Channel: Forensic Focus Forums - Recent Topics

Forensic Software: [Looking for testers!] Automatic Skype SQLite/DBB carver.

Hello, I wanted to release my Skype carving program as freeware. It takes the Skype messages table SQLite schemas and finds any possible record in the main.db file, DBB files or even the whole (!) RAW disk image. It can find any record as long as it knows the schemas. I already supply the schemas I've identified for possibly all the Skype versions, and it's also easy to add new ones since it takes CREATE statements as input (many SQLite editors can print those). Since cluster sizes on most NTFS partitions are equal to (4K) or bigger than Skype main.db files' page sizes, the recovery rate is exceptionally good; it should find everything. It also supports overflow pages if you supply a valid SQLite file.

How it works is actually very simple: it finds valid chatnames and then "brute-forces" record reads starting from the preceding bytes, enough bytes to ensure the header must always be there. I chose that way to make sure I didn't miss any possible record, since the tool prints the failed reads with the data around them (that's how I made sure I read all of them), and it also doesn't scan the same file twice (it keeps a cache file with the chatname positions), so an extraction can be repeated in a few seconds. A first-time scan runs at 100+ MB/s on a 3 GHz C2D, so even though it's pretty fast it's still hours; keeping a cache of possible record positions, cutting the time to seconds, seems the best compromise to me. Once it finds the records it validates the fields and looks for record-header-like text in the messages (typical of overwritten records), so it usually leaves only intact records, except those overwritten in the very last 4-5 bytes of the message, though those would be hard to detect in a manual carving too (but it can be improved); I think I can also kick those out, though. Those checks can be turned off if you really want to find possibly everything, but I wouldn't really advise doing that.
After finding all the records it removes duplicates by comparing either timestamp/message or timestamp/record ID tuples and prints everything, sorted by date, in a nice TXT file. The code supports organizing into contact groups and conversations, printing to HTML or XLS and some other useful things, though I don't think I will ship the application with that since it will require a lot of UI work. As said in the title, it also finds "l33l" DBB records and carves them correctly (there's a value in each record that indicates the total record length, just like SQLite does, so it does quick and precise reads). It can also read the main.db-journal file, since it often stores full records, though I'd really like to write a proper parser for that, if I find the time, since it can contain lots of missed message text. I didn't support Chatsync files, but it seems to be pretty easy, mostly because I didn't find anything interesting in the ones I had that hadn't been picked up by the whole-drive scan.

I'm looking for some testers to get it to a releasable quality level, since there will certainly be lots of things to address, as it was written quickly and only for personal use. In that case, hit me up with a PM, thanks! Also, since the SQLite carving code is generic and not tied to Skype, I wanted, with time, to write separate tools to recover anything possible from cellphones, browser histories or anything else using SQLite: all it takes are the schemas (the code was designed to search several at once) and some code to validate the found records. If anybody is interested (especially developers who could write the validations), let me know.
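The anchor-then-brute-force loop the post describes, as an added example that is not the tool being offered for testing: it walks raw bytes, anchors on a chatname, tries every candidate record-header start in the preceding bytes, parses the SQLite record header (varint header size, varint serial types, then the values), keeps a parse only if the chatname column lands exactly on the anchor, applies field checks, and deduplicates by timestamp/message tuple. The four-column schema is a cut-down stand-in for Skype's Messages table, the chatname regex and the timestamp limits are assumptions, and the "disk image" is constructed in the script (two records, a journal-style duplicate, a copy with the tail of its message overwritten, and the chatname appearing in plain text outside any record).

```python
"""Carve SQLite table records out of raw bytes by anchoring on a known text column.

Added example, not the tool from the post. The schema is a cut-down stand-in for
Skype's Messages table; the chatname pattern and the validation limits are assumptions.
"""
import re
import struct

# Stand-in schema. The real table has many more columns and an `id INTEGER PRIMARY KEY`,
# which SQLite stores as NULL in the record body with the value in the cell's rowid varint.
COLUMNS = ("chatname", "author", "timestamp", "body_xml")
CHAT_COL = COLUMNS.index("chatname")
CHATNAME_RE = re.compile(rb"#[a-z0-9._-]+/\$[a-z0-9._-]+;[0-9a-f]{16}")  # assumed shape
FIXED_SIZE = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 7: 8, 8: 0, 9: 0}


def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 bits per byte, high bit = continue, 9th byte carries 8 bits."""
    value = 0
    for i in range(8):
        b = buf[pos + i]                      # IndexError past the buffer end; caller catches it
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9


def write_varint(value):
    """Encoder used only to build the sample image (values < 2**56, so no 9-byte form)."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def serial_size(st):
    """Bytes a serial type occupies in the value area; None for the reserved types 10 and 11."""
    if st in FIXED_SIZE:
        return FIXED_SIZE[st]
    if st in (10, 11):
        return None
    return (st - 12) // 2 if st % 2 == 0 else (st - 13) // 2


def decode_value(st, raw):
    if st == 0:
        return None
    if 1 <= st <= 6:
        return int.from_bytes(raw, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", raw)[0]
    if st in (8, 9):
        return st - 8
    return raw if st % 2 == 0 else raw.decode("utf-8")   # even: BLOB, odd: TEXT


def parse_record(buf, start, ncols):
    """Parse a record whose header-size varint sits at buf[start].

    Returns (values, column_offsets, end), or None if the bytes are not a
    well-formed record with exactly `ncols` columns."""
    hdr_size, pos = read_varint(buf, start)
    if not ncols + 1 <= hdr_size <= 9 * (ncols + 1):   # one varint per column plus the size itself
        return None
    hdr_end, types = start + hdr_size, []
    while pos < hdr_end:
        st, pos = read_varint(buf, pos)
        if serial_size(st) is None:
            return None
        types.append(st)
    if pos != hdr_end or len(types) != ncols:
        return None
    values, offsets = [], []
    for st in types:
        n = serial_size(st)
        if pos + n > len(buf):
            return None
        offsets.append(pos)
        values.append(decode_value(st, buf[pos:pos + n]))
        pos += n
    return values, offsets, pos


def plausible(rec, newest=2_000_000_000):
    """Field checks standing in for the post's validation step (the limits are assumptions)."""
    ts = rec["timestamp"]
    if not isinstance(ts, int) or not 1_060_000_000 <= ts <= newest:
        return False
    for col in ("author", "body_xml"):
        v = rec[col]
        # a non-string, an empty string or stray control bytes mean the value area was overwritten
        if not isinstance(v, str) or not v or any(ord(c) < 0x20 and c not in "\t\r\n" for c in v):
            return False
    return True


def dedupe(records):
    """Drop copies (journal, slack, duplicate pages) by timestamp/message tuple, oldest first."""
    seen, out = set(), []
    for r in sorted(records, key=lambda r: r["timestamp"]):
        key = (r["timestamp"], r["body_xml"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def carve(buf, max_back=32):
    """Anchor on every chatname, then try each header start within the preceding max_back bytes."""
    found = []
    for m in CHATNAME_RE.finditer(buf):
        hit = m.start()
        for start in range(hit - 1, max(hit - max_back, 0) - 1, -1):
            try:
                parsed = parse_record(buf, start, len(COLUMNS))
            except (IndexError, UnicodeDecodeError):
                continue
            if parsed is None or parsed[1][CHAT_COL] != hit:
                continue              # header parses, but the chatname column is not the anchor
            rec = dict(zip(COLUMNS, parsed[0]))
            if plausible(rec):
                found.append(rec)
                break
    return dedupe(found)


def encode_record(values):
    """Serialize one record (header + values) as SQLite lays it out; sample-building helper."""
    header = body = b""
    for v in values:
        if isinstance(v, str):
            raw, st = v.encode("utf-8"), 13 + 2 * len(v.encode("utf-8"))
        else:                                        # integers only, enough for the sample
            n = next(n for n in (1, 2, 3, 4, 6, 8) if -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)))
            raw, st = v.to_bytes(n, "big", signed=True), {1: 1, 2: 2, 3: 3, 4: 4, 6: 5, 8: 6}[n]
        header += write_varint(st)
        body += raw
    assert len(header) < 127                         # header-size varint then fits in one byte
    return write_varint(len(header) + 1) + header + body


def build_sample_image():
    """Constructed stand-in for a fragment of a disk image (not real Skype data)."""
    chat = "#alice/$bob;0123456789abcdef"
    a = encode_record([chat, "alice", 1_300_000_000, "hello bob"])
    b = encode_record([chat, "bob", 1_300_000_060, "hi alice"])

    def cell(payload, rowid):                        # table leaf cell: payload length, rowid, payload
        return write_varint(len(payload)) + write_varint(rowid) + payload

    gap = b"\x00" * 40                               # unallocated space between fragments
    return b"".join([
        gap, cell(a, 101), gap, cell(b, 102), gap,
        cell(a, 101),                                # second copy, as a journal leaves behind
        gap, b[:-4] + b"\x00" * 4,                   # copy of b with the tail of its message overwritten
        gap, b"chat=" + chat.encode() + b"\x00",     # the chatname in plain text, outside any record
        gap])


if __name__ == "__main__":
    for r in carve(build_sample_image()):
        print(r["timestamp"], r["chatname"], r["author"], repr(r["body_xml"]))
```

Running it prints the two intact messages once each: the journal-style duplicate collapses in `dedupe`, the copy whose message tail was overwritten parses structurally but fails `plausible` on the NUL bytes, and the plain-text mention never yields a header whose chatname column lands on the anchor. The offset equality check is what keeps the brute force honest: a header that happens to parse from some earlier byte is discarded unless its chatname column starts exactly at the matched string.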
