This tool stems from the need to extract unencrypted Skype chat from a RAM dump.

Its a bit old now and needs some work but people still have good results from it:-

1. Run Strings against your RAM dump
2. Run the Skypeex tool against the resulting Strings file
3. It will carve out all the Skype chat lines it can see as well as trying to find and extract all the Skype sessions and ‘orphan’ chats that have been created.

It’s interesting to note that the latter process even seems to find the ‘spam’ message sessions that you sometimes receive.

This has been tested on dump files from Windows XP2, XP3 and 7 with Skype 3.8 through 4.2.

Please do not hesitate to get in touch with ideas and improvements.


skypeex26 is designed for use under Python 2.6

For best testing results, have several Skype IM chats with friends and then image your RAM. On a windows box, use any tool to grab RAM (tested on Win XP SP2/3):

I recommend dumpit from Matthieu Suiche –

Run strings against the RAM image (e.g. Windows version can be found in Helix distro)
example: strings c:\ramdump.dd > c:\stringsout.txt

On linux box do:
strings ramdump.dd > stringsout.txt

Script usage –
from command shell – python – then, when prompted, simply provide the path to the strings output file.

The output files will be written to the folder where the script is run from. The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and carved orphan chats. Please expect many duplicates and some false positives.

In the CSV file the ‘Timestamp’ column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I’m writing a UNIX time decoder but it doesn’t work yet.

The primary message content is in the ‘body_xml’ column.