Skype Blog

Investigating Skype for Desktop and Windows Application

15/06/2021 Tuesday

Skype is a software that allows users to communicate with one another and is used by millions of individuals and companies to make free video and voice one-to-one and group calls, send instant messages, and exchange files with others. Skype can be used in laptops, mobile devices, or tablets and available for Microsoft Windows, Apple macOS, and Linux computers, and mobile apps for iOS, Android, and Windows Phone smartphones and tablets.

Digital Forensics Value of Skype Artifacts

In Skype, the artifacts hold information about users' accounts, all of their activities, and also contains information about the stored and shared files. From a forensic perspective, it can provide us with a lot of resources that can be used as critical evidence. Suspects, on the other hand, can delete information by wiping conversation archives or physically destroying Skype logs. Tracking such information is critical during the digital forensic analysis process.

Location of Skype Artifacts

In Windows 7 Skype artifacts are located at:

C:\Users\%username%\AppData\Roaming\Skype\SkypeUserName\main.db

In Windows 10 Skype artifacts are located at:

C:\Users\%username%\AppData\Local\packages\Skype\LocalState\SkypeUserName\main.db

Whereas Skype Windows Application artifacts are located at:

C:\Users\%username%\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c/LocalState/live#3akabiletester/main.db
C:\Users\%username%\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c/LocalState

Structure of Skype Artifacts

Skype for desktop and Skype Windows application have identical structure that consist of databases that include information about user accounts, contacts, chats, voice calls initiated and received, and other information. All information is stored in main.db file and these files are SQLite database files.

Analyzing Skype Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Skype artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Skype artifacts:

ArtiFast can analyze Accounts, Calls, Contact Messages, Contacts, File Transfer, Gif Messages, Groups, Location Messages, Other Events, Photo Messages, Text Messages, Video Messages, and Voice Messages for Skype desktop. ArtiFast can also analyze Accounts, Alerts, Audio Messages, Calls, Contact Messages, Contacts, Conversations, Emotions, File Messages, File Transfer, Gif Message, Location Messages, Other Events, Other Messages, Photo Messages, Profile Cache, Scheduled Calls, Text Messages, Video Messages, and Audio Messages for different Skype Windows application versions.

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Skype artifacts in ArtiFast software.

For Skype desktop and newer Windows application versions:

Skype Accounts Artifact

Display Name - Account display name.
Home Phone - Account home phone.
Is Blocked - Indicates whether the account is blocked.
Gender - Account gender.
Full Name - Account user full name.
Country - Account country.
Mood Text - Account mood text.
Home Page - Account home page.
Office Phone - Account office phone.
Languages - Account languages.
Signing Name - Account signing name.
About - General information about the account.
Province - Account province.
Birthday - Account user's birthday.
Emails - Account emails.
Mobile Phone - Account mobile phone.
Last Online Date - Account's last online date and time.
Skype Name - Account Skype name.
City - Account city.
Created Date - Account created date and time.

Skype Calls Artifact

Call Members - Members of the call.
Caller Mri Identity - Caller Mri identity.
Call Duration - Call duration.
Is Muted - Indicates whether the call is muted.
Is Conference - Indicates whether the call is a conference call.
Call Type - Indicates the call type (outgoing, ingoing, or missed).
Call Status - Indicates the call status (missed, cancelled, busy, queued, starting, ringing, ongoing, or failed).
Call Source - The call source.

Skype Contacts Artifact

Birthday - Contact birthday.
Gender - Contact gender.
City - Contact city.
Emails - Contact emails.
Display Name - Contact display name.
Avatar URL - Contact avatar URL.
Is Blocked - Indicates whether the contact is blocked.
Province - Contact province.
Full Name - Contact user's full name.
Country - Contact country.
Skype Name - Contact Skype name.
Office Phone - Contact office phone.
Languages - Contact languages.
Last Online Date - Contact’s last online date and time.
Home Page - Contact home page.
Home phone - Contact home phone.
About - General information about the contact.
Mobile Phone - The contact mobile phone.

