SQLite databases are becoming more and more of a focus point for the present-day Digital Forensics Specialist, with the increase of applications available on the app store providing a gold mine for digital evidence waiting to be discovered. Commercial forensic software companies are rapidly expanding their research and development departments, which are under constant pressure to keep up with the reverse engineering of applications on the market, and despite their best efforts, this is not feasible.
Updated 25th March 2015 at 23:01 by DCS
This article is related to running Sanderson SQLite Forensic Toolkit on a Mac OS X system. I apologize in advance for the lengthy read but please take the time to read everything and understand the concepts. I had to peruse the CrossOver wiki and support areas in order to understand what needed to be accomplished for unsupported applications to work.
Thanks to Paul Sanderson for encouraging me to put together this article.
Disclaimer: I am not affiliated with either
Many recent applications and even operating systems, particularly on mobile phones, have embraced the SQLite database as a standard. This means that as forensic investigators we need to be able to find and parse these databases as part of almost every case.
While there are tools that can examine specific SQLite databases, such as SkypeAlyzer and NetAnalysis, and these tools provide functionality to parse databases to look for deleted records and carve records from unallocated space.
On occasion I have looked at the fragmentation of a file to try and draw some conclusions as to how the file has been "built" on the disk, i.e. is the file contiguous or is the file fragmented. On one occasion this was used to prove that a file hadn't been part of just a mass copy exercise (where all the other files were contiguous and one after the other), all pretty basic stuff.
However today when playing with MFT entries I saw something that I had not seen before and that
Updated 8th August 2012 at 19:46 by Paul
I had been waiting with some anticipation for this book. I have done a lot with the registry over the years, including writing my own registry viewer, and I was looking forward to what I was hoping would be an authoritative reference; I was both pleased with what I got and a little disappointed.
I wanted to get the paper version but was too impatient to wait until it was released over on this side of the pond so I decided it was time to try a digital book.
To be fair
Updated 15th February 2011 at 19:16 by Paul