Monday, December 17, 2012

Easily Recover Files from Phone or Tablets

The quickest and easiest way to check your hunch that your spouse is cheating is to investigate their mobile devices. Full data recovery from a phone or tablet is difficult but there are some methods which you can do yourself at home with little cost or technical expertise.

SD Card Recovery

Many phones use a Mini SD card for expanded memory. Cameras and camcorders also use expanded memory slots. Devices save data to either an internal memory or to the external memory card, sometimes both.

Data recovery from an memory card can be as simple as removing the memory card from the device, putting it in a card reader attached to your computer, and running a file recovery program.

Memory Card Readers

Many computers these days have a built in card reader. If your computer doesn't have a card reader, you can purchase a USB card reader almost anywhere for $5-$20 or so. Here are a few places where you can order online

File Recovery Software

The good people at CNet's have quite a few file recovery tools. However, there are some that aren't free. Limited trials may allow one to view the thumbnails of recovered images but the full licensed product is required for retrieval. The geek-elite at Lifehacker have provided their own guide for the best file recovery software. I highly recommend reading through their article before proceeding in your file recovery efforts.

The following software has been recommended by BSC blog readers:

Other Uses for File Recovery Software

One benefit of the file recovery software is that it can be run on several types of devices. Make sure to check the memory cards of all of you mobile phones, cameras, camcorders, GPS devices, video game consoles, etc... A second use for the software is that it can be run on hard drives of computers and laptops. The recovery software is a versatile information gathering tool.

Trouble Ahead: Internal Memory

The hard part of data recovery from devices comes from the internal memory of the device. The big culprits here are the Apple iDevices and the Blackberry. Apple prevents the use of external memory in its iPhone and iPad devices by not supporting physical slots for memory expansion. Some Blackberries default to using internal memory. The Blackberry Curve series will only use the external memory slots for message storage, photo storage, contact storage if the user modifies the default settings in the menu. In most cellphones some data is even stored on the SIM card, but Blackberry doesn't even do that.

Big Trouble

Even forensic professionals have a difficult time reaching into internal memory on mobile devices. It's a complex problem with lots of layers.

In the first layer you have firmware. This is the basic operating software on the phone that boots it up. Not only does each manufacturer have their own firmware on the device but each model of device can have a different firmware as well.

The next layer is the operating system. The main contenders in operating system are Apple and Google. Apple is notorious for closed systems and actively prevents the open source community from developing utilities that would have helped our purposes. Google's Android is much more open and has more development community involvement. There may be some applications out there on the net which would help recover data.

The third layer is a twist on the second. Jailbreaking the iOS or Android operating system adds a further wrinkle. The Cydia jailbreak adds a new app store for the iOS system where third-party developers can sell software. As with any operating system modification, apps designed for the original configuration may or may not work on the jailbroken device. Additionally, apps added after the jailbreak may modify how data is stored or can be retrieved.

The icing on the crap-cake is that special equipment and decoding software may be needed. For my outdated early-2000's Blackberry, the kit would have been ridiculously expensive. For those of you with deep pockets, there's a list of links below.

If anyone out there knows about a good tool set for Android, Blackberry and iOS... Please share!

What can you do?

There are cellphone reading kits that police and professional private investigators use to access the internal memory of the device. These kits are ungodly expensive. My recommendation is to seek professional help if you absolutely need to see the internal memory on a device. Contact a private investigator in your area, ask your lawyer for a referral, check out the firm's reputation, see if they outsource the forensic work and check the reputation of the lab. Be prepared to pay - I was charged $750 for one phone.

Also, be prepared to get zippo off the device. That's right... I spent $750 for "no data" because the lab couldn't read internal memory off the phone (not the SIM or expansion memory - the internal data store). The lab had a good reputation and updated equipment. They just were not able to read the internal data. Luckily, they refunded my payment. Contractually they didn't have to refund anything so I do feel very lucky indeed.

Professional Tools:

Cell Phone Records

Don't forget to log into the online account for mobile phones. I used this access to download a couple of years worth of calls and text message records. The data is simple; date, time, number, duration, placed/received call, sent/received text, and sent/received mms.

You should look for a pattern. For example- your wayward spouse has been calling and texting a suspicious number every day for months and then has a few days with little or no texts or calls. If this aberration occurs at the same time your spouse was away on a business trip, visiting family, working over the weekend, etc. I think you have some very strong evidence for a rendezvous.

Spoofing a Cloud

I have been researching a new approach for forensics. This is based on the distributed memory principle of cloud computing. For example; Apple's iOS for iPad and iPhone is utilizing a 'live backup' to their iCloud service which basically runs a backup of apps, contacts, and data through the internet connection of the device. Somewhere, out in the net, is an encrypted copy of all of the device data. I'm looking into how one could access this information -- so stay tuned.

--- DNS

Wednesday, December 5, 2012

Hacking help!

I've been contacted a few times recently to provide help getting to some part of a computer file or recovering some sort of data. I don't mind responding to people who reach out and generally need help, in fact, I'd like to think I've actually helped quite a few people. Here are some guidelines to make sure I can help you as much as I can.

What to do before reaching out to me for help

  1. It would be really awesome if you would read the relevant blog posts and attempt it on your own first.
  2. Know what you are asking for and likely to get. Data recovery and carving can generate lots of data but it generally is a shotgun approach.
  3. Do the work once you have the data. I can't generate lovely time-indexed, cross-referenced, collated reports of the data. I'll just generally give you the data and expect that you'll donate some elbow-grease to the equation.

What I need to help you

  1. A description of the system (Mac, PC), the operating system (XP, 7), the relevant programs (Skype, Firefox). Version of the programs is a nice-to-have for me.
  2. The relevant files!
  3. Any information that would help searching data. Names of the parties, dates of events, locations, etc...

What I can promise

  1. My best effort to recover data
  2. Getting to the task of investigating as soon as possible (I do have a life!)
  3. Utmost secrecy... I will only share your information with you, no one else. Nobody but me will ever see it. I promise to delete all copies of data and emails once I've finished investigating and sent results. 
  4. Discretion. I've been through this myself and I know how personally devastating going through this kind of event can be through my own experience.