Skype File Transfer Artifact

Message Date - The date and time of the message.
File Size - The file size in bytes.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Participant Count - The participant count of the file.
From Display Name - The sender(s) of the file.
Author - The author of the file.
File Type - The file type.
File Uri - The file Uri.
Chat Name - The file chat name.
File URL - The file URL.
File Thumbnail - The file thumbnail.
Is Grouped - Indicates whether the file is grouped.
Participants - The participants of the file.
File Original Name - The file original name.

Skype Gif Messages Artifact

Message Date - The date and time of the message.
Is Grouped - Indicates whether the gif is grouped.
Gif original Name - The gif original name.
Participant Count - The participant count of the file.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Gif Uri - The gif Uri.
Gif Size - The gif size in bytes.
File Type - The file type.
Author - The author of the gif.
From Display Name - The sender(s) of the gif.
Chat Name - The gif chat name.
Participants - The participants of the gif.
Gif Thumbnail - The gif thumbnail.
Gif URL - The gif URL.

Skype Groups Artifact

Group Display Name - The group display name.
Meta Topic - The group meta topic.
Group Identity - The group identity.
Group Creator - The group creator.
Last Activity Date - The last date and time of the group activity.
Participants - The participants of the group.

Skype Location Messages Artifact

Message Date - The date and time of the message.
Address - The address of messages.
User Mri - The user Mri.
Participants - The participants of the message.
Locale - The message location.
Is Grouped - Indicates whether the message is grouped.
Short Address - The short address of the message.
Is User Location - Indicates whether The User location of the message is activated.
Participant Count - The participant count of the message.
Time Zone - The time zone.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Location Timestamp - The location timestamp of the message.
Latitude - The latitude of the message.
Author - The author of the message.
Address Name - The address name of the message.
Longitude - The longitude of the message.
Location URL - The location URL of the message.
Chat Name - The message chat name.
From Display Name - The sender(s) of the message.
Language - The message language.

Skype Other Events Artifact

Message Date - The date and time of the message.
Chat Name - The chat name.
Author - The author’s name.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
From Display Name - The sender(s) display name.
Message Type - The message type.
Participants - The name of participants.
Message Body - The message body.
Participant Count - The participant count of the message.
Is Grouped - Indicates whether the message is grouped.

Skype Photo Messages Artifact

Message Date - The date and time of the message.
From Display Name - The sender(s) display name of the photo message.
Photo Uri - The photo message Uri.
Author - The author’s name of the photo message.
Chat Name - The chat name of the photo message.
Media Type - The media type.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Participant Count - The participant count of the photo message.
Photo Width - The width of the photo.
Is Grouped - Indicates whether the photo is grouped.
Participants - The name of participants.
Photo Thumbnail - The photo thumbnail.
Photo URL - The photo URL.
Photo Original Name - The photo's original name.
Photo Height - The photo height.
Photo File Size - The photo file size in bytes.

Skype Contact Messages Artifact

Message Date - The date and time of the message.
Author - The author’s name of the message.
From Display Name - The sender(s) display name of the message.
Chat Name - The chat name of the message.
Participants - The name of the message participants.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Is Grouped - Indicates whether the message is grouped.
Participant Count - The participant count of the message.
Contacts - Sent contacts information.

Skype Text Messages Artifact

Message Date - The date and time of the message.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Author - The author’s name of the message.
Chat Name - The chat name of the message.
Is Grouped - Indicates whether the message is grouped.
Participants - The name of the message participants.
From Display Name - The sender(s) display name of the message.
Message Body - The message body.
Participant Count - The participant count of the message.

