Since their initial introduction in 2007, Smartphones have come to dominate the cellular phone marketplace quickly making feature phones nearly obsolete. This domination is split fairly evenly between two major companies: Google with their Android OS and Apple touting their own iOS. Even though both of these companies are business rivals and their file systems are significantly different, both share a commonality in that they both store a majority of their user data within a data storage container type called SQLite. “SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.” Mobile Forensic Analysts can easily leverage this commonality, by learning the skills required to perform low-level analysis and recovery on SQLite databases. Once learned and mastered, examiners can then support nearly 99% of the device data they will come across in the majority of their mobile device examinations.
To illustrate the vast amount of work to be done, as of January 2015, the Google Play Store reported 1.43 Million Applications being available in their Google Play Store. At the same time, Apple’s iTunes Store reported over 1.4 Million apps currently being available for download. That’s a total of over 2.8 MILLION apps. Even the most popular mobile forensic tool only supports parsing of 200 different applications. This support accounts for a miniscule %001 of the total apps and leaves a 99.999% gap!
This class will help examiners close that gap by teaching the students:
- How SQLite works at the byte-level
- What are the different types of SQLite data components
- What are the 5 common locations to recover SQLite data
- How to perform report data validation
- How to Reverse Engineer ANY SQLite database
- Converting and identifying virtually any date format easily
- Display BLOB data within the forensic tool
- How to use a tool designed from the ground-up as a forensic tool
- How to recover data from .SHM, .WAL and .journal files
- How to generate reports quickly from any SQLite database to include external linked images
This IS the future of digital mobile forensics!
Students Receive a Full Version of Sanderson Forensics SQLite Forensic Toolkit Software ($495 value)
Students Also Receive a free six-month license of Andriller software
PDF: SQLite Class Brochure
This is an excellent course to provide the student with the foundation to develop methodologies to validate the findings of commercial tools that attempt to parse SQLite data. This data may or may not be addressed by the tools and thus when dealing with mobile apps, many of which are not parsed out by tools, or are partially parsed, you will be able to export the “backend” data and have the skills to extract, reconstruct (relationally) and inspect the data. The class touches on the internal structure of the SQLite databases and provides the student with skills investigate the data contained in SQLite databases and corresponding journal and wal files.
Taught by Sam Brothers
Sam Brothers is currently working as a Digital Forensic Specialist for US Law Enforcement. He has been in the IT field for over 30 years, and currently specializes in the field of Mobile Device Forensics. He has completed analysis work on hundreds of mobile and computer forensics cases. He and his team had the honor of briefing the then DHS Deputy Secretary on their accomplishments and digital forensic capabilities. He enjoys the opportunity to teach forensic analysis for various law enforcement organizations both in the US and around the world.
Mr. Brothers is an active member of: the Scientific Working Group on Digital Evidence (SWGDE) serving his second term as chairman for the Forensics Committee and with the American Academy of Forensic Sciences (AAFS) as both a Fellow member and as Program committee chairman for the Digital and Multimedia Evidence Section. He also serves as Vice-Chair for the OSAC Subcommittee on Digital Evidence.
Mr. Brothers has been requested internationally for speaking engagements on the topic of Advance Mobile Device Forensic Analysis and always looks forward to sharing what he knows with other investigators in the field to make the forensic community stronger and further the field of Digital Forensics.
In 2008, he developed and published the Mobile Device Tool Classification System. Since then, this system has come to be used by many of the top practitioners in the field and has been featured in many books and digital forensic publications around the world. His classification system serves as a benchmark in the industry to classify method of mobile device forensic extraction. His work is referenced in both NIST and SWGDE best practice documentation and used in several graduate level courses on forensics.
Pre-Requisites: Command line (Unix or DOS), JTAG and/or Chip-off data extraction and beginner programming/scripting experience will be helpful.
 Source: https://www.sqlite.org/about.html
 Source: http://en.wikipedia.org/wiki/Google_Play