Channel: Forensic Focus Forums - Recent Topics

Forensic Software: [Looking for testers!] Automatic Skype SQLite/DBB carver.

Bendroid wrote: Hello, please take my apologies for resurrecting this ancient thread, but the lack of replies here made me wonder if this tool is still working with the latest Skype DBs? If so, would it still be available? There is a severe lack of Skype carvers out there and I'd be extremely grateful if this still works and would be available. Thanks, Ben

I have no idea, there are way too many Skype versions (desktop, metro, iOS, Android, Windows Phone), also I didn't get any feedback. The tool carves the records directly from the data (raw recovery), it doesn't read the database structure so it won't recognize any new or different Messages table, so always make sure to compare the result to NirSoft SkypeLogView or other tools that use the SQLite library to read the database.

When I wrote the tool I made it search for chatnames first (in the #name1/$name2;guid format), because records from the Messages table always contain chatnames (unless new Skype versions moved things around). The tool tries to carve the SQLite record that contains the chatname, providing the record is intact and of a recognized type (unfortunately the record patterns are hardcoded in the EXE, I didn't have the time to add an options dialog).

After trying to extract every record the tool writes a DebugFile.log that contains all the offsets where the chatnames were found plus 256-byte chunks starting from the chatname (it will say OK for records that were extracted correctly (the chunk won't be printed in that case) and KO for records which couldn't be recognized). The chunks have CRs and LFs removed so you can easily read the DebugFile.log file in any text editor. You may find records that were missed in the DebugFile.log, providing you clean it first: you can easily find patterns to clean it up because most of the garbage is records from other tables (e.g. from the Chats table, therefore they will be full of chatnames one next to the other).

I sent you a PM with a download link, also make sure you enable the notifications for private messages (they're off by default on this forum). To use the carver simply drag and drop the main.db, main.db-journal, eventual older dbb files and even the full (raw) disk image on the executable, preferably in that order (make sure the main.db is the first parameter!) and all at once (duplicates should be removed).
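The chatname scan and log clean-up described in the post can be sketched as follows. This is an added example, not the tool's code or its log format: the regular expression for the `#name1/$name2;guid` shape, the `MAX_GAP` threshold, and the `REVIEW`/`NOISE` labels are assumptions, and the sample bytes are constructed.

```python
import re

# Assumed chatname shape "#name1/$name2;guid": the 16-hex-digit guid and the
# allowed name characters are assumptions, not patterns taken from the tool.
CHATNAME = re.compile(rb"#[\w.,:\-]{1,64}/\$[\w.,:\-]{0,64};[0-9a-f]{16}")
CHUNK = 256    # bytes dumped from each chatname hit
MAX_GAP = 16   # hypothetical threshold for "one next to the other"

# Constructed sample: one message-like record, then three packed chatnames
# standing in for rows from another table.
SAMPLE = (
    b"\x00" * 40
    + b"\x0b\x2f#alice/$bob;0123456789abcdefalicehello\r\nworld"
    + b"\x00" * 300
    + b"#alice/$bob;0123456789abcdef\x01#alice/$carol;aaaabbbbccccdddd\x01"
    + b"#dave/$alice;1111222233334444"
    + b"\x00" * 20
)


def triage(data: bytes):
    """Return (offset, label, chunk) for every chatname found in raw data."""
    hits = list(CHATNAME.finditer(data))
    rows = []
    for i, m in enumerate(hits):
        # A hit packed against a neighbouring chatname is probably not a
        # Messages record, so it is labelled NOISE instead of REVIEW.
        near_prev = i > 0 and m.start() - hits[i - 1].end() <= MAX_GAP
        near_next = i + 1 < len(hits) and hits[i + 1].start() - m.end() <= MAX_GAP
        label = "NOISE" if near_prev or near_next else "REVIEW"
        chunk = data[m.start():m.start() + CHUNK]
        chunk = chunk.replace(b"\r", b"").replace(b"\n", b"")  # one line per hit
        rows.append((m.start(), label, chunk))
    return rows


def format_log(rows):
    """Render rows as text lines, replacing non-printable bytes with dots."""
    def printable(chunk):
        return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return [f"{off:#010x} {label} {printable(chunk)}" for off, label, chunk in rows]


if __name__ == "__main__":
    for line in format_log(triage(SAMPLE)):
        print(line)
```

Hits labelled `REVIEW` are the ones worth comparing by hand against the output of a tool that reads the database through the SQLite library.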
