Skype Forensics

Skype Forensics: Explore Skype Account Thoroughly!

Skype is an instant messenger that supports text, voice and video calling. Millions of people use it to communicate with friends, family or colleagues. Skype forensic analysis can give a forensic analyst important evidence for an investigation. Digital crimes are increasing day by day and have become part of the corporate world. All the chat data is recorded in the device's application memory. Anyone who can access the device can obtain the .db file and extract the chat details using any editor tool. In the following sections we will see how to access chats, messages and files from a user's account.

Source of Digital Evidence

The main source of digital evidence for Skype forensics is the log file folder. This is where Skype stores relevant forensic data. The Skype log files contain complete details about activity in Skype, including incoming and outgoing calls, chat messages, etc. On the Windows platform, all conversations are stored in a SQLite file named main.db. Many more details are stored as binary files with the .dat extension in the chatsync folder. On Linux, these files are stored with .dbb and .dat extensions.

The default location of Skype log files is


Main DB

main.db is a SQLite file, so it can be opened only with a SQLite3 client to extract the details. By opening the main.db file one can access all the stored conversations, members, file transfers, calls, and contacts.

The SQLite file main.db stores data in different tables. Consider the CallMember table: it contains attributes such as identity, display name, guid, start_timeStamp, call_duration, etc.

The Call table contains columns such as host_identity, current_video_audience, begin_timestamp, duration, etc. Other important tables are the Transfer table and the message table.
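The following is an added example, not part of the original article: it opens a copy of main.db read-only, lists its tables, and builds a call timeline from the call tables described above. The plural table names Calls and CallMembers, the dispname and call_db_id columns, and the reading of timestamps as Unix epoch seconds are assumptions; the sample database is constructed, and list_tables shows the real names on an actual file.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def build_sample_db(path):
    """Constructed stand-in for main.db (not real Skype data)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE Calls (id INTEGER PRIMARY KEY, host_identity TEXT,
                            begin_timestamp INTEGER, duration INTEGER);
        CREATE TABLE CallMembers (id INTEGER PRIMARY KEY, call_db_id INTEGER,
                                  identity TEXT, dispname TEXT, call_duration INTEGER);
        INSERT INTO Calls VALUES (1, 'alice.example', 1400000000, 125);
        INSERT INTO Calls VALUES (2, 'bob.example', 1400003600, NULL);
        INSERT INTO CallMembers VALUES (1, 1, 'bob.example', 'Bob', 125);
        INSERT INTO CallMembers VALUES (2, 2, 'alice.example', 'Alice', NULL);
    """)
    con.close()

def open_read_only(path):
    """Open the evidence copy with mode=ro so no query can modify it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def to_utc(ts):
    """Assumes Unix epoch seconds; NULL stays None instead of becoming 1970."""
    return None if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def list_tables(con):
    q = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    return [row[0] for row in con.execute(q)]

def call_timeline(con):
    """One row per call participant, oldest call first."""
    q = """SELECT c.id, c.host_identity, m.identity, m.dispname,
                  c.begin_timestamp, c.duration
           FROM Calls c JOIN CallMembers m ON m.call_db_id = c.id
           ORDER BY c.begin_timestamp"""
    return [{"call_id": r[0], "host": r[1], "member": r[2], "display_name": r[3],
             "begin_utc": to_utc(r[4]), "duration_s": r[5]} for r in con.execute(q)]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "main.db"
        build_sample_db(db)
        con = open_read_only(db)
        print(list_tables(con))
        for entry in call_timeline(con):
            print(entry)
        con.close()
```

Run the queries against a working copy of the file rather than the original, and record a hash of the copy before and after to show it was not changed.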

Another important file to investigate is the 'config.xml' file. It holds the Skype configuration settings and other relevant information, and can be opened in a text editor or any web browser. The file contains the timestamp of when Skype was last used, which appears between a start tag and an end tag as "<LastUsed> </LastUsed>". The contacts, with their names, are also stored in this configuration file in the tag " ".


Moreover, another important item in config.xml is the HostCache tag. The host cache contains the system IP address plus port number, displayed as hex values.

The UI version tag indicates the version of the application used, and the language tag indicates the language used, that is, English. Information about devices such as the microphone and speakers can also be found in this file.

The directories contain subfolders and files that mostly hold calls, chats, voicemail logs, etc. The chatsync folder contains the .dat files that hold the chat history between the Skype user and the other party. These files also include timestamps indicating the chat start time and its duration.

Extract evidence from Destroyed Log Files

A wide range of tools, from freeware to costly forensic software, exists to analyze healthy SQLite files. In most cases, suspects destroy the evidence in the databases. Rather than the history being cleared, the log files may be deleted or altered. SQLite Recovery Tool is a perfect tool to recover altered or corrupted main.db files, and so aids Skype forensics. This recovery tool also helps the investigator export the corrupted files to other formats.