Presented By: Manpreet Singh Randhawa CSc 253
Date post: 13-Dec-2015
Upload: stuart-parker

Transcript
Page 1: Presented By: Manpreet Singh Randhawa CSc 253. Chat Forensics Traditional Chat Forensics Web-based Chat Forensics IM Comparison Skype Security Skype Communication.

Presented By:Manpreet Singh Randhawa

CSc 253

Page 2

- Chat Forensics
- Traditional Chat Forensics
- Web-based Chat Forensics
- IM Comparison
- Skype Security
- Skype Communication Framework
- Skype As A Threat To Enterprise Network Security
- Skype Forensics – Tools
- Paraben Chat Examiner
- Belkasoft Forensic IM Analyzer
- Legal Issues

Page 3

- More and more people are communicating through chat.
- Popularity and purported privacy of instant messaging exploited by criminals, especially online predators.
- Loads of digital evidence.
- Digital forensic examiners need to perform a thorough analysis of chat logs, registry keys and other artifacts.
- Several chat programs: ICQ, Yahoo, MSN, Trillian, AIM, Hello, Skype, Miranda, Google Talk, and more.
- Chat rooms where people from across the world can communicate using various methods: text messaging, pictures, audio, video, webcam, file sharing, etc.

Page 4

- Instant messaging is the process of exchanging text messages, etc. in real time between two or more people logged into a particular instant messaging service.
- Client-based messaging programs such as AIM, MSN Messenger, Yahoo Messenger, etc. require some form of installation on the client machine. Users need to authenticate.
- The messaging server can archive the IP address of the user, which can pinpoint a user to a specific computer or geographical location.
- Conversations are not logged by messaging servers. Information can be recovered from the suspect’s machine.

Page 5

- Chat logs are saved on the user machine as per user specification or at a default location such as Program Files.
- Several evidentiary artifacts:
  - Chat logs
  - Registry keys
  - File transfers
  - Configuration files
  - Archived/deleted messages
  - Stored “buddy” lists

Page 6

Page 7

- Traditional messaging clients that can be accessed using only a web browser, viz. AIM Express, Google Talk, Meebo, E-Buddy, etc.
- Real-time messaging between two or more people using a web interface (without access to a traditional client).
- Volatile nature of the data and artifacts created: after the web browser is closed or the machine is shut down, no records of user activity or chat log archives are retained.
- Programs do not write to registry keys or leave configuration files on the client machine.
- Investigators can only look at remnants of whole or partial conversations dumped to page files or unallocated space on the hard disk.

Page 8

- Artifacts partially recovered include time estimate, conversation details, screen names, and buddy list details.
- Browser forensics come in handy. Valuable information is found in:
  - Internet cache files
  - History.IE5
  - Index.dat file
  - Temporary Internet Files\Content.IE5
  - Cookies
  - Pagefile.sys
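The remnants described on pages 7 and 8 (chat lines that survive only in pagefile.sys or unallocated clusters) are usually recovered by carving printable text out of raw bytes rather than by parsing a file. The following Python carver is an added example, not part of the slide deck or of any tool it names. It assumes a common "[HH:MM:SS] screenname: message" line layout and a restricted screen-name character set (both assumptions; real clients vary), handles ASCII and UTF-16LE text, flags lines that were cut off by overwritten data, and records the byte offset of each hit so it can be cited in a report. The `SAMPLE` bytes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Printable runs in the two encodings Windows memory and pagefile data usually
# hold: 8-bit ASCII text, and UTF-16LE where every character is followed by NUL.
ASCII_RUN = re.compile(rb"[\x20-\x7e\t\r\n]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e\t\r\n]\x00){8,}")

# One chat line as many IM clients render it: "[HH:MM:SS] name: message" or
# "(H:MM PM) name: message". The exact layout and the screen-name character
# set are assumptions for this example; real clients vary.
CHAT_LINE = re.compile(
    r"^[\[(](?P<time>\d{1,2}:\d{2}(?::\d{2})?(?:\s?[AP]M)?)[\])]\s*"
    r"(?P<name>[A-Za-z0-9_.\-]{2,32}):\s(?P<msg>.*)$"
)
TIME_PREFIX = re.compile(r"^[\[(]\d{1,2}:\d{2}")


@dataclass
class Fragment:
    offset: int            # byte offset of the line in the scanned data
    encoding: str          # "ascii" or "utf-16-le"
    time: Optional[str]    # None when only a truncated stub survived
    name: Optional[str]
    msg: str
    partial: bool          # True when non-text bytes cut the run mid-line


def _printable_runs(data: bytes) -> Iterator[Tuple[int, str, str, bool, int]]:
    """Yield (offset, encoding, text, cut_short, bytes_per_char) per run."""
    for enc, pattern, width in (("ascii", ASCII_RUN, 1), ("utf-16-le", UTF16_RUN, 2)):
        for m in pattern.finditer(data):
            text = m.group().decode(enc)
            # A run that stops on a non-text byte before the end of the buffer
            # and has no final newline was probably overwritten mid-line.
            cut_short = m.end() < len(data) and not text.endswith("\n")
            yield m.start(), enc, text, cut_short, width


def carve_chat_fragments(data: bytes) -> List[Fragment]:
    """Recover chat-line remnants from raw bytes such as pagefile.sys contents
    or unallocated clusters, in both ASCII and UTF-16LE, keeping the offset of
    each hit so it can be cited in a report."""
    found: List[Fragment] = []
    for start, enc, text, cut_short, width in _printable_runs(data):
        lines = text.splitlines(keepends=True)
        pos = 0
        for i, raw in enumerate(lines):
            line = raw.rstrip("\r\n")
            offset = start + pos * width
            pos += len(raw)
            is_last = i == len(lines) - 1
            m = CHAT_LINE.match(line)
            if m:
                found.append(Fragment(offset, enc, m["time"], m["name"], m["msg"],
                                      partial=is_last and cut_short))
            elif is_last and cut_short and TIME_PREFIX.match(line):
                # A timestamp survived but the rest was overwritten: keep the stub.
                found.append(Fragment(offset, enc, None, None, line, partial=True))
    found.sort(key=lambda f: f.offset)
    return found


# Constructed sample standing in for a slice of pagefile/unallocated space:
# binary noise, an ASCII conversation cut off mid-line, a UTF-16LE line, and
# an unrelated HTTP header that must not be reported as chat.
SAMPLE = (
    b"\x00\x07\xfa\x13MZ\x90\x00"
    + b"[21:14:03] alice_k: did you get the file?\r\n"
    + b"[21:14:20] bob77: yes, sending the next one\r\n"
    + b"[21:15:0"
    + b"\xff\xfe\x00\x00\x11\x22"
    + "(9:02 PM) carol: meet at the usual place\r\n".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + b"Content-Type: text/html; charset=utf-8\r\n"
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    for f in carve_chat_fragments(SAMPLE):
        flag = " (partial)" if f.partial else ""
        print(f"0x{f.offset:08x} {f.encoding:9} {f.time or '-':>8} {f.name or '-'}: {f.msg}{flag}")
```

Run against a real pagefile or an unallocated-space export by reading the file in binary and passing the bytes to `carve_chat_fragments`; the `partial` flag and the offset are what distinguish a defensible "remnant of a partial conversation" from a complete line, which matters when the result is later challenged in the way the legal-issues slide describes.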

Page 9

Page 10

Page 11

- Skype provides transport-layer security to ensure that message content traveling over Skype cannot be tapped or intercepted.
- Skype's encryption is always on and cannot be turned off.
- Skype employs strong end-to-end encryption using 256-bit AES, which is then authenticated by PKI cryptography, to guarantee authenticity, secrecy, and integrity of communication over Skype.
- Only username, version, and IP address are stored at servers.
- Skype does not record any content from communications.

Page 12

- Skype HTTP Server – HS
- Skype Client – SC
- Super Node – SN
- Registration Super Node – RSN
- Authentication Super Node – ASN
- Location Super Node – LSN
- Neighbour Super Node – NSN

Page 13

- Peer-to-peer (P2P) voice over IP (VoIP) technology.
- Skype’s super node (SN) mechanism threatens network availability.
- Ability to traverse network address translation (NAT) mechanisms.
- Ability to bypass corporate firewalls.
- Skype’s payload is encrypted end to end.
- Skype seems flawless but has one loophole – it allows multiple logins for the same account.

Page 14

Page 15

Page 16

- Supports ICQ 1999-2003b, Yahoo, MSN 6.1, 6.2, 7.0 & 7.5, Trillian, Hello, Skype & Miranda chat logs.
- Auto-search function helps locate chat logs.
- Complete bookmarking and reporting functionality.
- Advanced filtering and searching options.
- Open multiple chat databases in one workspace.

Page 17

- Support for ICQ (all versions from 97a to ICQ6), Microsoft MSN/Live Messenger, Skype, Yahoo! Messenger, MySpace IM, &RQ, Miranda, SIM, QIP, QIP Infium, Google Hello, Trillian, QQ and AIM.
- Intellectual search for history files in folders other than the default IM history folders.
- Search can be performed on all of the computer's drives as well as on mapped network drives (including EnCase mapped drives).

Page 18

United States v. Jackson, 2007 WL 1381772 (D. Neb. May 8, 2007). In a criminal case, the defendant filed a motion in limine to exclude evidence of chat room conversations.

At the conclusion of each chat room session, an undercover police officer conducting the chat room conversation would cut-and-paste the entire conversation into a word document for later review. However, a computer forensics expert testified that this cut-and-paste method created several errors and that several portions of the defendant’s conversations were omitted. The defendant argued the omitted portions of the transcript contained evidence relating directly to his intent and should not be admitted as evidence.

The court found that the cut-and-paste document was not admissible evidence at trial because it was not authentic under the Federal Rules of Evidence.


Page 19

Thank You!