Hello all,
What if the suspect deleted his main.db file? (Where chat-conversations are stored from Skype).
I still find some text messages back by keyword searches. However there are a lot of weird symbols around the message. It's hard to define a structure/header/footer.
Is there any possibility to carve out the main.db file itself?
All tips are welcome.
I created a tool for recovering Skype messages from unallocated clusters
http//
Just use FTK imager to mount the image and then point it at the physical disk
Please try our Belkasoft Evidence Center at http://belkasoft.com (demo is free).
SkypeAlyzer can also recover deleted Skype SQLite messages and can scan a physical/logical volume, dd or E01 image
http//
That's all nice for suggesting these products, but I'm not planning on buying these.
I'm a student that is focussing on a school project. The main focus is on carving data with EnCase, by using EnScripts for example.
So the main point is trying to understand the structure, because I know it should be possible.
That's what this topic is for, exchanging information or thoughts.
The records you are seeing are SQLite records, which have a well-defined header and are easy to carve if you know how to figure out the structure. I suggest you read up on recovery of SQLite records; I believe Sausage Factory has a good article on this.
Hi,
You mentioned that all tips are welcome.
The 2 software recommendations are good ones and the fact that you are a student should have 0 bearing on the answer you are given.
When you graduate and get into RL, you will see that you will need to have these programs. Why not get into them now and see what they do and how they do it, so you can grasp the ideals and principles?
Because using these programs isn't hard at all, the program does all the work for you.
If you dig in deeper you'll find out how exactly things work, which I believe is great for boosting your forensic skills.
@minime2k9 Thanks, very useful info!
> Hi,
> You mentioned that all tips are welcome.
> The 2 software recommendations are good ones and the fact that you are a student should have 0 bearing on the answer you are given.
> When you graduate and get into RL, you will see that you will need to have these programs. Why not get into them now and see what they do and how they do it, so you can grasp the ideals and principles?
Going to disagree there.
If he is a student then he is pretty abstracted from real life.
Also "I ran a tool" doesn't quite cut it in a piece of coursework, although they may be useful for comparisons.
To get a true understanding of the structure and the records themselves, his idea of creating an EnScript which would recover the records would give him the best understanding of Skype SQLite records, their structure and their recovery.
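
The "weird symbols" around a keyword hit, decoded: an added Python example, not code from any poster or tool in this thread, that walks back from a hit to the SQLite leaf cell (payload length, rowid, record header of serial types, column bodies). The function names, the constructed sample bytes and its four-column layout are assumptions, as are UTF-8 text encoding and a record that fits in one page without overflow.

```python
import struct
INT_SIZES = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}  # integer serial type -> byte width

def read_varint(buf, pos):  # big-endian, 7 bits per byte; a 9th byte gives all 8 bits
    value = 0
    for i in range(8):
        value = (value << 7) | (buf[pos + i] & 0x7F)
        if buf[pos + i] < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9

def decode_record(buf, pos):
    """Decode one record: header-length varint, serial-type varints, then column bodies."""
    header_len, h = read_varint(buf, pos)
    p, values = pos + header_len, []  # h walks the header, p walks the body
    while h < pos + header_len:
        t, h = read_varint(buf, h)
        size = INT_SIZES.get(t, 8 if t == 7 else (t - 12) // 2 if t >= 12 else 0)
        raw = bytes(buf[p:p + size])
        if t in (10, 11) or len(raw) != size:
            raise ValueError("reserved serial type or record runs past the buffer")
        if t in (0, 8, 9):  # NULL, constant 0, constant 1: no body bytes
            values.append(None if t == 0 else t - 8)
        elif t <= 7:  # signed big-endian integer, or IEEE-754 double for type 7
            values.append(int.from_bytes(raw, "big", signed=True) if t < 7
                          else struct.unpack(">d", raw)[0])
        else:  # odd >= 13 is text (UTF-8 assumed), even >= 12 is a blob
            values.append(raw.decode("utf-8") if t % 2 else raw)
        p += size
    if not values or h != pos + header_len:
        raise ValueError("serial types do not fill the declared header")
    return values, p

def carve_near(buf, keyword, window=64):
    """Walk back from a keyword hit to the leaf cell around it; None if nothing validates."""
    hit = buf.find(keyword)
    for start in range(hit - 1, max(hit - window, 0) - 1, -1):
        try:
            payload_len, p = read_varint(buf, start)
            rowid, rec = read_varint(buf, p)
            values, end = decode_record(buf, rec)
        except (ValueError, IndexError):
            continue
        if end - rec == payload_len and end > hit:  # record exactly fills the payload
            return {"offset": start, "rowid": rowid, "values": values}
    return None

# Constructed sample, not real Skype data: junk, cell (len 38, rowid 7, record), junk.
SAMPLE = (b"\xff\xfe\x00\x91" + b"\x26\x07" + b"\x05\x00\x17\x04\x3d" + b"alice"
          + (1300000000).to_bytes(4, "big") + b"meet at the dock at nine" + b"\x00\x0d\xff\xff")
```

Requiring the decoded record to fill the declared payload length exactly is what rejects the many byte offsets that parse as a header by coincidence; records from freed pages may still be partly overwritten and fail this check.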