Extracting Skype Histories and Deleted Files Metadata from Microsoft Account

December 19th, 2019 by Oleg Afonin
Category: «Clouds», «Elcomsoft News», «Tips & Tricks»

Skype synchronizes chats, text messages and files sent and received with the Microsoft Account backend. Accessing Skype conversation histories by performing a forensic analysis of the user’s Microsoft Account is often the fastest and easiest way to obtain valuable evidence. Learn how to use Elcomsoft Phone Breaker to quickly extract the complete conversation histories along with attachments and metadata from the user’s Microsoft Account.

What’s It All About?

With over 1.55 billion accounts and more than 420 million daily users, Skype is one of the world’s biggest instant messaging apps. While there is no lack of competition in the highly crowded market of instant messaging apps, Skype maintains its user base. This feature-rich app is available for all relevant platforms, and is actively developed and frequently updated by Microsoft. Skype is secure (enough) while maintaining transparency to the law enforcement, which makes Skype the only allowed VoIP communication app in countries such as the UAE. The free Skype-to-phone calls included with all Microsoft Office 365 subscriptions help Skype gain popularity among corporate and small office users, while integration with Alexa and Cortana voice assistants makes Skype the tool of choice for voice calls.

Skype conversations are automatically synced with the back end along with attachments. While text chats are stored on Microsoft servers indefinitely or until manually deleted by the user, attachments are only kept for the maximum period of 30 days. After the 30-day retention period, any files users send or received are automatically purged from the server and are no longer accessible. However, Microsoft still retains information about these files (the metadata), allowing experts to find out the name and type of attachments, file sizes, as well as the date and time.

Having said that, one can use Microsoft’s own tool to request and view Skype data from the account. However, information returned by the Microsoft’s tool lacks certain data about the chats and files that have been either deleted by the user or purged from Microsoft servers as a space-saving measure. This is why we developed the tools to extract and view all Skype-related information available in the user’s Microsoft Account.

Tools to Extract Skype Chats, Attachments and Metadata from Microsoft Account

We have exactly two tools to be used in connection with Skype data. First, there is Elcomsoft Phone Breaker, a tool to download Skype conversation histories from Microsoft servers. You would then use Elcomsoft Phone Viewer to browse through and analyze the downloaded data.

Available information

We download Skype conversation histories, messages, media files, contact lists and metadata directly from the user’s Microsoft Account.

What is required to download Slype data?

In order to access this information, full authentication credentials are required including the user’s Microsoft ID (typically, their Hotmail.com, Live.com or Outlook.com email address), password, and the second authentication factor if two-factor authentication is enabled.

Skype metadata

In addition to existing data, Elcomsoft Phone Breaker can extract so-called Skype metadata. Skype metadata gives experts insight about stuff that is no longer stored on Microsoft servers. Users can delete chats and conversations, and they will be gone from the server. Files sent and received in Skype are automatically purged from Microsoft servers after the 30-day retention period. Traces left behind these deleted chats and purged files are called metadata. Skype metadata includes information such as the date and time, size, file name, sender, and chat name.

The How-To Guide on Extracting Skype Data

In order to download Skype data, you’ll need Elcomsoft Phone Breaker 9.40 or newer.

  1. Launch Elcomsoft Phone Breaker and select Tools | Microsoft.
  2. In the “Download data from the Microsoft Account” dialog, enter the user name (Microsoft Account) and password of the user whose Skype data you are about to obtain.
  3. If the account is protected with two-step verification, you will be offered the choice of the second authentication method. In our example, we opted to receive the one-time authentication code via a text message (SMS). Click “Send code” to request a code. The one-time code will be sent to the trusted phone number registered on the user’s account.
  4. After passing the two-factor authentication prompt, select the “Skype” check box.
  5. The data will be downloaded from the Microsoft Account. Depending on the speed of your Internet connection and the amount of data in the user’s account, the download time can range from several seconds to several minutes (more if there are many chats and/or large attachments).
  6. Once download is finished, you will have the ability to open the data in Elcomsoft Phone Viewer by clicking the “Open in EPV” link.

In order to view the data you have just downloaded, use Elcomsoft Phone Viewer 4.20 or newer.

  1. Use the “Open in EPV” link to launch Elcomsoft Phone Viewer.
  2. The user’s Skype conversation history will be opened.
  3. You can also access attachments. For attachments older than 30 days, you will still have access to file metadata, although the actual files will not be available for download.

 

 


REFERENCES:

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »