SQLite is one of the popular database formats and is used by many mobile systems, including Android devices, for structured data storage. SQLite is an open source application that resembles SQL Server but is a lightweight implementation of it. Android supports SQLite through dedicated APIs, and it is a crucial source of evidence from a forensic perspective. The SQLite files used by apps are usually stored at /data/data/<ApplicationPackageName>/databases. Forensically, these files are highly important because they store the valuable data handled by the respective application. Many apps are used for fund transfers, ticket bookings, bank transactions, and personal chats. These details can be found in the apps' SQLite files, which can be interrogated for evidence.
Important Sources for Forensics Investigation
- Browser Memory
- Application storage
- External Card & System Storage
- SQLite Database files
- SMS/Call Records
- GPS Records
- Social Sites (Facebook, Twitter)
- Messenger (MSN, Yahoo)
- Email associated data
SQLite database analysis of an Android device can be done either using an image of the device data or by accessing the files through a rooted device. Once the device is rooted, investigators can acquire all the SQLite files of the apps. These files can belong to many applications, and their analysis can lead to multiple pieces of evidence. For instance, the database file of the YouTube app on an Android device comprises several tables showing details such as _id (for each entry made in the YouTube app), display1, display2, query (text typed when searching for a video) and date (epoch date and time stamp).
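As an added example (not code from the original article or from the product described below), this Python sketch opens a working copy of an acquired database read-only, lists its tables, and converts the epoch `date` column of the search table to UTC. The table name `suggestions` and the millisecond epoch unit are assumptions; the column names are the ones listed above, and the sample rows are constructed.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash the evidence copy so it can be compared before and after analysis."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def open_read_only(path):
    """Open a database so that SQLite cannot modify it."""
    # mode=ro refuses writes; immutable=1 also disables locking, so no side
    # files are created. In this mode SQLite skips any -wal file: check it separately.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def list_tables(conn):
    sql = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    return [name for (name,) in conn.execute(sql)]


def search_history(conn, table="suggestions"):
    """Return (_id, query, UTC time); table name and ms epoch are assumptions."""
    rows = conn.execute(f'SELECT _id, query, date FROM "{table}" ORDER BY date')
    return [(i, q, datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat())
            for i, q, ms in rows]


def build_sample(path):
    """Constructed stand-in for an acquired file, using the columns named above."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE suggestions (_id INTEGER PRIMARY KEY, display1 TEXT,"
                 " display2 TEXT, query TEXT, date INTEGER)")
    conn.executemany("INSERT INTO suggestions VALUES (?, ?, ?, ?, ?)", [
        (1, "sample video", None, "sample video", 1400000000000),
        (2, "second search", None, "second search", 1400000060000)])
    conn.commit()
    conn.close()


if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "history.db")
    build_sample(sample)
    before = sha256_file(sample)
    db = open_read_only(sample)
    print(list_tables(db), search_history(db))
    db.close()
    print("unchanged:", before == sha256_file(sample))
```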
Explore SQLite File for Investigation
Sqlite Forensic Explorer is application software capable of performing a complete examination of a SQLite file. Android application data is saved in different versions of the SQLite file format. The program can explore SQLite files and the tables embedded in them. To begin, install the application and launch it.
Learn More about the Product
Product Name: Sqlite Forensic Explorer
Size: 13.3 MB
Version: 2.0
Supported Operating system: Windows 8, 7, Vista, and XP
Free Demo: Available
Product Website Link: http://www.acquireforensics.com/products/sqlite-forensic-explorer/
Step-by-step guide to performing SQLite data analysis with Sqlite Forensic Explorer:
- Click on Add File, which opens another window for adding the file. Click on the Browse icon to add the SQLite file saved on the system.
- The left pane shows all the tables present in the SQLite file. Different tables store different data, such as “urls”, “visits”, “keyword search” and “downloads”. Users can view any of the tables and the data it contains. Here, the different columns of the tables can be viewed, such as title, url, visit_count, typed_count, last_visit_time, hidden, favicon_id, etc.
- Users can view the details in the Hex tab. The Hex view helps in interrogating the data unaltered. Users can analyze the data here and check it for manipulation.
- The software also provides a Deleted tab, where data deleted from the SQLite file can be viewed.
- The application has a Query feature, which helps to examine the SQLite database using commands. The SQL Editor functionality lets users add multiple queries to execute against the added database. These queries can also be saved for future analysis.
This software also allows recovery of corrupted data from a SQLite database. Its support for damaged SQLite files provides exceptional functionality for forensic investigation. It is a comprehensive application program that allows users to export the carved details to a CSV, PDF or HTML file for further analysis or reporting. It supports varied SQLite formats such as .db or .sqlite, which allows different variants of SQLite databases to be examined. Investigators can dig into details by viewing the data in Hex format and by viewing the deleted data. It also supports the BLOB data type for analyzing multimedia components.