WEBVTT

0:00:02.960000 --> 0:00:07.520000
In this video, we'll investigate a case which involves Skype, an application

0:00:07.520000 --> 0:00:10.880000
that is used for communication, regardless of the type of communication,

0:00:10.880000 --> 0:00:14.500000
which can occur over PC or phone.

0:00:14.500000 --> 0:00:17.160000
As you might come across a case in the future that requires you to investigate

0:00:17.160000 --> 0:00:21.940000
Skype, I wanted to introduce you to a very useful tool called Skyperious.

0:00:21.940000 --> 0:00:26.600000
Skyperious is a very easy tool to use, and we can use it to investigate

0:00:26.600000 --> 0:00:33.140000
a case that has... First, if you are using Skyperious in an investigation

0:00:33.140000 --> 0:00:37.760000
on a live system, you can press this button, Detect Databases, and it

0:00:37.760000 --> 0:00:40.640000
will automatically try to detect if there is any Skype profile on this

0:00:40.640000 --> 0:00:44.980000
machine. Since my machine does not have a Skype profile, it won't be here,

0:00:44.980000 --> 0:00:48.400000
but we have a case that we need to investigate that involves Skype.

0:00:48.400000 --> 0:00:51.560000
Let's first add this case to FTK.

0:00:51.560000 --> 0:00:55.500000
As you may know, to add a case, we'll click on this icon, select Image

0:00:55.500000 --> 0:00:57.600000
File, and click the Next button.

0:00:57.600000 --> 0:01:02.040000
Then we'll browse to the location of the file, select it, and click Open,

0:01:02.040000 --> 0:01:04.880000
and lastly, the Finish button.

0:01:04.880000 --> 0:01:07.740000
Now we have an NTFS file system.

0:01:07.740000 --> 0:01:11.600000
This is our Windows machine that we took a forensic image of.

0:01:11.600000 --> 0:01:15.660000
Let's now go to Users, and we'll go to Hunter, which is the user we suspect

0:01:15.660000 --> 0:01:17.320000
and want to investigate.
0:01:17.320000 --> 0:01:21.900000
Let's go to this user's profile by selecting Hunter, and now we'll select

0:01:21.900000 --> 0:01:25.580000
Application Data, because that is where the information is stored, like

0:01:25.580000 --> 0:01:28.780000
conversations and other details.

0:01:28.780000 --> 0:01:32.620000
We'll now go to Roaming, and now we see Skype.

0:01:32.620000 --> 0:01:36.520000
The database that Skype uses to store this evidence is actually this one,

0:01:36.520000 --> 0:01:38.260000
and this is the evidence.

0:01:38.260000 --> 0:01:45.180000
If you don't know, you can right-click the Skype folder, select Export

0:01:45.180000 --> 0:01:48.460000
Files, and choose where you want to export them to.

0:01:48.460000 --> 0:01:56.120000
Now we are exporting all the evidence that is related to Skype.

0:01:56.120000 --> 0:01:58.520000
Let's go back to Skyperious.

0:01:58.520000 --> 0:02:02.540000
Now, suppose we don't know which database we actually want to investigate,

0:02:02.540000 --> 0:02:04.760000
or which one is of interest to us.

0:02:04.760000 --> 0:02:07.400000
So, let's select Import from Folder.

0:02:07.400000 --> 0:02:13.100000
Let's find our folder, click on Recover, select Skype, and click the Select

0:02:13.100000 --> 0:02:17.120000
Folder button. Skyperious automatically imported all the database files

0:02:17.120000 --> 0:02:19.080000
that it managed to see.

0:02:19.080000 --> 0:02:26.620000
Now, if we click on them and look over to the left, it is not recognizing

0:02:26.620000 --> 0:02:28.560000
it as a Skype database.

0:02:28.560000 --> 0:02:32.680000
What we can do is remove this database from the list by clicking the Remove

0:02:32.680000 --> 0:02:34.340000
button at the bottom.

0:02:34.340000 --> 0:02:36.940000
This allows us to clear things that we don't need.

0:02:36.940000 --> 0:02:41.260000
Like with this selection here, it's also not related to Skype, so Skyperious

0:02:41.260000 --> 0:02:45.020000
was not able to understand it.
0:02:45.020000 --> 0:02:48.280000
If we double-click it, it does not show anything because it has not been

0:02:48.280000 --> 0:02:50.500000
identified as a database.

