IT Security Lab The Playground for IT Security Specialists and Pentesters

20 Aug 2010, 12 comments

Skype .dat reader is updated

Happy days! The new version of the Skype ChatSynch reader tool is already [here] (binaries and source files in Delphi). New functionality added:

  • Date-time stamp of every message is extracted
  • The IDs of the conversation's parties are properly extracted and matched with the messages.
  • Many different bugs fixed.

Big thanks to Rasmus Riis Kristensen from the Computer Crime Unit of the Danish National Police for reverse engineering the location of the data in Skype .dat files. This is how the Skype reader looks now:

More information about the tool: read the [previous post]. I am happy to know that the program is used by people (also as a forensic tool!) and is still under development. If you can help with more information about the data structure of the Skype files, this would be veeeery much appreciated... :)

7 Jul 2010, 9 comments

Read Skype Data: Chatsync and SQLite

Recently I did some research into the way Skype stores its conversation logs. I was pleasantly surprised that the chat data on the user's computer is stored in a very simple form.

The data stored by Skype (I have version 4.2.0.169) seems to be stored in two places and in two completely different formats (btw: does anybody know why? kind of "backward compatibility"?):

  • .dat files in the \chatsync folder
  • SQLite database files (the interesting file: main.db)

So to access the data we need either to read it from the .dat binaries or open the database files with any SQL frontend. Simple.

1. Accessing data from the .dat files

There are plenty of Skype log readers around on the Internet, but why not try to write my own tool on such a beautiful summer evening! :)

All right, so what kind of files and data are we dealing with? All conversations are stored in the \chatsync folder, which has many subfolders with binary .dat files inside. Each .dat file is basically a new conversation.

So if we want to get all messages exchanged between User 1 and User 2 we have to:

  • Create one big list of all files in all subfolders and sort them by timestamp.
  • Read the conversation id from each .dat file (it is at a fixed offset, 0x35, at the very beginning of each file).
  • Create a sorted list of all conversations between the pair of users (User 1 <-> User 2) and (User 2 <-> User 1).
  • Read the chat messages from every .dat file on this "dedicated list" and store them somewhere.

How to retrieve the messages? Each chat message starts with the prefix (0x03 0x02) and ends with a null byte (0x00).
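The steps above as an added Python example; this is not the author's Delphi code. It assumes the conversation id is a NUL-terminated string starting at 0x35 and that both user ids appear inside it; all function names are hypothetical and `build_sample` produces constructed data, not a real Skype file.

```python
import os

CONV_ID_OFFSET = 0x35      # from the post: conversation id at fixed offset 0x35
MSG_PREFIX = b"\x03\x02"   # from the post: a message starts with 0x03 0x02 ...
MSG_END = b"\x00"          # ... and ends with a null byte

def read_conversation_id(data):
    # Assumption: the id is a NUL-terminated string that begins at 0x35.
    end = data.find(b"\x00", CONV_ID_OFFSET)
    if len(data) <= CONV_ID_OFFSET or end == -1:
        return None        # truncated or unexpected file
    return data[CONV_ID_OFFSET:end].decode("utf-8", errors="replace")

def extract_messages(data):
    # Collect every byte run between a 0x03 0x02 prefix and the next 0x00.
    messages, pos = [], 0
    while (start := data.find(MSG_PREFIX, pos)) != -1:
        start += len(MSG_PREFIX)
        end = data.find(MSG_END, start)
        if end == -1:      # unterminated tail: stop instead of guessing
            break
        if end > start:    # ignore empty hits
            messages.append(data[start:end].decode("utf-8", errors="replace"))
        pos = end + 1
    return messages

def read_chatsync(root, user1, user2):
    # List all .dat files in all subfolders, oldest first.
    paths = [os.path.join(d, f) for d, _, files in os.walk(root)
             for f in files if f.lower().endswith(".dat")]
    paths.sort(key=os.path.getmtime)
    log = []
    for path in paths:
        with open(path, "rb") as fh:   # read-only access to the evidence
            data = fh.read()
        conv = read_conversation_id(data)
        # Assumption: both user ids appear as substrings of the conversation id.
        if conv and user1 in conv and user2 in conv:
            log.extend((conv, m) for m in extract_messages(data))
    return log

def build_sample(conv_id, messages):
    # Constructed test data, not a real Skype file: zero header, id, messages.
    body = b"".join(MSG_PREFIX + m.encode() + MSG_END for m in messages)
    return b"\x00" * CONV_ID_OFFSET + conv_id.encode() + b"\x00" + body
```

Because this carves on a two-byte pattern rather than parsing the file structure, the same bytes can occur in non-message data, so treat each hit as a candidate string and cross-check it against main.db.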

I am quite far from the idea of doing a complete reverse engineering of the .dat files, but below you may find a small proof of concept (see the binary file and the source code in Delphi). When you run the application you have to provide the full path to your \chatsync folder. Here is how it looks:

The program can collect data while Skype is running. FYI: some of the .dat files may be locked by Skype, so the correct way to open them (in read-only mode) is:

   fs := TFileStream.Create(chatSyncFName, fmOpenRead or fmShareDenyNone);

If you modify the source code a little and track the changes in those files (e.g. by monitoring the datetime stamp), you can basically write a Skype conversation sniffer in an hour or so. ;)

2. Accessing SQLite database files

This is even easier: locate the "main.db" file and open it with an SQLite editor (e.g. SQLiteSpy is good enough). Now you have a very nice and elegant way to do whatever you want with the data by executing an appropriate SQL query:

User 1 and User 2