How to contact me

  1. Post a comment to the blog and I will reach out to you. I moderate all comments and will not make any comments public that contain personal info like an email address.
  2. Email me at dead.nt.sleeping [at] gmail [dot] com
  3. I have put together a web form for a contact page you will be able to see on the top tabs of the blog. Here's a link to it anyway: Contact Form.

V/r - DNS

Thursday, November 29, 2012

Searching Browser Client-Side Storage

Is there anything you don't know? Google it! Bing it! Ask Jeeves! We sometimes forget how ubiquitous internet search is in our lives - Google in particular. We use Google Maps to find our way around, we use Google's search engine to find a good restaurant, we use Google for almost everything. That's why Google is great for finding information about a wayward spouse.

Web Browser Client-Side Storage

A lot of what internet browsers retain for data is kept in "client-side" storage. Most browsers retain a SQLite database in the user's directory. From our previous discussions we know a few tricks to get information from these SQLite sources already. Grab a SQL browser and we'll dive into the rabbit hole of what's on a hard drive.

File Location - Where's it at?

On Win7:  C:\Users\[UserName]\AppData\Roaming\Mozilla\Firefox\Profiles\[Profile]
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Application Data\Mozilla\Firefox\Profiles\[ProfileName]

On Win7:  C:\Users\[UserName]\AppData\Local\Google\Chrome\User Data\[Profile]
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Application Data\Google\Chrome\User Data\[Profile]

On Win7:  C:\Users\[UserName]\AppData\Local\RockMelt\User Data\[Profile]

Internet Explorer (IE):
This is a different kind of beast. We'll discuss this later but it is important to note they do not have a SQLite db structure.
On Win7:  C:\Users\[UserName]\AppData\Local\Microsoft\Windows\Temporary Internet Files
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files

Types of Storage

The following table is sourced from a Chrome Browser extension called Click&Clean. If their product is anywhere near as good as their chart on client-side storage - it should be excellent!

Below you can see Cookies, Local Storage, Web Databases (SQL), IndexedDB, File System, Application Cache, Flash Cookies, and Silverlight Cookies...

From Click&Clean

I know what you're saying - "But everyone blocks cookies!" True. Everyone blocks 3rd Party Cookies. These are the cookies advertisers put on your system to track your behavior. What people usually don't block are 1st Party Cookies. These are cookies that are directly linked to the domain you choose to visit with your browser. They remember what's in your shopping cart, your login info (if you authorize autofill), your browser session state, etc. These cookies are delicious.

Local Storage,Web Databases (SQL)
The real big deal is in the local storage databases on your computer. These tables track downloads, search terms, archived history of URLs visited and more. See below for the schema and descriptions of the data present.

Application Cache
Nirsoft has a cache reader for you! Chrome, Firefox, Internet Explorer, Opera included. Even (gasp) Safari.

The cache is a set of already downloaded images and media from webpages that is stored on your hard drive. The browser uses these cached elements to speed the loading of webpages. The cache readers will recover images and the URLs that reference them. You will see a lot of elements like the graphic files for navigation buttons for a site, images for headers and/or other elements of a web page. If you are lucky... You may be able to retrieve images from online dating sites, Facebook images, and thumbnails of other incriminating evidence.

I strongly recommend reviewing the cache of every browser on the computer and recovering/saving files you find. The cache is fluid and can be flushed at any time or the relevant data may be overwritten by newer cached data. 

Flash Cookies & Silverlight Cookies
I haven't found anything worth noting in Flash or Silverlight Cookies. There may be data present that is interesting to an investigator but I haven't found it yet.

Local Storage, Web Databases (SQL)

Data Schema and Relevant Files
Here's a list of databases in the User's directory and a list of the data files contained within. There are many SQLite databases as well as flat files and cache files. There may be different tables present depending on the browser (Chrome, Firefox) and the browser version.

For a complete list of data files I've encountered, go here or click on the database you want to investigate below.
  • Archived History
    • Meta
    • URLs
    • Visits
    • Visit Source
    • Keyword Search Terms
  • Cookies
    • Meta
    • Cookies
  • Extension Cookies
    • Meta
    • Cookies
  • Favicons
    • Meta
    • Favicons
    • Icon Mapping
  • History
    • Meta
    • Downloads
    • Presentation
    • URLs
    • Visits
    • Visit Source
    • Keyword Search Terms
    • Segments
    • Segment Usage
  • History Index YYYY-MM
    • Meta
    • Pages
    • Pages Content
    • Pages Segments
    • Pages SegDir
    • Info
  • Login Data
    • Meta
    • Logins
  • Shortcuts
    • Omni Box Shortcuts
  • Top Sites
    •  Meta
    • Thumbnails
  • Web Data
    • Meta
    • Keywords
    • Autofill Profile
    • Autofill Profile Emails
    • Autofill Profile Phones
    • Autofill Profile Trash
    • Credit Cards
    • Web Intents
    • Keywords Backup
    • Logins
    • IE7 Logins
The following are flat files (non-database files) in the User's directory. These open with Notepad and display readable contents. 
  • Bookmarks
  • Current Session
  • Current Tabs
  • Last Session
  • Last Tabs
  • Preferences
  • Visited Links

So.... Where do I start?

I've presented a lot of information. So naturally you want to know where's the best information for web behaviors found.
  • Look into the History Index YYYY-MM, History, Archived History and Web Data databases first.
  • Get a cache reader and review what is in the cache for each browser on the computer.
Analyzing this data should help you confirm or deny your suspicions.


What's in a URL?

You are very likely to recover URLs. Sometimes these are neat and clean to read but a lot of times the URL is a jumble of variables and escaped characters.

Google Search URL
Here are some common variables you will find in a Google search string:
  • q = search term
  • as_sitesearch = searches specified domain only
  • sort = sorting parameter for results
The authoritative source for variables would be Google. They've posted a helpful, lengthy page on search parameters here.

URL Encoding - Escaped Characters
URLs often have characters in them (:, /, ., etc) which would cause problems for other parsing engines like Java or Flash. The characters are often replaced by a '%' and the two digit hexadecimal code for the character. For example ':' = %3A and '?' = %3F.

Here's a list of characters that are often replaced in a URL with a more script-friendly value. I generally use the substitute function in Excel to replace the hex value with the ASCII character.


