Perform Android SQLite Database Analysis with SQLite Database Viewer

Alessia Manon | Published: October 7, 2015 | SQLite Forensics

SQLite has become the first choice of database engine for many applications. Because it does not depend on a client-server architecture, it can be easily embedded into end programs. It is widely deployed in browsers, operating systems and other software. One popular operating system that deploys SQLite by default is Android, where it is primarily used for data storage. Moreover, Android browsers can store and retrieve information in an SQLite database from within the browser itself, with the help of the Web SQL Database technology.

Data Storage In Android Using SQLite

Android supports application-specific relational databases that use SQLite to store their data. Since SQLite databases are both lightweight and file-based, they make an ideal platform for embedded devices. The default file format for SQLite databases is .db. Other file extensions that denote an SQLite database are .sqlite, .sqlite3, .sqlitedb, and .db3, depending on the version of SQLite that has been deployed. During Android SQLite database analysis, the first step is to extract these SQLite database files from the device concerned. The database locations for some of the most important applications on an Android device are:

Text Messages/MMS

Text messages are helpful to the forensicator because they show the entire conversations between the suspect and others. Text messages and MMS are stored in the SQLite file named mmssms.db.

The location of this file is /data/data/com.android.providers.telephony/databases

Browser History

Apart from the default Android browser, a user may also use other browsers such as Google Chrome, Firefox, etc. The history of all these browsers is stored in SQLite .db files.

  • The default Android browser stores its data in a .db file at the location /data/data/com.android.browser.
  • History of other browsers such as Firefox is stored in files such as the following:

places.sqlite, key3.db, search.db, formhistory.db, cookies.sqlite, cert8.db

Social Networking

In Android SQLite database analysis, social networking applications such as Skype, WhatsApp, Facebook, etc. may reveal sensitive data that is useful to investigators.

  • WhatsApp

The data is stored in two SQLite files:

msgstore.db.crypt8 stored at location /data/data/com.whatsapp/files/key location

wa.db file at the location /data/data/com.whatsapp/databases/wa.db

  • Facebook

The entire data is stored in the fb.db file at the location /data/data/com.facebook.katana

  • Skype

Calls, contacts, messages, etc. are stored in the main.db file at the location /data/data/<app_package_name>
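The locations and extensions listed above only tell the examiner where to look; a file name does not prove a file is a readable SQLite database. The following Python triage routine is an added example, not part of the original article or of any tool it describes. It assumes the /data/data tree has already been copied to a working directory, and the sample tree, the sms schema and the notes.db file are constructed for illustration.

```python
import hashlib, os, sqlite3, tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
SQLITE_EXTS = (".db", ".sqlite", ".sqlite3", ".sqlitedb", ".db3")  # from the article

def list_tables(path):
    """Open the working copy read-only and return its table names."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()

def triage(root):
    """Return {relative path: record} for every file under an extracted tree."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            data = Path(path).read_bytes()   # whole-file read; fine for a small sample
            is_sqlite = data[:16] == SQLITE_MAGIC
            report[os.path.relpath(path, root).replace(os.sep, "/")] = {
                "sha256": hashlib.sha256(data).hexdigest(),  # record before analysis
                "sqlite_ext": name.lower().endswith(SQLITE_EXTS),
                "is_sqlite": is_sqlite,      # header check, independent of the name
                "tables": list_tables(path) if is_sqlite else [],
            }
    return report

def build_sample(root):
    """Constructed stand-in for an extracted /data/data tree (not real evidence)."""
    tel = Path(root, "com.android.providers.telephony", "databases")
    wa = Path(root, "com.whatsapp", "files")
    tel.mkdir(parents=True)
    wa.mkdir(parents=True)
    con = sqlite3.connect(str(tel / "mmssms.db"))
    con.execute("CREATE TABLE sms (address TEXT, body TEXT)")  # constructed schema
    con.commit()
    con.close()
    # An encrypted file does not carry the plaintext SQLite header.
    (wa / "msgstore.db.crypt8").write_bytes(b"\x00\x01constructed-ciphertext")
    (tel / "notes.db").write_bytes(b"plain text with a .db name")  # name-only match

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, rec in sorted(triage(root).items()):
            print(rel, rec["is_sqlite"], rec["tables"], rec["sha256"][:12])
```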

Forensic Analysis of Android via SQLite Database Viewer

Analyzing the SQLite databases embedded in Android cannot be accomplished without the assistance of forensic tools, because extracting and analyzing an SQLite database manually is a very complicated procedure. Forensic utilities such as SQLite Database Viewer therefore enable forensicators to perform a deep analysis of the SQLite data of an Android device. The software does not impose any limitation on the size of the SQLite database file that needs to be explored. It supports recovery of deleted as well as secured items from the Android SQLite database.

The additional benefits that the software offers are:

  • Provides indexing of the Android SQLite database.
  • Recovers evidence from a corrupted Android SQLite database.
  • Color schemes to differentiate data types such as deleted, normal, and secured data.
  • Support for analyzing the BLOB data type within an Android database.