Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases

Summary

This article describes common approaches used for the recovery of cleared Skype histories and deleted chat logs, and discusses methods and techniques for recovering evidence from cleared and damaged SQLite databases.

Introduction

It is difficult to underestimate popularity of Skype. Hundreds of millions of people use Skype every day, generating a lot of potential evidence.

Recent versions of Skype are using SQLite databases to keep all history items. Chat logs, information about voice calls made and received, and a lot of other information is available in these SQLite databases. Accessing and analyzing this evidence is essential for many investigations involving a seized PC.

At this time, there are lots of tools that can be used to view and analyze SQLite databases. These tools range from freeware utilities to fully featured and highly expensive forensic suites. While viewing records an existing, healthy SQLite database is not a big deal, performing a forensic analysis of such database has quite different requirements.

Suspects may and do destroy evidence by clearing chat histories and/or physically deleting Skype logs. At this point, only dedicated forensic tools can still be used to recover deleted databases and extract evidence from cleared Skype logs.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

In this article, we’ll look at tools, methods and techniques used by forensic specialists to handle evidence contained in cleared Skype histories and deleted SQLite databases, particularly those located on formatted or repartitioned hard drives or discovered in the computer’s volatile memory.

How Skype Stores History Logs

Before we begin analyzing Skype databases, let’s have a brief look at how Skype keeps its records.

  1. Skype maintains a main database in a file named “main.db”. In addition, Skype stores information about its activities in temporary “.dat” files. These files have alphanumerical names such as 0181a0a519e2c304.dat
  2. Skype uses SQLite database format and SQLite engine to keep its records. As a result, certain SQLite-specific considerations are applicable to Skype databases. As an example, records being deleted (“cleared”) from a Skype history are not erased immediately. Instead, they are temporarily placed into a so-called “freelist”. The deleted records will not be kept in the freelist forever, but if an investigator is analyzing the database fairly soon after the user cleans Skype history, the chance of getting some or even most information back is reasonably high.

Having said that, it’s pretty obvious that any Skype analysis tool used in the course of a forensic investigation must be able to recognize and recover records kept in the freelist.

In this article, we’ll be using several tools to analyze a sample Skype database. Our tools of choice are (in alphabetical order):

  • Belkasoft Evidence Center 6.0.527
  • Chat Examiner 3.1.4455.18335
  • Epilog 1.2.1
  • Forensic Assistant 1.3.3
  • Internet Evidence Finder 6.2.0.0202
  • Skype Extractor by Tim Coakley
  • SkypeAlyzer by Paul Sanderson
  • SkypeLogview 1.12

Searching for Skype Histories

During the investigation, experts often use automated disk scanning facilities provided by forensic analysis tools to locate all available Skype databases. Different tools use different approaches, and may or may not be able to locate certain files.

To see how the tools from our shortlist will behave in the course of a forensic investigation, we have created a set of sample Skype databases. The first database (DB1) was a Skype database containing empty strings. The second file (DB2) was a temporary Skype file. The third file (DB3) was also a Skype temporary file, yet it was named “driver_3.stl” (that is, it did not follow the naming convention for Skype temporary files).

Then we used the tools from our list trying to locate these files and extract any evidence available. The results are provided below in Table 1.

Table 1

Results for DB1

Tool

Result

Belkasoft Evidence Center DB1 recognized as a SQLite database. Discovered 61 chat messages, 1 call
Chat Examiner DB1 is not recognized as a SQLite database
Epilog DB1 recognized as a SQLite database. Discovered 1 chat message, 1 call
Forensic Assistant The tool crashed
Internet Evidence Finder DB1 is not recognized as a SQLite database
Skype Extractor DB1 recognized as a SQLite database. Discovered 2 chat messages, 1 call
SkypeAlyzer DB1 recognized as a SQLite database. Discovered 61 chat messages, 1 call
SkypeLogview DB1 is not recognized as a SQLite database

When analyzing the results for DB2 and DB3, we decided to put them into one table as the results were similar.

Table 2

Results for DB2, DB3

Tool

Result

Belkasoft Evidence Center DB2 and DB3 not recognized as valid Skype files.
Chat Examiner DB2 and DB3 not recognized as valid Skype files.
Epilog DB2 and DB3 not recognized as valid Skype files.
Forensic Assistant DB2 correctly recognized as a Skype temporary file. Discovered 2 chat messages.

 

DB3 correctly recognized as a Skype temporary file. Discovered 4 chat messages.

 

Internet Evidence Finder DB2 correctly recognized as a Skype temporary file. Discovered 2 chat messages.

 

DB3 correctly recognized as a Skype temporary file. Discovered 4 chat messages.