TL;DR - Summary

1) Find the local storage on your machine
2) Open a SQLite files with a database browser
3) Save file as HTML, close the file, re-open with a spreadsheet program (Excel)
4) Repeat until you've opened all files and saved them all into one workbook
5) Utilize the pivot table function to investigate the data
6) Have a beer

V/r - DNS

Thursday, August 9, 2012

Spyware, An Introduction

There's an old saying that being paranoid doesn't mean that they aren't out to get you... In our case, being paranoid doesn't mean your spouse isn't being unfaithful. The uncertainty and dread of the unthinkable happening is maddening. Many people turn to spyware to find evidence. I will recount my experiences here with some popular software.

Morality and Legality

Without question, it is immoral to invade another person's privacy. In fact, it is illegal. What I'm writing in this post is a review of products and not an endorsement. I don't want to influence you in your decisions - you are responsible for your own actions and their consequences. My post is merely a discussion of popular software and hardware and their benefits and restrictions.


Spyware is classified as any software used to capture data without the primary user's consent and/or knowledge. There are several general types of spyware; key loggers, parental/employee monitoring, network packet inspection, and "professional" software.

Nota Bene! 

Installing Spyware

Everyone has a virus scanner and spyware protection software package these days, as well they should. So, how do you install spyware without it being instantly removed? The answer is to modify the security program to create an exception, or blind-spot, for the spyware you install. Prior to installation, you need to create these exceptions in the security software's settings. The software you decide to use will likely have detailed instructions on how to create exceptions. 

The big risk to installing any spyware is that the user may be savvy enough to review their security software settings, do a clean re-install of their security software, or download a new security software package entirely. If the user does this, the exceptions you created will be lost and the user will be alerted to the presence of the spyware.

Key Logger

A key logger is a program that is used to track which keys are struck while the computer is in use. There are many variations on the basic key logger program. Most of the free programs will track the basic keystrokes and save the data to a hidden directory on the computer for later retrieval. More advanced programs will capture additional data, such as; programs in use, screenshots, etc.

Parental/Employee Monitoring

All spyware is distributed or sold to "monitor the computer use of children/employees". As such, parental monitoring software has many spyware features built-in. The features generally include a key logger, a website filter, instant messaging capture, webcam locks, and others. The website filters can often be configured to track, not block, web use. Some monitoring software offer a real-time communication for specific events, such as; visiting an adult website, sending an instant message, computer use during prohibited hours, etc.

There are some software packages which can do an IP lookup and provide a generalized location for the computer. Note that the lookup here isn't very precise and is based on the assigned IP address of the machine. Proxy servers, onion routers, and other actions that impact the domain name server (DNS) assignment of IP addresses can mess with its accuracy.

It is important to note that most parental/employee monitoring software has a splash screen, notification tray icon or other visual cue to alert the user to its presence. You will need to find a solution that meets your needs. If you are negotiating a reconciliation with a wayward spouse, asking them to install a monitoring software on their computer may be one of your conditions.

Network Packet Inspection

This is, by far, the nerdiest of the geekery on this post. Here's an article or two to get you familiar with packets and networking.

In general, networks operate by sending packets of data back and forth. Each packet has a header which tells your router (the traffic cop of you home network) where each should go and in what order. Once packets are received by the destination machine they are decoded and transmuted into data.

Network packet inspection software allows you to monitor these packets. It is also referred to as a "packet sniffer" because it intercepts and decodes each packet sent over the network and presents you with raw data. These are essential and valuable network admin tools. As powerful as these tools are, I found many very cumbersome to use and far too technical for a casual user. My experience has primarily been with Wireshark, Ethereal and WinPcap.

"Professional" Software

For those of us who need a solution that ameliorates the need to have physical access to the computer to download keystrokes, the "professional" software fits the bill. The main operator in the arena is Spectorsoft. I have experience with their product line; eBlaster, SpectorPro, eBlaster Mobile. In my opinion, they have excellent customer service and are very responsive. I've only had to wait an hour most of the time I sent an *email* inquiry to their team.


The features worth mentioning in the eBlaster software are as follow:
  • Sends email reports on a user-defined schedule
  • Reports contain keystrokes, program use, files transferred or printed, IM activity
  • Keywords can be set to send an immediate email report containing the keyword, program use and a screenshot of the computer at the time it was detected
  • Remote control panel once installed allows user to adjust what's monitored, how frequent the reports are sent, set keywords, set websites to block, and allow customization of the emailed reports to give a "friendly" subject, sender, etc.
  • Forwards emails sent from the computer to an account you select.
Some cons to using the software I learned the hard way:
  • The application doesn't support non-major browsers. If your subject uses Opera, Chrome, Iron, RockMelt, etc. much of the beneficial tracking info is lost. You still get the keystrokes logged but the output can be randomly mixed, confusing and lack association with the appropriate webpage or webapp (think of Skype integration in Facebook through the RockMelt browser as an example).
  • The frequency and quality of screenshots is limited by Spectorsoft. However, if you utilize your own Gmail account as the SMTP server to send the screenshots this can be circumvented.
  • Video streams and audio streams are not captured. Voice/video calls through Skype do not capture the audio or video component. If you're lucky your subject might type a keyword so you can get a screenshot.


SpectorPro is a software program much like eBlaster. The following are the main differences:
  • SpectorPro won't send you email reports. It spools them to a hidden directory on the subject machine. You will need to access the computer to get to them. The software does allow the user to set up a network path where these files can be accessed remotely.
  • SpectorPro records computer use like a video recording. You can playback the files and see exactly what was being displayed on screen during the time the subject was using the computer.
  • SpectorPro doesn't record audio. A pure voice call on Skype or any other VoIP app wouldn't provide much more detail than seeing the call being made/accepted.

eBlaster Mobile

In my opinion, eBlaster Mobile is where Spectorsoft falls down. First the features:
  • Sends periodic email reports.
  • Logs calls made, missed and received with time and duration. Looks up the caller in the user's contact book to provide a name with the number.
  • Logs website pages loaded (big caveat here, read on for its limitation).
  • Logs SMS and MMS sent and received with contact information.
  • Sends a thumbnail of a photo or video taken with the phone with geo-tagging and time the picture was taken.
  • Looks up GPS location and resolves to a street location at a set schedule
  • Allows a geo-fence to be set up which provides alerts when it has been entered or exited. 
  • Remote dashboard to set and manage delivery settings
  • "Friendly" names for sender of reports, subject, etc.
  • The eBlaster Mobile app won't track any websites visited outside of the native android browser. Any use of a browser outside of the crappy one the android was packaged with circumvents eBlaster Mobile entirely.
  • The eBlaster Mobile app won't track app usage. You won't know if your kid plays Angry Birds all day in that expensive private school you're sending him to, or if your spouse uses the Skype app for calls/video chat, uses Google Talk, uses Google Voice, Meebo, What's App, and on and on... All of the apps are invisible to eBlaster Mobile.
  • The geo-location feature that provides the location of the phone at set intervals is a battery-burner. As an example, the phone I use has a 1.5 day battery life. Using a 2-hour lookup for location during normal use reduces that to about 6-hours.
  • It was pretty convoluted to set up. It required I jail-break my phone (more a limitation set by my service provider) prior to set-up.

