Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases

Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases: It is difficult to underestimate popularity of Skype. Hundreds of millions of people use Skype every day, generating a lot of potential evidence.

Recent versions of Skype are using SQLite databases to keep all history items. Chat logs, information about voice calls made and received, and a lot of other information is available in these SQLite databases. Accessing and analyzing this evidence is essential for many investigations involving a seized PC.

At this time, there are lots of tools that can be used to view and analyze SQLite databases. These tools range from freeware utilities to fully featured and highly expensive forensic suites. While viewing records an existing, healthy SQLite database is not a big deal, performing a forensic analysis of such database has quite different requirements.

Suspects may and do destroy evidence by clearing chat histories and/or physically deleting Skype logs. At this point, only dedicated forensic tools can still be used to recover deleted databases and extract evidence from cleared Skype logs.

In this article, we’ll look at tools, methods and techniques used by forensic specialists to handle evidence contained in cleared Skype histories and deleted SQLite databases, particularly those located on formatted or repartitioned hard drives or discovered in the computer’s volatile memory.