 

Skype Extractor DB2 and DB3 not recognized as valid Skype files.
SkypeAlyzer DB2 and DB3 not recognized as valid Skype files.
SkypeLogview DB2 and DB3 not recognized as valid Skype files.

 

.

Recovering Cleared Skype Histories and Deleted SQLite Databases

In real life, the evidence often is not easily available. Deleted files, formatted hard drives, reinstalled operating systems, the use of privacy protection software and cleared histories are routinely encountered during investigations. As a result, a forensic tool working with Skype must be able to carve the hard drive (or disk image) for any remaining evidence. The ability to access deleted records in Skype/SQLite  databases is a must as well.

For our test, we prepared a 250 GB disk image in the DD format. The disk was mounted with FTK Imager 3.1.3. The image was taken from a live system, and contained the following information:

–         The operating system was first installed on Mar 16, 2011

–         Skype was installed on Sep 28, 2012

–         Skype was being actively used until the operating system was re-installed on January 16, 2013

–         At the same time, the hard drive was formatted before having the new OS installed

–         A different Skype instance was installed on Mar 5, 2013

–         The system was in active use for 4 month until it was seized

Upon acquisition, the active copy of Skype “main.db” contained records going back to March 5th, 2013. It contained 29948 records, but did not contain information for 2012.

Our goal was attempting to recover old Skype records going all the way back to the initial instance.

Method 1: Using a Combination of Data Recovery and Forensic Tools

We used a data recovery tool Recover My Files 5.2.1.1964 to recover an old partition on the hard drive being acquired. However, the tools was unable to locate and recover Skype “main.db”. At the same time, the tool was able to recover a number of temporary files created by that old instance of Skype. In order to analyze the files, we used the following tools: Belkasoft Evidence Center, Forensic Assistant and Internet Evidence Finder .

As a result, Internet Evidence Finder was able to extract 21152 records; Forensic Assistant extracted 20395 records, Belkasoft Evidence Center extracted 5352 records. What’s important, all of these records belong to the period of interest before the new operating system was installed on January 16, 2013.

Method 2: Using Forensic Toolkits

Another method of recovering Skype data that goes missing involves carving of the fragments of SQLite databases used by the Skype instance of interest. The carving is a complex and time-consuming process. For that reason, it’s only implemented by few forensic tools. In our sample, only three products have the ability to carve SQLite databases: Belkasoft Evidence Center, Internet Evidence Finder and SkypeAlyzer. SkypeAlyzer was not tested but does have this facility.

To give an idea on how fast (or how slow) the carving process can be, here is our test bench configuration:

–         Supermicro – X8DTH-6F-O motherboard with Intel i5520 chip set supporting Intel Xeon X5500 series CPUs

–         Dual-CPU configuration with two Intel Xeon E5620 processors (2.4 GHz, 12 MB second-level cache)

–         48 GB DDR3 RAM (Kingston KVR1333D3D8R9S/4G DDR3-10600)

–         NVIDIA Quadro2000 with 1 GB DDR5 RAM, PCIExpressx16

–         Two HDDs Western Digital HDD SATA-II 2000Gb RE4, 7200 RPM, configured as a RAID1 array

–         Four HDDs Seagate 2000 GB SAS  Constellation ES 64Mb, 7200 RPM, configured as RAID0

–         Windows 7 Ultimate 64-bit SP1

By no means is this a high-end configuration for a PC used in the course of forensic investigations. In our experience, this is a typical configuration for intended use in 2013.

We used the corresponding carving features of Internet Evidence Finder and Belkasoft Evidence Center to collect SQLite/Skype evidence. Both tools offer fully automated carving, so we timed the process from start to finish.

–         Belkasoft Evidence Center: located 245,948 records in 110 minutes (2235 records per minute)

–         Internet Evidence Finder: located 154,056 records in 190 minutes (811 records per minute)

Conclusion

We performed a series of tests using real-world scenarios to discover Skype evidence located in SQLite databases as well as temporary files produced by Skype using multiple forensic tools including Belkasoft Evidence Center, Chat Examiner, Epilog, Forensic Assistant, Internet Evidence Finder, Skype Extractor, SkypeAlyzer, SkypeLogview. We have experienced the following results:

–         When analyzing corrupted and cleared Skype SQLite databases, Belkasoft Evidence Center and SkypeAlyzer revealed the most evidence.

–         When analyzing temporary files produced by Skype, Belkasoft Evidence Center, Internet Evidence Finder and Forensic Assistant are the best tools.

–         When carving the disk image for SQLite records Belkasoft Evidence Center and Internet Evidence Finder recover a similar number of records. However, Belkasoft Evidence Center demonstrates almost double the performance compared to Internet Evidence Finder.