The Final Word

Find software that works for you. I found the email reports provided by Spectorsoft extremely useful and worth the cost and limitations. I just wish they had a more comprehensive mobile offering.


There is hardware available for snooping. The most useful being mini-GPS, spy cameras, and voice recorders (bugs). I have found most of my needs resolved through software but there are hardware options out there.

The Mini-GPS

The Garmin GTU 10 is a mini-GPS unit that's about 3 inches by 1 inch by 1 inch and is fairly expensive. The signal is strong enough to transmit through the body panels of most cars. It sends an email report of its location and Garmin provides an online dashboard to view locations and modify settings.

It has a handy geo-fencing feature which allows you to set it to sleep inside a location. For example, you can have it report hourly and set a geo-fence around your home which it will wake up once it leaves. The GTU 10 can switch to continuous tracking which reports every 30 seconds or so - in real time.

Spy Cameras

Admittedly, I do not have much experience with different types of spy cameras. There is a dizzying array of options and prices. Many are wireless, motion activated and record to a DVR or computer. The small design of modern cameras allow them to be placed almost anywhere. I ran into a major stumbling block when considering the areas I'd want to monitor and the possible locations for a spy cam. I couldn't reconcile where to place it that wasn't in the direct line of sight of my subject and I quickly abandoned the idea.

Audio Recorders

The old "bug". An audio recorder is a discreet method of documenting what is going on when you are not present. The trick is to find a portable, battery friendly device with lots of memory that your subject will likely always be near. One popular choice is a voice-activated recorder made to resemble a key fob. Granted your spouse may be suspicious when you get her a new key fob for no real reason, so it is up to your ability to bullshit your way through it.


The only thing worse than knowing is not knowing. However, as I always recommend, talk out your problems first. Using these devices and programs in a manner which compromises anyone's privacy is immoral and illegal. It will also break any threads of trust your spouse may have for you and may lead to an inevitable conclusion of divorce. I doubt any of us would be considering these technologies if we didn't have a very solid suspicion but do consider this before hopping down the rabbit hole - what if you are wrong?

-- DNS

Friday, July 20, 2012

Skype Main.db

I hope you've read the Skype primer I posted a while back... Because now it is time to roll up our sleeves and get dirty!


The main.db SQLite 3 file is the heart of Skype. The file is located in Windows 7 at C:\Users\WindowsUserName\AppData\Roaming\Skype\SkypeUserName and in Windows XP at C:\Documents and Settings\WindowsUserName\Application Data\Skype\SkypeUserName.

In my Computer Psuedo-Forensics & Tools post, I pointed out some helpful software; a SQLite database browser called, appropriately, SQLite Database Browser and a raw hexadecimal file editor called HxD Hex Editor. Both are free. The discussion below utilizes these tools.

SQLite is cool

The Skype tool (also Firefox and Chrome) utilize a lightweight SQL engine called SQLite 3. This enables the software to have a back-end platform which is light enough to be used on mobile devices. The PC based tools are using the same engine as the software is relatively standardized on the back-end to reduce the cost of maintenance and reducing development cost and time across platforms.

SQLite is an open standard and has extensive documentation. All SQLite formatted files have a header beginning "SQLite format 3".

From my earlier post on Skype

"According to the SQLite3 documentation at

A database file might contain one or more pages that are not in active use. Unused pages can come about, for example, when information is deleted from the database. Unused pages are stored on the freelist and are reused when additional pages are required.
This means when the user deletes records, they're marked inactive. NOT removed from the main.db file. The deleted records sit in unallocated memory. They are, however, overwritten with new data. This means you should copy that file ***now*** before any old data is truly gone. Once overwritten, it cannot be retrieved.

Using the HxD Hex Editor, you will be able to open that main.db file and translate the machine code to text. There will be plenty of garbage characters and the data will be in a somewhat random order. If you're lucky enough you will have been able to catch a good bit of data that the user believes they've deleted for good."
That's why SQLite is cool :)

Using Main.db

The main.db file is a SQLite database. Using SQLite Database Browser (or any other SQLite tools), you can open the "official" memory of the Skype program. The information you can retrieve from this file represent the data that has not been deleted or removed by the user.


The schema is the set of tables and indexes within the database file. It provides the structure of the database, the names of the tables, the fields (data items) within each table and a description of the field indicating what type of data is stored and whether it is a primary key (a unique, mandatory value). The indexes for the database are provided. These indexes are tools used by SQLite to speed up the execution of queries used to retrieve data.

Just because I like you here is a link to a spreadsheet containing the tables and indexes and a link to a spreadsheet containing the tables and data fields.


The following tables appear in the main.db schema. Each table on this list is linked to a spreadsheet with a description of the table's fields and data types.

So what?

