Viber.db

[Ena Marklund]

Iwas using Viber in both PC (not the windows 8 metro style app) and Mobile phone. Unfortunately I lost my phone. Still I can use the desktop version of Viber . I can see all my contacts there (Viber + non-Viber). I need to retrieve those contacts as .vcf or any other standard format which we use to store contacts.

You can open viber.db in C:\Users\USERNAME\AppData\Roaming\ViberPC\YourNumber with WordPad and somewhere in the beginning of the file you will find contacts phone numbers. Just enter them manually in your new phone and they will appear on you contacts list in Viber.

Or download command-line shell for accessing and modifying SQLite databases and copy sqlite3.exe , viber.db and data.db to C:\. Then in CMD(start -> run -> cmd.exe) position yourself on C:\ and enter sqlite3.exe viber.db

Then enter:

I may end up putting more queries here when I discover them but below you'll find the basic one to dump out a summary of messaging. It converts the Unix timestamp dates into readable ones, and tells you which way the messsage went too. If you have any other such queries, let me know, and I'll include them: there didn't seem to be much on this around the internet.

How you run the query is up to you. I previously used an SQlite extension for Firefox, but recently found the DBeaver cross platform Database app, and its working a treat across sqlite, mysql, postgresql, so that's my favourite right now. Just run the query and export to CSV, using a strange delimiter such as '' so the message isn't split into many fields at each comma.

You could also run the query from the commandline: copy the command to a file, say viber.sql, and then use the following, suitable for a backup script perhaps.

After a comment about the query no longer working, I discovered that Viber has changed the database format, and the Events.Timestamp field now contains thousandths of a second (although it doesn't seem to use them). So if the one above returns null values for Time, then try dividing it by 1000 like this.

Sorry for the late reply. I'm not used to getting comments here that aren't spam!

With Dbeaver, first you have to set up a connection. For Sqlite, that's basically pointing it at the file you want to open. I'd recommend copying the database to another file, so you don't mess up the original.

=fmq6-wvbxyA

You'd also have to make sure the dbeaver sqlite driver extension is installed. And you may have to install support in your OS too. For debian/ubuntu that would be "apt install sqlite3"

I think the database contains some extra information that ties it to your current installation. I did try copying the db, but it didn't work.

Possibly the way to do this would be to insert the old messages into the new database. But that looked like a lot of work. In the end I just settled for a historic, archival record of the messages.

Hi there, thanks for this. I managed to extract the messages, however the time is null.

If I put Event.TimeStamp infornt of the Select statement, I can get the timestamp in Unix time.

What is the correct way to convert the time stamp?

Hi Rob. I've updated the query above. Seems that they're now using a different unixepoch format that includes an extra three zeros on the end, which I haven't seen before. Dividing by 1000 solves this.

Hi, so can you confirm, that the ViberPC viber.db file is not encrypted? Can I open it just like that?

My problem is that the Viber on PC, which I had been using for 5 years kicked me out for some reason, invalid registration etc. and now asks me sign in as I would not be an existing user. So I am afraid now, if it will destroy my old messages, and sync them with my Viber mobile, which has history only for 2 years, not 5 years. So 1) I'm happy if I can access, read, search etc. viber.db messages, but 2) extremely happy, if I could restore the old viber.db in place in case the new installation deletes the old messages.

Do you have any experience on this kind of problems? Or where could I find help? After 5 hours of browsing the internet with multiple specific key words I find very little information. Maybe because Viber is not close as popular program as WhatsApp. But I like Viber quite a lot because of the crazy stickers and more relaxed environment than WhatsApp.:)

Hi, quick update after my previous post, I could actually use your script quite easily. First time I play with sql database, but it is not so difficult. I installed also the DBeaver, but I didn't find the Query window, so I figured out to try with old fashioned way with the Windows cmd and the sqlite3 script. It did the work very fast. Then it was just regular excel work to transfer text to columns, and the '' helped a lot. By the way, the only problem was, that the cmd did not approve the '', it gave strange error message. But luckily I tried to change that to "" and it worked.

sorry and is there a way to extract a specific bit of text from a message using part of the message text? e.g If the message was "This is the message text I am looking for and don't know how to do it"; can I use part of the text as an example: "This is the message text"

Hi John H. If you used this bit of the sqlite command

-csv -separator ''

Then it will separate fields with that character. If you import the file into Excel, just tell it to use that character as the delimiter instead of a comma, and it should import the file fine.

John H. Sorry for the confusion. The "-csv-separator ''" was referring to the command-line method of extracting the data. But if you're using the DBeaver method that won't be relevant. It's a long time since I wrote the original post, so I'd forgotten that I was giving you two ways to get the data.

I came across this and really need some help. You would probably come the closest to someone who would understand. I have an iPhone 6 (I realize it's different, but) and due to my own fault, my storage got really full and overloaded the phone. It corrupted the photos app (iphone's own photos app that contains camera roll) somehow and I couldn't even open the app- it would just be a blank screen and crash. However, all the pictures remain and take up the same storage (100 gb). Yesterday, my Viber app glitched too and suddenly I couldn't scroll back up to my old messages like I could before- it just stopped at a very recent date. Tragically this happened but the app data still takes up the same amount of storage (400 mb) so I'm hoping somehow, I can do something to repair the Viber cache/database/sqlite/file/whatever it is, reboot it, and the app will magically repopulate all the messages. Problem is I can't back up my phone to itunes or any program before I start on a solution. Because of the glitches/corruption, I can't even do that. Would you know any solution? Or know anyone who could?? I would be willing to pay.

The forensic investigation of this messaging application is extremely straight forward, as all the information are stored in a single SQLite database named viber.db along with other db and config files. This file is located under AppData Roaming on Windows. The full path will follow this structure:

Please note that the phone number neither includes a + nor 00 for the country code, for the US this would be just 1. Once located, the file can easily be loaded into a SQL lite browser of your choice. I was using DB Browser for SQLite, but pretty much any software such as DBeaver or HeidiSQL would do.

In the current version (14.6.0), the database consists out of 15 tables, which are most interlinked through an events table (click on the image to make it bigger or open in a new tab). From a digital forensics perspective, the most interesting ones are undoubtedly the messages, calls and the contact tables as these might hold some potential evidence about the case you are inspecting.

This was a really fun little project, as it allowed me to play around with a previously unknown messenger and do some investigative work. Seeing that all messages can be synced in there entirety and stored in an unencrypted format, makes it an extremely interesting target for any forensic investigation. Even though this post could only scratch the surface of the data stored in the SQLite database, due the limited time which I could spend on this project, it should be enough to get your own investigation started. I hope this post is also useful for your own forensic investigation.

One of the ways to recover lost or deleted files is the RS Partition Recovery program, with which you can quickly recover all lost data, including the file viber.db, which is necessary to recover the message history.

3a8082e126