relevant data gets decoded and I will write about it.

Why AXIOM? -> It is currently one of my main tools to work with to get out artifacts fast.