The following tables are where you will find useful data...
  • Contacts
    • You'll find all of the user's contacts with their SkypeName, their DisplayName and any other details they've provided in their Skype profile (location, mobile #, etc)
  • Videos
    • You'll find a list of the user's video chats and a Convo_ID. 
    • The Convo_ID will map to the Convo_ID in the Conversations and Participants tables.
  • SMSes
    • I have no experience with this table but I believe it is used to store SMS texts sent via Skype to a cell phone (a paid feature for Skype users)
  • CallMembers
    • Provides a list of all parties to a call (grouped by Call_Name). 
    • Duration is provided per participant and a Video_Status is provided (I believe 3 = video call)
  • ChatMembers
    • Provides a list of members taking part in a chat (grouped by Chat_Name). 
    • The Adder field provides the SkypeName of the user who added the participant to the chat.
  • Conversations
    • Provides a list of the conversations in which the user participated. 
    • The Identity column provides the SkypeName of the participant or the Chat_Name for group chats/rooms. 
    • The DisplayName field provides the participant's displayed name in Skype or the displayed title of the group chat/room.  
    • The Creator column notes the creator of the group chat/room.
    • Timestamps are provided for Last_Activity, Inbox_Timestamp, Creation_Timestamp and more.
  • Participants
    • Provides a list of conversation participants grouped by the Convo_ID
    • The Adder field notes the SkypeName of the user who added the participant to the conversation
    • The Identity column provides the SkypeName of the participant.
    • Text, Voice and Video status fields are provided.
  • Calls
    • Provides the calls in which the user has participated.
    • Call_Name is provided and maps to the Call_Name column in the CallMembers table.
    • Timestamps for the calls and the Host of the call are provided.
  • Transfers
    • Provides the details of files shared and downloaded by the user.
    • Partner_Handle is the SkypeName of the other party, Partner_DisplayName is their DisplayName.
    •  FileName and FileSize is provided along with the FilePath (uploads only I believe).
    • Convo_ID is provided which maps to the Participants and Conversations tables.
    • Timestamps are provided.
  • Voicemails
    • Lists voicemails sent to the user
    • Partner_Handle is the SkypeName of the other party, Partner_DisplayName is their DisplayName.
    • Path column displays a ".dat" file which is located in the ...\Skype\SkypeUserName\Voicemail folder
  • Chats
    • Provides the chats in which the user participated.
    • The Name field follows this structure; #SkypeUserNameOfInitiator/$SkypeUserNameOfPartner;ChatIDString
      • The ChatIDString is a 16-digit alphanumeric string that is unique to the Chat
      • The SkypeNameOfPartner is replaced with the ChatIDString when the chat is a group chat/room. Ex: #SkypeUserNameOfInitiator/$ChatIDString
    • The Friendly_Name column provides the display name of the partner or group chat/room.
    • The Adder field notes the SkypeName of the user who added the participant
    • Timestamps are provided
    • The Posters field is a concatenated list of SkypeUserNames that posted to the chat
    • The Participants field is a concatenated list of SkypeUserNames that received messages from the chat
    • The ActiveMembers field is a concatenated list of SkypeUserNames of those who have recently posted
    • The dbPath field displays a ".dat" file which is located in the ...\Skype\SkypeUserName\Chatsync folder
      • The name of the ".dat" file is a 16-digit alphanumeric
      • The first two characters indicate the subfolder where the ".dat" file is located under the Chatsync folder. Ex- if the dbPath field has the value of 01abc2345def6789.dat; the file is located at ...\Skype\SkypeUserName\Chatsync\01\
  • Messages
    • Provides a Convo_ID to map to Conversations table, Videos table and others.
    • Provides ChatName to map to the Name field in the Chats table.
    • Notes the SkypeName of the Author of the message.
    • Provides the message detail in the Body_XML field. This is the most important field... this is the message sent from one party to another!


The timestamps in main.db follow a format based on UNIX. You will need to convert these timestamps into a human-readable values. For example, the value '1325900664' represents January 6, 2012 8:44pm. I use the following equation in Excel to convert the dates (assuming the Timestamp value is in cell B3):

The IF statement states that if there is no value for Timestamp, then no value should be returned. If there is a value in the Timestamp field, the equation should be executed.

In SQL queries the date is converted using the datetime function. The format of the function is as follows:


A query to start off with

Not everyone can write SQL queries, but they should! Here is a simple sample query to get you on your way. This retrieves all contacts sorted by the number of times they appear in the participants table:

select c.skypename
         ,datetime(c.lastused_timestamp,'unixepoch') lastused_timestamp
from contacts c
    ,participants p
where c.skypename = p.identity
group by c.skypename
order by count(p.identity) desc

What's the deal with Chatsync?

The Chatsync folders also contribute a great deal. The main.db database includes pointers to the ".dat" files in the Chat table. I believe that these folders within Chatsync are used to store nodes of information which is retrieved by the Skype application when the chat data is needed. It's sort of like an extended memory to save information about the chat. I do know the Chatsync files are not inclusive of all the information presented in the main.db Chat table and I have found data present in the Chatsync files not present in the main.db tables.


Reading the Main.db file with a SQLite utility and the Chatsync files are of limited use when trying to recover data that has been deleted. As I stated in this earlier article, the best approach is to read Main.db with a hexadecimal reader to recover partial records of deleted messages, video calls, voice calls, chats and other data. The Chatsync files are of limited worth as these appeared, in my experience, to have been deleted with more regularity than the old data in main.db was overwritten by new data.

Other Tools

The other helpful tools to user are SkypeLogView and SkypeChatsyncReader. I discussed these in my earlier post:


The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD.


A utility created by Rasmus Riis Kristensen from the Computer Crime Unit of Danish National Police. This tool reverse engineered the location of data in the .dat files of Skype.


The Main.db file is a useful source of data IF a deletion of data has not occurred. The presentation of files from a SQLite database browsing utility can provide a well-formatted view into Skype usage. Please remember that carving the Main.db file with a hex editor will yield data that has been deleted by the user. However the presentation of this deleted data is nowhere near the organized output of the Main.db file.

-- DNS

Thursday, June 7, 2012


So you have 1,000 emails, a 500,000 line file full of chats, 30,000 transactions from your cellphone bill, and credit card statements going back six years... What does it mean?

Structure Your Data

Just a thought for today... When compiling forensic data it is important to make it human readable. This isn't just to help those who aren't tech savvy. It is to help consolidate and present information in a coherent manner so it is more readily comprehensible. Isn't that what were doing at the Betrayed Spouses Club when we look at digital data? We're not only finding information we didn't have (or didn't want to see), we are trying to comprehend it. We are trying to put some structure into a subject matter that had suddenly and unexpectedly jumped from our subconscious insecurities into the ever-present lugubrious spotlight of our daily lives. For me, personally, no matter how badly my wife and I were getting along I never thought it I would be a member of this club. It was so horribly unfathomable that I find myself wondering which way is up more days than not. My search for the truth is paired with my need to structure it. I need the facts and a structure with which I can begin to comprehend them. That is why I took some time to write this post.

