Forensic analysis of Microsoft Skype for Business

We present three case studies to illustrate a methodology for conducting forensics investigation on Microsoft Skype for Business. The proposed methodology helps to retrieve information on chat and audio communications made by any account who accessed the PC, to retrieve IP addresses and communication routes for all the participants of a call, and to retrieve forensics evidence to identify the end-user devices of a VoIP call by analyzing the CODECs exchanged by the clients during the SIP (Session Initiation Protocol) handshaking phase. This information may help the investigator either to corroborate or to contradict an investigative hypothesis.