I used Forensic Browser for SQLite at the University of Washington Tacoma for our class project. Forensic Browser for SQLite is easy to learn and user friendly. The YouTube videos by Paul Sanderson make it even easier to understand the tool and its different fields for creating a readable report. We used a different tool to extract the data and used Forensic Browser for SQLite to create the report.
While presenting in the class it came to our attention that after changing the date
SQLite databases are increasingly a focus for the present-day digital forensics specialist: the growing number of applications available on the app stores is a gold mine of digital evidence waiting to be discovered. Commercial forensic software companies are rapidly expanding their research and development departments, which are under constant pressure to keep up with reverse engineering the applications on the market, and despite their best efforts this is not feasible.
Updated 25th March 2015 at 23:01 by DCS
This article covers running the Sanderson SQLite Forensic Toolkit on a Mac OS X system. I apologize in advance for the lengthy read, but please take the time to read everything and understand the concepts. I had to peruse the CrossOver wiki and support areas in order to understand what needed to be done for unsupported applications to work.
Thanks to Paul Sanderson for encouraging me to put together this article.
Disclaimer: I am not affiliated with either
Many recent applications, and even operating systems, particularly on mobile phones, have adopted the SQLite database as a standard. This means that as forensic investigators we need to be able to find and parse these databases as part of almost every case.
There are tools that examine specific SQLite databases, such as SkypeAlyzer and NetAnalysis, and these tools provide functionality to parse databases to look for deleted records and to carve records from unallocated space.
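The two recovery steps named above, looking for deleted records and carving from unallocated space, come down to knowing where an SQLite file keeps bytes that no live row owns. The following is an added example written for this page, not code from Sanderson Forensics or from either tool named above: it parses the SQLite 3 file header and b-tree page headers directly, enumerates the three kinds of dead space (freeblocks left by deleted cells, the unallocated gap between a page's cell-pointer array and its cell content area, and whole pages on the freelist), then searches or string-carves those regions. The table, the message bodies and the file name app.db are constructed for the demonstration; the PRAGMA secure_delete setting is made explicit because some SQLite builds default it on, and with it on the deleted bytes are zeroed and nothing below is recoverable.

```python
import os
import re
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"
LEAF_PAGES = (0x0D, 0x0A)        # table leaf, index leaf (8-byte page header)
INTERIOR_PAGES = (0x05, 0x02)    # table interior, index interior (12-byte header)


def read_header(data):
    """Page size and first freelist trunk page, from the 100-byte file header."""
    if data[:16] != MAGIC:
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:           # the value 1 stands for 65536
        page_size = 65536
    return page_size, struct.unpack(">I", data[32:36])[0]


def freelist_pages(data, page_size, trunk):
    """Walk the freelist trunk chain; every page on it holds no live cells."""
    pages = set()
    while trunk and trunk not in pages:
        pages.add(trunk)
        base = (trunk - 1) * page_size
        nxt, count = struct.unpack(">II", data[base:base + 8])
        pages.update(struct.unpack(">%dI" % count, data[base + 8:base + 8 + 4 * count]))
        trunk = nxt
    return pages


def unused_regions(data, page_size, pgno):
    """Yield (kind, page, offset, bytes) for space on a b-tree page no live cell owns."""
    base = (pgno - 1) * page_size
    hdr = base + 100 if pgno == 1 else base      # page 1 begins with the file header
    ptype = data[hdr]
    if ptype not in LEAF_PAGES + INTERIOR_PAGES:
        return                                   # overflow or unknown page: skip
    first_free, ncells, content_start = struct.unpack(">HHH", data[hdr + 1:hdr + 7])
    content_start = content_start or 65536
    ptr_end = hdr + (8 if ptype in LEAF_PAGES else 12) + 2 * ncells
    if base + content_start > ptr_end:           # gap between pointer array and cells
        yield "unallocated", pgno, ptr_end - base, data[ptr_end:base + content_start]
    seen, off = set(), first_free
    while off and off not in seen:               # freeblock chain (loop-guarded)
        seen.add(off)
        nxt, size = struct.unpack(">HH", data[base + off:base + off + 4])
        # a freed cell keeps its bytes; only its first 4 are replaced by this header
        yield "freeblock", pgno, off + 4, data[base + off + 4:base + off + size]
        off = nxt


def scan_free_space(path):
    """All unused regions in the file as (kind, page, offset, bytes)."""
    with open(path, "rb") as fh:
        data = fh.read()
    page_size, trunk = read_header(data)
    on_freelist = freelist_pages(data, page_size, trunk)
    regions = []
    for pgno in range(1, len(data) // page_size + 1):
        base = (pgno - 1) * page_size
        if pgno in on_freelist:
            regions.append(("freelist", pgno, 0, data[base:base + page_size]))
        else:
            regions.extend(unused_regions(data, page_size, pgno))
    return regions


def carve_strings(path, min_len=6):
    """Printable ASCII runs in free space: a rough view of deleted record content."""
    return [(kind, pgno, off + m.start(), m.group().decode())
            for kind, pgno, off, blob in scan_free_space(path)
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def locate(path, needle):
    """Free-space regions containing `needle` (bytes), as [(kind, page, offset)]."""
    return [(k, p, o) for k, p, o, blob in scan_free_space(path) if needle in blob]


# Constructed sample data for this example.
BODIES = ["msg-1 meet at the usual place", "msg-2 bring the documents",
          "msg-3 delete this after reading", "msg-4 running late",
          "msg-5 wiped from the app, or so they think"]


def build_sample_db(path):
    """Five rows inserted, then rows 3 and 5 deleted; deleted bytes stay on disk."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # explicit: some builds default it ON
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)", [(b,) for b in BODIES])
    con.commit()
    con.execute("DELETE FROM messages WHERE id IN (3, 5)")
    con.commit()
    con.close()
    return path


def demo():
    """Map each original body to the free-space regions it was found in."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_db(os.path.join(tmp, "app.db"))
        return {body: locate(db, body.encode()) for body in BODIES}


if __name__ == "__main__":
    for body, hits in demo().items():
        print("%-45s %s" % (body, hits or "live row: not in free space"))
```

Running it shows why a plain record parser misses the two deleted rows: row 3 sat between live cells, so its bytes survive in a freeblock, while row 5 was the most recently written cell at the top of the content area, so SQLite simply moved the content-area pointer and its bytes now sit in "unallocated" page space with no freeblock pointing at them. The first four bytes of each dead cell (payload length, rowid, record-header length and the first serial type) are overwritten, so the body text is recoverable but its rowid is not; a deleted record carved this way cannot be attributed to a row id from the free space alone.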
On occasion I have looked at the fragmentation of a file to try and draw some conclusions as to how the file has been "built" on the disk, i.e. whether the file is contiguous or fragmented. On one occasion this was used to prove that a file hadn't simply been part of a mass copy exercise (where all the other files were contiguous and one after the other); all pretty basic stuff.
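The contiguity check described above is read out of the data-run list of a non-resident $DATA attribute in the file's MFT record. The following is an added example written for this page, not the author's own code: it decodes NTFS data runs (each run is a header byte whose low nibble gives the size of the cluster-count field and whose high nibble gives the size of the signed, relative LCN offset field; an offset size of zero marks a sparse run; a 0x00 header ends the list), reports whether a file is contiguous, and checks the "one after the other" pattern across several files. The run lists below are constructed for the demonstration and are not taken from any real volume; extracting the run bytes from the MFT record is assumed to have been done already.

```python
def decode_data_runs(runs):
    """Decode an NTFS data-run list into [(start_lcn, cluster_count)].

    start_lcn is None for a sparse run. Each stored offset is signed and
    relative to the starting LCN of the previous non-sparse run.
    """
    out, lcn, i = [], 0, 0
    while i < len(runs) and runs[i] != 0:        # 0x00 header terminates the list
        len_size, off_size = runs[i] & 0x0F, runs[i] >> 4
        i += 1
        length = int.from_bytes(runs[i:i + len_size], "little")
        i += len_size
        if off_size == 0:                        # sparse run: no clusters on disk
            out.append((None, length))
            continue
        lcn += int.from_bytes(runs[i:i + off_size], "little", signed=True)
        i += off_size
        out.append((lcn, length))
    return out


def is_contiguous(runs):
    """True when every allocated run starts exactly where the previous one ended."""
    prev_end = None
    for start, count in runs:
        if start is None:
            continue
        if prev_end is not None and start != prev_end:
            return False
        prev_end = start + count
    return True


def back_to_back(run_lists):
    """True when each file's first extent begins where the previous file's last ended,
    the layout a sequential mass copy onto a fresh volume tends to leave behind."""
    prev_end = None
    for runs in run_lists:
        ext = [(s, n) for s, n in runs if s is not None]
        if not ext:
            return False
        if prev_end is not None and ext[0][0] != prev_end:
            return False
        prev_end = ext[-1][0] + ext[-1][1]
    return True


# Constructed run lists (hypothetical, for the demonstration only).
FILE_A = bytes.fromhex("21 10 00 10 00")                   # 0x10 clusters at LCN 0x1000
FILE_B = bytes.fromhex("21 20 10 10 00")                   # 0x20 clusters at LCN 0x1010
FILE_C = bytes.fromhex("21 08 40 10 11 08 F0 00")          # 8 at 0x1040, then 8 at 0x1030
FILE_D = bytes.fromhex("21 04 00 20 01 04 21 04 10 00 00") # 4 at 0x2000, sparse 4, 4 at 0x2010


if __name__ == "__main__":
    for name, raw in (("A", FILE_A), ("B", FILE_B), ("C", FILE_C), ("D", FILE_D)):
        runs = decode_data_runs(raw)
        print(name, [(hex(s) if s is not None else "sparse", n) for s, n in runs],
              "contiguous" if is_contiguous(runs) else "fragmented")
    print("A then B back to back:", back_to_back([decode_data_runs(FILE_A),
                                                  decode_data_runs(FILE_B)]))
```

FILE_C shows the case worth a second look: its second run has a negative offset, so the file's clusters are physically out of order even though both runs are tiny, and a tool that only counts runs would report the same "2 fragments" for it as for a file whose runs happen to go forward. FILE_D shows that a sparse run breaks on-disk contiguity without occupying any clusters at all.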
However today when playing with MFT entries I saw something that I had not seen before and that
Updated 8th August 2012 at 19:46 by Paul