Mis En Scene

An important part of understanding "what" is to not take it out of context. Nobody lives in a vacuum. External events can be a frame of reference that can help with comprehension. I identified several events which could impact the decisions that were made by my wayward spouse.

It's important here to remember that no one can make someone cheat... No matter what happens the wayward spouse's decisions are their own. That said, the events which may have influenced those decisions can't be ignored. First, it can help you come to terms with what actually happened. Second, if you do try to reconcile, you will need to find and fix the vulnerabilities in your marriage, such as; poor stress coping skills, communication issues, lack of emotional support, etc.

Here are some of my events.
  • Holidays
  • My wife's birthdays
  • Big arguments over money
  • My spouse's mental condition
  • A death in the family
  • My diagnosis with cancer
  • Loosing my job and health benefits

I plot these on the same structure along with milestones I found in my conversations with my spouse and my search for digital information. Here are a few.
  • Meet-ups with the other people
  • Calls, texts, chats, pic/video to the other people
  • Initiating a new relationship with another other person

The Timeline

A chronological structure can begin to help you fit the puzzle pieces together. There are a few options; calendar, timelines and Gantt Chart are what I'll cover here.


To start, begin adding the data that you've collected which identify external events and events during the affair(s). I wouldn't recommend going to such detail as to record every text sent or received. You will need to stay at a high level of detail to make sure the calendar doesn't become cluttered and unreadable.



Timelines offer an advantage over the calendar because they can manage the duration component of your data more effectively. The duration could be the time your spouse has associated with one other person or another or it could help identify times where your spouse was well-behaved and acted with the appropriate respect for your marital vows. The basic structure of a timeline is a big arrow signifying time moving from a discreet point in the past and moving forward. Single events are marked as bullets, or milestones, along the path. Events with a duration can be listed with a callout (bracket) that is large enough to cover the span of time in the duration. This makes a better visual representation than a basic calendar and provides quick reference to the concept of duration.


Gantt Chart

A Gantt Chart is a project planning tool from the IT world. It's supposed to let a project planner identify tasks and events which need to occur on the timeline of a project. Additionally, resources needed for the project, costs, materials, dependencies, and all other sorts of project information can be associated with the tasks. The project manager can use it to keep his eye on the dizzying amount of data that is needed to ensure the project gets completed to spec. Now, this isn't a PMP certification blog so that's as far as I'm going to go in the proper use of the Gantt Chart. What it does well that suits our purposes is manage lots of information related to events, the duration of activities, and dependencies on external events.

I prefer the Gantt Chart to an ordinary timeline for a couple of reasons. First, you can add a lot of detail. A normal timeline would get fairly cluttered with a lot of detail is added. Second, you can roll-up activities into a parent task. This is really handy when you are working with a complex data set like figuring out WTF happened to your life to make it go to sh*t.


  • Microsoft Project ($$$$$)
  • Microsoft Visio ($$$)
  • GanttProject ($0)

Thematic Analysis

This approach takes the events you have compiled and places them in relation to a key concept. A key concept may be "arguments" or "business trips" or "health/getting older" or whatever you and your spouse feel are major influences on the affair(s). You will need to spend some time to classify or label your events with the appropriate concepts. Once you are done, you can begin to see how these themes correlate to the behavior leading to affairs. For example, you find that your spouse is out late at the local meat market club on weekends (event) when they had a health scare (theme), birthday (theme), or a close friend passed (theme). You will be able to cut through the noise of too much data to see relationship between theme and event. If you're lucky, you just may be able to find a better understanding of their decisions and perhaps some hope by finding something you both can work on to strengthen your marriage.


  • TaggedFrog allows you to make a tag cloud from Windows files
  • Many Eyes is cool site to see thematic visualization in action

It doesn't paint a pretty picture but it is a picture. With structure, I can see more clearly what events influenced her decisions. That gives me a better ability to understand what happened and how to work on the marriage to ensure it never does again.

Nota Bene: if you do use the Google tools make sure you're not sharing that with anyone! Set it to private so your bar buddies don't get a sneak peek at why you're always ordering double whiskeys.


Friday, June 1, 2012

Mental Disorders in the One You Love

I know I'm crazy... I eat nutella instead of jelly on my pbj. I name my pets after participles. I read books upside down for fun. But this post is about the craziness of being in a relationship with someone who is diagnosed.

My own situation is crazy to an extreme. My wife is bipolar (BP), has borderline personality disorder (BPD), and a rampant history of self-medicating through drugs and alcohol. She was diagnosed a few months ago although her disorders go much farther back. I was the kind of schlep every borderline dreams of- I was supportive, attentive, allowed her to be her own moral guide, and took whatever she said for face value. It has been at least six years, maybe ten, that she has shown behavioral traits which may have helped diagnose her and get her help. It is somewhat unsettling to me to think that being the supportive husband, committed family-man, and respectful partner I always had aspired to be had enabled her to suffer for so long. I'm wracked with as much guilt over this as I am with anger at what she has done over the past few years. That's the point of this post. Maybe someone out there will read it and figure out their own situation before it gets into that hand basket and goes straight to hell.

How to Get Help Fast

The first time I tried to get my wife to a psychiatrist was a nightmare. I called 30+ offices and found only a few that took my insurance (I had really good insurance too). Those that did, either weren't seeing new patients or were focusing in on the elderly market. I finally found one to go to but they were scheduling 3.5 months in advance! It was almost hopeless to try to go see a shrink... I eventually found a quick way in. I wouldn't recommend it though. At one of our marriage counseling sessions I said I was going to go away for a weekend to cool off and my wife snapped. She said she couldn't deal with it and said she'd probably hurt herself. I immediately took her to the hospital ER for a psych evaluation. They enrolled her into a partial hospitalization program and she was able to see a shrink the next day. I wouldn't recommend this approach unless you're actually in fear for their safety but it did get her in the door and get her the help she needed right away.

Nota Bene: I'm not a shrink. I'm just a dude who has to deal with this sh*t on a daily basis. What follows is my opinion. Take it for what it's worth.

