Well I was going to keep testing but it just seems to keep working, so here it is in version 0.5.
Download
I’ve been teaching my RAM analysis course for about a year now and enjoy working with Volatility and some other open source tools. I’ve been making use of Jeff Bryners cool little Python script (http://www.jeffbryner.com/code/pdgmail) to extract Gmail artifacts and was motivated to do the same for Skype chat and any other Skype stuff that might be hanging around in a RAM dump.
The only problem was that, although I’ve done a bit of programming in the past, Python was a long hissy thing you wouldn’t want to meet on a dark night. Having gone through the pain of programming ‘Hello, world’, simple Pokemon text games for my lad and tedious maths exercises, I’ve actually managed to produce something meaningful.
The idea is to extract Skype chat lines with their associated meta-data, which includes timestamps, the Skype names in the conversation and the author etc.
The complete Skype line in RAM starts with the magic value ‘INTO Messages” followed by column headers then the values of the chat line including the chat body.
This is very much work in progress but will simply do the following:-
1. Run Strings against your RAM dump
2. Run the Skypeex tool against the resulting Strings file
3. It will carve out all the Skype chat lines it can see as well as trying to find and extract all the Skype sessions and ‘orphan’ chats that have been created.
It’s interesting to note that the latter process even seems to find the ‘spam’ message sessions that you sometimes receive.
This has been tested on dump files from Windows XP2 and XP3 with Skype 3.8 through 4.2.
I don't currently have a Windows 7 box up and running, if anyone has one available please let me know.
Please do not hesitate to get in touch with ideas and improvements.
Usage:
There are 2 versions in the zip file.
skypeex.py is designed for use under Python 3.1.1 and above
skypeex26 is designed for use under Python 2.6
Due to changes with several commands between 2.6 and 3 they are not interchangeable, although the differences in this code are only in the input and print lines.
For best testing results, have several Skype IM chats with friends and then image your RAM. On a windows box, use any tool to grab RAM (tested on Win XP SP2/3):
I recommend Win32dd (or Win64dd) from Matthieu Suiche - http://windd.msuiche.net/
Run strings against the RAM image (e.g. Windows version can be found in Helix distro)
example: strings c:\ramdump.dd > c:\stringsout.txt
On linux box do:
strings ramdump.dd > stringsout.txt
Script usage -
from command shell - python skypeex.py - then, when prompted, simply provide the path to the strings output file.
The output files will be written to the folder where the script is run from. The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and carved orphan chats. Please expect many duplicates and some false positives.
In the CSV file the 'Timestamp' column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I'm writing a UNIX time decoder but it doesn't work yet.
The primary message content is in the 'body_xml' column.
Code:
The key elements of the code are:-
if "INTO Messages" in line:
def extract(text, sub1):
return text.split(sub1)[-1]
str2 = extract(line, 'VALUES (')
This searches for the magic value, strips out the rubbish and returns the comma delimited values we are interested in. This includes:-
Chatname – the initiator and recipient of the session
Timestamp – The time and data the message was sent in UNIX time
Author – the sender of the message
From_dispname – the screen name being used by the sender
Body_xml – the body of the message, can slip into the chat_msg column
GUID – session identifier
Next:
if "#" and "/$" in line:
outfile.write(line)
nxt = next(data)
outfile.write(nxt)
This time we look for the existence of the # and /$ characters in the same line. This refers to the pattern written to RAM of each Skype session, which looks like this:
#nfurneaux/$bennyboy1982;810b0fd9ef04db08
This shows the 2 persons in the Skype session with the first name being the initiator of the conversation. I’m still trying to figure out the hex value at the end, but it seems to be a GUID session number, any ideas let me know.
Sometimes we recover session line like the following:
#bennyboy/$nfurneaux;9fa7c85b71354392Jd1bbennyboy1982Ben Brown
#andyw/$nfurneaux;9fa7c85b71354392Jd1TnfurneauxNick Furneaux
We are able to see the actual Skype name as well as the screen name being used during the session. The cool thing is that we also grab the next line with often includes actual chat associated with the recovered session. Hence we capture:-
#bennyboy/$nfurneaux;8f915423c984767aJ[VonfurneauxNick Furneaux
ok quite close
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown
Aug 23
# bennyboy /$nfurneaux;8f915423c984767aJ[VQnfurneauxNick Furneaux
when are you presenting at HTCIA
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown
Interestingly this conversation is carved in reverse. We can ascertain that bennyboy started the conversation but see the sender in the second part of the session line, followed by the chat.
I've never released a tool to the community before so be kind! Let me know how you get on.
Nick Furneaux
Download
Subscribe to:
Post Comments (Atom)
10 comments:
Nick,
thank you for the post and for your efforts.
This tool I am sure will prove to be exceptionally useful and will help many who have captured a live image of ram.
I haven't had chance to really thrash it, but can confirm I had amazing results from one test machine! Conversations dating back 4 years I didn't realise skype still stored...
Hi Nick, the tool worked flawlessly on a Windows XP Professional 32bit machine with Skype 4.2.0.155.
But on a Windows 7 Professional 64bit machine only the carved sessions file (skypesessions.txt) was created correctly.
I just posted about your tool on my blog: http://sseguranca.blogpost.com
Thank you for your contribution and keep the good work!
Nick...
Thank you for your effort...
I'll be able to use our field.
How do I run strings over my ram dump? sorry, i'm new to this
Great program. Will the 2008 version of Helix work, or Will I need to buy Helix?
Hi to mo3578, sorry I missed your post. The answer should also answer Shlomo's question too.
Strings is a program (UNIX really) that parses through a file and by default extracts all the ACSII test strings 3 characters long and above. Its useful in a RAM dump for getting rid of all the non-human readable stuff.
There is a ported version to Windows on the Helix disk 2008/2009 (not pro) available from www.e-fense.com.
Simply open a command shell (from the Helix GUI if you are using it) and type:-
strings ramdump.dd > c:\stringsout.txt
..where ramdump.dd is the ramdump you have taken and the txt file is the output file name you have chosen
Virtually any Linux distro will have strings too, just the pathing will be different, for example:-
strings /root/ram.dd > /media/sda1/stringsout.txt
I do intend to build the strings capability into the tool but Ive been a tad busy.
Hope that helps
Nick
Hello Nick
This tool seems quite exciting and a milestone in Skype forensics. Thanks for providing such a good tool.
But I was not able to Download the .Zip file, the link seems to be broken. It would be really helpful if you can provide a working link of the same.
Thanks and Regards
Hi the link for Skypeex is offline at the moment, I'll update the link as soon as I can.
Thanks
Nick
Hey Nick
It will be very kind of you if you update the Skypeex link at the earliest or
please mail it to me at
rokkingdheeraj@gmail.com.
I need it urgently. Thanks in advance.
Thanks and regards
Post a Comment