0:02:50.500000 --> 0:02:55.800000
So, we can go ahead and clear this one too, and any others that are not

0:02:55.800000 --> 0:03:03.060000
recognized. Now this particular selection has details that tell us it

0:03:03.060000 --> 0:03:07.700000
was last modified on June 21, 2016, which could be the last time there

0:03:07.700000 --> 0:03:10.940000
was a conversation.

0:03:10.940000 --> 0:03:15.840000
It was between this user, HunterHPT, which is this Skype ID, and another

0:03:15.840000 --> 0:03:18.940000
person called Linux RUL3Z.

0:03:18.940000 --> 0:03:24.700000
There are 46 messages, and as mentioned a bit earlier, this was the date

0:03:24.700000 --> 0:03:26.680000
that they last had a conversation.

0:03:26.680000 --> 0:03:31.800000
So, now if we double-click on it, we can see 45 messages.

0:03:31.800000 --> 0:03:35.800000
When it was created, the first message date and time, the last message

0:03:35.800000 --> 0:03:39.880000
date and time, the type is single, which means the conversation was only

0:03:39.880000 --> 0:03:43.580000
between two people, Linux RUL3Z and HunterHPT.

0:03:43.580000 --> 0:03:46.760000
There was another message, which shows that they were testing the Echo

0:03:46.760000 --> 0:03:50.460000
service, where Skype allows you to test your mic.

0:03:50.460000 --> 0:03:54.260000
If we double-click on their chat, we can see all of the messages between

0:03:54.260000 --> 0:04:01.820000
them. In here on the right, you can see the option to show messages from

0:04:01.820000 --> 0:04:03.080000
a particular user,

0:04:03.080000 --> 0:04:07.120000
allowing you to filter the messages based on the sender.

0:04:07.120000 --> 0:04:16.900000
There are more useful features to explore.

0:04:16.900000 --> 0:04:21.000000
Here, you can search for a keyword in the Find message with text field.
0:04:21.000000 --> 0:04:24.300000
We can even export messages to a file.

0:04:24.300000 --> 0:04:27.280000
Let's go ahead and do that and export these messages.

0:04:27.280000 --> 0:04:33.560000
If you have a password, you can add it here.

0:04:33.560000 --> 0:04:37.800000
If you don't, there will be an error, as it will try to log into Skype.

0:04:37.800000 --> 0:04:39.360000
However, it won't.

0:04:39.360000 --> 0:04:41.440000
I'll just go ahead and click Cancel.

0:04:41.440000 --> 0:04:46.180000
The export shows us the messages between these two users, HunterHPT and

0:04:46.180000 --> 0:04:50.340000
Linux RUL3Z. It also shows us where the database is from and the total

0:04:50.340000 --> 0:04:51.760000
number of messages.

0:04:51.760000 --> 0:04:55.520000
We also see when the first message was, what they were talking about,

0:04:55.520000 --> 0:04:58.700000
as well as the duration, which is here on the right.

0:04:58.700000 --> 0:05:03.740000
If we click on the information, it provides us even more details.

0:05:03.740000 --> 0:05:07.240000
We can see that HunterHPT is from Amman, Jordan.

0:05:07.240000 --> 0:05:10.800000
The birth date is here.

0:05:10.800000 --> 0:05:14.260000
We have the database tables here, and we can even expand and check them

0:05:14.260000 --> 0:05:16.100000
out if we wanted.

0:05:16.100000 --> 0:05:23.360000
If we click on the SQL window, we can write a query here.

0:05:23.360000 --> 0:05:27.520000
Skyperious is a great tool to investigate a case that involves Skype.

0:05:27.520000 --> 0:05:30.900000
As we saw earlier, this tool allows you to know what country and city

0:05:30.900000 --> 0:05:34.920000
the user is communicating from, the number of messages, how many contacts

0:05:34.920000 --> 0:05:39.060000
were in the conversation, how many messages were sent, how many messages

0:05:39.060000 --> 0:05:43.920000
were received, and the date and time of the first and last message.
0:05:43.920000 --> 0:05:48.140000
Skyperious is a free, open-source tool and is easy to install.

0:05:48.140000 --> 0:05:51.740000
I highly recommend that you use it.

0:05:51.740000 --> 0:05:55.660000
This concludes our video lesson on how to collect and analyze Skype artifacts.

0:05:55.660000 --> 0:05:57.480000
Thanks for joining us.