Thursday, December 22, 2011

Now With 23% More Memory! Grabbing Skype Data

I am on a roll finding cool new programs dealing with memory analysis. This one is Skypeex, developed by Nick Furneaux. It uses the same approach as the pdgmail tool from my last post: you run strings against the memory dump and then run the Skypeex python script against the strings output to find remnants of Skype contacts and conversations.


So, as with the previous script (pdgmail), you first run strings, then run Skypeex against that output. Nick created versions that should run on Windows (if you have Python installed), Linux, and MacOSX. There are two different scripts included for Windows/Linux; which one you use depends on the version of Python you are running. Go to the command line and run 'python -V' to see which version you have. There is a helpful readme file as well.

To run Skypeex, simply type from the command line, 'python skypeex.py' -- it will then ask you for the location of the strings output you created earlier. From that the program creates two output files. From the readme:
The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and 'carved chats'. Please expect many duplicates and some false positives.
It's a bit hard to show my results, just because I am paranoid, but I can tell you some of the things I saw:
  • Group chat windows and conversations
  • Contacts
  • IM (one on one) chat windows and conversations
So these two programs clearly show the value of memory dumps from a slightly different perspective. This will probably not help in malware investigations (never say never though!), but from a law enforcement (LE) perspective this could make or break a case.

This is the last post of 2011 -- everyone have a great New Year! I will be spending my holiday geocaching around London, what better way to get to know a new city? Enjoy!
