Wednesday, January 29, 2014

EnCase EnScript (v6 & v7) to parse Skype chatsync files for IP addresses (internal & external) of each user

Most people are aware of the SQLite databases that Skype uses and the information they contain. Another common file associated with a Skype chat is the 'chatsync' file. This file uses a proprietary format and contains some very useful information, such as the usernames of the people in the chat (even group chats).

In addition to the usernames, each user's local (LAN) and external (WAN) IP addresses are often recorded in this file. This information can be very useful in helping identify or locate a particular user during a specific time. A chatsync file is generally created for each chat 'session'.

The beginning of a chatsync file will appear like this:

You can select (blue check) any/all chatsync files in EnCase v6, or 'tag' them with 'chatsync' in EnCase v7, and run the EnScript linked below. This EnScript will parse out the IP addresses, write them to the console, and bookmark the artifacts.

Download EnCase EnScript (v6 & v7) here

Computer Forensics, Malware Analysis & Digital Investigations
