Nowadays, much everyday information exchange takes place through Instant Messengers and social networks. Some social networks have their own mobile apps whose functionality is comparable to that of IM messengers.
Where is the history of Instant Messengers stored?
Some Instant Messengers, such as Skype and WhatsApp, store their history locally (on a computer or mobile device).
Others, such as Telegram, store their history partly locally and partly in the cloud. The amount of information stored locally varies: it may be account info, cache, chats and calls, or only account info and cache.
Where can I find the history of Instant Messengers?
1) Physical dumps of mobile devices.
2) File systems of mobile devices.
3) Backups (the history of Instant Messengers may be present in backups completely or partially, depending on the security settings of the mobile device's operating system). Backups can be found on computers (or laptops) and in clouds: Google Cloud, iCloud, etc. Backups can be "standard" (made using ADB for Android devices or iTunes for Apple devices) or "non-standard", for example a Smart Switch backup (made by Samsung's proprietary Smart Switch utility) or a backup made by the DrFone program (Wondershare). Practice shows that owners of mobile devices do not always realize that a backup can be created automatically when the device is connected to a computer. Therefore, the owner of the device may not take measures to destroy such backups.
4) Hard drives.
5) Memory cards.
6) RAM dumps.
7) For Instant Messengers such as Telegram, data can be extracted from their clouds.
Belkasoft Features
Belkasoft can analyze and extract the history of Instant Messengers from mobile devices, PCs, laptops and clouds.
Supported Operating Systems (the list is not exhaustive):
BEC (Belkasoft Evidence Center) automatically locates and extracts chat history from hundreds of Instant Messengers.
Instant Messengers usually store their history in an SQLite file. Therefore, if BEC cannot extract the chats of a particular Instant Messenger automatically, it can be done manually using the SQLite Viewer integrated into Belkasoft.
An example of a restored chat from an SQLite file
Example of Instant Messenger analysis: Skype
The main data of this messenger's operation is in the file main.db.
main.db location:
Windows 7 or higher: ROOT\Users\%userprofile%\AppData\Roaming\Skype\%SkypeName%\main.db
Windows XP: ROOT\Documents and Settings\%userprofile%\Application Data\Skype\%SkypeName%\
or RUN: AppData\Skype\%SkypeName%\
Linux: ~/.Skype/%SkypeName%/
Android: /data/data/com.skype.raider/databases/main.db
Displaying data from a main.db file in the SQLite Viewer
Also, some of the chats can be restored from the chatsync data files, which are temporary synchronization database files.
The types of data contained in Skype that can be extracted:
A complete list of data that can be extracted from Skype
Accounts: the information about the user’s account can be obtained by analyzing the relevant fields of the main.db file in the SQLite Viewer.
It is most convenient to navigate the extracted data in the Overview tab.
Chats
BEC automatically locates and extracts chat history from the Skype database, as well as from hundreds of other messengers.
The lower part of the window displays chat properties, including the UIN of the sender and the recipient, and the external and internal IPs.
Calls: Voice calls made via Skype.
Contacts: Contents of Skype address book.
File transfers: Files sent and received via Skype.
Geolocation data: the mobile Skype client allows a user to send their current location to an interlocutor. BEC extracts this data.
BEC can display the extracted geotags on Google Maps.
BEC can visualize one or multiple locations on Google Maps or Google Earth
Other artifacts: BEC can recover other Skype artifacts, such as voicemails, group chats, etc.
Deleted chats
BEC recovers deleted records of Skype chats automatically, but an examiner can also do it in manual mode using the SQLite Viewer.
An SQLite database may have one or more unused pages. These pages can be created and reserved for future use to improve performance, in which case they contain no meaningful data. Unused pages in the database are tracked on what is called a "freelist".
Freelist pages can still contain deleted chats, which can be extracted manually or automatically.
Part of the deleted data may also be in the unallocated space area; restoring it requires in-depth analysis.
Phone number in unallocated space
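To make the freelist point concrete, here is an added Python example (not Belkasoft's code, and the Messages table with its "msg#N:" marker is a constructed schema, not Skype's real main.db layout): it builds a small chat database, deletes rows, then reads the SQLite file header and freelist trunk pages directly and carves the deleted messages from those pages, the same structures the SQLite Viewer walks.

```python
import os
import re
import sqlite3
import struct
import tempfile

def build_sample_db(path):
    """Constructed chat table (not Skype's schema): ~3 KB rows, one per page; rows 5..30 deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE")   # freed pages stay in the file, on the freelist
    con.execute("PRAGMA secure_delete=OFF")  # deleted content is not zeroed (typical app default)
    con.execute("CREATE TABLE Messages(id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    con.executemany("INSERT INTO Messages VALUES (?,?,?)",
                    [(i, "alice", f"msg#{i}:" + "x" * 3000) for i in range(1, 41)])
    con.commit()
    con.execute("DELETE FROM Messages WHERE id BETWEEN 5 AND 30")
    con.commit()
    con.close()

def freelist_pages(data):
    """Walk the freelist trunk chain; return (page_size, freelist page numbers, header count)."""
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size          # header encodes 65536 as 1
    trunk, total = struct.unpack(">II", data[32:40])             # header offsets 32 and 36
    pages = set()
    while trunk:  # trunk page: next trunk (4 bytes), leaf count (4 bytes), leaf page numbers
        pages.add(trunk)
        off = (trunk - 1) * page_size
        trunk, n_leaves = struct.unpack(">II", data[off:off + 8])
        pages.update(struct.unpack(f">{n_leaves}I", data[off + 8:off + 8 + 4 * n_leaves]))
    return page_size, pages, total

def recover_deleted(path):
    """Carve message ids from freelist pages only and keep those absent from the live table."""
    with open(path, "rb") as f:
        data = f.read()
    page_size, pages, total = freelist_pages(data)
    carved = set()
    for p in pages:
        carved.update(int(m) for m in re.findall(rb"msg#(\d+):", data[(p - 1) * page_size:p * page_size]))
    con = sqlite3.connect(path)
    live = {row[0] for row in con.execute("SELECT id FROM Messages")}
    con.close()
    return total, sorted(carved - live)

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "main.db")
        build_sample_db(path)
        return recover_deleted(path)  # (freelist page count, recoverable deleted ids)
```

With secure_delete turned on (as some builds and apps do) the same pages are zeroed when freed and nothing is recoverable, which is the first thing to check when carving yields nothing.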
Write Ahead Logs
Another artifact from which Skype data can be extracted is WAL files. These files contain new and updated records and are used to ensure data integrity when the content of the main SQLite database is updated. Data in WAL files can persist for a very long time. A WAL file is reset when it reaches a size of 1000 pages or when it receives a special (checkpoint) command.
BEC can also extract data from WAL files automatically.
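The WAL behaviour described above, as an added Python example (not part of the original article; the Messages table and the "msg#N:" marker are constructed): it parses the -wal header and the 24-byte frame headers directly, and shows that committed messages exist only in the -wal file until a checkpoint copies them into main.db, and that the -wal still holds them after the checkpoint.

```python
import os
import re
import sqlite3
import struct
import tempfile

def wal_frames(path):
    """Parse a SQLite -wal file into header fields plus one dict per 24-byte-header frame.
    Frames whose salts differ from the header's are stale (left from before the last WAL
    reset): SQLite ignores them, but an examiner can still carve them."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 32:
        return {"page_size": 0, "checkpoint_seq": 0, "frames": []}
    magic, _ver, page_size, ckpt_seq, salt1, salt2 = struct.unpack(">6I", data[:24])
    assert magic in (0x377F0682, 0x377F0683), "not a SQLite WAL file"
    frames, off = [], 32
    while off + 24 + page_size <= len(data):
        pgno, commit_size, fs1, fs2 = struct.unpack(">4I", data[off:off + 16])
        frames.append({"page": pgno, "commit": commit_size != 0,
                       "stale": (fs1, fs2) != (salt1, salt2),
                       "image": data[off + 24:off + 24 + page_size]})
        off += 24 + page_size
    return {"page_size": page_size, "checkpoint_seq": ckpt_seq, "frames": frames}

def ids_in(blob):
    """Message ids carved from raw bytes using the marker our constructed rows carry."""
    return {int(m) for m in re.findall(rb"msg#(\d+):", blob)}

def ids_in_wal(path):
    return set().union(*(ids_in(fr["image"]) for fr in wal_frames(path)["frames"]))

def run_demo():
    """Constructed scenario: committed messages sit only in the -wal file until a
    checkpoint copies them into main.db, and the -wal still holds them afterwards."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "main.db")
        con = sqlite3.connect(db, isolation_level=None)       # autocommit: each statement commits
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE Messages(id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany("INSERT INTO Messages VALUES (?,?)",
                        [(i, f"msg#{i}:hello") for i in range(1, 4)])
        with open(db, "rb") as f:
            before = (ids_in_wal(db + "-wal"), ids_in(f.read()))
        con.execute("PRAGMA wal_checkpoint(PASSIVE)")         # copy frames into main.db; -wal not truncated
        with open(db, "rb") as f:
            after = (ids_in_wal(db + "-wal"), ids_in(f.read()))
        con.close()
        return before, after   # ((ids in wal, ids in main.db) before, same after)
```

On a seized system the -wal file must therefore be collected alongside main.db, and frames flagged as stale are worth carving since they may hold records no longer visible through SQLite itself.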
Conclusion
In this article, the functionality of Belkasoft Evidence Center for extracting chats was reviewed: where chats are stored and from which objects they can be extracted (computers, clouds, mobile devices, etc.).
Using Skype as an example, it was shown which types of Instant Messenger artifacts can be extracted and analyzed with the help of Belkasoft Evidence Center.
Happy forensicating!
About the authors
Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.
Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.