SQLite Database Forensics

Alessia Manon | Modified: July 21st, 2015 | SQLite Forensics

SQLite, a Structured Query Language (SQL) database engine, is a widely used database whose demand has grown over the past several years because of its extensive use in iPhone/iTunes and Android applications. SQLite is the ubiquitous database in which Internet browsers, web applications and software products keep their data. This flexible database has a limitation: it stores all of the users’ information in the form of files.

As a result, the opportunities for cyber criminals to perform their illegitimate activities on this platform have also increased. During an investigation, experts find that all the crucial information of user accounts, such as usernames, account numbers, passwords, etc., is stored in these databases, which gives an open invitation to criminals to perform their illicit activities. This gives rise to situations where experts need to perform SQLite forensic analysis on applications that use SQLite to store their database, in order to come up with evidence. The following section gives a detailed view of the same.

Restore Evidence from a SQLite Database

  • Structure of Database: Records of users’ activity are stored on disk. Investigators can carve deleted or partial records from the SQLite page structure, which starts with an 8- or 12-byte header. The unused space within a database page must also be analysed when carving records.
  • Recover Deleted Data: To carve evidence from a page holding deleted records, experts need to analyse the “Cell Pointer Array”, the array in the page header that stores the address of each cell within the page.
  • Browser History Analysis: During SQLite database forensics, experts can also extract evidence from the browser history, which contains information on downloads, keywords, URLs, visits and many more such vital activities. The “urls” table is the most relevant table, as it holds information on all visited URLs.
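As an added example (not part of the original article), the following Python parses a b-tree page the way the bullets above describe: it reads the 8- or 12-byte page header, the cell pointer array and the unallocated gap, walks the freeblock chain in which deleted cells remain, and checks whether a row deleted from a small browser-style urls table can still be carved. The table, its rows and the temporary file path are constructed sample data, and the script assumes the default rollback-journal mode.

```python
import os
import sqlite3
import struct
import tempfile

# page type flag -> (name, header length); interior pages carry a 12-byte header
PAGE_TYPES = {0x02: ("index interior", 12), 0x05: ("table interior", 12),
              0x0A: ("index leaf", 8), 0x0D: ("table leaf", 8)}

def parse_page(page: bytes, hdr_off: int = 0) -> dict:
    """Parse header, cell pointer array, unallocated gap and freeblocks (hdr_off=100 on page 1)."""
    kind, hdr_len = PAGE_TYPES[page[hdr_off]]
    first_free, n_cells, content_start, frag = struct.unpack(
        ">HHHB", page[hdr_off + 1:hdr_off + 8])
    content_start = content_start or 65536            # 0 encodes 65536
    arr = hdr_off + hdr_len                           # cell pointer array start
    pointers = struct.unpack(">%dH" % n_cells, page[arr:arr + 2 * n_cells])
    freeblocks, fb = [], first_free
    while fb:                                         # chain of (next, size) headers
        nxt, size = struct.unpack(">HH", page[fb:fb + 4])
        freeblocks.append((fb, size))
        fb = nxt
    return {"kind": kind, "n_cells": n_cells, "pointers": list(pointers),
            "unallocated": page[arr + 2 * n_cells:content_start],
            "freeblocks": freeblocks, "fragmented_bytes": frag}

def demo() -> dict:
    """Constructed urls table; delete one row, then carve it from the leaf page's freeblock."""
    path = os.path.join(tempfile.mkdtemp(), "history.db")   # constructed path
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")   # leave deleted cell bytes in place
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    con.executemany("INSERT INTO urls VALUES(?,?,?)", [(1, "http://example.com/", "Example"),
        (2, "http://deleted.example/secret", "Deleted"), (3, "http://example.org/", "Org")])
    con.commit()
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE name='urls'").fetchone()[0]
    con.execute("DELETE FROM urls WHERE id = 2")    # middle cell becomes a freeblock
    con.commit()
    con.close()
    with open(path, "rb") as f:
        data = f.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size          # 1 encodes 65536
    page = data[(root - 1) * page_size:root * page_size]
    info = parse_page(page, 100 if root == 1 else 0)
    # only the 4-byte freeblock header overwrites the old cell; carve the remainder
    residue = b"".join(page[off + 4:off + size] for off, size in info["freeblocks"])
    info["deleted_url_recovered"] = b"http://deleted.example/secret" in residue
    return info
```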

Extract Key Artifacts from Social Networking/IM Chats

The rapid growth in the usage of social networking sites and Android applications has encouraged forensic investigators to perform SQLite forensic analysis and extract evidence from such applications:

  • WhatsApp Forensics: There are two SQLite database files created by WhatsApp: msgstore.db and wa.db. The msgstore.db file contains the conversation details between a user and their contacts, whereas wa.db stores information on the user’s contacts. The locations of the two files are:
    • /data/data/com.whatsapp/databases/msgstore.db
    • /data/data/com.whatsapp/databases/wa.db
  • WeChat Forensics: WeChat chat messages are saved in the encrypted EnMicroMsg.db SQLite database file. SQLCipher is an open source extension used to encrypt the EnMicroMsg.db file, which is found in the /data/data/com.tencent.mm directory.
  • Facebook Forensics: The Facebook application stores users’ SQLite data, such as Facebook chats, messages, status updates, comments, etc., in the fb.db file, which can be extracted from /data/data/com.facebook.katana/database/fb.db. To perform a forensic investigation on the Facebook database, experts first need to copy the data to a computer. Artifacts of chats and messages mainly exist in the memory of the running machine.
  • Skype Forensics: Skype also uses a SQLite database to store contacts, call information, history items, SMS and a lot of other information. All of these artifacts are found in the main.db file located at ROOT\Users\%userprofile%\AppData\Roaming\Skype\%SkypeName%\main.db. The main.db file consists of two tables in which all the objects related to the call log are stored. During SQLite forensic analysis, accessing and extracting evidence from this file is obligatory for many investigations.

All of the above mentioned manual processes assist experts in performing an investigation of a SQLite database. But these processes are very time consuming, and in forensic analysis time is a very challenging factor. To overcome this, forensicators need a platform that helps to analyse and extract evidence from SQLite (.db) database files.

Perform Forensic Investigation via SQLite Database Forensics Tool

The software is one of the most notable and impeccable tools developed to enhance the investigation process and to ease the efforts put forth by experts in forensic analysis of SQLite databases. The tool is armed with key features that assist investigators in yielding a better output from their investigation in the least possible time.

System Requirements:

  • Operating System Supported: Windows 8.1 and earlier Windows versions
  • Processor: 1GHz
  • RAM: 512 MB
  • Hard Disk Space: 5 MB

Recovering deleted records from a SQLite (.db) file is the most crucial part of any forensic investigation. Therefore, by using this tool forensicators can create a comprehensive report of the case. Moreover, the tool also provides the option to export the DB file to an MS Access or SQL Server database for further analysis.