Sanderson Forensic Toolkit for SQLite

Forensic Browser for SQLite

• Have you ever needed to create a report from an SQLite database that is not supported by your current forensic tools?
• Have you ever been frustrated by SQLite date columns displayed as a string of unfriendly digits?
• Would you like to look at a blob field as a picture rather than just see “blob” displayed in the field?
• Would you like to create a PDF report with just a few columns in a particular order from certain users sorted by a date field?
• Would you like to do this just using drag and drop and your mouse?

Forensic Browser for SQLite allows you to do the following — All without having to type a single line of SQL:

• Automatically recovered deleted records (and distinguish between them) from DBs and associated journals/WALs
• Remove duplicate records if required
• Perform a simple visual select on some or all of the fields in a table
• Perform more complex visual joins on multiple tables
• Add groups, aliases and where clauses if required
• Choose which columns to sort on
• View the resulting SQL select commands of the above
• See the resulting table in a grid form
• Convert numbers to dates (Unix10/13, Windows 64 bit, NSDate/Chrome, Mac absolute and more)
• Find and display pictures in blobs (JPG, PNG, GIF, TIF etc.)
• Import pictures held in the file system to associate and display in a query/report
• Display a number as meaningful text (sent/received/draft etc.)
• Display latitude and longitude fields on a map
• Export a selected blob or all blobs in DB to a file
• Build and integrate custom extensions
• See hex view of blobs
• Decode a binary plist stored as a blob
• Decode base64 encoded text/data
• Choose which columns you want to see in the grid/report
• Iteratively go back and modify your SQL if the results are not as expected
• Preview a report with custom headers/footers/formatting
• Print the report to a HTML/XLSX/CSV/PDF
• Unicode support
• Add different formats for dates and times in individual fields
• On the fly Timezone adjustments
• Find and review all SQLite databases in a folder structure
• Translate IOS backup folder names
• Maintain a query history that you can revisit
• Provide a case manager for often used queries that you can share between users
• Attach and query across multiple databases
• Maintain a case log of actions

Forensic Browser for SQLite contains browser extensions that:

• Extract and display the images (attachments) for the Kik messenger stored in external binary plists
• Convert Facebook geolocation fields so that the browser can display a map of where a message was sent
• Decode Tango messenger base64 encoded message structures
• Import downloaded pictures saved with Blackberry messenger on IOS
• View the content of the Google Chrome Cache files
• Decode the usernames and IP addresses from Skype ChatSync files

SQLite Recovery

Modern operating systems typically contain many sqlite databases (often in excess of 100), SQLite Recovery can be used to display all of them alongside each other allowing the investigator to gain an overview of the type and content of all of the databases on the suspects computer. These databases can contain anything from SMS messages to lists of passwords and are an invaluable source of evidence.

SQLite Recovery is a forensic tool to aid in the recovery of SQLite databases, tables and records. SQLite Recovery can search a disk, volume, image or file for deleted SQLite databases.

The output of SQLite Recovery is individual sqlite databases that can be investigated with other forensic software such as SkypeAlyzer.

SQlite Recovery can now keyword search on multiple keywords across ALL carved sqlite tables simultaneously irrespective of the table schema.

Features

• Simple to use
• Template based
• Carves deleted journal and WAL files
• Distinguish between live and deleted records in a database
• Carves unknown databases (including those in unallocated space)
• Search all tables for multiple keywords at one
• Template constraints can override column affinity
• Extracts to sqlite databases to investigate with ‘other’ forensic software
• Extract every bob from every database to view in another forensic tool
• Export a recovered table to XLS
• Parse time filtering to improve quality of recovered data
• Optionally display numeric columns as formatted date
• Advanced filters to clean up data post parse
• Automatically identify and delete duplicate rows
• Supports parsing from individual files (DD/Unallocated), logical and physical devices, EWF images.

Basic Operation of SQLite Recovery

SQLite Recovery searches multiple carved databases irrespective of the table schemas:

SQLite Forensic Explorer

SQLite Forensic Explorer is an investigative tool designed to show every single byte of an SQLite database or WAL file along with its decoded data. This means you can look at any field in the DB/WAL file header and see what it means, or you can look at an index B-Tree page and see each structure within the page decoded.

SQLite Forensic Explorer provides an unparalleled view into the structure and workings of SQLite at a file level and is invaluable to forensic investigators looking for deleted data (or a corrupt database) or to those who simply want to know more about the structure of a database.

Features

• Supports SQLite databases and WAL and Journal files
• Can display tables and rows from corrupt databases
• Decodes every SQLite structure
• Follow an SQLite table or index B-Tree from the root to its leafs
• Recover deleted data from unused space
• Follow the reverse pointer tree
• View the freelist and every page within it
• Highlight and examine unused spaces in tables and indexes for deleted data
• Automatically decode deleted data in the hex view and display as a record
• See how each record is encoded and stored in a table or index

In the display below the unused space in this interior table (actually a root B-Tree page) is highligted in the hex view in grey. The highlighted byte at offset 106 is the start of the payload data for this SQLite record, SQLite Forensic Explorer has identified this as from the Skype messages table and has displayed the decoded row in table form, as below: