Archive for November, 2011

Using FTK forensic software to detect SQLite Database Files

27/11/2011

The forensic software tool FTK can be used to good effect for identifying and extracting SQLite database files from a case for further processing using SQLite Forensic Reporter.

Once a case is processed in FTK navigate to ‘Databases’ under ‘File Category’. In the file listing window sort by ‘File Type’. Any identified SQLite database files will be listed under ‘SQLite Database’. The files can then be selected and exported from the case.

SQLite Database Files in Forensic Software FTK

Once the SQLite database files are copied from the forensic tool kit they can be processed using SQLite Forensic Reporter.

More info about SQLite Forensic Reporter here for batch processing SQLite Database Files in a case

SQLite Forensic Reporter how to process unknown databases

20/11/2011

SQLite Forensic Reporter is the only tool available which uses template based SQLite DB processing. Any database that is not corrupted can be processed. Analysts and technicians will be able to quickly create new templates and decode data for themselves, saving both time and processing costs.

Available for $125USD per license

View the video showing how to process unknown SQLite databases here:

Simple Carver Suite v4.4 Released.

13/11/2011

A new version of SC Suite is available. Version 4.4 now includes more tools to analyse and extract information from a variety of file types, plus utilities to assist in everyday tasks. Continuing user feedback has resulted in the development of 71 tools packaged as a single suite for $95 per license.

What’s new:

  • Quick Search v1.0, small powerful utility for performing text and hexadecimal search on files…
  • Gather Window Names v1.0, research tool for extracting the window titles from all hidden and visible windows on the running Operating System…
  • Read Time Zone Information v1.0, reads current time zone settings on a running Windows Operating System…
  • Various existing tool improvements…

A full listing of the tools can be found here:
Simple Carver Suite – All Tools

In addition to the above new additions SC Suite includes the following tools:

  • Hex Map v1.0, file format research/presentation tool…
  • Format Seconds v1.0, a research tool which will batch converts seconds to a formatted hours/minutes and seconds…
  • Contacts.edb Extractor, a tool designed to extract information contained within the Windows Live Messenger (WLM) contacts file (contacts.edb).
  • Windows Photo Gallery Viewer (WPG Viewer), is a tool designed to view and extract information contained within the Vista Windows Photo Gallery data file (pictures.pd4).
  • Archive View, standalone archive viewer supporting many of the popular archive file formats and more…
  • Byte Swapper, a utility useful for conducting research and assisting data recovery allowing the user to manipulate the byte order of a file…
  • Create Folders, utility designed to reduce the repetitive task of folder creation through the use of pre-designed templates…
  • Delete Files, a utility for batch removing empty files from folder(s)…
  • Disk List, lists all physical disks on a computer…
  • Disk Map, utility used to create diskette images for test validation or file carving exercises…
  • Eml2HTML, a utility for batch converting standard MIME email messages into HTML format reports…
  • EXE Extractor, batch extracts all version information that may be present within executable and library files…
  • File Lister, searches for files using typical wildcard/mask or by using advanced regular expressions…
  • Filecat, categorises file type(s) based on file extension/file header information, 100% user configurable…
  • FileExt Renamer, batch renames file extensions based on the content of the file (file headers), ideal for recovered data by third party tools…
  • Frag View, standalone utility for reviewing ‘web-based’ fragments…
  • Frequency Count, very useful tool for counting the number of occurrences of words within a file…
  • FTPThumbs Extractor, tool to extract and present the contents of the thumbnail database cache created by the WS_FTP software…
  • Grep Test, basic grep testing utility, very useful for research and developing new search terms…
  • Gzip Auto Extract, batch decompresses gzip files, useful for inspecting compressed live/recovered web content…
  • Hash File, basic MD5 hashing tool…
  • Header Grab Advanced, useful research tool, reads the file header and extension information from a specified volume/folder, stores this information in an Access database for review…
  • HP Thumbs Extractor, a new tool for extracting and presenting the content of the thumbnail cache files created by the HP Digital Imaging and HP Photosmart Essential software…
  • HTML Viewer, 100% standalone HTML viewer…
  • List Video Codecs, lists all currently available codecs installed on the computer system…
  • PMBThumbs Extractor, tool to extract and present the contents of the thumbnail database cache created by the Sony Picture Motion Browser software…
  • PPThumbs Extractor, tool to extract and present the contents of the thumbnail database cache created by the Photophilia software…
  • PSP Browse File Viewer, tool to extract and present the contents of the thumbnail database cache created by the Paint Shop Pro software…
  • Registry Examiner, offline registry viewer supporting registry files from WinNT and above…
  • Sector Search, identify fragments of a known file anywhere on a disk image, or compare the contents of two files at the sector level…
  • Simple Carver, basic data recovery software, the first tool released starting this suite!
  • Skype Extractor, a utility for viewing and extracting user information from the Skype user data files (call logs, contacts information, sms messages, chat messages and more…)
  • Sort Folder, automatically sorts the contents of folder(s) into more manageable sizes…
  • Structured Storage Extractor is a utility for reading and extracting information from the Structured storage format (ole container) files.
  • Text Extract, useful analysis tool which extracts fragments of text from any file…
  • Title Extractor, batch extracts the field information from all specified web pages…
  • URL Previewer, batch extracts the information from Windows URL files, auto decodes date/time information and presents in a single report for review…
  • Video Previewer, utility for creating preview reports producing a basic report showing the overall content of a video file (based on Media Player Classic thumbs option)…
  • Vista Recycle Bin Reader, utility to read the recycle bin records of the recycle bin in Windows Vista…
  • Windows Search Index Extractor, extracts information that may be present within the Windows Desktop Search Database (windows.edb file)…
  • WinHex POS Viewer, a new tool to view and extract the content of POS files (WinHex search results) used by the WinHex program. Useful if you need to use the results from a previous search within a third party tool.
  • WinThumbs Extractor, tool to extract and present the contents of the thumbnail database cache created by Windows OS…
  • WMDB Extractor, a tool designed to extract information contained within the Windows Media Player data file (CurrentDatabase_360.wmdb). Extracts playlist, video, music and photo information to CSV, HTML and Text file report formats.
  • PicViewer Extractor, is a tool designed to view and extract information contained within the PicViewer picture browser thumbnail cache file.
  • LAN Search, perform filtered searches for files and folders across a network
  • ABCThumbs Extractor (ABC Viewer thumbnail cache/database)
  • Directory Opus Extractor (Directory Opus thumbnail cache/database)
  • WinNCThumbs Extractor (WinNC file management tool, thumbnail cache/database)
  • WildbitThumbs Extractor (Wildbit Viewer thumbnail cache/database)
  • ValThumbs Extractor (Vallen Jpegger thumbnail cache/database)
  • PIEThumbs Extractor (Picture Information Extractor software)
  • Windows Live Photo Gallery Viewer (WPG Live Viewer), is a tool designed to view and extract information contained within the Vista Windows Live Photo Gallery data file (pictures.pd5).
  • XLS Worksheet Detect, a tool for detecting hidden worksheets in Microsoft Excel spreadsheets; supports both xls and xlsx formats
  • Windows Reg. Extract, a tool for previewing operating system ownership details
  • Split Paths, a utility which breaks down file paths into component parts and saves to CSV
  • Worksheet Name Extract, a utility for reading and extracting the titles of all worksheets from Excel spreadsheet files
  • Chrome Thumbs Extractor for extracting webpage thumbnails from the Google Chrome browser software
  • Intel Extract, fully user configurable intelligence gathering tool; gathers webmail activity (usernames, email addresses and more), search engine activity (default covers all main search engines), online auction activity, online shopping activity and more…
  • Drive Harvest, file/folder capturing for ‘offline’ review, includes powerful SQL search querying for searching and filtering…
  • CSV2HTML, portable utility for quickly converting CSV formatting text to HTML format…
  • Base64 Decoder, standalone base64 file decoder, works on single and multiple encoded files…
  • Tested on Microsoft Windows 7 64-bit
  • Windows Mail Store Extractor v1.0, extracts information from the Windows Mail repository file WindowsMail.MSMessageStore…
  • PicIT Extractor v1.0 extracts thumbnail and associated data from the Microsoft Picture It thumbnail cache (piorg.db cache files)
  • New tool added, Average File Sizes v1.0, calculates the average size of a group of files, useful for determining the optimal carve size for specific file type recovery…
  • New tool added, Filename Convertor v1.0, batch converts a long filename listing to short filename 8.3 format, useful for keyword search creation…
  • Edit File Times v1.0, file date/time manipulation and research tool…
  • Hash File Reviewer v1.0, standalone hash file previewer…
  • Various existing tool improvements…

Simple Carver Suite costs $95 per license, includes all the above tools, and includes free customer support and updates. www.simplecarver.com

SQLite Forensic Reporter v1.2 Released.

13/11/2011

A new version of SQLite Forensic Reporter, the universal SQLite database examination tool, is available. Version 1.2 now includes more features to analyse, extract and report on information from any SQLite database (not corrupted or encrypted). Useful for Computer & Phone Forensic Analysts and Data Recovery Technicians. Searches, identifies and decodes all SQLite database files in a case. Identify SQLite databases containing evidence you never knew existed. Available for $125 per license with discounts for Government and Law Enforcement Agencies…

What’s new:

  • More templates added!!!
  • Added Polish Language
  • Password and Username Identification, scans all identified SQLite database files for possible user credentials (saved as a separate listing).
  • Collates date and time activity from all identified SQLite database files in a case and saves it as a separate listing for timeline analysis
  • Added Unattended Mode, Identification and Processing of all SQLite database files is performed with a single mouse click

SQLite Forensic Reporter is the only universal SQLite database examination tool available to date. More information:
SQLite Forensic Reporter (Universal SQLite database examination tool)

In addition to the above new additions SQLite Forensic Reporter also includes the following features:

  • File Header Analysis for reliable file identification
  • Advanced identification using automated Table Analysis, Column Analysis and Field Data Analysis
  • Easy to manage template interface, create new templates for newly encountered database formats
  • User optional extraction of ‘undecoded’ data during processing for raw data comparison
  • Built-in MD5 hashing
  • Date / Time display user customisable
  • Once installed, can be setup and running in as little as 3 mouse clicks
  • Unattended mode, process an entire case overnight, come back to the results in the morning
  • Optional single folder or recurse folder
  • Handles unlimited number of templates
  • Templates are portable, develop and share with colleagues, can be stored locally or on a network location (i.e. mapped drive)
  • Supports numerous datatypes including all known date/time formats presently used in SQLite databases
  • User can select and decode columns using built in data types
  • User can selectively extract rows and columns matching any criteria using SQL scripting
  • Decodes Windows FILETIME Date/Time stamps (Big Endian, Little Endian, hexadecimal or numerical)
  • Decodes DOS 32-bit Date/Time stamps (hexadecimal or numerical)
  • Decodes Unix Date/Time stamps (Big Endian, Little Endian, Seconds, Millisecond and Precision based formats, hexadecimal or numerical)
  • Decodes MAC Absolute Date/Time stamps
  • Decodes OLE Date/Time stamps
  • Decodes Base64 Encoded Text
  • Decodes PRTIME Date/Time stamps
  • Decodes WEBKIT Date/Time stamps
  • Decodes Julian Date/Time stamps
  • Displays Boolean values (user customisable, Yes/No, True/False)
  • Decodes Uppercase Text
  • Decodes Lowercase Text
  • Decodes Text to Hexadecimal
  • Decodes Integer to Hexadecimal
  • Displays numbers formatted as file sizes (examples: 3 bytes, 3GB, 3TB)
  • Decodes seconds to hours/minutes/seconds
  • Inexpensive, affordable to both individuals and multiple users, additional discount is available to Law Enforcement & Government
  • Identifies fields containing possible usernames and passwords
  • Advanced Identification not available anywhere else
  • Identifies files that have had their file extensions renamed, a technique used by developers for basic data protection which may also be used for malicious purposes
  • Unicode enabled, reports will export text correctly (arabic etc)
  • SQLite Forensic Reporter automatically creates reports in HTML and CSV formats, decoded as the user specifies
  • Utilises both Default (simple SQL processing) and/or Advanced User Defined SQL querying, link and reference tables for automatic decoding and reporting
  • SQLite Forensic Reporter is available in English, German, Spanish, French and Indonesian Languages

SQLite Forensic Reporter costs $125 per license and includes free customer support and updates. http://www.filesig.co.uk/ Discounts are available for Government and Law Enforcement Agencies…

More useful software: www.simplecarver.com

Processing SQLite Databases using Templates (applicable to forensic analysis and data recovery)

05/11/2011

This article covers the processing of SQLite database files for forensic analysis, security auditing and data recovery purposes. A growing number of software applications on computer systems and mobile devices use SQLite databases to store data. Examples of SQLite database usage include, but are not limited to:

  • Software settings, SQLite databases are used to store not only general settings for software applications but also user specific settings.
  • Chat history, a number of products use SQLite databases for storing conversations between users on computer and mobile devices.
  • Keyloggers, some key logging software uses SQLite databases to store all recorded information; SQLite is well suited to this, being capable of writing and holding millions of records containing pictures and text information.
  • Virtually any data can be stored in a SQLite database…

SQLite databases typically consist of a single file (sometimes multiple linked files), with each database file containing one or many tables. Each database table will contain a certain number of columns in a set order and each row or record will store data accordingly. SQLite databases can store virtually any data including:

  • Text – this could be human readable or encoded
  • Dates and times – any date format or specification of the designer's choosing
  • Binary (BLOB) – this can be pictures, documents or any data of the designer's choosing.

Problems and Issues

  • Due to the growing number of SQLite databases present in both computer and mobile devices the time to open, process and review the data contained within each SQLite database is becoming problematic.
  • Formats change, from time to time SQLite databases for a specific product will be updated, columns removed or added, tables renamed or removed and so on.  When these changes occur it can prevent software designed to process a specific SQLite database from working correctly or produce incorrect results.
  • Simple Calculation: Quantity of SQLite databases to analyse x Using the correct tool for each database x Time to Process each database x Review each database = A LOT OF WASTED TIME!

Solution

Template processing of SQLite databases is an automated method of batch processing SQLite databases for end user review. First correctly identify each SQLite database by user configurable identification of internal and external file properties, then process each table and each column in the correct manner with as little user intervention as possible.

  1. Correctly identify each database – this must be user configurable! If a new SQLite database is encountered then allow the user to identify characteristics associated with the given database. For example: file header and internal settings of the SQLite database.
  2. Correctly process each table in turn and the columns within each table for a particular SQLite database – this must be user configurable! If a new SQLite database is encountered or a small variation occurs in an existing database the user can create a new template to deal with this. At this stage custom queries can be devised to filter and/or present data in a similar fashion to that presented to the user as originally intended.
  • There are infinite variations of how a table in a SQLite database can be laid out. How the data is actually stored within each column is typically limited to a handful of data types.
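An added example of the two-step template approach described above, written here in Python with the standard library's sqlite3 module; it is not SQLite Forensic Reporter's own code. Step one identifies a database by its 16-byte file header rather than its extension, step two checks that the template's tables exist and decodes each configured column, including several of the date/time encodings listed on this page. The template layout, table and column names, and the sample rows are all constructed for the demonstration.

```python
import os
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone

# Every SQLite 3 file begins with this 16-byte header; renaming the extension does not change it.
SQLITE_MAGIC = b"SQLite format 3\x00"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME and WebKit epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Unix epoch
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac Absolute epoch

# Date/time encodings a template may name: epoch, then (multiply, divide) to reach microseconds.
# Integer arithmetic on purpose: WebKit and FILETIME values exceed double-precision float range.
TIME_FORMATS = {
    "unix_seconds": (EPOCH_1970, 1000000, 1),
    "webkit": (EPOCH_1601, 1, 1),          # Chrome/WebKit: microseconds since 1601
    "filetime": (EPOCH_1601, 1, 10),       # Windows: 100-nanosecond ticks since 1601
    "mac_absolute": (EPOCH_2001, 1000000, 1),
}

def decode(kind, value):
    """Decode one raw column value according to the type name the template gives the column."""
    if kind == "text":
        return value
    epoch, mul, div = TIME_FORMATS[kind]
    return (epoch + timedelta(microseconds=int(value) * mul // div)).strftime("%Y-%m-%d %H:%M:%S")

def is_sqlite_file(path):
    """File-header identification: true for any SQLite 3 file, whatever its extension."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def process(path, template):
    """Identify the file, confirm the template's tables exist, then decode each configured column."""
    if not is_sqlite_file(path):
        raise ValueError("not a SQLite 3 file: %s" % path)
    with closing(sqlite3.connect(path)) as conn:
        tables = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
        if not set(template["tables"]) <= tables:
            return None  # unknown layout: the analyst writes a new template instead of guessing
        result = {}
        for table, columns in template["tables"].items():
            sql = 'SELECT %s FROM "%s"' % (", ".join('"%s"' % c for c in columns), table)
            result[table] = [{c: decode(t, v) for (c, t), v in zip(columns.items(), row)}
                             for row in conn.execute(sql)]
        return result

# Constructed template for a hypothetical chat-history database (not any real product's layout).
CHAT_TEMPLATE = {"tables": {"messages": {"sent": "unix_seconds", "body": "text"}}}

def build_sample_db():
    """Constructed sample rows, saved under a non-.db name so only the header gives it away."""
    path = os.path.join(tempfile.mkdtemp(), "history.dat")
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("CREATE TABLE messages(sent INTEGER, body TEXT)")
        conn.execute("INSERT INTO messages VALUES (1320451200, 'hello')")  # 2011-11-05 00:00:00 UTC
        conn.commit()
    return path
```

Calling `process(build_sample_db(), CHAT_TEMPLATE)` returns the decoded rows; a template whose tables are absent returns None so that an unrecognised layout is flagged for a new template rather than silently mis-decoded.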

SQLite Forensic Reporter in a Nutshell

SQLite Forensic Reporter allows you to process virtually any SQLite database using predefined templates. SQLite Forensic Reporter is template driven and fully user configurable, which means that when a new SQLite database is identified a new template is created by the user. Columns are processed correctly and decoded if required using built in processing routines for date/time formats etc. The user has full control and does not need to wait for an update from the software developer. SQLite Forensic Reporter batch processes SQLite databases en masse, greatly reducing the time to extract and present data from SQLite databases present in both computer and mobile devices.

For more information: http://www.filesig.co.uk/sqlite-forensic-reporter.html

SQLite Forensic Reporter is $125USD per license and priced to be affordable to individuals and organisations alike.