Author Name
Hal Pomeranz
Submission Title
Skype shared.xml and the <ContraProbeResults> tag
Artifact or Program Version
All versions
Artifact Description
Skype is a popular instant messaging, audio, and video teleconferencing program. The Skype application data directory contains a file named shared.xml. As the extension implies, the file is XML formatted, but most of the entries are encoded. This encoding has not been documented or reversed to my knowledge.
Of interest is one of the non-encoded fields, set off with the <ContraProbeResults> tag. This tag contains a list with an IP address and varying port numbers:
…
<NatTracker>
<ContraProbeResults>71.224.218.86:52514 71.224.218.86:53485 71.224.218.86:64410 71.224.218.86:58455 71.224.218.86:52870</ContraProbeResults>
…
Testing shows that the IP address reflects the “externally visible” IP address of the workstation where Skype is running– in other words the IP address of the outermost NAT gateway connecting the device to the Internet. There is no documentation from Skype related to the contents of the shared.xml file, so this finding is based purely on observation. Eoghan Casey references this artifact in his “Handbook of Digital Forensics and Investigation” but makes no conclusive statements regarding its meaning.
This artifact can be useful for attribution as it indicates the IP address the computer was connecting to the Internet from as of the last time Skype updated this entry. This may help tie a subject to a particular IP address and activity originating from that address.
Multiple versions of shared.xml may be found in unallocated, indicating that the Skype software sometimes deletes and recreates this file. String searching in unallocated for “<ContraProbeResults>” can turn up historical IP information related to the local system.
Immediately following the <ContraProbeResults> tag are additional encoded entries under the <ProbeResults> list. The individual tags in the list appear to be dates in “Unix Epoch Format” (seconds since Jan 1, 1970) with a leading underscore. While the entries themselves are encoded, hexadecimal IP addresses, possibly followed by 16-bit port numbers, can be observed.
In the example below, you can pick out the encoded form of “71.224.218.86″ as “47E0DA56″. The meaning of the rest of the data in each entry is unknown.
…
<NatTracker>
<ContraProbeResults>71.224.218.86:52514 71.224.218.86:53485 71.224.218.86:64410 71.224.218.86:58455 71.224.218.86:52870</ContraProbeResults>
<PreviousNatType>9</PreviousNatType>
<ProbeResults>
<_1369067520>321AEDF742E647E0DA56CAD34E4600653A9D47E0DA56E525182F9A83109E47E0DA56C4836C27919C0A7047E0DA56FEDE9D37388F01BB47E0DA56EB4A6FDD4D9B01BB47E0DA56CBD74108B203F8FD47E0DA56E092AD33B2721E9947E0DA56F319AD3AE4F3925A47E0DA56CC1C424B0CAF0FE747E0DA56C529</_1369067520>
<_1369071616>BCBF23A3557447E0DA56D49EB144790FAF6947E0DA56D23356A428112F0647E0DA56CDE19D37EB9901BB47E0DA56CFA96FDD4A1901BB47E0DA56DB95</_1369071616>
<_1369075712>BDDE8F8C71C847E0DA56F4AB32509337D23E47E0DA56F162</_1369075712>
…
If these observations are correct, <ProbeResults> then gives the analyst a time-stamped history of IP addresses used by the local machine when accessing the Internet. Again, this is obviously useful for attribution, as well as indicating networks that the system may have connected to in the past. Simply decode the XML tag to find the date and time, then take the last six bytes of each entry– the first four bytes of the six should be the IP address.
File Locations
\Skype\shared.xml
Research Links
http://books.google.com/books?id=xNjsDprqtUYC&pg=PA56&lpg=PA56&dq=skype+contraproberesults&source=bl&ots=X1xOC47CuG&sig=-npWdZi2I9zCdhgxWAWqHPOLVc8&hl=en&sa=X&ei=pc2bUf-ZLcOjigKVzoF4&ved=0CE0Q6AEwAw#v=onepage&q=skype%20contraproberesults&f=false