A simple automatic carver to recover messages from Skype's main.db, main.db-journal, .dbb files (Skype v4) and even raw uncompressed disk images. Based on the Automatic SQLite Carver v0.0.0.3.
IMPORTANT This is only a carver, it only looks for recognized hardcoded data-patterns so always assume records could be missed and verify the results with other tools (e.g. Nirsoft SkypeLogView). The tool can find and learn new table patterns prior to scanning but that still doesn't guarantee everything will be recovered. I may integrate a fail-safe native SQLite library support in the future if there'll be enough interest.
IMPORTANT #2 This is an early build, records WILL be missed, especially if you turn off the deleted record detection that usually picks up records where the standard method fails.
IMPORTANT #3 I only use the library this tool is based on, I don't use the tool itself so please provide feedback for any issue/feature request.
- If there are message records straight at the end of the file they may not be recovered and also they may not end marked in the record graveyard file.
- There's a bug in the integrity check code that makes it skip some records (however those same records should be identified by the Deleted record recovery setting)
- The dates are in MM/DD/YYYY in the UI but DD/MM/YYYY in the log file.
Windows XP and above with Framework 4.0 (or 4.5 or 4.5.1)
Add all the files you want to scan, optionally select an output file and a record graveyard file and click on Start. If you choose to export the data to a TXT file the duplicate entries (where author, id and message text are the same) will be automatically removed.
Automatic SkypeCarver v0.0.0.1 (20-Jul-2014)
- Initial release
Can I test this tool?
Can I test this tool?
I sent you a PM, let me know if you encounter any issue.
I'm looking for some testers to get it to a releasable quality level since there will be certainly lots of things to address since it was written quickly and only for personal use. In case hit me up with a PM, thanks!
Sent a PM to you
Also since the SQLite carving code is generic and not tied to Skype I wanted, with time, to write separated tools to recover anything possible from cellphones, browser histories or anything else using SQLite all it takes are the schemas (the code was designed to search several at once) and some code to validate the found records. In anybody is interested (especially developers that could write the validations) let me know.
recover anything possible from cellphones, browser histories or anything else using SQLite
Always welcome new tools to the marketplace.
I got the "generic" SQLite carver addressed. I only need to figure out a decent way to get the data exported and it should be usable though it will be pretty slow on disk images until I'll rewrite the code to scale properly for multiple records at once. The generic SQLite carver can be downloaded here though it only takes basic field declarations in the statement constraints, relations or primary key declarations will be refused (the code doesn't ignore them yet). Other missing features are specifying the database page size, the text encoding and the record size limit that are required when carving disk images.
Skype Autocarver is nice tool!
Hello, please take my apologies for resurrecting this ancient thread, but the lack of replies here made me wonder if this tool is still working with latest Skype DBs?
If so, would it still be available?
There is a severe lack on Skype carvers out there and I'd be extremely grateful if this still works and would be available.
Thanks
Ben
Hello, please take my apologies for resurrecting this ancient thread, but the lack of replies here made me wonder if this tool is still working with latest Skype DBs?
If so, would it still be available?
There is a severe lack on Skype carvers out there and I'd be extremely grateful if this still works and would be available.Thanks
Ben
I have no idea, there are way too many Skype versions (desktop, metro, iOS, android, Windows Phone), also I didn't get any feedback. The tool carves the records directly from the data (raw recovery), it doesn't read the database structure so it won't recognize any new or different Messages table so always make sure to compare the result to NirSoft SkypeLogView or other tools that use the SQLite library to read the database.
When I wrote the tool I made it search for chatnames first (in the #name1/$name2;guid format), because records from the Messages table always contain chatnames (unless new Skype versions moved things around). The tool tries to carve the SQLite record that contains the chatname, providing the record is intact and of a recognized type (unfortunately the record patterns are hardcoded in the EXE, I didn't have the time to add an options dialog). After trying to extract every record the tool writes a DebugFile.log that contains all the offsets where the chatnames were found plus 256bytes chunks starting from the chatname (it will say OK for records that were extracted correctly (the chunk won't be printed in that case) and KO for records which couldn't be recognized). The chunks have CR and LFs removed so you can easily read the DebugFile.log file in any text editor. You may find records that were missed in the DebugFile.log, providing you clean it first you can easily find patterns to clean it up because most of the garbage are records from other tables (e.g. from the Chats table therefore they will be full of chatnames one next to the other).
I sent you a PM with a download link, also make sure you enable the notifications for private messages (they're off by default on this forum).
To use the carver simply drag&drop the main.db, main.db-journal, eventual older dbb files and even the full (raw) disk image on the executable, preferably in that order (make sure the main.db is the first parameter!) and all at once (duplicates should be removed).
Ben - my tool SkypeAlyzer has been carving Skype logs for years
My program SQLite Recovery is also a very advanced Sqlite carver (including Skype) that is not limited to one table at a time (My typical test image has about 100 databases and 800 tables).
Demos of both are available at my web site
http//
please email me if you have any questins - paul@sandersonforensics.com
Cheers
Thanks for all your input!
@francesco answered PM
@Paul I will check them as well, thanks for pointing me.
Ben