Tuesday, January 28, 2020

Skype on Android - Images in Web Cache

The problem

At work I helped a colleague with a case: Skype on Android, images in the chat partly visible on the device (more on this later), but no images visible in the decoded chats in the tools Magnet AXIOM 3.8 and UFED PA 7.27.

So we wanted to figure out where the images are stored on the device. For us it was very clear that if we can see the images on the device while it is offline, they must be stored somewhere on the device, and it must be possible to find the connection to the corresponding message, otherwise Skype itself would not be able to show us the images.

Overview on the structure of Skype on Android

Let me give you a quick overview of the structure in case you are completely unfamiliar with Skype on Android.

Path (SKYPEPATH): /data/data/com.skype.raider

Databases

Main Database: SKYPEPATH/databases/username.db

Where username is the Skype username. If a Microsoft account is used, the username is prefixed with "s4l-live:"


In this database the messages, conversations and contacts are stored. This is already well known and is decoded correctly by the known forensic suites, so I will not explain the corresponding tables here and instead focus on the main problem with media files.
But one table is of interest for media files: "fileCachemetadata". I will explain why a bit later.


Caches and Media File Storage

There are different caches used in Skype.

Folder SKYPEPATH/cache

Directly in this folder the pictures that are taken and sent with Skype are stored. If the Skype user sends an image that was not taken by the app itself, it is not stored there.


Folder SKYPEPATH/cache/FileCache

In this folder the cached images are stored. These images were e.g. reloaded from the server while the device was online. They are gone when the device is restarted, and they don't last there forever (we will see this in the table "fileCachemetadata", just wait a few more paragraphs).


Folder SKYPEPATH/cache/image_cache/v2.ols100.1/

Here you can find a lot of folders. They contain files with the extension "cnt", but the MIME types are e.g. image/png, image/jpeg or image/gif. They are, for example, smileys, but also thumbnails of the images sent and received.


Finally, the last one - SKYPEPATH/files/http-cache/

As on the image above, there are a lot of files, always one with extension "0" and one with extension "1". The file with the extension "0" is always a text file as far as I can see. The other files differ, e.g. png, jpeg, gzip or also text.


Example on one message

Okay, let me show you now one example for a message.

First, on the device in the chat:

On the device, when opening a chat in Skype, pictures are sometimes just grey.


Damn it, no image there... but wait, let's tap on it with the finger and see what happens:



Okay, the image is there, that's good.
We did not find an image where this procedure was not possible.
But some images could be seen directly in the chat without clicking/tapping on them.


Second, in our tools after physical acquisition:

When an image was sent or received, UFED PA and AXIOM show the link to the image, e.g. something like this (the content is from my test phone):

---
Um dieses geteilte Foto anzuzeigen,
 wechsle zu: <a href=\"https://login.skype.com/login/sso?go=xmmfallback?pic=0-weu-d11-bff42ccc99abcb3c465dd88b7913d143\">https://login.skype.com/login/sso?go=xmmfallback?pic=0-weu-d11-bff42ccc99abcb3c465dd88b7913d143</a>
---

Only a few images are shown in the chat; for the others only the link is shown. I am not in my office, so I cannot give you a screenshot of the output from the tools because I don't have AXIOM or UFED PA at home.
Please feel free to double check it on your next case where Skype for Android was in use.


Third, under the hood:


Okay, so we can see all images on the device but not all of them in the decoded data. Where to start?

First we looked into the database to find a message corresponding to an image that is shown on the device but not in the decoded data.

The table is "messagesv12". The column "nsp_data" holds a lot of information in JSON format. The JSON object is a bit too large to post here, so I only give a few values that were relevant:

1. The Time (there are different timestamps in the JSON, for this message they were all the same):

"originalarrivaltime":"2020-01-04T07:13:38.318Z"

2. The message content:

"content":"<URIObject uri=\"https://api.asm.skype.com/v1/objects/0-weu-d11-bff42ccc99abcb3c465dd88b7913d143\" url_thumbnail=\"https://api.asm.skype.com/v1/objects/0-weu-d11-bff42ccc99abcb3c465dd88b7913d143/views/imgt1_anim\" type=\"Picture.1\" doc_id=\"0-weu-d11-bff42ccc99abcb3c465dd88b7913d143\" width=\"1196.8831168831168\" height=\"2048\">Um dieses geteilte Foto anzuzeigen,
 wechsle zu: <a href=\"https://login.skype.com/login/sso?go=xmmfallback?pic=0-weu-d11-bff42ccc99abcb3c465dd88b7913d143\">https://login.skype.com/login/sso?go=xmmfallback?pic=0-weu-d11-bff42ccc99abcb3c465dd88b7913d143</a><OriginalName v=\"1578122018152.JPEG\"></OriginalName><FileSize v=\"54864\"></FileSize><meta type=\"photo\" originalName=\"1578122018152.JPEG\"></meta></URIObject>"




Okay, so we can see the time the message arrived, the original file name and a link with an ID at the end.

Arrival Time: 2020-01-04T07:13:38.318Z
Original File Name: 1578122018152.JPEG
ID: 0-weu-d11-bff42ccc99abcb3c465dd88b7913d143

For this example the image was taken with the Skype app and then sent. (I did this myself on my test phone, so I know it.)

With the information in the message content we didn't see a direct way to map to the images. We searched for the original file name without luck. We looked around and found the http-cache. So let me show you what we found there.
In my test lab at home I extracted the Skype folder from my test device and loaded it into Autopsy 4.14. After indexing all files I searched for the ID, see the result below.





There are five hits. As I've already written above, the http-cache contains file pairs.

The first match contains the GET of the thumbnail, the second the GET of the image. For the third and fourth I am not really sure what they are about. The last one is the database table itself.

Let me show you part of the content from the second hit:


Yes, there is the ID. Okay, I talked about file pairs, so let us find the corresponding file with the ending "1". And yes, there is the image. The file name is "a3aac68c8823c2c49181a2a59b07605a.1".

Timing in Skype - When are the images "gone"

Okay, why and when are the images not shown anymore? I mentioned the table "fileCachemetadata" above.
This table contains data about the cached files. Directly after putting my device into airplane mode, the images were still there, also after a reboot. I have not tested what AXIOM and UFED PA will show; I assume that they would also be able to show the images when decoding the data.

The interesting value in this table is the following:

"expiration":1580486931002

The number seems to be Unix epoch time in ms -> Fri, 31 January 2020 16:08:51.002 UTC.
I last opened Skype with an active Internet connection on the test device on "Tue, 28 January 2020 16:08:51.002 UTC" (estimated, but really close).
So it seems that the cached files are only stored for 72 hours.
I decided to test this. For this I changed my phone's system time to 1st February 2020 and restarted it. If my assumption is correct, the images should not be shown anymore on the device in the chat.
The test shows the expected result.
The images are still visible when tapping on them, but not directly in the chat. Now my test device looks exactly like the device from the case.
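The mapping from a messagesv12 row to the http-cache file pair, and the reading of the fileCachemetadata expiration value, as an added example (not from the original post or from Skype itself). It assumes the nsp_data JSON and the ".0"/".1" pair layout shown above; the sample message and cache files are constructed in a temp directory from the ID and names quoted in this post.

```python
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Patterns over the URIObject XML carried in the "content" value of nsp_data.
DOC_ID_RE = re.compile(r'doc_id="([^"]+)"')
ORIG_NAME_RE = re.compile(r'<OriginalName v="([^"]+)"')

def parse_message(nsp_data: str) -> dict:
    """Extract arrival time, original file name and object ID from one
    messagesv12.nsp_data JSON blob (content holds a URIObject XML fragment)."""
    obj = json.loads(nsp_data)
    content = obj.get("content", "")
    doc_id = DOC_ID_RE.search(content)
    name = ORIG_NAME_RE.search(content)
    return {"arrival": obj.get("originalarrivaltime"),
            "original_name": name.group(1) if name else None,
            "doc_id": doc_id.group(1) if doc_id else None}

def find_cached_images(http_cache: Path, doc_id: str) -> list:
    """Search the '.0' text files of files/http-cache for the object ID and
    return the paired '.1' files, which hold the downloaded thumbnail/image."""
    hits = []
    for meta in sorted(http_cache.glob("*.0")):
        if doc_id in meta.read_text(encoding="utf-8", errors="replace"):
            payload = meta.with_suffix(".1")
            if payload.exists():
                hits.append(payload)
    return hits

def expiration_utc(ms: int) -> str:
    """fileCachemetadata.expiration is Unix epoch time in milliseconds."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=ms % 1000 * 1000)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + " UTC"

# Constructed sample message built from the ID and file name quoted in the post.
SAMPLE_DOC_ID = "0-weu-d11-bff42ccc99abcb3c465dd88b7913d143"
SAMPLE_NSP_DATA = json.dumps({
    "originalarrivaltime": "2020-01-04T07:13:38.318Z",
    "content": '<URIObject uri="https://api.asm.skype.com/v1/objects/%s" type="Picture.1" '
               'doc_id="%s"><OriginalName v="1578122018152.JPEG"></OriginalName>'
               '<FileSize v="54864"></FileSize></URIObject>' % (SAMPLE_DOC_ID, SAMPLE_DOC_ID)})

def demo() -> dict:
    """Build a constructed http-cache (a matching and an unrelated pair) in a temp dir and map the message to its image."""
    msg = parse_message(SAMPLE_NSP_DATA)
    cache = Path(tempfile.mkdtemp(prefix="http-cache-"))
    (cache / "a3aac68c8823c2c49181a2a59b07605a.0").write_text(
        "GET https://api.asm.skype.com/v1/objects/%s/views/imgt1_anim\n" % msg["doc_id"])
    (cache / "a3aac68c8823c2c49181a2a59b07605a.1").write_bytes(b"\xff\xd8\xff\xe0constructed")
    (cache / "ffffffffffffffffffffffffffffffff.0").write_text("GET https://example.invalid/x\n")
    return {"message": msg, "hits": [h.name for h in find_cached_images(cache, msg["doc_id"])]}
```

On a real extraction, point find_cached_images at SKYPEPATH/files/http-cache and feed it the doc_id of every Picture.1 message whose image the tools did not decode.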


Conclusion

It seems that after 72 hours the images in the cache folders are removed by the Skype app, so the normal mapping from the message content to the image is not possible anymore. But one can go through the files in the http-cache folder to find the images.
In my test I could find images there older than 9 months. I have not tested whether images in this folder are removed at any time or after any number of image synchronizations. On the device of the case there were images older than 24 months, and many images and threads.

I would love to give you a script that does this automatically, but don't have the time at the moment.

Again, know the limits of the software and tools you use, and use your brain when analyzing. We had a bit of luck because the device was unlocked and we could take a look at it. So we could see that something was missing in the decoded Skype data.

Thanks to my colleague, it was one of his first mobile device cases. We both learned a lot. Keep going!
