Forensics Journal - Stevenson University 2013 | Page 67

as the research operating system because as of October 2012 it is the current version of Microsoft Windows (Microsoft Corporation). At the start of experiment one, Windows 7 was installed on a forensically clean hard drive. Skype version 5.10 [FREE] was installed and a user was created and named “joseph.skyperuser” to access the Skype website (Skype version 5.10). The research drive was imaged at this stage [INSTALLATION] in order to determine the default settings and installation files for Skype.

For experiment two, two additional Skype users were created on additional Windows 7 computers. All three computers logged into the Skype application, and multiple Skype sessions were conducted. Skype features such as chat, voice calls, video calls, file transfers and group chats were used. Contact information was sent and received. Unique nonsense text strings such as “ZXCVBNM” and “MNBVCX” were sent during the chat sessions to facilitate later searching. The SUBJECT computer was forced into hibernation in order to generate a “hiberfil.sys” file on the SUBJECT hard drive.

Skype from a Windows profile, a folder with that person’s Skype user name is created under the “[Profile]\AppData\Roaming\Skype” folder. Skype creates subfolders: “chatsync,” “voicemail,” and “httpfe,” as well as six database files: “bistats.db,” “dc.db,” “keyval.db,” “main.db,” “main.db-journal,” and “msn.db” (Shafer, Skype Data Experiments). Since the folders aren’t created until Skype is used for the first time, their existence would indicate some Skype usage by that end-user.

Each of these “.db” files is in the SQLite database format (Shafer, Skype Data Experiments). A public-domain, open-source relational database, SQLite is widely used by programmers to store data tables for their programs (Piccinelli). Because SQLite is open-source, there are many tools available to read the tables and data located in these databases.

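
A triage sketch for the folder and database artifacts described above, added here as an example and not taken from the article or from the cited experiments: it finds each Skype user-name folder under a profile, records which of the named subfolders and database files exist, and checks every file for the SQLite header before listing its tables. The function names, and the rule that a folder holding none of the six files is not a user-name folder, are assumptions.

```python
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of a SQLite 3 database file
SUBFOLDERS = ("chatsync", "voicemail", "httpfe")
DB_FILES = ("bistats.db", "dc.db", "keyval.db", "main.db",
            "main.db-journal", "msn.db")

def is_sqlite(path):
    """True when the file begins with the SQLite 3 header string."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def list_tables(path):
    """List table names; read-only and immutable, so SQLite takes no locks
    and writes nothing to the evidence copy."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()

def triage_skype(profile_dir):
    """Map each Skype user-name folder under the profile to what it holds."""
    root = Path(profile_dir) / "AppData" / "Roaming" / "Skype"
    report = {}
    if not root.is_dir():
        return report  # no Skype folder under this profile
    for user_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        dbs = {}
        for name in DB_FILES:
            f = user_dir / name
            if f.is_file():
                ok = is_sqlite(f)
                dbs[name] = {"sqlite": ok,
                             "tables": list_tables(f) if ok else []}
        if dbs:  # assumption: none of the six files means not a user folder
            report[user_dir.name] = {
                "subfolders": [s for s in SUBFOLDERS if (user_dir / s).is_dir()],
                "databases": dbs,
            }
    return report

if __name__ == "__main__":
    import sys
    for user, found in triage_skype(sys.argv[1]).items():
        print(user, found["subfolders"], sorted(found["databases"]))
```

Run it against a mounted image or an exported copy of the profile folder, never the live evidence drive.
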
SKYPE REGISTRY DATA

Another location for Skype installation and data artifacts is the Windows Registry (Shafer, Skype Data Experiments). The Windows Registry is a database that tracks all information and settings for an installation of Windows (Honeycutt). Relevant artifacts in the software Registry file are the installation date and time, the installation folder and version number. The Skype up