AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

No Image Available
SQLite Forensics
 Author: Paul Sanderson  Publisher: Independently published  Published: 12 May, 2018  ISBN: 1980293074  Pages: 315  Language: English  Dimension: 19.05 x 1.8 x 23.5 cm
 Description:

SQLite is a self-contained SQL database engine that is used on every smartphone (including all iOS and Android devices) and most computers (including all Macs and Windows 10 machines). Each computer or phone using SQLite often has hundreds of SQLite databases and it is estimated that there are over one trillion SQLite databases in active use. Given the above, the importance of examining all of the data held in these databases in an investigation is paramount, and of course this includes examining deleted data whenever possible. In this book we cover the format of the SQLite database, and associated journal and Write-Ahead Logs (WAL) in great detail. We show how records are encoded, how to decode them manually and how to decode records that are partially overwritten. We also describe how the workings of SQLite, and in particular the journal and WAL, can be used to ascertain what has happened in a manner that cannot be determined from the data alone. We cover basic SQL queries and how they can be used to create a custom report that includes data from different tables, and we show how we can use SQL queries to test hypothesises about the relationships of data in different tables.This book is aimed mainly at forensic practitioners, and it is assumed that the reader has some basic knowledge of computer forensics; it will also be of interest to computer professionals in general particularly those who have an interest in the SQLite file format.