Bipolar (BP)

Formerly called manic depression, bipolar is caused by chemical imbalances in the brain. It is generally treated with medication and behavioral therapy. A very important note is that antidepressants alone can cause this disease to get worse.

General Traits

Mood swings between depression and manic phases. Depression is a common term thrown around these days but BPs have clinical depression. Clinical depression is a long term period of low mood that interferes with daily life. It can cause a loss of pleasure in once enjoyable activities, constantly feeling helpless, sleeping too much or too little, eating too much or too little, lack of energy, thoughts of death and suicide. The BP will have shifts in mood from the depressed state to a manic state which can occur quickly or over a prolonged period. The mood shift is often unconnected with events in real life. There are two types of BP; Type 1 (manic) and Type 2 (hypomanic).

BP Type 1

This is the mainstream bipolar. They have crippling depression followed by a feel-good manic phase. The manic phases are really, truly highs where they feel invincible, unable to make mistakes and euphoric. Type 1s are often trying to get back to being manic when they are in their depressed state.

BP Type 2

Type 2 is a subset of BP where the manic phase isn't a real high, it's a hyper-energized state of anxiety. The manic phase can often be seen as irritable or angry to an observer. BP type 2s often have crippling depression intermixed with crippling panic and anxiety which leads to further depression.


Type 1s and Type 2s often have similar traits in manic phases. The Type 2 doesn't have the euphoric high and may have less extreme traits.
  • Easily upset
  • High energy levels, talking a lot, racing thoughts
  • Little need for sleep
  • Poor judgment
  • Reckless and impulsive behavior, over-spending, gambling, substance abuse, hypersexuality


Most BP develops between 15-25. Some potential causes are genetics, drug use, and (proving kids can actually make you crazy) childbirth.

Resources for BP

Borderline Personality Disorder (BPD)

BPD is a cognitive disorder rather than a chemical imbalance. It's a learned set of coping skills, usually created from a distressed childhood or unstable family setting, which are ultimately destructive. BPD gets its name from the old terminology used for the disorder: 'borderline schizophrenic'. It is also commonly referred to as being a 'sociopath'. There's a lot of stigma being diagnosed with BPD. Some shrinks treat BPD with medication but ultimately therapy is needed.

General Traits

People suffering from BPD often feel uncertain about their identities, see things in a black/white or all/nothing perspective, change interests and personalities quickly, have a fear of abandonment, frequently feel bored/empty, have inappropriate displays or acts of anger, are impulsive (gambling, hypersexuality, substance abuse), and can often be in crisis or attempt self-harm. They can feel like they're "wearing masks" when they need to interact with others. BPD sufferers often have moods swings that occur more frequently than BPs and are more rooted in reactions to events in their lives.


There are a lot of classifications within BPD. The most often referred to is Narcissistic Personality Disorder. However, most discussions make a distinction between high-functioning and low-functioning. The high-functioning BPD is the type which is most difficult to treat. The disorder itself has roots in self-preservation, pursuing selfish goals, and a profound lack of empathy for any of the people they may wrong in said pursuits. Low-functioning BPD are at least aware that something may be wrong and they may have hurt people.


Bad news folks. BPD has long been said to be untreatable. There are some docs which prescribe medications for mood stabilization and depression. The therapy options available for BPD are often classified as behavioral (mentalization, transference) or cognitive (dialectical behavior therapy (DBT), schema therapy). The dialectical therapy seems to be the go-to treatment option for many and has shown moderate success. However, the time commitment for patient and therapist is quite significant and it is a costly treatment program. I haven't gone far enough down the rabbit hole to offer a personal opinion on treatment.. Yet.

Resources for BPD

Substance Abuse

For us this was an out growth of BP and BPD but it is a huge issue in-and-of itself. No healing or emotional growth can occur while drugs or alcohol are in the picture. Some shrinks won't even start therapy or medications until the substance abuse problem has been addressed.

Resources for Substance Abuse


Get help! A BP, BPD or abuser of substances will not seek help as long as they're not at rock bottom. As long as you, the spouse, is supporting them by tolerating their behavior or protecting them from the consequences of their actions they will never hit rock bottom. The hardest thing in the world I ever had to do was to look at the woman I've loved for 15 years, my wife and mother of my children, and tell her that I wanted her out of my life. There was no way we could continue as we had. I just hope you can address these issues if they are present in your life before they destroy everything.


Wednesday, May 30, 2012


Where would the wayward spouses of this world be without Skype?

Skype Primer

Skype is an IM/chat/voice/webcam platform now belonging to Microsoft. There are no public chat rooms, ala AOL, but users can create a group and invite other users to join. Files can be shared between users and groups and desktops can be shared.

Skype Guts

Skype is a platform based on SQLite3 databases (like Chrome and Firefox). The files for Skype in Windows Vista and 7 are normally located at C:\Users\USER\AppData\Roaming\Skype. In this directory, you'll see the Skype user name set up as a folder. You'll have one such folder for every Skype user to log in through that computer. Clicking on the Skype user name, you are presented with the data files for that user.

You will see the following folders:
  • chatsync
  • httpfe
  • voicemail
You will also see the following files:
  • bistats.db
  • config.xml
  • dc.db
  • griffin.db
  • keyval.db
  • main.db
  • msn.db
You may also see several .db-journal files. These are temporary files SQLite uses to perform a rollback.

Brass Tax

The main.db file is the primary focus here. According to the SQLite3 documentation at
A database file might contain one or more pages that are not in active use. Unused pages can come about, for example, when information is deleted from the database. Unused pages are stored on the freelist and are reused when additional pages are required.
This means when the user deletes records, they're marked inactive. NOT removed from the main.db file. The deleted records sit in unallocated memory. They are, however, overwritten with new data. This means you should copy that file ***now*** before any old data is truly gone. Once overwritten, it cannot be retrieved.

Richard Drinkwater, blogger at Forensics from the Sausage Factory wrote a brilliant article in April 2011 titled Carving SQLite Databases from Unallocated Sectors. He posited it could be possible to write a parsing program to retrieve these "inactive" pages in a systematic manner utilizing the SQLite header information. That's beyond my skills... but like any good caveman with a blunt instrument, it just takes the right amount of brute force to get through it.

Using the HxD Hex Editor, you will be able to open that main.db file and translate the machine code to text. There will be plenty of garbage characters and the data will be in a somewhat random order. If you're lucky enough you will have been able to catch a good bit of data that the user believes they've deleted for good.

