Skype Forensic Analysis for In-depth Investigation

MailXaminer | May 7th, 2019 | Forensics

Skype is one of the secured application used by the millions of people to communicate with friends, families, colleagues and all. Which provides the services like instant messaging, voice & video calls and many other communication options. Cyber crimes through digital communication medium are increasing day by day. It increases the necessity of Skype forensic analysis. Proper Skype investigation help the investigators to extract the forensics artifacts from the Skype database. Skype forensics involves the analysis chat, call, SMS and other related information with the help of Skype forensics tool.

Skype is a well known VoIP application which uses the peer to peer architecture instead of a conventional client-server model for instant communication. VoIP (Voice Over Internet Protocol) acts as an alternative for telephonic communication. It replaces through cables and phone numbers by providing communication through Internet Protocols. To manage and secure the connection between the users Skype uses stronger encoding methods like TLS & RTP. This property results in the misuse of Skype platform by the criminals to perform the cyber crimes. The decryption and extraction of the digital evidence/ artifacts fro this secure encoding is one of the main challenge faced by the forensic investigators during the Skype digital forensics.

Location of Skype Log file

Before starting the analysis of the Skype data the first step needs to be performed is finding the Skype log file from the system. The default location of Skype log files is given below which helps to extract the Skype forensics artifacts.

Linux: ~/.Skype/SKYPE-USER/

Windows XP & previous versions: C:\Documents and Settings\WINDOWS-USER\Application Data\Skype\SKYPE-USER\

Windows Vista & later versions: C:\Users\WINDOWS-USER\AppData\Roaming\Skype\SKYPE-USER\

Types of Skype Files Generating

The aim of Skype forensic analysis is to identify the Skype database from the seized and extract the digital evidence from it. Before going to start the Skype digital forensics the important thing which each investigator should know for the efficient analysis of the data are What are types of data files are generated and stored in the system, The location & formats of the files and finally how to examine the data. We already saw the location of the Skype log file in the system next we going to see the various types of files generated in the system that is:

  • Skype Main.db: It is the Skype database file which contains information such as call details, messages, chats, with a list of contacts, time interval, visited websites, etc.
  • Shared XML file: It is an XML file which helps the investigators to check the timestamps of user activities. It will contain the encoded data such as username, last IP used, etc.
  • Skype Config XML file: This is another XML file created on both Windows &Linux. Which contains the configuration information and the timestamp field of the file shows when the user last use the Skype to connect with the contacts.
  • Chatsync folder: It contains the chat history of the user in the DAT file format. It has many files of Skype user chat and also it contains the time of last chat end between two users.

In the modern era, the importance of Skype investigation is increasing day by day. But for the detailed examination of Skype forensics artifacts, the manual method is not enough. Most of the manual methods are very time consuming and not efficient extracting the evidence from the database. Which makes the investigator search for efficient Skype forensics tool that helps in the efficient Skype database forensics.

Skype Forensics with Computer Forensics Tool

Whenever the manual methods are felt as very time consuming and tiring process the users search for the replacement solution which helps to perform Skype forensic analysis inefficiently. MailXaminer is the recommended email forensics tool which helps the investigators to perform the Skype digital forensics in a more effective way. Follow the steps given below to perform Skype database forensics with the help of Skype forensics tool.

Step 1 

Open the software and click on the Add Evidence button to add the Skype database file into the software. Select the Skype option from the Messenger tab of the appeared popup window. The window will allow you to browse Skype database file fro the local system. It will contain Skype data such as “Chat, Call, SMS”.

add evidence

Step 2

To examine the Skype chat while performing the Skype forensic analysis go to the Chat tab from the Mail section of the computer forensics tool and open the main.db file. Which will provide you the information related to the chat occur between two users such as “Sender, Receiver, Message, Start Time, Chat Message Type, MD5, SHA1”. It will help the investigator to perform the Skype chat forensics and extract evidence reside in it.


 Step 3 

If Skype database file contains any call details in it the user can access the data through the Call section of the Skype forensics tool. Go to the Mail tab and select the Call section which will provide you the information such as “Initiator, Participants, Start Time, Duration, MD5, SHA1”.


Step 4 

To analyze the communication take place through the Skype SMS go to the SMS section of the software. Which will give you the information such as “Sender, Receiver, Message, Price”.


Final Words

Skype forensics is an emerging field of forensic investigation which mainly focuses on the criminal activities taken place through Skype communication. The Skype forensic analysis help the investigators to examine the Skype communication and extract the forensic artifacts from the Skype database. With the help of Skype forensics tool user can efficiently perform the analysis of the Skype data and the communication take place through it.