Is the Forensic Browser for SQLite the tool for you?
Forensic Browser for SQLite is part of the SQLite Forensic Toolkit
For corporate or law enforcement investigators a fully functional demo licence for the Forensic Toolkit for SQLite can be obtained by clicking here and providing your official email address, full name and position within your organisation.
Forensic Browser for SQLite allows you (all without typing a single sql query) to:
- Automatically recover deleted and partial records from DBs and associated journals/WALs
- Remove duplicate records if required
- Identify multiple previous database states from DBs with WAL files
- Break down complex binary plist and Facebook orca2 blobs and perform queries on the resulting data
- Perform a simple visual select on some or all of the fields in a table
- Perform more complex visual joins on multiple tables
- Add groups, aliases and where clauses if required
- View the resulting SQL select commands of the above
- See the resulting table in a grid form and further sort and filter results
- Convert numbers to dates (Unix10/13, Windows 64 bit, NSDate/Chrome, Mac absolute and more)
- Find and display pictures in blobs (JPG, PNG, GIF, TIF etc.)
- Import pictures held in the file system to associate and display in a query/report
- Display a number as meaningful text (sent/received/draft etc.)
- Display latitude and longitude fields on a map
- Export a selected blob or all blobs in DB to a file
- Build and integrate custom extensions
- See the hex that relates to a particular record and identify exactly where in a DB/journal/WAL the record comes from
- See hex view of blobs
- Decode a binary plist stored as a blob
- Decode base64 encoded text/data
- Choose which columns you want to see in the grid/report
- Iteratively go back and modify your SQL if the results are not as expected
- Highlight SQL errors if you choose to create queries by hand (no errors if you use the drag and drop visual query designer)
- Preview a report with custom headers/footers/formatting
- Print the report to HTML/XLSX/CSV/PDF and save your SQL query with the report
- Unicode support
- Add different formats for dates and times in individual fields
- On the fly Timezone adjustments
- Find and review all SQLite databases in a folder structure
- Translate iOS backup folder names
- Maintain a query history that you can revisit
- Provide a case manager for often used queries that you can share between users
- Attach and query across multiple databases
- Maintain a case log of actions
and lots more...
I have written browser extensions to:
- Extract and display the images (attachments) for the Kik messenger stored in external binary plists
- Convert Facebook geolocation fields so that the browser can display a map of where a message was sent
- Decode Tango messenger base64 encoded message structures
- Import downloaded pictures saved with BlackBerry Messenger on iOS
- View the content of the Google Chrome Cache files
- Decode the usernames and IP addresses from Skype ChatSync files
* These extensions are unsupported and may be written by third parties
Dates and times in databases are rarely stored in human readable format; they are normally stored as one of a variety of encoded values, usually a large number. The Forensic Browser allows you to use an alternate display for a numeric field (without cluttering the output grid with extra columns), and this display will also be carried through to any report.
A number of applications embed images as blobs within tables (Skype and WhatsApp are two common ones). The Forensic Browser allows the user to display blob fields as pictures (jpg, ico, png, bmp, gif, tif), and again carry these pictures through to any report.
Database designers regularly use numbers to represent different values (yes/no, male/female, sent/received/draft etc.). The Forensic Browser allows you to provide custom aliases for numbers in columns and save them for re-use.
This animated gif shows a 10 digit Unix epoch date converted to a date/time string, a jpg held in a blob displayed as the user's picture/avatar and a numeric "gender" field converted to a pre-entered set of aliases "male, female or unknown".
Creating a report with The Forensic Browser is as simple as choosing what tables and fields you want, converting date formats and pressing the create report button. Reports can be customised for layout with user defined headers and footers, background colour, landscape or portrait page orientation... Reports can be saved to HTML/XLSX/CSV.
The Forensic Browser can do much more than create a simple report on one table from a database. More complex queries can be designed to amalgamate data from two or more tables (for example you could show the avatar of a Skype user next to each message they authored). As in the example below from the Kik application, you could also join two tables so that the username can be shown next to a message, rather than the user ID. Alternatively, you could create a report showing just the messages between a selection of users from a Skype database, or, as in the screenshot below, the Skype conversations using the messages table joined with the contacts table to show the avatar image of the author of each message.
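The date conversion, numeric aliases and two-table join described above can be reproduced by hand to cross-check a tool's output. The following is an added example, not code from the Forensic Browser: the table layout, sample rows, numeric codes and format key names are all constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX = datetime(1970, 1, 1, tzinfo=timezone.utc)
WIN = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows 64 bit and Chrome epoch
MAC = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Mac absolute time epoch

# (epoch, ticks per second) per encoding; the key names are this example's own
FORMATS = {
    "unix10": (UNIX, 1),
    "unix13": (UNIX, 1_000),
    "filetime": (WIN, 10_000_000),   # 100 ns intervals
    "chrome": (WIN, 1_000_000),      # microseconds
    "mac_absolute": (MAC, 1),
}

def decode(value, fmt):
    """Return a UTC date/time string for a raw numeric timestamp."""
    epoch, per_sec = FORMATS[fmt]
    whole, frac = divmod(int(value), per_sec)
    dt = epoch + timedelta(seconds=whole, microseconds=frac * 1_000_000 // per_sec)
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def report():
    """Join messages to users, converting the epoch and aliasing numeric codes."""
    db = sqlite3.connect(":memory:")
    # Constructed sample data: gender 1/2 and status 1/2 codes are assumptions
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, gender INTEGER);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, user_id INTEGER,
                              sent INTEGER, status INTEGER, body TEXT);
        INSERT INTO users VALUES (1,'alice',2),(2,'bob',1);
        INSERT INTO messages VALUES (1,1,1400000000,1,'hi'),(2,2,1400000060,2,'hello');
    """)
    rows = db.execute("""
        SELECT u.username,
               CASE u.gender WHEN 1 THEN 'male' WHEN 2 THEN 'female' ELSE 'unknown' END,
               datetime(m.sent, 'unixepoch'),
               CASE m.status WHEN 1 THEN 'sent' WHEN 2 THEN 'received' ELSE 'draft' END,
               m.body
        FROM messages m JOIN users u ON u.id = m.user_id ORDER BY m.id
    """).fetchall()
    db.close()
    return rows
```

Decoding the same instant from each encoding and getting one identical string is a quick check that a column's format has been identified correctly.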
The short video shows the basic operation of The Forensic Browser from opening a database to creating a report: