Has anybody had success at finding the main.db in unallocated space and piecing it back together to analyze, or analyzing fragments? I have a suspect who uninstalled Skype. I have the main.db from the other side of the conversation, even where the other party tells him to uninstall.
Thanks
Bill
Bill,
Do you know about how long it was between the deletion and the image acquisition? Also, which version of Windows? I ask, as it may be possible to find the MFT entry and use the data runs to piece it back together.
I have more than once carved images (e.g. with photorec) and found sqlite files (a quick look inside and you can immediately tell if they are Skype main.db files or other sqlite DBs). I then parsed them successfully with the free tools available on the net (e.g. Nirsoft), extracting Skype conversations and artifacts.
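Added example, not from any poster in this thread: a Python scan of a raw buffer for SQLite headers that flags candidates whose schema text names Skype-like tables, which is the "quick look inside" described above. The table names, the function names and the sample image are assumptions constructed for illustration; the scan assumes each database is stored contiguously, so a fragmented file is only located, not reassembled.

```python
import os, sqlite3, struct, tempfile

MAGIC = b"SQLite format 3\x00"
SKYPE_TABLES = (b"Messages", b"Conversations", b"Contacts", b"Accounts")  # assumed schema names
WINDOW = 256 * 1024  # bytes after each header searched for schema text

def parse_header(buf, off):
    """Return (page_size, page_count) for the header at off, or None if implausible."""
    if len(buf) - off < 100:
        return None
    (page_size,) = struct.unpack_from(">H", buf, off + 16)
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # must be a power of two between 512 and 65536
    # Page count is 0 when the file was written by SQLite older than 3.7.0.
    (page_count,) = struct.unpack_from(">I", buf, off + 28)
    return page_size, page_count

def find_candidates(buf):
    """Scan a raw buffer for SQLite headers and flag those with Skype-like schema."""
    hits, off = [], buf.find(MAGIC)
    while off != -1:
        nxt = buf.find(MAGIC, off + 1)
        hdr = parse_header(buf, off)
        if hdr:
            # Stop the search window at the next header so schemas do not mix.
            window = buf[off:min(off + WINDOW, nxt if nxt != -1 else len(buf))]
            tables = [t.decode() for t in SKYPE_TABLES if b"CREATE TABLE " + t in window]
            hits.append({"offset": off, "page_size": hdr[0],
                         "size": hdr[0] * hdr[1], "skype_tables": tables})
        off = nxt
    return hits

def build_sample_image():
    """Constructed test data: two small SQLite files embedded in filler bytes."""
    blobs = []
    with tempfile.TemporaryDirectory() as d:
        for name, tables in (("a.db", ["Messages", "Contacts"]), ("b.db", ["cookies"])):
            path = os.path.join(d, name)
            con = sqlite3.connect(path)
            con.execute("PRAGMA page_size = 4096")
            for t in tables:
                con.execute(f"CREATE TABLE {t} (id INTEGER PRIMARY KEY, body TEXT)")
            con.commit()
            con.close()
            with open(path, "rb") as f:
                blobs.append(f.read())
    return b"\xaa" * 1000 + blobs[0] + b"\x00" * 3000 + blobs[1]

if __name__ == "__main__":
    print(*find_candidates(build_sample_image()), sep="\n")
```

A `size` of 0 means the header carries no page count, so the extent of the file has to be established some other way before extraction.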
Thanks for info. Only 3 days from deletion (taking deletion date from other party's chat) and when I acquired. I'll check that out.
And it is Win XP Pro.
My company has a product specially designed for retrieving chats (Belkasoft Forensic IM Analyzer). The Ultimate version of it can carve drives with excellent results. You can try a free demo and see if it works for you.