Thursday, March 11, 2010

Skypeex - additional comments

I've had some very good feedback about the Skypeex tool and I appreciate all your comments.

One or two have not really seen the point of the tool as there are plenty of Skype log viewers around such as from Nirsoft and Skypr. I will repeat what I posted on the LinkedIn discussion board.

"the Nirsoft tool, and others, are log viewers and this presupposes that you have access to the disk/logs. A covert live acquisition will often just take RAM and other volatile data, RAM may be taken before the plug is pulled only to discover that the disk is Full Disk Encrypted or that the logs are in a Truecrypt container. The user could even be using 'Portable Apps' Skype on a USB key which would mean no log files at all on the disk, however the data could still be in RAM.

This little tool is not meant to be a replacement for the excellent chat log viewers out there but provides a way of getting the data from RAM where circumstances dictate."

I'm working on an improved version where Strings isnt needed and hope to have that sorted in the next couple of weeks.

Tuesday, March 9, 2010

Skype Chat Carver from RAM - Skypeex

Well I was going to keep testing but it just seems to keep working, so here it is in version 0.5.


I’ve been teaching my RAM analysis course for about a year now and enjoy working with Volatility and some other open source tools. I’ve been making use of Jeff Bryners cool little Python script ( to extract Gmail artifacts and was motivated to do the same for Skype chat and any other Skype stuff that might be hanging around in a RAM dump.

The only problem was that, although I’ve done a bit of programming in the past, Python was a long hissy thing you wouldn’t want to meet on a dark night. Having gone through the pain of programming ‘Hello, world’, simple Pokemon text games for my lad and tedious maths exercises, I’ve actually managed to produce something meaningful.

The idea is to extract Skype chat lines with their associated meta-data, which includes timestamps, the Skype names in the conversation and the author etc.

The complete Skype line in RAM starts with the magic value ‘INTO Messages” followed by column headers then the values of the chat line including the chat body.

This is very much work in progress but will simply do the following:-

1. Run Strings against your RAM dump
2. Run the Skypeex tool against the resulting Strings file
3. It will carve out all the Skype chat lines it can see as well as trying to find and extract all the Skype sessions and ‘orphan’ chats that have been created.

It’s interesting to note that the latter process even seems to find the ‘spam’ message sessions that you sometimes receive.

This has been tested on dump files from Windows XP2 and XP3 with Skype 3.8 through 4.2.
I don't currently have a Windows 7 box up and running, if anyone has one available please let me know.

Please do not hesitate to get in touch with ideas and improvements.


There are 2 versions in the zip file. is designed for use under Python 3.1.1 and above

skypeex26 is designed for use under Python 2.6

Due to changes with several commands between 2.6 and 3 they are not interchangeable, although the differences in this code are only in the input and print lines.
For best testing results, have several Skype IM chats with friends and then image your RAM. On a windows box, use any tool to grab RAM (tested on Win XP SP2/3):

I recommend Win32dd (or Win64dd) from Matthieu Suiche -

Run strings against the RAM image (e.g. Windows version can be found in Helix distro)
example: strings c:\ramdump.dd > c:\stringsout.txt

On linux box do:
strings ramdump.dd > stringsout.txt

Script usage -
from command shell - python - then, when prompted, simply provide the path to the strings output file.

The output files will be written to the folder where the script is run from. The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and carved orphan chats. Please expect many duplicates and some false positives.

In the CSV file the 'Timestamp' column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I'm writing a UNIX time decoder but it doesn't work yet.

The primary message content is in the 'body_xml' column.


The key elements of the code are:-

if "INTO Messages" in line:
def extract(text, sub1):
return text.split(sub1)[-1]
str2 = extract(line, 'VALUES (')

This searches for the magic value, strips out the rubbish and returns the comma delimited values we are interested in. This includes:-

Chatname – the initiator and recipient of the session
Timestamp – The time and data the message was sent in UNIX time
Author – the sender of the message
From_dispname – the screen name being used by the sender
Body_xml – the body of the message, can slip into the chat_msg column
GUID – session identifier


if "#" and "/$" in line:
nxt = next(data)

This time we look for the existence of the # and /$ characters in the same line. This refers to the pattern written to RAM of each Skype session, which looks like this:


This shows the 2 persons in the Skype session with the first name being the initiator of the conversation. I’m still trying to figure out the hex value at the end, but it seems to be a GUID session number, any ideas let me know.

Sometimes we recover session line like the following:

#bennyboy/$nfurneaux;9fa7c85b71354392Jd1bbennyboy1982Ben Brown
#andyw/$nfurneaux;9fa7c85b71354392Jd1TnfurneauxNick Furneaux

We are able to see the actual Skype name as well as the screen name being used during the session. The cool thing is that we also grab the next line with often includes actual chat associated with the recovered session. Hence we capture:-

#bennyboy/$nfurneaux;8f915423c984767aJ[VonfurneauxNick Furneaux
ok quite close
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown
Aug 23
# bennyboy /$nfurneaux;8f915423c984767aJ[VQnfurneauxNick Furneaux
when are you presenting at HTCIA
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown

Interestingly this conversation is carved in reverse. We can ascertain that bennyboy started the conversation but see the sender in the second part of the session line, followed by the chat.

I've never released a tool to the community before so be kind! Let me know how you get on.
Nick Furneaux


Unfit and unblogged!

Im just preparing to release a Skype RAM carver written in Python and I thought that my blog would be the best place to put it. However, I just checked it to make sure I remembered how to log in and noticed that my last blog was in Oct. This is a coincidence as Oct was the last time I went for a run! I was thinking that there was no correlation but actually, moving house, traveling all over the place and a very busy work 6 months has contributed to both.

Yesterday I went out with my lad and ran for 2.5 miles, including loads of up hill and was pretty surprised at my retained fitness, which is good, however my blogging looks in much worse shape.

It doesn't help that the eponymous Happy Monkey is regularly blogging fabulously funny and insightful ditties that anything I do will be put to shame. However, watch this space for a free, and rather cool, Skype Chat RAM Carver.