Skype Video Messages Artifact

Message Date - The date and time of the message.
Chat Name - The chat name of the message.
Author - The author’s name of the message.
Participant Count - The participant count of the message.
From Display Name - The sender(s) display name of the message.
Video Original Name - The video original name.
Video URL - The video URL.
Participants - The name of the message participants.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Is Grouped - Indicates whether the message is grouped.
Video Size - The video size in bytes.
File Type - The file type.
Video Thumbnail - The video thumbnail.
Video URL - The video URL.

Skype Voice Messages Artifact

Message Date - The date and time of the message.
Is Grouped - Indicates whether the message is grouped.
Media Uri - The media Uri.
From Display Name - The sender(s) display name of the voice message.
Chat Name - The chat name of the voice message.
Message Status - Indicates the message status (sent, received, read, failed, or deleted).
Participants - The name of the message participants.
Media Thumbnail - The media thumbnail.
Media URL - The media URL.
Participant Count - The participant count of the voice message.
File Type - The file type.
Author - The author’s name of the author's message.
Media Original Name - The media original name.
Media Size - The media size in Bytes.

For Skype Windows application older versions:

Skype (Win Apps) Alerts Artifact

Time Alert Received - The date and time an alert was received.
GUID - GUID.
Alert Type - The type of the alert.
Is Reads - Indicates whether the alert was read.
Message Summary - Summary of the message content.

Skype (Win Apps) Audio Messages Artifact

Message Date - The date and time of the message.
Link - Audio link.
Original Name - The video original name.
Title - Title.
Description - The audio message description.
File Size - The media size in Bytes.
Thumbnail URL - The media thumbnail URL.
Creator - The user’s Id.
From - The author’s chat.
Uri - The media Uri.
Type - The media type.
Conversation Link - The conversations that the current user has most recently interacted with.
ID - Id.
CUID - CUID.
Conversation ID - Conversation ID.
Original Arrival Time - The Original Arrival date and time of the message.
Compose Time - The date and time a message was composed.
Ams ID - Ams Id.

Skype (Win Apps) Calls Artifact

Start Time - The date and time a call started.
Participants - The participants of the call.
Direction - Indicates the call direction (outgoing or ingoing).
Type - Indicates the call type.
Status - Indicates the call status (missed, cancelled, busy, queued, starting, ringing, ongoing, or failed).
Originator - The call source.
Target - The call destination.
End Time - The date and time a call ended.
Connect Time - The date and time of when the call connected.
ID - Id.
Thread ID - The thread Id of a call.
Message CUID - The message CUID of a call.

Skype (Win Apps) Contact Messages Artifact

Creation Time - The date and time the message was created.
Contact Info - The contact information.
Creator - The author’s Id.
From - The author’s chat.
Conversation Link - The conversations that the current user has most recently interacted with.
Original Arrival Time - The Original Arrival date and time of the message.
Compose Time - The date and time a message was composed.
ID - Id.
CUID - CUID.
Conversation ID - Conversation ID.

Skype (Win Apps) Conversations Artifact

Creation Time - The date and time the last message was created.
Conversation Link - The conversations that the current user has most recently interacted with.
Last Received Time - The date and time the last message was received.
Conversation Status - Conservation status.
Conversation ID - Conversation ID.
Last Message Content - The last massage body.
Last Message Type - The type of the last message.
Last Message Creator - The author’s Id.
Last Message From - The author’s chat.
Is Blocked - Indicates whether the contact is blocked.
Is Empty Conversation - Indicates whether the conversation is empty.
Last Message ID - Id of the last message.
Last Message Arrival Time - The Original Arrival date and time of the message.
Last Message Compose Time - The date and time a message was composed.
CUID - CUID.

Skype (Win Apps) Emotions Artifact

Contact Reacted Time - The date and time the contact reacted.
Emotions - The contact’s reaction.
Skype Name - The contact’s skype name.
Massage Content - The reacted message content.