About the Author: Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Contacting the Author: http://linkedin.com/in/igormikhaylovcf
Site: http://computer-forensics-lab.org

28 thoughts on “Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases”

  1. Belkasoft is mentioned as one of the best tools for analyzing Skype temporary files, while in table for analyzing DB2 and DB3 (both temporary Skype files) there’s a note that it did not recognized those bases as Skype files… Could you please send me or publish here those DB1-DB3 files to test them against other tools ?

    • While Belkasoft cannot detect renamed/recovered temporary files, the information from these files is perfectly found by their tool using chatsync carver. Thus, communication is not missed. Besides, regular temporary Skype files, if not renamed, are perfectly processed by Evidence Center.

      In my article I also did not touch questions of freelist recovery and SQLite database carving, what, as far as I know, if unique feature of Belkasoft, comparing to reviewed tools. Correct me, if I’m wrong.

    • I am not sure what are you referring to about “promote a lot”. This is my first post mentioning this company. Please be so kind and give me proof links of your words to make such statements.

      I am not an employee of Belkasoft nor I have any contracts with them. However, I have a paid license of their tool, which I like very much.

      Finally, if you don’t trust my conclusions about Skype extraction, you can check my results yourself.

  2. Igor,

    I’m very surprised at your results with Epilog as I have had a lot of success with recovering skype data from both good and corrupt databases.

    Would it be possible for you to share the settings you were using and also the test data? I would appreciate the opportunity to re-run your tests and if improvements to the tool are required, I can make them in the next version.

    Thanks,

    Alex

  3. I need to retrieve deleted skype chat history form my daughter’s cell phone. (chats were week of feb 19,2015). she has a stalker and we need evidence for court. Skype is unable/willing to help

  4. Hey Igor. I need some help. I need to retrieve a deleted skype chat history from my skype account. I think the chats were around February 2015 or earlier. I deleted the main.db a few times after that, so I don’t know how to recover it now. I did in fact try a third party file recovery tool, but I got the main.db file from 16 of November. I need it from 2014 October till March 2015. Is it possible to retrieve it?
    Thanks.

  5. Hi Igor, I need your help on retrieving my deleted main.db file of my Skype account back around January 2016. I reinstalled my Skype and I am having a problem on retrieving the chat history before the Skype was uninstalled. If it is possible, I hope you can assist me with this problem. Thanks a lot. Calvin.

    • Hello discussanythingdotcom, I can recover your Skype History from your mobile device (a smartphone, a tablet PC) or your account of Cloud (iClod or Google) or a backup of your smartphone of a hard drive from your PC.

      Best regards, Igor

  6. Hi,

    Is it possible to recover the deleted Skype chat between two parties. One was using android tablet and other one was using Samsung Galaxy Phone. They have deleted the chat and also the tablet and mobile phone has been changed as well and now they are using new tablet and mobile phone.

    Can you still recover the deleted chat between during the time period of February 2016 and April 2016 ?

  7. Hi Igor, very informative analysis. I am trying to recover deleted skype history from an android mobile phone. I have a dd raw disk image, taken in March 2016. However, the skype data was deIeted in the skype settings page “clear all data” in January 2016 so There is no main.db or even account showing thats recognisable in the normal directory structure. The period for which i need is October 2015-January 2016 and all communication was on this mobile phone for which i have the raw dd disk image taken in March 2016. I have tried as an amateur using some of the programs you kindly recommended for months. I cannot work out how to use a Hex viewer! Winhex etc. Internet evidence finder found carved chatsync chat messages (i assume from freelist?) for about 1 hour on one day only on Dec 2 2015, some image files are present, but there was a lot of skype chat/history data between October 15-Jan 16 that I desperately need and am struggling as to how to try and extract it from the phones raw disk image. I appreciate you’re probably very busy, but as an obvious expert who knows how to use these programs, may I humbly ask if I may use/hire your professional services. Many thanks, Igor and at a very minimum your article is extremely helpful. Thank you and Best Wishes

  8. I want to hire an expert forensics person to recover and deciipher Skype chatsync files on my Desktop PC. I am especially interested in recovering voice chat records from about 2012. I have already installed SQLite and ran the chatsync files through it. I got very few chat messages but did get a list of names, record numbers, dates of messages and time of messages. Can you provide this service and what approximately is the cost? Thank you.

  9. Hi – Great post – I am attempting to extract IM chats going back 5 years ago – the chats were deleted on the skype app around this time aswel – please can you email me – thanks

Leave a Comment

Latest Videos

Latest Articles