QQ 2009/2010 Extraction
In this article you will find details on how to make it possible to extract QQ 2009/2010 history using Belkasoft Forensic IM Analyzer. For the Chinese version, please refer to Sprite Guo's blog post.
QQ messenger versions 2009 and 2010 are very cryptic. Unlike many other messengers, QQ 2009/2010 makes it impossible to extract history if all you have is the history file.
The following list shows what you need to successfully extract history of QQ 2009 or 2010:
- A user's hard drive
- History file Msg2.0.db
- File Registry.db
- Connection to the Internet
It is not possible to extract any history without these prerequisites. You cannot extract history if you have no access to the original drive. You cannot extract history without an Internet connection.
Finally, conversation extraction is possible if the user saved their password (i.e. ticked the Remember my password checkbox) before the computer in question was seized, or if you know the user's password.
You will need to indicate the following in the software:
- A drive letter for the Windows installation on the user's computer. For example, if you connected the user's drive to your computer and now have drives M, N and O for the user's logical drives, you should probably select drive M if M:\Windows exists (or maybe N:\Windows or O:\Windows)
- A drive letter for the QQ installation. Usually this is the same drive as the Windows installation, but some users may install to another drive
- A path to the user's registry (Software branch). Usually this file is stored at a path like the following: C:\Windows\System32\config\SOFTWARE. Do not forget: it's the user's registry, not yours. If you use the drive letters above, it will probably be M:\Windows\System32\config\SOFTWARE.
When you have supplied all this data, the product will try to connect to the Internet. This is required in order to connect to a QQ server. You will have to allow such a connection in your firewall or antivirus tool. To protect your computer, you can restrict the allowed IP addresses to the QQ server addresses only:
- 121.14.75.64
- 58.60.14.37
- 219.133.60.36
- 58.60.15.39
- 58.251.63.61
- 121.14.75.50
If everything is set up correctly, the product will be able to decrypt the history.
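As an added example (not part of this article and not Belkasoft's own code), a small Python pre-flight check for the inputs listed above: it picks the mounted drive that holds \Windows, verifies Msg2.0.db and Registry.db are present, checks that the SOFTWARE file opens and carries the registry hive signature (a hive locked by a live Windows fails this, so you are reminded to copy it first), and builds a netsh egress allowlist for the six QQ server addresses. The QQ Users\<number> folder layout and the tool's program path are assumptions; the sample drive it builds is constructed, not real evidence.

```python
import os
import tempfile

# QQ server addresses listed in the article; the tool must be able to reach these.
QQ_SERVERS = ["121.14.75.64", "58.60.14.37", "219.133.60.36",
              "58.60.15.39", "58.251.63.61", "121.14.75.50"]
HIVE_MAGIC = b"regf"  # signature at offset 0 of every Windows registry hive file

def check_hive(path):
    """True only if the file opens (not a locked live hive) and has the hive signature."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == HIVE_MAGIC
    except OSError:  # missing, or locked because it is the examiner's own live SOFTWARE
        return False

def preflight(drives, qq_user_dir):
    """Derive the three inputs the tool asks for and list anything that is missing."""
    problems = []
    # Drive letter for the Windows installation: the first root that contains \Windows.
    win = next((d for d in drives if os.path.isdir(os.path.join(d, "Windows"))), None)
    if win is None:
        problems.append("no mounted drive contains \\Windows")
    for name in ("Msg2.0.db", "Registry.db"):
        if not os.path.isfile(os.path.join(qq_user_dir, name)):
            problems.append(f"{name} not found in {qq_user_dir}")
    hive = os.path.join(win, "Windows", "System32", "config", "SOFTWARE") if win else None
    if hive and not check_hive(hive):
        problems.append(f"{hive} is not a readable registry hive (copy it with HoboCopy)")
    return {"windows_drive": win, "qq_dir": qq_user_dir, "software_hive": hive, "problems": problems}

def egress_allowlist_rule(program):
    """netsh command allowing the tool outbound traffic to the QQ servers only.
    It restricts anything only if the firewall profile's default outbound action is Block."""
    return ('netsh advfirewall firewall add rule name="QQ extraction" dir=out '
            f'action=allow program="{program}" remoteip={",".join(QQ_SERVERS)}')

def build_sample_image():
    """Constructed stand-in for a mounted suspect drive; the QQ Users\\<number> layout is assumed."""
    root = tempfile.mkdtemp(prefix="suspect_drive_")
    cfg = os.path.join(root, "Windows", "System32", "config")
    os.makedirs(cfg)
    with open(os.path.join(cfg, "SOFTWARE"), "wb") as f:
        f.write(HIVE_MAGIC + b"\0" * 28)  # header signature is all this check inspects
    qq = os.path.join(root, "Program Files", "Tencent", "QQ", "Users", "12345678")
    os.makedirs(qq)
    for name in ("Msg2.0.db", "Registry.db"):
        open(os.path.join(qq, name), "wb").close()
    return root, qq
```

On a real case call preflight with the mounted drive roots (e.g. ["M:\\", "N:\\"]) and the QQ user folder; an empty problems list means the three fields can be filled in as the article describes.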
How to test?
To test the product against a new QQ, you have to create your own history, as sample history from another computer will not work on yours. Do the following:
- Install the latest QQ and do some chatting.
- Close QQ (otherwise it will keep the history file locked).
- Copy your SOFTWARE file using HoboCopy, e.g.
    hobocopy c:\windows\system32\config c:\Temp\Test software
  where c:\Temp\Test is an existing folder that you would like to copy the SOFTWARE file to.
- Run our tool, locate the history and fill in the required fields described above, using the copied SOFTWARE file rather than the original, as the original file is locked by Windows.