Skype (Win Apps) File Message Artifact

Creation Time - The date and time the message was created.
Link - The file URL.
Original Name - The photo's original name.
Thumbnail URL - The photo thumbnail URL.
Uri - The file Uri.
Title - Title.
File Size - The file size in bytes.
Description - The file description.
Creator - The author of the file Id.
From - The author’s chat.
CUID - CUID.
File Type - The file type.
ID - Id.
Conversation Link - The conversations that the current user has most recently interacted with.
Conversation ID - Conversation ID
Original Arrival Time - The Original Arrival date and time of the message.
Compose Time - The date and time a message was composed.
Ams ID - Ams Id.

Skype (Win Apps) Location Messages Artifact

Creation Time - The date and time the message was created.
Address - The address of messages.
Address Friendly Name - The address of messages.
Short Address - The address of messages.
Latitude - The latitude of the message.
Longitude - The longitude of the message.
Timestamp - The location timestamp of the message.
Time Zone - The time zone.
Creator - The user’s Id.
From - The author’s chat.
User Mri - The user Mri.
Locale - The message location.
Conversation Link - The conversations that the current user has most recently interacted with.
CUID - CUID.
ID - Id.
Conversation ID - Conversation ID
Original Arrival Time - The Original Arrival date and time of the File message.
Compose Time - The date and time the file message was composed.
Ams ID - Ams Id.

Skype (Win Apps) Other Messages Artifact

Creation Time - The date and time the message was created.
Content - The message body.
Message Type - Indicates the message type.
Creator - The user’s Id.
From - The author’s chat.
Conversation Link - The conversations that the current user has most recently interacted with.
Original Arrival Time - The Original Arrival date and time of the message.
Compose Time - The date and time a message was composed.
CUID - CUID.
Conversation ID - Conversation ID
ID - Id.

Skype (Win Apps) Photo Messages Artifact

Creation Time - The date and time the message was created.
Link - The photo URL.
Original Name - The photo's original name.
Title - Title.
Description - The photo's description.
Thumbnail URL - The photo thumbnail URL.
File Size - The photo's size in bytes.
Photo Width - The width of the photo.
Photo Height - The hight of the photo.
Creator - The user’s Id.
From - The author’s chat.
ID - Id.
CUID - CUID.
Type - The media type.
Meta Type - Meta type.
Conversation Link - The conversations that the current user has most recently interacted with.
Conversation ID - Conversation ID
Original Arrival Time - The Original Arrival date and time of the message.
Compose Time - The date and time a message was composed.
Uri - The photo message Uri.
Ams ID - Ams Id.

Skype (Win Apps) Profile Cache Artifact

Date - The date and time a profile was fetched.
User Mri - User mri.
Full Name - User full name.
Display Name - User display name.
Gender - user gender.
City - The city the person lives in.
Province - The province the person lives in.
Country - The country the person lives in.
Thumbnail Url - Thumbnail URL.
Birthday - The birth date of the user.
Mood Text - The user mood text.
Phone Numbers - The user phone number.
Emails - The user email address.
Is Authorized - Indicates whether it is authorized.
Is Manually Added - Indicates whether it is manually added.
Is Favorite - Indicates whether it is favorited.
Is Blocked - Indicates whether it is blocked.

Skype (Win Apps) Scheduled Calls Artifact

Scheduled Call Time - The date and time a call is scheduled.
Subject - Subject of the scheduled call.
Organizer - The user’s Id.
Receivers - The participant(s) Id.
ID - Id.
CUID - CUID.
Conversation ID - Conversation ID.

Skype (Win Apps) Text Messages Artifact

Creation Time - The date and time of the message.
Content - The message body.
Creator - The user’s Id.
From - The author’s chat.
Conversation Link - The conversations that the current user has most recently interacted with.
Conversation ID - Conversation ID
Original Arrival Time - The Original Arrival date and time of the message.
Compose Time - The date and time a message was composed.
CUID - CUID.
ID - Id.

Skype (Win Apps) Video Messages Artifact