
How to Forensically Analyze a Damaged SQLite Database

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces how to carry out forensic analysis of a damaged SQLite database. It has some reference value; interested readers can refer to it, and I hope you learn a lot from it. Let the editor take you through it.

SQLite is one of the most popular databases today. It stores data on desktop computers and laptops (for desktop tools, browsers, social media software and so on) and in many mobile applications, so SQLite also plays an important role in digital forensics: web browsers, messengers and other sources of digital evidence keep their data in it.

There are many tools on the market that support the analysis and forensic examination of SQLite databases, such as Magnet AXIOM, Belkasoft Evidence Center, BlackBag BlackLight and so on. These tools parse such databases automatically and can even carve records from freelist pages and unallocated space. In addition, they provide a SQLite viewer that lets the examiner inspect the database manually.

So how can we obtain evidence from databases that have been damaged or destroyed?

During a DFIR case we received a SQLite database that could not be opened with any tool. It had previously been sent to the vendor for a solution, but the answer was: no tables were found in the database.

Without further ado, let's get to the point. The database is called "contacts2.db". If you have enough experience in mobile forensics, you can guess that this is a typical Android database containing the user's contact information.

We have many professional forensic kits on hand, so we decided to try opening it with the most popular forensic tools: Belkasoft Evidence Center, BlackBag BlackLight, Cellebrite UFED Physical Analyzer, SQLite database browser, Magnet AXIOM and Oxygen Forensic Detective. To our surprise, none of them could open the database, just as the vendor had said. The screenshots below show the result in each tool:

(Screenshots: Belkasoft Evidence Center, BlackBag BlackLight, Cellebrite UFED Physical Analyzer, SQLite database browser, Magnet AXIOM, Oxygen Forensic Detective)

As you can see, no tool can open it. So what should we do next? Let's go back to basics!

First, we go to the official website of SQLite and download the command-line tool for managing database files.

Then we extract the contents of the archive and put the database in the same folder (optional).

Start the Windows command prompt and change the directory to the directory where the SQLite command-line tool is extracted.

Run the following command sequence:

sqlite3.exe database_name.db
.mode insert
.output database_dump.sql
.dump
.exit

Now you have a SQL file containing a dump of the database tables. If you are lucky, you can delete the transaction statements, such as BEGIN TRANSACTION and ROLLBACK, and import the file into a new SQLite database, for example using the SQLite database browser. However, because this database was seriously damaged, we had to check the file manually and save the tables of interest in a separate SQL file.

For example, we find the 'accounts' table, which looks like this:

CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT);

followed by one INSERT INTO accounts VALUES (...); statement for each recovered account row.

We saved it to a separate SQL file and created the database using the SQLite database browser.

The creation process is as follows:

Open the SQLite database browser.

Go to File > Import > Database from SQL file.

Select the SQL file with the table you are interested in.

Choose a name for the database to be created.

Now you can browse the data and export it using a simple SQL query.
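The dump-and-reimport procedure above (strip the transaction wrapper, keep one table's statements, load them into a fresh database) can be scripted instead of edited by hand. The following is an added example, not code from the article; the dump text is constructed to resemble what the sqlite3 shell writes for a damaged file, and the account values in it are made up.

```python
import re
import sqlite3

# Constructed stand-in for what `sqlite3 contacts2.db` followed by `.dump` writes
# for a damaged file: every statement it could still read, wrapped in BEGIN/ROLLBACK.
SAMPLE_DUMP = """PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT,account_name TEXT, account_type TEXT, data_set TEXT);
INSERT INTO accounts VALUES(1,'vnd.sec.contact.phone','vnd.sec.contact.phone',NULL);
INSERT INTO accounts VALUES(2,'primary.sim','vnd.sec.contact.sim',NULL);
CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, account_id INTEGER, display_name TEXT);
INSERT INTO raw_contacts VALUES(1,1,'Sample; Contact');
/**** ERROR: (11) database disk image is malformed *****/
ROLLBACK; -- due to errors
"""

TXN_RE = re.compile(r"^(BEGIN TRANSACTION|COMMIT|ROLLBACK)\b", re.IGNORECASE)

def split_statements(dump_text):
    """Yield complete SQL statements, dropping the transaction wrapper and the shell's
    error comments; sqlite3.complete_statement() keeps a ';' inside a value from splitting."""
    buf = []
    for line in dump_text.splitlines():
        if line.startswith("/****") or TXN_RE.match(line):
            continue
        buf.append(line)
        if sqlite3.complete_statement("\n".join(buf)):
            yield "\n".join(buf).strip()
            buf = []

def statements_for_table(dump_text, table):
    """Keep only the CREATE TABLE and INSERT INTO statements for one table."""
    pat = re.compile(rf'^(?:CREATE TABLE|INSERT INTO)\s+"?{re.escape(table)}"?\b',
                     re.IGNORECASE)
    return [s for s in split_statements(dump_text) if pat.match(s)]

def rebuild_table(dump_text, table, out_path=":memory:"):
    """Load one table into a fresh database, one statement at a time so a single bad
    row does not discard the rest. Returns (connection, rows_inserted, failures)."""
    con = sqlite3.connect(out_path)
    inserted, failed = 0, []
    for stmt in statements_for_table(dump_text, table):
        try:
            con.execute(stmt)
            inserted += stmt.upper().startswith("INSERT")
        except sqlite3.Error as exc:
            failed.append((stmt, str(exc)))
    con.commit()
    return con, inserted, failed
```

Pass a real file path as out_path to write the rebuilt table to disk, and review the returned failures list for rows the damaged dump could not reload.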

(Screenshot: the restored table)

If you want to view all the tables, just repeat the steps above. This example also shows that digital forensic analysis cannot rely on forensic tools alone; it should be combined with manual inspection as the situation requires, so that data can be recovered and analyzed more accurately.

Thank you for reading this article carefully. I hope the article "How to Forensically Analyze a Damaged SQLite Database" shared by the editor will be helpful to everyone. At the same time, I hope you will support us and follow the industry information channel. More related knowledge is waiting for you to learn!