From windows explorer, right click the target main.db file and select Open With... Pick HxD Hex Editor to open the file. In HxD, click View then Select Visible Columns, check Text Only. Click File, then Export and select to export the "Editor View". You now have a more-or-less human readable record of all the IMs, chats, file sharing and records of web cam sessions. Import into Excel and search for your favorite keyword.

You may want to use a tool called Windows Grep to pull out all references to a user, keyword, or conversation code. This is a shareware app and they request you purchase a license after evaluating the tool.

Inside Main.db

For user-to-user messages, the syntax used in main.db to identify the sender of a message is the hash (#), then Skype user name, then slash (/). The receiver is preceded by the dollar ($). A 16 digit alphanumeric conversation code is present as well. If you only see the conversation code then it came from a user that has since been blocked/removed or is a message sent to a group.

The leading two characters of the conversation code also appear as sub-folders within the Chatsync folder. Additional data is presumably stored in these files related to the conversation. The conversation folders in Chatsync may be empty where a conversation has been deleted by the user.

Other Handy Tools

Since main.db is a SQLite database, you can open and copy tables using SQLite Database Browser. Unfortunately, only active records are read by the database viewer. You will not see all of the records the user tried to delete.

This application reads the .dat files in the Chatsync folder and tries to reintegrate the conversations. Unfortunately, I have not had much luck with the application reading all of the deleted data. I have found that the delete process in Skype appears to clean up the .dat files before addressing main.db.

One useful aspect of this tool will provide the members belonging to a group conversation. That is, if the Chatsync files are present.

This application will provide a handy list of all messages in and out of the account. It includes voice and video. Unfortunately, it doesn't read the deleted records in the unallocated memory.

Video Chat/Voice

There is nothing able to retroactively recall the contents of a video chat or a voice call. The chat session is done on a peer-to-peer basis and the content of the session is not stored. The metadata surrounding the session (participants, time, video quality, etc) may be found in main.db but there are no saved video or audio files.

There are several add-ons around that allow a Skype user to record calls and video but it is user-initiated and is not a stealthy operation. There are rumors of a trojan virus which does record audio. This is far beyond the scope of this blog entry. I wouldn't ever recommend intentionally installing a virus on any machine.


Get a copy of main.db now! Run it through HxD and see what kind of deleted data you can retrieve. If your partner hasn't deleted data, SkypeChatsyncReader and SkypeLogView are excellent tools to review the contents of their Skype history.

Please post questions or comments. Also, let me know if you found a tool to read from the unallocated memory of that pesky Skype main.db file.


Tuesday, May 29, 2012

Computer Pseudo-Forensics; Tools

Where to start? Disclaimers!
1. I'm not a computer tech/analyst
2. I'm not a lawyer
3. Follow your own judgment before trying anything here. See #1 and #2 above.

Computer forensics is a scientific field of analyzing and preserving digital information to support legal matters. Police forensics analysts seize computers, phones, servers from bad guys and search them for kiddie porn, bootlegging, and details of illicit financial transactions. Lawyers often refer people to private investigators to perform computer forensics in civil matters such as divorce. Lots of information can be gained from computer forensics and to be admissible as evidence it most definitely has to be done by an independent party. Given that, what I'm describing in these blog posts falls far short of the professional definition of forensics. That's why this post is titled Pseudo-Forensics.

There are an almost infinite combination of computer platforms, operating systems, and programs. I'm not familiar with every system. Most work I have done is based on Windows XP, Vista and 7.

Here are some handy tools. Most are free or low-cost and download links are provided in the hyperlinked name of the tool, below.
1. HxD Hex Editor
HxD is a free hex editor. It allows you to translate the hexadecimal code of machine language into text. This is handy for viewing files where a cached value maybe hiding. Very useful for looking at Skype's databases.
2. SQLite Database Browser
The SQLite Database Browser is a free tool useful for exploring the SQLite databases behind the scenes of Skype and several popular browsers.
3. ChromeAnalysis, FoxAnalysis
The good people at Foxton Software have provided a freeware version of their browser analysis tools. The pay versions have many more features but weigh-in at £68.
4. ChromeCacheView, IECacheView, MozillaCacheView
The good people at NirSoft have compiled some free utilities to view the contents of popular browsers' cache folders. The contents provide URL, accessed date and give an option to extract to a folder to view the contents (useful for cached images!)
5. SkypeLogView
The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD. This will be the content of a future post.
6. SkypeChatsyncReader
A utility created by Rasmus Riis Kristensen from the Computer Crime Unit of Danish National Police. This tool reverse engineered the location of data in the .dat files of Skype.
7. PCWin Recovery
The good people at Frontier DG have a tool (about $10, I believe) which can be loaded onto a USB drive and will reset the Windows password. This is hardly a stealth operation... it wipes out the password.
8. MiniTool Power Data Recovery
The good people at MiniTool have an application which can recover deleted files from the PC, SD Cards and USB drives. The trial version allows 1GB to be recovered free. The cost of the software is around $65.
9. Thumbs.db Viewer
The good people at Janusware have created a utility to view all of those little thumbnail pictures that are created in Windows. These thumbnail images often exist long after the file itself was deleted. They offer a trial version which is relatively useless. The product costs $25 and is recommended.
10. OSForensics
The good people at Passmark Software have put out a freeware forensics suite. It is feature-heavy with the ability to clone a drive without accessing the OS, virtual drive mounting and data carving tools. However, the tool set is complicated for a non-forensic analyst to use. The pay version is about $500 and allows multiple file export, performance enhancement, unlimited data indexing and other useful features.

We've talked mostly about looking at past data records. Monitoring and spyware will be the subject of a future post.

--- DNS

Monday, May 28, 2012

Hello World!

Welcome to the club no one wants to join. I am hoping this blog will help you in your path to healing.

I'll post stuff here about my own struggles and pointers on the healing process. Others are encouraged to comment and share their own stories.

There is a resource page where websites and books will be posted which can help you on your own journey.

I am not a computer forensics person but I will post some techniques I know about computers. You're your own moral guide when it comes to this information. I highly recommend you do not pursue these activities... Work on communication and get the answers to your questions from your wayward spouse. That is the best way forward..