Friday, July 20, 2012

Skype Main.db

I hope you've read the Skype primer I posted a while back... Because now it is time to roll up our sleeves and get dirty!

Main.db

The main.db SQLite 3 file is the heart of Skype. The file is located in Windows 7 at C:\Users\WindowsUserName\AppData\Roaming\Skype\SkypeUserName and in Windows XP at C:\Documents and Settings\WindowsUserName\Application Data\Skype\SkypeUserName.

In my Computer Pseudo-Forensics & Tools post, I pointed out some helpful software: a SQLite database browser called, appropriately, SQLite Database Browser and a raw hexadecimal file editor called HxD Hex Editor. Both are free. The discussion below utilizes these tools.

SQLite is cool

Skype (like Firefox and Chrome) utilizes a lightweight SQL engine called SQLite 3. This gives the software a back-end platform which is light enough to be used on mobile devices. The PC-based clients use the same engine, since standardizing the back-end across platforms reduces the cost of maintenance as well as development cost and time.

SQLite is an open standard and has extensive documentation. All SQLite formatted files have a header beginning "SQLite format 3".

From my earlier post on Skype

"According to the SQLite3 documentation at www.sqlite.org:

A database file might contain one or more pages that are not in active use. Unused pages can come about, for example, when information is deleted from the database. Unused pages are stored on the freelist and are reused when additional pages are required.
This means when the user deletes records, they're marked inactive. NOT removed from the main.db file. The deleted records sit in unallocated memory. They are, however, overwritten with new data. This means you should copy that file ***now*** before any old data is truly gone. Once overwritten, it cannot be retrieved.

Using the HxD Hex Editor, you will be able to open that main.db file and translate the machine code to text. There will be plenty of garbage characters and the data will be in a somewhat random order. If you're lucky enough you will have been able to catch a good bit of data that the user believes they've deleted for good."
That's why SQLite is cool :)


Using Main.db

The main.db file is a SQLite database. Using SQLite Database Browser (or any other SQLite tool), you can open the "official" memory of the Skype program. The information you can retrieve from this file represents the data that has not been deleted or removed by the user.

Schema

The schema is the set of tables and indexes within the database file. It provides the structure of the database, the names of the tables, the fields (data items) within each table and a description of the field indicating what type of data is stored and whether it is a primary key (a unique, mandatory value). The indexes for the database are provided. These indexes are tools used by SQLite to speed up the execution of queries used to retrieve data.

Just because I like you, here is a link to a spreadsheet containing the tables and indexes and a link to a spreadsheet containing the tables and data fields.

Tables

The following tables appear in the main.db schema. Each table on this list is linked to a spreadsheet with a description of the table's fields and data types.

So what?

The following tables are where you will find useful data...
  • Contacts
    • You'll find all of the user's contacts with their SkypeName, their DisplayName and any other details they've provided in their Skype profile (location, mobile #, etc)
  • Videos
    • You'll find a list of the user's video chats and a Convo_ID. 
    • The Convo_ID will map to the Convo_ID in the Conversations and Participants tables.
  • SMSes
    • I have no experience with this table but I believe it is used to store SMS texts sent via Skype to a cell phone (a paid feature for Skype users)
  • CallMembers
    • Provides a list of all parties to a call (grouped by Call_Name). 
    • Duration is provided per participant and a Video_Status is provided (I believe 3 = video call)
  • ChatMembers
    • Provides a list of members taking part in a chat (grouped by Chat_Name). 
    • The Adder field provides the SkypeName of the user who added the participant to the chat.
  • Conversations
    • Provides a list of the conversations in which the user participated. 
    • The Identity column provides the SkypeName of the participant or the Chat_Name for group chats/rooms. 
    • The DisplayName field provides the participant's displayed name in Skype or the displayed title of the group chat/room.  
    • The Creator column notes the creator of the group chat/room.
    • Timestamps are provided for Last_Activity, Inbox_Timestamp, Creation_Timestamp and more.
  • Participants
    • Provides a list of conversation participants grouped by the Convo_ID
    • The Adder field notes the SkypeName of the user who added the participant to the conversation
    • The Identity column provides the SkypeName of the participant.
    • Text, Voice and Video status fields are provided.
  • Calls
    • Provides the calls in which the user has participated.
    • Call_Name is provided and maps to the Call_Name column in the CallMembers table.
    • Timestamps for the calls and the Host of the call are provided.
  • Transfers
    • Provides the details of files shared and downloaded by the user.
    • Partner_Handle is the SkypeName of the other party, Partner_DisplayName is their DisplayName.
    • FileName and FileSize are provided along with the FilePath (uploads only I believe).
    • Convo_ID is provided which maps to the Participants and Conversations tables.
    • Timestamps are provided.
  • Voicemails
    • Lists voicemails sent to the user
    • Partner_Handle is the SkypeName of the other party, Partner_DisplayName is their DisplayName.
    • Path column displays a ".dat" file which is located in the ...\Skype\SkypeUserName\Voicemail folder
  • Chats
    • Provides the chats in which the user participated.
    • The Name field follows this structure: #SkypeUserNameOfInitiator/$SkypeUserNameOfPartner;ChatIDString
      • The ChatIDString is a 16-digit alphanumeric string that is unique to the Chat
      • The SkypeNameOfPartner is replaced with the ChatIDString when the chat is a group chat/room. Ex: #SkypeUserNameOfInitiator/$ChatIDString
    • The Friendly_Name column provides the display name of the partner or group chat/room.
    • The Adder field notes the SkypeName of the user who added the participant
    • Timestamps are provided
    • The Posters field is a concatenated list of SkypeUserNames that posted to the chat
    • The Participants field is a concatenated list of SkypeUserNames that received messages from the chat
    • The ActiveMembers field is a concatenated list of SkypeUserNames of those who have recently posted
    • The dbPath field displays a ".dat" file which is located in the ...\Skype\SkypeUserName\Chatsync folder
      • The name of the ".dat" file is a 16-digit alphanumeric
      • The first two characters indicate the subfolder where the ".dat" file is located under the Chatsync folder. Ex- if the dbPath field has the value of 01abc2345def6789.dat; the file is located at ...\Skype\SkypeUserName\Chatsync\01\
  • Messages
    • Provides a Convo_ID to map to Conversations table, Videos table and others.
    • Provides ChatName to map to the Name field in the Chats table.
    • Notes the SkypeName of the Author of the message.
    • Provides the message detail in the Body_XML field. This is the most important field... this is the message sent from one party to another!

Timestamps

The timestamps in main.db are UNIX epoch values (seconds since January 1, 1970). You will need to convert these timestamps into human-readable values. For example, the value '1325900664' represents January 6, 2012 8:44pm. I use the following equation in Excel to convert the dates (assuming the Timestamp value is in cell B3):
=IF(B3="","",(B3/86400)+25569+(-5/24))

The IF statement states that if there is no value for Timestamp, then no value should be returned. If there is a value in the Timestamp field, the equation should be executed.

In SQL queries the date is converted using the datetime function. The format of the function is as follows:

datetime(timestamp_field,'unixepoch')
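As an added example (not code from the original post), the Python below does the same conversion in three ways: a Python rendering with the Excel formula's NULL guard and fixed offset, a reproduction of the Excel serial-date arithmetic, and SQLite's own datetime(...,'unixepoch'). Note that SQLite's datetime() renders UTC, while the Excel formula's -5/24 term shifts to a fixed UTC-5; the two differ by exactly that offset, and neither follows daylight-saving changes. The sample value is the one from the post.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

SAMPLE_TS = 1325900664        # value from the post: January 6, 2012 8:44pm at UTC-5
EXCEL_EPOCH_SERIAL = 25569    # Excel serial date of 1970-01-01, the constant in the formula
SECONDS_PER_DAY = 86400


def skype_ts_to_text(ts, utc_offset_hours=0):
    """Render a main.db UNIX-epoch field as 'YYYY-MM-DD HH:MM:SS'.

    None or '' comes back as None, mirroring the IF(B3="","",...) guard in the
    Excel formula. utc_offset_hours is a fixed offset like the formula's -5/24,
    so it does not follow daylight-saving changes; pass 0 to stay in UTC.
    """
    if ts is None or ts == "":
        return None
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(int(ts), tz=tz).strftime("%Y-%m-%d %H:%M:%S")


def excel_serial(ts, utc_offset_hours=0):
    """Reproduce the post's Excel formula: (ts/86400) + 25569 + (offset/24)."""
    if ts is None or ts == "":
        return ""
    return ts / SECONDS_PER_DAY + EXCEL_EPOCH_SERIAL + utc_offset_hours / 24


def sqlite_datetime(ts):
    """Let SQLite convert, exactly as datetime(field,'unixepoch') does in a query (UTC)."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("select datetime(?, 'unixepoch')", (ts,)).fetchone()[0]
    finally:
        conn.close()


def cross_check(ts, utc_offset_hours):
    """Confirm SQLite's UTC rendering matches Python's, then return the offset-adjusted text."""
    agrees = sqlite_datetime(ts) == skype_ts_to_text(ts, 0)
    return agrees, skype_ts_to_text(ts, utc_offset_hours)


if __name__ == "__main__":
    print(skype_ts_to_text(SAMPLE_TS, -5), sqlite_datetime(SAMPLE_TS), excel_serial(SAMPLE_TS, -5))
```

When reporting times from main.db, state which of the two renderings you used; a timeline that mixes UTC values from a SQL query with local values from the spreadsheet will be off by the offset.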

A query to start off with

Not everyone can write SQL queries, but they should! Here is a simple sample query to get you on your way. This retrieves all contacts sorted by the number of times they appear in the participants table:

select c.skypename
         ,c.fullname
         ,c.country
         ,c.province
         ,c.city
         ,c.phone_home
         ,c.phone_office
         ,c.phone_mobile
         ,c.main_phone
         ,c.emails
         ,c.verified_email
         ,datetime(c.lastused_timestamp,'unixepoch') lastused_timestamp
         ,count(p.identity)
from contacts c
    ,participants p
where c.skypename = p.identity
group by c.skypename
         ,c.fullname
         ,c.country
         ,c.province
         ,c.city
         ,c.phone_home
         ,c.phone_office
         ,c.phone_mobile
         ,c.main_phone
         ,c.emails
         ,c.verified_email
         ,datetime(c.lastused_timestamp,'unixepoch')
order by count(p.identity) desc
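As an added example (not code from the original post), here is the same query run from Python against a constructed stand-in for main.db. The stand-in holds only the columns the query touches and a few constructed rows; the real schema has many more columns. The query is trimmed to a handful of columns and written with an explicit join, and a left join variant is included because the inner join silently drops contacts who never appear in the participants table.

```python
import sqlite3

# Constructed stand-in for main.db: only the columns the post's query touches.
SCHEMA = """
create table contacts (
    skypename text primary key, fullname text, country text, province text, city text,
    phone_home text, phone_office text, phone_mobile text, main_phone text,
    emails text, verified_email text, lastused_timestamp integer);
create table participants (
    id integer primary key, convo_id integer, identity text, adder text);
"""

# Constructed sample rows, not real Skype data.
CONTACTS = [
    ("alice.example", "Alice Example", "us", "ny", "New York", None, None,
     "+1 555 0100", None, "alice@example.invalid", None, 1325900664),
    ("bob.example", "Bob Example", "gb", None, "London", None, None,
     None, None, None, None, 1325800000),
    ("carol.example", "Carol Example", "dk", None, "Copenhagen", None, None,
     None, None, None, None, 1325700000),
    ("dave.example", "Dave Example", "de", None, "Berlin", None, None,
     None, None, None, None, None),          # never appears in participants
]
PARTICIPANTS = [   # (convo_id, identity, adder)
    (1, "alice.example", "alice.example"), (1, "bob.example", "alice.example"),
    (2, "alice.example", "alice.example"),
    (3, "alice.example", "bob.example"), (3, "bob.example", "bob.example"),
    (3, "carol.example", "bob.example"),
]

# The post's query, trimmed to a few columns; {join} is 'join' or 'left join'.
QUERY = """
select c.skypename
      ,c.fullname
      ,c.country
      ,c.city
      ,datetime(c.lastused_timestamp,'unixepoch') lastused_timestamp
      ,count(p.identity) appearances
from contacts c
{join} participants p on c.skypename = p.identity
group by c.skypename, c.fullname, c.country, c.city, c.lastused_timestamp
order by count(p.identity) desc, c.skypename
"""


def build_sample_db():
    """Create the in-memory stand-in and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into contacts values (?,?,?,?,?,?,?,?,?,?,?,?)", CONTACTS)
    conn.executemany("insert into participants (convo_id, identity, adder) values (?,?,?)",
                     PARTICIPANTS)
    conn.commit()
    return conn


def contacts_by_participation(conn, include_unseen=False):
    """Contacts ranked by how often they appear in participants.

    include_unseen=True switches to a left join so contacts with zero
    appearances are listed with a count of 0 instead of vanishing.
    """
    join = "left join" if include_unseen else "join"
    return conn.execute(QUERY.format(join=join)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in contacts_by_participation(db, include_unseen=True):
        print(row)
```

Against a real main.db, open the file read-only on a copy (sqlite3.connect("file:main.db?mode=ro", uri=True)) so the examination never writes to the evidence.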


What's the deal with Chatsync?


The Chatsync folders also contribute a great deal. The main.db database includes pointers to the ".dat" files in the Chats table. I believe these folders within Chatsync store nodes of information which are retrieved by the Skype application when the chat data is needed; it's sort of like an extended memory for information about the chat. I do know the Chatsync files do not include all the information presented in the main.db Chats table, and I have found data present in the Chatsync files that is not present in the main.db tables.

Forensics

Reading the Main.db file with a SQLite utility, and reading the Chatsync files, is of limited use when trying to recover data that has been deleted. As I stated in this earlier article, the best approach is to read Main.db with a hexadecimal reader to recover partial records of deleted messages, video calls, voice calls, chats and other data. The Chatsync files are of limited worth as, in my experience, they appear to have been deleted more regularly than the old data in main.db was overwritten by new data.

Other Tools

The other helpful tools to use are SkypeLogView and SkypeChatsyncReader. I discussed these in my earlier post:

SkypeLogView

The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD.

SkypeChatsyncReader

A utility created by Rasmus Riis Kristensen from the Computer Crime Unit of the Danish National Police. It is based on reverse engineering the location of data in Skype's .dat files.

Conclusion

The Main.db file is a useful source of data IF a deletion of data has not occurred. The presentation of files from a SQLite database browsing utility can provide a well-formatted view into Skype usage. Please remember that carving the Main.db file with a hex editor will yield data that has been deleted by the user. However the presentation of this deleted data is nowhere near the organized output of the Main.db file.

-- DNS

Thursday, June 7, 2012

Structure

So you have 1,000 emails, a 500,000 line file full of chats, 30,000 transactions from your cellphone bill, and credit card statements going back six years... What does it mean?

Structure Your Data

Just a thought for today... When compiling forensic data it is important to make it human readable. This isn't just to help those who aren't tech savvy. It is to help consolidate and present information in a coherent manner so it is more readily comprehensible. Isn't that what we're doing at the Betrayed Spouses Club when we look at digital data? We're not only finding information we didn't have (or didn't want to see), we are trying to comprehend it. We are trying to put some structure into a subject matter that had suddenly and unexpectedly jumped from our subconscious insecurities into the ever-present lugubrious spotlight of our daily lives. For me, personally, no matter how badly my wife and I were getting along I never thought I would be a member of this club. It was so horribly unfathomable that I find myself wondering which way is up more days than not. My search for the truth is paired with my need to structure it. I need the facts and a structure with which I can begin to comprehend them. That is why I took some time to write this post.

Mis En Scene

An important part of understanding "what" is to not take it out of context. Nobody lives in a vacuum. External events can be a frame of reference that can help with comprehension. I identified several events which could impact the decisions that were made by my wayward spouse.

It's important here to remember that no one can make someone cheat... No matter what happens the wayward spouse's decisions are their own. That said, the events which may have influenced those decisions can't be ignored. First, it can help you come to terms with what actually happened. Second, if you do try to reconcile, you will need to find and fix the vulnerabilities in your marriage, such as; poor stress coping skills, communication issues, lack of emotional support, etc.

Here are some of my events.
  • Holidays
  • My wife's birthdays
  • Big arguments over money
  • My spouse's mental condition
  • A death in the family
  • My diagnosis with cancer
  • Losing my job and health benefits

I plot these on the same structure along with milestones I found in my conversations with my spouse and my search for digital information. Here are a few.
  • Meet-ups with the other people
  • Calls, texts, chats, pic/video to the other people
  • Initiating a new relationship with another other person

The Timeline

A chronological structure can begin to help you fit the puzzle pieces together. There are a few options: calendar, timelines and Gantt Chart are what I'll cover here.

Calendar

To start, begin adding the data that you've collected which identify external events and events during the affair(s). I wouldn't recommend going to such detail as to record every text sent or received. You will need to stay at a high level of detail to make sure the calendar doesn't become cluttered and unreadable.

Tools


Timelines

Timelines offer an advantage over the calendar because they can manage the duration component of your data more effectively. The duration could be the time your spouse has associated with one other person or another, or it could help identify times where your spouse was well-behaved and acted with the appropriate respect for your marital vows. The basic structure of a timeline is a big arrow signifying time moving from a discrete point in the past and moving forward. Single events are marked as bullets, or milestones, along the path. Events with a duration can be listed with a callout (bracket) that is large enough to cover the span of time in the duration. This makes a better visual representation than a basic calendar and provides quick reference to the concept of duration.

Tools


Gantt Chart

A Gantt Chart is a project planning tool from the IT world. It's supposed to let a project planner identify tasks and events which need to occur on the timeline of a project. Additionally, resources needed for the project, costs, materials, dependencies, and all other sorts of project information can be associated with the tasks. The project manager can use it to keep his eye on the dizzying amount of data that is needed to ensure the project gets completed to spec. Now, this isn't a PMP certification blog so that's as far as I'm going to go in the proper use of the Gantt Chart. What it does well that suits our purposes is manage lots of information related to events, the duration of activities, and dependencies on external events.

I prefer the Gantt Chart to an ordinary timeline for a couple of reasons. First, you can add a lot of detail. A normal timeline would get fairly cluttered if a lot of detail is added. Second, you can roll up activities into a parent task. This is really handy when you are working with a complex data set like figuring out WTF happened to your life to make it go to sh*t.

Tools

  • Microsoft Project ($$$$$)
  • Microsoft Visio ($$$)
  • GanttProject ($0)

Thematic Analysis

This approach takes the events you have compiled and places them in relation to a key concept. A key concept may be "arguments" or "business trips" or "health/getting older" or whatever you and your spouse feel are major influences on the affair(s). You will need to spend some time to classify or label your events with the appropriate concepts. Once you are done, you can begin to see how these themes correlate to the behavior leading to affairs. For example, you find that your spouse is out late at the local meat market club on weekends (event) when they had a health scare (theme), birthday (theme), or a close friend passed (theme). You will be able to cut through the noise of too much data to see relationship between theme and event. If you're lucky, you just may be able to find a better understanding of their decisions and perhaps some hope by finding something you both can work on to strengthen your marriage.

Tools

  • TaggedFrog allows you to make a tag cloud from Windows files
  • Many Eyes is a cool site to see thematic visualization in action


It doesn't paint a pretty picture but it is a picture. With structure, I can see more clearly what events influenced her decisions. That gives me a better ability to understand what happened and how to work on the marriage to ensure it never does again.

Nota Bene: if you do use the Google tools make sure you're not sharing that with anyone! Set it to private so your bar buddies don't get a sneak peek at why you're always ordering double whiskeys.

---DNS

Friday, June 1, 2012

Mental Disorders in the One You Love

I know I'm crazy... I eat nutella instead of jelly on my pbj. I name my pets after participles. I read books upside down for fun. But this post is about the craziness of being in a relationship with someone who is diagnosed.

My own situation is crazy to an extreme. My wife is bipolar (BP), has borderline personality disorder (BPD), and a rampant history of self-medicating through drugs and alcohol. She was diagnosed a few months ago although her disorders go much farther back. I was the kind of schlep every borderline dreams of- I was supportive, attentive, allowed her to be her own moral guide, and took whatever she said for face value. It has been at least six years, maybe ten, that she has shown behavioral traits which may have helped diagnose her and get her help. It is somewhat unsettling to me to think that being the supportive husband, committed family-man, and respectful partner I always had aspired to be had enabled her to suffer for so long. I'm wracked with as much guilt over this as I am with anger at what she has done over the past few years. That's the point of this post. Maybe someone out there will read it and figure out their own situation before it gets into that hand basket and goes straight to hell.

How to Get Help Fast

The first time I tried to get my wife to a psychiatrist was a nightmare. I called 30+ offices and found only a few that took my insurance (I had really good insurance too). Those that did, either weren't seeing new patients or were focusing in on the elderly market. I finally found one to go to but they were scheduling 3.5 months in advance! It was almost hopeless to try to go see a shrink... I eventually found a quick way in. I wouldn't recommend it though. At one of our marriage counseling sessions I said I was going to go away for a weekend to cool off and my wife snapped. She said she couldn't deal with it and said she'd probably hurt herself. I immediately took her to the hospital ER for a psych evaluation. They enrolled her into a partial hospitalization program and she was able to see a shrink the next day. I wouldn't recommend this approach unless you're actually in fear for their safety but it did get her in the door and get her the help she needed right away.

Nota Bene: I'm not a shrink. I'm just a dude who has to deal with this sh*t on a daily basis. What follows is my opinion. Take it for what it's worth.

Bipolar (BP)

Formerly called manic depression, bipolar is caused by chemical imbalances in the brain. It is generally treated with medication and behavioral therapy. A very important note is that antidepressants alone can cause this disease to get worse.

General Traits

Mood swings between depression and manic phases. Depression is a common term thrown around these days, but BPs have clinical depression. Clinical depression is a long-term period of low mood that interferes with daily life. It can cause a loss of pleasure in once enjoyable activities, constantly feeling helpless, sleeping too much or too little, eating too much or too little, lack of energy, thoughts of death and suicide. The BP will have shifts in mood from the depressed state to a manic state which can occur quickly or over a prolonged period. The mood shift is often unconnected with events in real life. There are two types of BP: Type 1 (manic) and Type 2 (hypomanic).

BP Type 1

This is the mainstream bipolar. They have crippling depression followed by a feel-good manic phase. The manic phases are really, truly highs where they feel invincible, unable to make mistakes and euphoric. Type 1s are often trying to get back to being manic when they are in their depressed state.

BP Type 2

Type 2 is a subset of BP where the manic phase isn't a real high, it's a hyper-energized state of anxiety. The manic phase can often be seen as irritable or angry to an observer. BP type 2s often have crippling depression intermixed with crippling panic and anxiety which leads to further depression.

Mania

Type 1s and Type 2s often have similar traits in manic phases. The Type 2 doesn't have the euphoric high and may have less extreme traits.
  • Easily upset
  • High energy levels, talking a lot, racing thoughts
  • Little need for sleep
  • Poor judgment
  • Reckless and impulsive behavior, over-spending, gambling, substance abuse, hypersexuality

Causes

Most BP develops between 15-25. Some potential causes are genetics, drug use, and (proving kids can actually make you crazy) childbirth.

Resources for BP


Borderline Personality Disorder (BPD)

BPD is a cognitive disorder rather than a chemical imbalance. It's a learned set of coping skills, usually created from a distressed childhood or unstable family setting, which are ultimately destructive. BPD gets its name from the old terminology used for the disorder: 'borderline schizophrenic'. It is also commonly referred to as being a 'sociopath'. There's a lot of stigma being diagnosed with BPD. Some shrinks treat BPD with medication but ultimately therapy is needed.

General Traits

People suffering from BPD often feel uncertain about their identities, see things in a black/white or all/nothing perspective, change interests and personalities quickly, have a fear of abandonment, frequently feel bored/empty, have inappropriate displays or acts of anger, are impulsive (gambling, hypersexuality, substance abuse), and can often be in crisis or attempt self-harm. They can feel like they're "wearing masks" when they need to interact with others. BPD sufferers often have mood swings that occur more frequently than BPs and are more rooted in reactions to events in their lives.

Sub-types

There are a lot of classifications within BPD. The most often referred to is Narcissistic Personality Disorder. However, most discussions make a distinction between high-functioning and low-functioning. The high-functioning BPD is the type which is most difficult to treat. The disorder itself has roots in self-preservation, pursuing selfish goals, and a profound lack of empathy for any of the people they may wrong in said pursuits. Low-functioning BPD are at least aware that something may be wrong and they may have hurt people.

Treatments

Bad news folks. BPD has long been said to be untreatable. There are some docs who prescribe medications for mood stabilization and depression. The therapy options available for BPD are often classified as behavioral (mentalization, transference) or cognitive (dialectical behavior therapy (DBT), schema therapy). The dialectical therapy seems to be the go-to treatment option for many and has shown moderate success. However, the time commitment for patient and therapist is quite significant and it is a costly treatment program. I haven't gone far enough down the rabbit hole to offer a personal opinion on treatment... yet.

Resources for BPD



Substance Abuse

For us this was an outgrowth of BP and BPD but it is a huge issue in and of itself. No healing or emotional growth can occur while drugs or alcohol are in the picture. Some shrinks won't even start therapy or medications until the substance abuse problem has been addressed.

Resources for Substance Abuse


Conclusion

Get help! A BP, BPD or abuser of substances will not seek help as long as they're not at rock bottom. As long as you, the spouse, are supporting them by tolerating their behavior or protecting them from the consequences of their actions, they will never hit rock bottom. The hardest thing in the world I ever had to do was to look at the woman I've loved for 15 years, my wife and mother of my children, and tell her that I wanted her out of my life. There was no way we could continue as we had. I just hope you can address these issues if they are present in your life before they destroy everything.

---DNS


Wednesday, May 30, 2012

Skype

Where would the wayward spouses of this world be without Skype?

Skype Primer

Skype is an IM/chat/voice/webcam platform now belonging to Microsoft. There are no public chat rooms, à la AOL, but users can create a group and invite other users to join. Files can be shared between users and groups, and desktops can be shared.

Skype Guts

Skype is a platform based on SQLite3 databases (like Chrome and Firefox). The files for Skype in Windows Vista and 7 are normally located at C:\Users\USER\AppData\Roaming\Skype. In this directory, you'll see the Skype user name set up as a folder. You'll have one such folder for every Skype user to log in through that computer. Clicking on the Skype user name, you are presented with the data files for that user.

You will see the following folders:
  • chatsync
  • httpfe
  • voicemail
You will also see the following files:
  • bistats.db
  • config.xml
  • dc.db
  • griffin.db
  • keyval.db
  • main.db
  • msn.db
You may also see several .db-journal files. These are temporary files SQLite uses to perform a rollback.

Brass Tacks

The main.db file is the primary focus here. According to the SQLite3 documentation at www.sqlite.org:
A database file might contain one or more pages that are not in active use. Unused pages can come about, for example, when information is deleted from the database. Unused pages are stored on the freelist and are reused when additional pages are required.
This means when the user deletes records, they're marked inactive. NOT removed from the main.db file. The deleted records sit in unallocated memory. They are, however, overwritten with new data. This means you should copy that file ***now*** before any old data is truly gone. Once overwritten, it cannot be retrieved.

Richard Drinkwater, blogger at Forensics from the Sausage Factory wrote a brilliant article in April 2011 titled Carving SQLite Databases from Unallocated Sectors. He posited it could be possible to write a parsing program to retrieve these "inactive" pages in a systematic manner utilizing the SQLite header information. That's beyond my skills... but like any good caveman with a blunt instrument, it just takes the right amount of brute force to get through it.

Using the HxD Hex Editor, you will be able to open that main.db file and translate the machine code to text. There will be plenty of garbage characters and the data will be in a somewhat random order. If you're lucky enough you will have been able to catch a good bit of data that the user believes they've deleted for good.

From Windows Explorer, right-click the target main.db file and select Open With... Pick HxD Hex Editor to open the file. In HxD, click View, then Select Visible Columns, and check Text Only. Click File, then Export, and select to export the "Editor View". You now have a more-or-less human-readable record of all the IMs, chats, file sharing and records of webcam sessions. Import it into Excel and search for your favorite keyword.

You may want to use a tool called Windows Grep to pull out all references to a user, keyword, or conversation code. This is a shareware app and they request you purchase a license after evaluating the tool.
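The export-and-search steps above amount to pulling printable text out of pages SQLite has placed on its freelist, which is also what the freelist discussion in the later Main.db post is about. As an added example (not code from the original post or from HxD, Windows Grep or any other tool named here), the Python below reads the 100-byte SQLite header, walks the freelist trunk chain, and carves printable runs from the freed pages, with an optional keyword filter standing in for the Excel or Windows Grep search. It builds its own throwaway stand-in for main.db (the messages table and its columns are assumptions and every row is constructed) and deletes everything so there are freed pages to carve.

```python
import os
import re
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"                 # every SQLite 3 file starts with this
PRINTABLE = re.compile(rb"[\x20-\x7e]{12,}")   # runs of 12+ printable ASCII bytes


def parse_header(data):
    """Decode the fields of the 100-byte SQLite file header that carving needs."""
    if data[:16] != MAGIC:
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                          # the value 1 encodes a 65536-byte page
        page_size = 65536
    db_pages, first_trunk, free_count = struct.unpack(">III", data[28:40])
    return {"page_size": page_size, "db_pages": db_pages,
            "first_freelist_trunk": first_trunk, "freelist_pages": free_count}


def freelist_pages(data, hdr):
    """Walk the freelist: each trunk page lists leaf pages and points to the next trunk."""
    ps = hdr["page_size"]
    trunk = hdr["first_freelist_trunk"]
    seen = set()
    while trunk and trunk not in seen:
        seen.add(trunk)
        page = data[(trunk - 1) * ps:trunk * ps]
        next_trunk, n_leaves = struct.unpack(">II", page[:8])
        yield trunk, page                        # only its first 8 + 4*n bytes were overwritten
        for i in range(n_leaves):
            leaf = struct.unpack(">I", page[8 + 4 * i:12 + 4 * i])[0]
            if leaf and leaf not in seen:
                seen.add(leaf)
                yield leaf, data[(leaf - 1) * ps:leaf * ps]   # leaf pages are left as they were
        trunk = next_trunk


def carve_strings(data, hdr, keyword=None):
    """Return (page_number, text) for printable runs on freed pages, optionally keyword-filtered."""
    hits = []
    for pgno, page in freelist_pages(data, hdr):
        for m in PRINTABLE.finditer(page):
            text = m.group().decode("ascii")
            if keyword is None or keyword.lower() in text.lower():
                hits.append((pgno, text))
    return hits


def build_sample_db(path):
    """Constructed stand-in for main.db (assumed table/column names, constructed rows)."""
    conn = sqlite3.connect(path)
    conn.execute("pragma page_size = 4096")
    # Off in the stock SQLite build; vendor builds that turn secure_delete on zero freed
    # pages, which is exactly the mitigation that defeats this kind of carving.
    conn.execute("pragma secure_delete = off")
    conn.execute("create table messages (id integer primary key, author text, body_xml text)")
    conn.executemany("insert into messages values (?, ?, ?)",
                     [(i, "alice.example", f"constructed message {i:04d} " + "lorem ipsum " * 10)
                      for i in range(400)])
    conn.commit()
    conn.execute("delete from messages")      # the 'delete history' the user believes is final
    conn.commit()
    conn.close()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "main.db")
        build_sample_db(path)
        with open(path, "rb") as f:
            data = f.read()
    hdr = parse_header(data)
    hits = carve_strings(data, hdr, keyword="constructed message")
    return hdr, hits


if __name__ == "__main__":
    header, found = demo()
    print(header)
    print(f"{len(found)} deleted rows carved, e.g. page {found[0][0]}: {found[0][1][:60]}...")
```

Two things the output shows that the hex-editor view does not make obvious: text columns of one record run together (here the author name is glued to the message body) because SQLite records carry no separators between fields, and a freelist count of zero in the header is not proof that nothing was deleted, since a database created with auto_vacuum truncates freed pages from the file instead of keeping them on the freelist.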

Inside Main.db

For user-to-user messages, the syntax used in main.db to identify the sender of a message is the hash (#), then Skype user name, then slash (/). The receiver is preceded by the dollar ($). A 16 digit alphanumeric conversation code is present as well. If you only see the conversation code then it came from a user that has since been blocked/removed or is a message sent to a group.

The leading two characters of the conversation code also appear as sub-folders within the Chatsync folder. Additional data is presumably stored in these files related to the conversation. The conversation folders in Chatsync may be empty where a conversation has been deleted by the user.
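This description and the Chats table notes in the later Main.db post give the same layout for chat names and Chatsync paths. As an added example (not code from the original post or from SkypeChatsyncReader), the Python below parses a Chats.Name value into initiator, partner and chat id, distinguishes one-to-one chats from group chats by the presence of the ';' separator, and resolves a dbPath value to its Chatsync subfolder. The sample names (alice.example, bob.example, jdoe) and the 16-character ids are constructed; the 01abc2345def6789.dat example comes from the post.

```python
import re
from pathlib import PureWindowsPath

# Layouts as described in the post:
#   Chats.Name   #SkypeUserNameOfInitiator/$SkypeUserNameOfPartner;ChatIDString   (1:1 chat)
#                #SkypeUserNameOfInitiator/$ChatIDString                          (group chat/room)
#   Chats.dbPath 16-character name + ".dat"; its first two characters name the Chatsync subfolder
CHAT_NAME_RE = re.compile(r"^#(?P<initiator>[^/]+)/\$(?P<rest>.+)$")


def parse_chat_name(name):
    """Split a Chats.Name value into initiator, partner (None for group chats) and chat id."""
    m = CHAT_NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised Chats.Name layout: {name!r}")
    rest = m.group("rest")
    if ";" in rest:
        partner, chat_id = rest.split(";", 1)
        kind = "one_to_one"
    else:
        partner, chat_id = None, rest      # the partner slot holds the chat id for group chats
        kind = "group"
    return {
        "initiator": m.group("initiator"),
        "partner": partner,
        "chat_id": chat_id,
        "kind": kind,
        # the post describes the id as a 16-digit alphanumeric string; flag anything else
        "id_well_formed": len(chat_id) == 16 and chat_id.isalnum(),
    }


def chatsync_path(skype_user_dir, dbpath):
    """Resolve Chats.dbPath to its location under the user's Chatsync folder."""
    stem = dbpath[:-4] if dbpath.lower().endswith(".dat") else dbpath
    if len(stem) != 16 or not stem.isalnum():
        raise ValueError(f"unexpected dbPath value: {dbpath!r}")
    return PureWindowsPath(skype_user_dir) / "Chatsync" / stem[:2] / dbpath


def resolve_chat_row(skype_user_dir, name, dbpath):
    """Combine both parsers for one Chats row, the way a report script would."""
    info = parse_chat_name(name)
    info["dat_file"] = str(chatsync_path(skype_user_dir, dbpath))
    return info


if __name__ == "__main__":
    user_dir = r"C:\Users\jdoe\AppData\Roaming\Skype\jdoe"     # constructed placeholder path
    print(resolve_chat_row(user_dir, "#alice.example/$bob.example;0123456789abcdef",
                           "01abc2345def6789.dat"))
    print(resolve_chat_row(user_dir, "#alice.example/$0123456789abcdef", "01abc2345def6789.dat"))
```

Running this over every Chats row gives a list of .dat files that should exist; any listed file that is missing from Chatsync is a sign the Chatsync data was cleaned up, which matches the post's observation that those files go before the main.db records do.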

Other Handy Tools

Since main.db is a SQLite database, you can open and copy tables using SQLite Database Browser. Unfortunately, only active records are read by the database viewer. You will not see all of the records the user tried to delete.

SkypeChatsyncReader
This application reads the .dat files in the Chatsync folder and tries to reintegrate the conversations. Unfortunately, I have not had much luck with the application reading all of the deleted data. I have found that the delete process in Skype appears to clean up the .dat files before addressing main.db.

One useful aspect of this tool is that it will provide the members belonging to a group conversation, provided the Chatsync files are present.

SkypeLogView
This application will provide a handy list of all messages in and out of the account. It includes voice and video. Unfortunately, it doesn't read the deleted records in the unallocated memory.

Video Chat/Voice

There is nothing able to retroactively recall the contents of a video chat or a voice call. The chat session is done on a peer-to-peer basis and the content of the session is not stored. The metadata surrounding the session (participants, time, video quality, etc) may be found in main.db but there are no saved video or audio files.

There are several add-ons around that allow a Skype user to record calls and video but it is user-initiated and is not a stealthy operation. There are rumors of a trojan virus which does record audio. This is far beyond the scope of this blog entry. I wouldn't ever recommend intentionally installing a virus on any machine.

Conclusion

Get a copy of main.db now! Run it through HxD and see what kind of deleted data you can retrieve. If your partner hasn't deleted data, SkypeChatsyncReader and SkypeLogView are excellent tools to review the contents of their Skype history.

Please post questions or comments. Also, let me know if you found a tool to read from the unallocated memory of that pesky Skype main.db file.

---DNS

Tuesday, May 29, 2012

Computer Pseudo-Forensics; Tools

Where to start? Disclaimers!
1. I'm not a computer tech/analyst
2. I'm not a lawyer
3. Follow your own judgment before trying anything here. See #1 and #2 above.

Computer forensics is the scientific field of analyzing and preserving digital information to support legal matters. Police forensics analysts seize computers, phones, and servers from bad guys and search them for kiddie porn, bootlegging, and details of illicit financial transactions. Lawyers often refer people to private investigators to perform computer forensics in civil matters such as divorce. Lots of information can be gained from computer forensics, and to be admissible as evidence it most definitely has to be done by an independent party. Given that, what I'm describing in these blog posts falls far short of the professional definition of forensics. That's why this post is titled Pseudo-Forensics.

There is an almost infinite number of combinations of computer platforms, operating systems, and programs. I'm not familiar with every system. Most work I have done is based on Windows XP, Vista and 7.

Tools
Here are some handy tools. Most are free or low-cost and download links are provided in the hyperlinked name of the tool, below.
1. HxD Hex Editor
HxD is a free hex editor. It allows you to translate the hexadecimal code of machine language into text. This is handy for viewing files where a cached value may be hiding. Very useful for looking at Skype's databases.
2. SQLite Database Browser
The SQLite Database Browser is a free tool useful for exploring the SQLite databases behind the scenes of Skype and several popular browsers.
3. ChromeAnalysis, FoxAnalysis
The good people at Foxton Software have provided a freeware version of their browser analysis tools. The pay versions have many more features but weigh in at £68.
4. ChromeCacheView, IECacheView, MozillaCacheView
The good people at NirSoft have compiled some free utilities to view the contents of popular browsers' cache folders. The listings provide the URL and accessed date and give an option to extract entries to a folder to view the contents (useful for cached images!).
5. SkypeLogView
The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD. This will be the content of a future post.
6. SkypeChatsyncReader
A utility created by Rasmus Riis Kristensen from the Computer Crime Unit of the Danish National Police. This tool is based on reverse engineering the location of data in Skype's .dat files.
7. PCWin Recovery
The good people at Frontier DG have a tool (about $10, I believe) which can be loaded onto a USB drive and will reset the Windows password. This is hardly a stealth operation... it wipes out the password.
8. MiniTool Power Data Recovery
The good people at MiniTool have an application which can recover deleted files from the PC, SD Cards and USB drives. The trial version allows 1GB to be recovered free. The cost of the software is around $65.
9. Thumbs.db Viewer
The good people at Janusware have created a utility to view all of those little thumbnail pictures that are created in Windows. These thumbnail images often exist long after the file itself was deleted. They offer a trial version which is relatively useless. The product costs $25 and is recommended.
10. OSForensics
The good people at Passmark Software have put out a freeware forensics suite. It is feature-heavy with the ability to clone a drive without accessing the OS, virtual drive mounting and data carving tools. However, the tool set is complicated for a non-forensic analyst to use. The pay version is about $500 and allows multiple file export, performance enhancement, unlimited data indexing and other useful features.

Spyware
We've talked mostly about looking at past data records. Monitoring and spyware will be the subject of a future post.

--- DNS

Monday, May 28, 2012

Hello World!

Welcome to the club no one wants to join. I am hoping this blog will help you in your path to healing.

I'll post stuff here about my own struggles and pointers on the healing process. Others are encouraged to comment and share their own stories.

There is a resource page where websites and books will be posted which can help you on your own journey.

I am not a computer forensics person but I will post some techniques I know about computers. You're your own moral guide when it comes to this information. I highly recommend you do not pursue these activities... Work on communication and get the answers to your questions from your wayward spouse. That is the best way forward.

---DNS