
Monday, July 29, 2013

How to Catch a Cheat

Let me guess... You're in a marriage that just doesn't seem like it has been up to par. You think maybe it is because of the stress of work, the kids, or some inexplicable changes in how your spouse is behaving. You've been aware something is wrong but you can't pin it down... until that first piece of randomly discovered evidence slaps you awake. Maybe it was a call you answered in the middle of the night, a piece of mail your spouse forgot to hide, or a text message you read over their shoulder. Whatever it was, it hits you like being slapped with a raw fish. Unbelievable, painful, stinky. In a snap, your mind is reeling and you have the emotional equivalent of a cosmic gut-punch. What do you do now?

How to Go from Emotionally Devastated to Impartial Investigator


Okay, that's not going to happen. Accept that you will not be impartial but you need to figure out how to avoid obsessing. While you are digging for the truth in your most important personal relationship you need to realize that there are boundaries you need to set for yourself. Here is my list:

Boundaries


  1. Don't hurt anyone. It doesn't matter how much they might deserve it, just don't do it.
  2. Don't cheat your kids out of time with them because you want to go investigate/brood over your sorry life.
  3. Don't be unproductive at work. Still earn your paycheck. Work stress can help displace family stress for 40 hours per week and that is wonderful!
  4. Know when to fold 'em. If you're in too deep during your investigation, get out of the pool and come back later. Knowing when to walk away is an essential skill.
  5. Have a lifeguard. My lifeguard was an ex-co-worker who lived 3,000 miles away and didn't know any of my friends. Whenever things were too dark or too painful, my lifeguard was there to talk me down from being a danger to myself or others.

Setting Expectations for Yourself


Also, figure out what you need to figure out.

  1. There is no *WHY*, only *WHAT*. You will never find out why. Nothing you find will explain the reason for infidelity to your satisfaction. You need to learn to let it go... "What" is defined as documenting facts about actions, dates, people, and times. That is what all your investigative efforts will return.
  2. Are you arming yourself for a legal battle? If so, STOP right now and talk to a lawyer. Investigating on your own can compromise you legally. It can remove the validity of what an investigator can bring to divorce hearings. Just imagine how quick the computer records would be thrown out of court when the judge hears you have been tampering with your spouse's computer!
  3. Are you going to try to save the marriage? Or at least leave the door open to it? Then get into marriage counseling right now. A good marriage counselor can help you work through confrontations as well as persuade your spouse to be honest.

Computer Investigations


First Step - Baseline


In order to gain insight into your spouse's behavior you should gain access to their computers, phones, cameras, and other electronic devices. Your goal at this time is to make a baseline copy of their files to investigate later.

Computers

Try to make a forensic copy of the hard drive. Include copying the free-space of the drive. You will need to store this on a device with at least as much capacity as the target hard drive + 20%. The most accessible software for this comes from OSForensics from Passmark Software, briefly discussed here.

If you are unable to do this process through time or material constraints, copy their important files. These are listed in their user profile on the computer. This includes everything under the path C:\Users\WindowsUserName\ for Win7 and C:\Documents and Settings\WindowsUserName\ for WinXP. Transfer these to a portable hard drive. Be sure to include Hidden and System files when you copy and paste!

These important files include the data in their Skype profile and browser history. I've discussed Skype before, as it is a very juicy subject, here and here. Browser data is juicy too; a more detailed discussion of the subject was posted here.

Save points/Restore points - these would be ideal to access. However, they do not back-up all of the files in the user's profile.

Phones

Access the phone logs on the device and export them. Export contacts. Scan the internal memory for media (pictures, video). Remove the media card and use a recovery tool as explained in the 'Cameras and Other Media Devices' topic, below.

Note: It may be possible to access internal phone memory with a data recovery tool. Just link the phone to your own computer and run the recovery software on the device that shows up in Windows Explorer. I believe this accesses both internal and removable memory but I have not tested it.

Cameras and Other Media Devices

Use a media rescue tool to recover data from the cameras, camcorders, GPS systems, and anything else a SD or Micro-SD card could fit into. I wrote about recovering data from devices here.


Second Step - Monitor


Install spyware if you are comfortable doing so. It is an easy process but has moral and legal ramifications. I have an in-depth introduction to spyware here.

You could also continue to take 'baseline snapshots' periodically. This would require you to access the target systems regularly and save a new copy of the important files each time. This is very time consuming.

Smoke them out. Not everyone is behaving badly all the time. You may need to say or do something to get your spouse to act inappropriately. It may be as simple as going away for the weekend and letting them do what they would normally do. It may also relate to some bit of info you have already found out... if you know one of your spouse's friends covers for them while they are supposedly doing something different, message that friend and ask what they are up to; maybe even let them know you are suspicious. It will get back to your spouse and they may react by reaching out to their other significant others.


Third Step - Research


Wrangle every last piece of information you can out of the data you have. Here are some quick tips:
  1. Recover deleted files as discussed here.
  2. Look for the Thumbnails index, Thumbs.db Viewer as discussed here is a great tool.
  3. Attack Skype as discussed here and here.
  4. Raid browser data as discussed here.
  5. Deeper delving

Fourth Step - Laying it Out


Now you have some data. You made it into information through research and connecting the dots. I wrote about structuring mass data here.

From here on out you are the investigator! Dig up clues, follow leads, document the facts. It would be a fun game if it were not for the reason you are doing it in the first place.

Here are some other helpful investigating tips..


Non-Computer Investigations


Not everything you can find useful will come from a phone or hard drive. Here are some non-computer tips for investigators:
  1. Be the one who gets the mail every day. Look for bills, bank statements, credit card bills, collection notices, etc. that suggest your spouse has another spending account.
  2. Read all credit card statements and bank statements for ATM withdrawals; pay attention to dates and locations of charges.
  3. Order your and your spouse's credit reports from the three credit bureaus. This will show items such as credit card accounts, bank accounts, bank overdraft loans and other financial accounts your spouse may be using to pursue their activities.
  4. Check the odometer on their vehicle. Note how far they drive to and from work on a daily basis and look for spikes in mileage if they have to 'work late'.

Behavioral Observations


Below are some examples of observing the behavior of your spouse to help develop avenues for further investigation:

  1. Do the unexpected!
    1. Before going out on an urgent errand, tell your spouse your car has a slowly leaking tire or is making a funny noise. Tell them you can't find your phone, so they should let you borrow their phone just in case you need help on the road. Observe how reluctant they are to lend you their phone.
    2. Let your spouse know in advance that you are going on a business trip (or need to visit family). When time comes for your trip, head off but go to a movie. Come back home after a few hours and see if there is any panic from your spouse. You may want to consider an overnight stay when you head out and show up in the middle of the time you were supposed to be absent. 
    3. Busting by romance. If your spouse is off on a trip or visiting family, you may want to pay them a surprise visit at their location. Bring your spouse their favorite take-out to their office when they are working late. Bring the kids over to the family your spouse is supposed to be visiting because they missed their mommy/daddy. The intent is to show up where they are supposed to be with all of the best intentions.
    4. If your spouse is at home while you work, head home for lunch sometime. Or stop by and get your healthcare insurance card prior to a doctor's appointment they were not aware of. Just show up unexpectedly at times to see if everything is kosher.
  2. Identify suspicious behavior!
    1. The bathroom is a sanctuary of privacy in any home. Does your spouse hole-up in there to take a bath frequently? Do they always take their phone or laptop with them? How pissed are they when you knock on the door unexpectedly?
    2. If you think something fishy is going on, ask a lot of questions! If your spouse is suspicious about your intentions tell them that you just wanted to talk about their day like you both used to do. If your spouse went to a movie with their friends, ask who was there, how the movie was, what did they think of the movie plot, were there any twists, how did the bad guy get it, etc. then do your homework and see the movie to determine if your questioning got a lot of BS answers. 
    3. Shut down your Internet router or modem saying it is due to a technical problem. Let them know you are working on it but it might take a day or two. Observe the level of panic in your spouse. If you suspect the phone is their primary means of communication, try causing an outage there. The intent is to disrupt their normal method of communication and see how bugged out they get. 
    4. Observe when your spouse complains or pines about things. If winter weather is their top daily complaint and they always talk about Florida as a nice place to go/live, it may indicate something about their other person that bubbles through into their conversations and complaints about life. Many authors believe that the other person personifies resolution for untended needs your spouse may have in their life and that wayward spouses wrap much more into an affair partner than can be attributed to a normal person. The level of infatuation and escapism a wayward spouse has invested in the other person builds them up to the embodiment of the solution to all their ills. Just beware that your spouse's complaints and yearnings may, in fact, be describing aspects of the other person. And also this a very tentative connection so keep your ears open but don't jump too far to conclusions...
  3. Don't trust anyone!
    1. People you have been close to may have known about this for a long time and have kept information from you to protect your spouse. In my case, I was very close with my sister-in-law and spoke to her about my feelings of my impending divorce... my absolute depression, my thoughts of suicide, and I even made the comment 'this would be so much easier if my spouse had just cheated'. She said nothing.. I was very dumb to think she would have my best interests at heart if she had been covering for my spouse's infidelity.
    2. Some people will care too much for you and take action on your behalf without your knowledge or consent. I never told my overprotective older brother of my spouse's infidelity. If I had, there would have been a family schism, revenge, violence, or worse. The last thing you need right now is someone justifying your anger and pushing bad decisions.
    3. Loose lips sink ships. You are in the role of an investigator... gathering facts. The absolute last thing you need to do is confide in someone who may, intentionally or not, tip off your spouse that you are suspicious. This may lead to the destruction of the very facts you have set out to collect.

I'm hopeful this article has helped you in deciding how (and if) you investigate your suspicions of infidelity. Stay strong and stick to the facts.

---DNS


Monday, December 17, 2012

Easily Recover Files from Phone or Tablets

The quickest and easiest way to check your hunch that your spouse is cheating is to investigate their mobile devices. Full data recovery from a phone or tablet is difficult but there are some methods which you can do yourself at home with little cost or technical expertise.

SD Card Recovery

Many phones use a Mini SD card for expanded memory. Cameras and camcorders also use expanded memory slots. Devices save data to either an internal memory or to the external memory card, sometimes both.

Data recovery from a memory card can be as simple as removing the memory card from the device, putting it in a card reader attached to your computer, and running a file recovery program.

Memory Card Readers


Many computers these days have a built in card reader. If your computer doesn't have a card reader, you can purchase a USB card reader almost anywhere for $5-$20 or so. Here are a few places where you can order online

File Recovery Software

The good people at CNet's Download.com have quite a few file recovery tools. However, there are some that aren't free. Limited trials may allow one to view the thumbnails of recovered images but the full licensed product is required for retrieval. The geek-elite at Lifehacker have provided their own guide for the best file recovery software. I highly recommend reading through their article before proceeding in your file recovery efforts.

The following software has been recommended by BSC blog readers:

Other Uses for File Recovery Software

One benefit of the file recovery software is that it can be run on several types of devices. Make sure to check the memory cards of all of your mobile phones, cameras, camcorders, GPS devices, video game consoles, etc. A second use for the software is that it can be run on the hard drives of computers and laptops. The recovery software is a versatile information gathering tool.


Trouble Ahead: Internal Memory

The hard part of data recovery from devices comes from the internal memory of the device. The big culprits here are the Apple iDevices and the Blackberry. Apple prevents the use of external memory in its iPhone and iPad devices by not supporting physical slots for memory expansion. Some Blackberries default to using internal memory. The Blackberry Curve series will only use the external memory slot for message, photo and contact storage if the user modifies the default settings in the menu. In most cellphones some data is even stored on the SIM card, but Blackberry doesn't even do that.

Big Trouble

Even forensic professionals have a difficult time reaching into internal memory on mobile devices. It's a complex problem with lots of layers.

In the first layer you have firmware. This is the basic operating software on the phone that boots it up. Not only does each manufacturer have their own firmware on the device but each model of device can have a different firmware as well.

The next layer is the operating system. The main contenders in operating system are Apple and Google. Apple is notorious for closed systems and actively prevents the open source community from developing utilities that would have helped our purposes. Google's Android is much more open and has more development community involvement. There may be some applications out there on the net which would help recover data.

The third layer is a twist on the second. Jailbreaking the iOS or Android operating system adds a further wrinkle. The Cydia jailbreak adds a new app store for the iOS system where third-party developers can sell software. As with any operating system modification, apps designed for the original configuration may or may not work on the jailbroken device. Additionally, apps added after the jailbreak may modify how data is stored or can be retrieved.

The icing on the crap-cake is that special equipment and decoding software may be needed. For my outdated early-2000's Blackberry, the kit would have been ridiculously expensive. For those of you with deep pockets, there's a list of links below.

If anyone out there knows about a good tool set for Android, Blackberry and iOS... Please share!

What can you do?

There are cellphone reading kits that police and professional private investigators use to access the internal memory of the device. These kits are ungodly expensive. My recommendation is to seek professional help if you absolutely need to see the internal memory on a device. Contact a private investigator in your area, ask your lawyer for a referral, check out the firm's reputation, see if they outsource the forensic work and check the reputation of the lab. Be prepared to pay - I was charged $750 for one phone.

Also, be prepared to get zippo off the device. That's right... I spent $750 for "no data" because the lab couldn't read internal memory off the phone (not the SIM or expansion memory - the internal data store). The lab had a good reputation and updated equipment. They just were not able to read the internal data. Luckily, they refunded my payment. Contractually they didn't have to refund anything so I do feel very lucky indeed.

Professional Tools:


Cell Phone Records

Don't forget to log into the online account for mobile phones. I used this access to download a couple of years' worth of call and text message records. The data is simple: date, time, number, duration, placed/received call, sent/received text, and sent/received MMS.

You should look for a pattern. For example- your wayward spouse has been calling and texting a suspicious number every day for months and then has a few days with little or no texts or calls. If this aberration occurs at the same time your spouse was away on a business trip, visiting family, working over the weekend, etc. I think you have some very strong evidence for a rendezvous.


Spoofing a Cloud

I have been researching a new approach for forensics. This is based on the distributed memory principle of cloud computing. For example; Apple's iOS for iPad and iPhone is utilizing a 'live backup' to their iCloud service which basically runs a backup of apps, contacts, and data through the internet connection of the device. Somewhere, out in the net, is an encrypted copy of all of the device data. I'm looking into how one could access this information -- so stay tuned.

--- DNS

Thursday, November 29, 2012

Searching Browser Client-Side Storage

Is there anything you don't know? Google it! Bing it! Ask Jeeves! We sometimes forget how ubiquitous internet search is in our lives - Google in particular. We use Google Maps to find our way around, we use Google's search engine to find a good restaurant, we use Google for almost everything. That's why Google is great for finding information about a wayward spouse.

Web Browser Client-Side Storage

A lot of what internet browsers retain for data is kept in "client-side" storage. Most browsers retain a SQLite database in the user's directory. From our previous discussions we know a few tricks to get information from these SQLite sources already. Grab a SQL browser and we'll dive into the rabbit hole of what's on a hard drive.

File Location - Where's it at?

Firefox:
On Win7:  C:\Users\[UserName]\AppData\Roaming\Mozilla\Firefox\Profiles\[Profile]
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Application Data\Mozilla\Firefox\Profiles\[ProfileName]

Chrome:
On Win7:  C:\Users\[UserName]\AppData\Local\Google\Chrome\User Data\[Profile]
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Application Data\Google\Chrome\User Data\[Profile]

RockMelt:
On Win7:  C:\Users\[UserName]\AppData\Local\RockMelt\User Data\[Profile]

Internet Explorer (IE):
This is a different kind of beast. We'll discuss this later, but it is important to note that IE does not use a SQLite db structure.
On Win7:  C:\Users\[UserName]\AppData\Local\Microsoft\Windows\Temporary Internet Files
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files


Types of Storage

The following table is sourced from a Chrome Browser extension called Click&Clean. If their product is anywhere near as good as their chart on client-side storage - it should be excellent!

Below you can see Cookies, Local Storage, Web Databases (SQL), IndexedDB, File System, Application Cache, Flash Cookies, and Silverlight Cookies...

From Click&Clean



Cookies
I know what you're saying - "But everyone blocks cookies!" True. Everyone blocks 3rd Party Cookies. These are the cookies advertisers put on your system to track your behavior. What people usually don't block are 1st Party Cookies. These are cookies that are directly linked to the domain you choose to visit with your browser. They remember what's in your shopping cart, your login info (if you authorize autofill), your browser session state, etc. These cookies are delicious.

Local Storage, Web Databases (SQL)
The real big deal is in the local storage databases on your computer. These tables track downloads, search terms, archived history of URLs visited and more. See below for the schema and descriptions of the data present.

Application Cache
Nirsoft has a cache reader for you! Chrome, Firefox, Internet Explorer, Opera included. Even (gasp) Safari.

The cache is a set of already downloaded images and media from webpages that is stored on your hard drive. The browser uses these cached elements to speed the loading of webpages. The cache readers will recover images and the URLs that reference them. You will see a lot of elements like the graphic files for navigation buttons for a site, images for headers and/or other elements of a web page. If you are lucky... You may be able to retrieve images from online dating sites, Facebook images, and thumbnails of other incriminating evidence.

I strongly recommend reviewing the cache of every browser on the computer and recovering/saving files you find. The cache is fluid and can be flushed at any time or the relevant data may be overwritten by newer cached data. 

Flash Cookies & Silverlight Cookies
I haven't found anything worth noting in Flash or Silverlight Cookies. There may be data present that is interesting to an investigator but I haven't found it yet.

Local Storage, Web Databases (SQL)

Data Schema and Relevant Files
Here's a list of databases in the User's directory and a list of the data files contained within. There are many SQLite databases as well as flat files and cache files. There may be different tables present depending on the browser (Chrome, Firefox) and the browser version.

For a complete list of data files I've encountered, go here or click on the database you want to investigate below.
  • Archived History
    • Meta
    • URLs
    • Visits
    • Visit Source
    • Keyword Search Terms
  • Cookies
    • Meta
    • Cookies
  • Extension Cookies
    • Meta
    • Cookies
  • Favicons
    • Meta
    • Favicons
    • Icon Mapping
  • History
    • Meta
    • Downloads
    • Presentation
    • URLs
    • Visits
    • Visit Source
    • Keyword Search Terms
    • Segments
    • Segment Usage
  • History Index YYYY-MM
    • Meta
    • Pages
    • Pages Content
    • Pages Segments
    • Pages SegDir
    • Info
  • Login Data
    • Meta
    • Logins
  • Shortcuts
    • Omni Box Shortcuts
  • Top Sites
    • Meta
    • Thumbnails
  • Web Data
    • Meta
    • Keywords
    • Autofill Profile
    • Autofill Profile Emails
    • Autofill Profile Phones
    • Autofill Profile Trash
    • Credit Cards
    • Web Intents
    • Keywords Backup
    • Logins
    • IE7 Logins
The following are flat files (non-database files) in the User's directory. These open with Notepad and display readable contents. 
  • Bookmarks
  • Current Session
  • Current Tabs
  • Last Session
  • Last Tabs
  • Preferences
  • Visited Links

So.... Where do I start?

I've presented a lot of information. So naturally you want to know where's the best information for web behaviors found.
  • Look into the History Index YYYY-MM, History, Archived History and Web Data databases first.
  • Get a cache reader and review what is in the cache for each browser on the computer.
Analyzing this data should help you confirm or deny your suspicions.
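An added example (not from the original post) of reading the History database with a script instead of a SQLite browser, using a constructed, simplified copy of Chrome's urls, visits and keyword_search_terms tables. It also handles the detail the post does not mention: Chrome stores visit times as microseconds since 1601-01-01 UTC, so the raw numbers must be converted before dates mean anything. `open_history_copy` is assumed usage for a real file; the `build_sample_history` rows are constructed test data.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds since 1601-01-01 00:00 UTC,
# not since the Unix epoch, so last_visit_time/visit_time need converting.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Convert a Chrome History timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    """Inverse conversion, used here to build constructed sample rows."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def open_history_copy(path):
    """Open a *copy* of a History file read-only; Chrome keeps the live file
    locked while it is running, and copying avoids altering the original."""
    copy = tempfile.NamedTemporaryFile(suffix=".History", delete=False).name
    shutil.copyfile(path, copy)
    return sqlite3.connect(f"file:{copy}?mode=ro", uri=True)


def build_sample_history():
    """Constructed stand-in for a History file: a simplified subset of the
    real schema (column names match Chrome's) with fake rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                           lower_term TEXT, term TEXT);
    """)
    t0 = datetime_to_webkit(datetime(2012, 11, 28, 21, 15, tzinfo=timezone.utc))
    minute = 60_000_000  # microseconds
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://www.google.com/search?q=sqlite+freelist",
         "sqlite freelist - Google Search", 2, t0 + minute),
        (2, "https://www.sqlite.org/fileformat.html",
         "Database File Format", 1, t0 + 2 * minute),
    ])
    con.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, t0, 0),
        (2, 1, t0 + minute, 0),
        (3, 2, t0 + 2 * minute, 2),   # reached from visit 2 (from_visit)
    ])
    con.execute("INSERT INTO keyword_search_terms VALUES (?, ?, ?, ?)",
                (2, 1, "sqlite freelist", "sqlite freelist"))
    con.commit()
    return con


def visit_timeline(con):
    """Join visits to urls; return (UTC time, url, title) oldest first."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [(webkit_to_datetime(t).strftime("%Y-%m-%d %H:%M:%S"), url, title)
            for t, url, title in rows]


def search_terms(con):
    """The search terms Chrome recorded for omnibox/keyword searches."""
    return con.execute("""
        SELECT k.term, u.url FROM keyword_search_terms k
        JOIN urls u ON u.id = k.url_id""").fetchall()


if __name__ == "__main__":
    db = build_sample_history()
    for row in visit_timeline(db):
        print(*row, sep="  |  ")
    print(search_terms(db))
```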


What's in a URL?

You are very likely to recover URLs. Sometimes these are neat and clean to read but a lot of times the URL is a jumble of variables and escaped characters.

Google Search URL
Here are some common variables you will find in a Google search string:
  • q = search term
  • as_sitesearch = searches specified domain only
  • sort = sorting parameter for results
The authoritative source for variables would be Google. They've posted a helpful, lengthy page on search parameters here.

URL Encoding - Escaped Characters
URLs often have characters in them (:, /, ., etc) which would cause problems for other parsing engines like Java or Flash. The characters are often replaced by a '%' and the two digit hexadecimal code for the character. For example ':' = %3A and '?' = %3F.

Here's a list of characters that are often replaced in a URL with a more script-friendly value. I generally use the substitute function in Excel to replace the hex value with the ASCII character.
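An added example (not the author's; the post uses Excel's SUBSTITUTE) covering both the Google search parameters above and the %XX escaping: it resolves escaped characters, treats '+' in a query string as a space, repeats decoding for double-encoded values such as %2520, and also reads parameters placed after '#', where Google's instant search put q= at the time. The sample URLs are constructed.

```python
from urllib.parse import unquote, unquote_plus, urlsplit

# Google search parameters the post calls out, with their meaning.
GOOGLE_PARAMS = {
    "q": "search term",
    "as_sitesearch": "restrict results to this domain",
    "sort": "result ordering",
}


def fully_unquote(text, max_rounds=3):
    """Resolve %XX escapes. The first pass also turns '+' into a space (query
    string convention); later passes only undo %XX, so a '+' that was itself
    escaped as %2B survives. Repeats to unwrap double-encoded values."""
    text = unquote_plus(text)
    for _ in range(max_rounds - 1):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def query_params(url):
    """Collect key -> [values] from the query string AND the fragment, with
    every key and value decoded. Keeps blank values and repeated keys."""
    parts = urlsplit(url)
    params = {}
    for chunk in (parts.query, parts.fragment):
        for pair in chunk.split("&"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            params.setdefault(fully_unquote(key), []).append(fully_unquote(value))
    return params


def readable_url(url):
    """Human-readable form: decoded path plus decoded 'key=value' pairs."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{unquote(parts.path)}"
    pairs = [f"{k}={v}" for k, vals in query_params(url).items() for v in vals]
    return base + ("?" + "&".join(pairs) if pairs else "")


def describe_google_search(url):
    """Pull out the parameters the post lists; None for non-Google URLs."""
    if "google." not in urlsplit(url).netloc:
        return None
    params = query_params(url)
    return {name: params.get(name, [None])[0] for name in GOOGLE_PARAMS}


if __name__ == "__main__":
    # Constructed samples: ordinary query string, instant-search fragment,
    # and a double-encoded value.
    for sample in (
        "https://www.google.com/search?q=who%27s+calling%3F&as_sitesearch=example.com&sort=date%3Ad%3As",
        "https://www.google.com/#q=family%2520lawyer",
        "https://example.com/a%20b/page?q=c%2B%2B+tutorial",
    ):
        print(readable_url(sample), describe_google_search(sample))
```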


TL;DR - Summary

1) Find the local storage on your machine
2) Open the SQLite files with a database browser
3) Save file as HTML, close the file, re-open with a spreadsheet program (Excel)
4) Repeat until you've opened all files and saved them all into one workbook
5) Utilize the pivot table function to investigate the data
6) Have a beer

V/r - DNS

Wednesday, May 30, 2012

Skype

Where would the wayward spouses of this world be without Skype?

Skype Primer

Skype is an IM/chat/voice/webcam platform now belonging to Microsoft. There are no public chat rooms, à la AOL, but users can create a group and invite other users to join. Files can be shared between users and groups, and desktops can be shared.

Skype Guts

Skype is a platform based on SQLite3 databases (like Chrome and Firefox). The files for Skype in Windows Vista and 7 are normally located at C:\Users\USER\AppData\Roaming\Skype. In this directory, you'll see the Skype user name set up as a folder. You'll have one such folder for every Skype user to log in through that computer. Clicking on the Skype user name, you are presented with the data files for that user.

You will see the following folders:
  • chatsync
  • httpfe
  • voicemail
You will also see the following files:
  • bistats.db
  • config.xml
  • dc.db
  • griffin.db
  • keyval.db
  • main.db
  • msn.db
You may also see several .db-journal files. These are temporary files SQLite uses to perform a rollback.

Brass Tacks

The main.db file is the primary focus here. According to the SQLite3 documentation at www.sqlite.org:
A database file might contain one or more pages that are not in active use. Unused pages can come about, for example, when information is deleted from the database. Unused pages are stored on the freelist and are reused when additional pages are required.
This means that when the user deletes records, the space they occupied is marked as unused; the records are NOT removed from the main.db file. The deleted records sit in unallocated space within the file. They will, however, eventually be overwritten by new data. This means you should copy that file ***now*** before any old data is truly gone. Once overwritten, it cannot be retrieved.

Richard Drinkwater, blogger at Forensics from the Sausage Factory wrote a brilliant article in April 2011 titled Carving SQLite Databases from Unallocated Sectors. He posited it could be possible to write a parsing program to retrieve these "inactive" pages in a systematic manner utilizing the SQLite header information. That's beyond my skills... but like any good caveman with a blunt instrument, it just takes the right amount of brute force to get through it.

Using the HxD Hex Editor, you will be able to open that main.db file and translate the machine code to text. There will be plenty of garbage characters and the data will be in a somewhat random order. If you're lucky enough you will have been able to catch a good bit of data that the user believes they've deleted for good.

From Windows Explorer, right click the target main.db file and select Open With... Pick HxD Hex Editor to open the file. In HxD, click View, then Select Visible Columns, and check Text Only. Click File, then Export, and select to export the "Editor View". You now have a more-or-less human readable record of all the IMs, chats, file sharing and records of web cam sessions. Import into Excel and search for your favorite keyword.
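An added example (not the author's code) that reproduces the point of the freelist quote and the hex-editor search above in a script: it creates a constructed Messages table loosely modelled on Skype's, deletes a row, and shows that the row's text is gone for the SQL engine but still present in the raw file bytes and that the header's freelist page count has grown. It then shows the mitigation, `PRAGMA secure_delete` plus `VACUUM`, after which the bytes are gone. The table name, rows and marker string are constructed; the header offsets are from the SQLite file-format specification.

```python
import os
import sqlite3
import struct
import tempfile

HEADER_MAGIC = b"SQLite format 3\x00"


def header_info(path):
    """Decode the 100-byte SQLite header fields that matter here (offsets per
    the SQLite spec): page size at 16, page count at 28, first freelist trunk
    page at 32, total freelist pages at 36. All big-endian."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != HEADER_MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:          # the spec encodes 65536 as 1
        page_size = 65536
    page_count, first_trunk, freelist_pages = struct.unpack(">III", hdr[28:40])
    return {"page_size": page_size, "page_count": page_count,
            "first_freelist_trunk": first_trunk, "freelist_pages": freelist_pages}


def raw_occurrences(path, needle):
    """Count a byte string in the raw file: what a hex editor's search (or a
    grep over HxD's exported text) finds, live row or not."""
    with open(path, "rb") as f:
        return f.read().count(needle)


def live_occurrences(path, needle):
    """Count the same text through the SQL engine, which sees only live rows."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return con.execute("SELECT count(*) FROM Messages WHERE body LIKE ?",
                           (f"%{needle}%",)).fetchone()[0]
    finally:
        con.close()


def purge_deleted(path):
    """Mitigation: zero freed space from now on, then rebuild the file so
    that nothing but live cells is copied into the new file."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=ON")
    con.execute("VACUUM")
    con.close()


def run_demo():
    """Constructed scenario. Returns {stage: (live_count, raw_count)} plus the
    freelist page count before and after the purge."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    marker = "SECRET_MARKER"
    con = sqlite3.connect(path)
    # Off is the usual default; set explicitly so the demo is reproducible
    # on builds compiled with secure_delete on.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    con.executemany("INSERT INTO Messages (author, body) VALUES (?, ?)",
                    [("alice", "filler chatter " * 40)] * 300)
    con.execute("INSERT INTO Messages (author, body) VALUES (?, ?)",
                ("bob", f"{marker} see you at noon"))
    con.commit()
    stages = {"before": (live_occurrences(path, marker),
                         raw_occurrences(path, marker.encode()))}

    con.execute("DELETE FROM Messages WHERE author = 'bob'")   # the 'private' row
    con.execute("DELETE FROM Messages WHERE id <= 150")       # empties whole pages
    con.commit()
    con.close()
    stages["after_delete"] = (live_occurrences(path, marker),
                              raw_occurrences(path, marker.encode()))
    freelist_before = header_info(path)["freelist_pages"]

    purge_deleted(path)
    stages["after_purge"] = (live_occurrences(path, marker),
                             raw_occurrences(path, marker.encode()))
    freelist_after = header_info(path)["freelist_pages"]
    os.remove(path)
    return stages, freelist_before, freelist_after


if __name__ == "__main__":
    stages, fl_before, fl_after = run_demo()
    for stage, (live, raw) in stages.items():
        print(f"{stage:13} live rows: {live}  raw hits in file: {raw}")
    print(f"freelist pages before purge: {fl_before}, after: {fl_after}")
```

Note that a purge only rewrites the database file itself; copies of the old pages may still exist in rollback journals, backups or unallocated disk space.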

You may want to use a tool called Windows Grep to pull out all references to a user, keyword, or conversation code. This is a shareware app and they request you purchase a license after evaluating the tool.

Inside Main.db

For user-to-user messages, the syntax used in main.db to identify the sender of a message is the hash (#), then Skype user name, then slash (/). The receiver is preceded by the dollar ($). A 16 digit alphanumeric conversation code is present as well. If you only see the conversation code then it came from a user that has since been blocked/removed or is a message sent to a group.

The leading two characters of the conversation code also appear as sub-folders within the Chatsync folder. Additional data is presumably stored in these files related to the conversation. The conversation folders in Chatsync may be empty where a conversation has been deleted by the user.

Other Handy Tools

Since main.db is a SQLite database, you can open and copy tables using SQLite Database Browser. Unfortunately, only active records are read by the database viewer. You will not see all of the records the user tried to delete.

SkypeChatsyncReader
This application reads the .dat files in the Chatsync folder and tries to reintegrate the conversations. Unfortunately, I have not had much luck with the application reading all of the deleted data. I have found that the delete process in Skype appears to clean up the .dat files before addressing main.db.

One useful aspect of this tool is that it will list the members belonging to a group conversation. That is, if the Chatsync files are present.

SkypeLogView
This application will provide a handy list of all messages in and out of the account. It includes voice and video. Unfortunately, it doesn't read the deleted records in the unallocated memory.

Video Chat/Voice

There is nothing able to retroactively recall the contents of a video chat or a voice call. The chat session is done on a peer-to-peer basis and the content of the session is not stored. The metadata surrounding the session (participants, time, video quality, etc) may be found in main.db but there are no saved video or audio files.

There are several add-ons around that allow a Skype user to record calls and video but it is user-initiated and is not a stealthy operation. There are rumors of a trojan virus which does record audio. This is far beyond the scope of this blog entry. I wouldn't ever recommend intentionally installing a virus on any machine.

Conclusion

Get a copy of main.db now! Run it through HxD and see what kind of deleted data you can retrieve. If your partner hasn't deleted data, SkypeChatsyncReader and SkypeLogView are excellent tools to review the contents of their Skype history.

Please post questions or comments. Also, let me know if you found a tool to read from the unallocated memory of that pesky Skype main.db file.

---DNS

Tuesday, May 29, 2012

Computer Pseudo-Forensics; Tools

Where to start? Disclaimers!
1. I'm not a computer tech/analyst
2. I'm not a lawyer
3. Follow your own judgment before trying anything here. See #1 and #2 above.

Computer forensics is a scientific field of analyzing and preserving digital information to support legal matters. Police forensics analysts seize computers, phones, servers from bad guys and search them for kiddie porn, bootlegging, and details of illicit financial transactions. Lawyers often refer people to private investigators to perform computer forensics in civil matters such as divorce. Lots of information can be gained from computer forensics and to be admissible as evidence it most definitely has to be done by an independent party. Given that, what I'm describing in these blog posts falls far short of the professional definition of forensics. That's why this post is titled Pseudo-Forensics.

There is an almost infinite number of combinations of computer platforms, operating systems, and programs. I'm not familiar with every system. Most of the work I have done is based on Windows XP, Vista and 7.

Tools
Here are some handy tools. Most are free or low-cost and download links are provided in the hyperlinked name of the tool, below.
1. HxD Hex Editor
HxD is a free hex editor. It shows a file's raw bytes as hexadecimal alongside their text interpretation. This is handy for viewing files where a cached value may be hiding. Very useful for looking at Skype's databases.
2. SQLite Database Browser
The SQLite Database Browser is a free tool useful for exploring the SQLite databases behind the scenes of Skype and several popular browsers.
3. ChromeAnalysis, FoxAnalysis
The good people at Foxton Software have provided a freeware version of their browser analysis tools. The pay versions have many more features but weigh in at £68.
4. ChromeCacheView, IECacheView, MozillaCacheView
The good people at NirSoft have compiled some free utilities to view the contents of popular browsers' cache folders. The listing provides the URL and accessed date, and gives an option to extract entries to a folder to view their contents (useful for cached images!).
5. SkypeLogView
The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD. This will be the content of a future post.
6. SkypeChatsyncReader
A utility created by Rasmus Riis Kristensen of the Computer Crime Unit of the Danish National Police. It is based on reverse engineering of where data is located in Skype's .dat files.
7. PCWin Recovery
The good people at Frontier DG have a tool (about $10, I believe) which can be loaded onto a USB drive and will reset the Windows password. This is hardly a stealth operation... it wipes out the existing password.
8. MiniTool Power Data Recovery
The good people at MiniTool have an application which can recover deleted files from the PC, SD Cards and USB drives. The trial version allows 1GB to be recovered free. The cost of the software is around $65.
9. Thumbs.db Viewer
The good people at Janusware have created a utility to view all of those little thumbnail pictures that are created in Windows. These thumbnail images often exist long after the file itself was deleted. They offer a trial version which is relatively useless. The product costs $25 and is recommended.
10. OSForensics
The good people at Passmark Software have put out a freeware forensics suite. It is feature-heavy with the ability to clone a drive without accessing the OS, virtual drive mounting and data carving tools. However, the tool set is complicated for a non-forensic analyst to use. The pay version is about $500 and allows multiple file export, performance enhancement, unlimited data indexing and other useful features.

Spyware
We've talked mostly about looking at past data records. Monitoring and spyware will be the subject of a future post.

--- DNS