SQLite Forensics

Since their initial introduction in 2007, Smartphones have come to dominate the cellular phone marketplace quickly making feature phones nearly obsolete. This domination is split fairly evenly between two major companies: Google with their Android OS and Apple touting their own iOS. Even though both of these companies are business rivals and their file systems are significantly different, both share a commonality in that they both store a majority of their user data within a data storage container type called SQLite.

SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine. Mobile Forensic Analysts can easily leverage this commonality, by learning the skills required to perform low-level analysis and recovery on SQLite databases. Once learned and mastered, examiners can then support over 99% of the device data they will come across in the majority of their mobile device examinations.

To illustrate the vast amount of work to be done, as of March 2020, the Google Play Store reported 2.87 Million Applications being available in their Google Play Store. At the same time, the Apple App Store reported over 1.84 Million apps currently being available for download. That’s a combined total of over 4.7 MILLION applications. Even the most popular mobile forensic tools supports parsing of 200 – 300 different applications. This support accounts for a minuscule 0.01% of the total apps and leaves a 99.99% gap!

Taking the course online.

An instructor will go through the course with you online so you can take it from anywhere. The online version of the course comes in two parts: fundamentals and advanced. Each part is 5 days long. Each day consists of 4 hours of instruction typically held in the morning. You can register for the fundamentals portion, the advanced portion, or the complete course which includes both fundamentals and advanced portions. You cannot take the advanced portion without taking the fundamentals portion first.


Taking the course on-site.

Join our instructor and other students in a classroom at one of Teel Tech’s instruction facilities across the country. The class is 5 days long and each day has 8 hours of instruction.


AndroidwSQL
This class will help examiners close that gap by teaching the students:

 

  • How SQLite works at the byte-level
  • What are 5 common locations to recover SQLite data
  • How to perform report data validation
  • What are the different types of SQLite data component types
  • How to Reverse Engineer ANY SQLite database
  • Converting and identifying virtually any date format easily
  • Display SQLite BLOB data within a forensic tool
  • How to recover data from .WAL and .journal files
  • How to generate reports quickly from any SQLite database to include external linked images
  • SQLite Record Recovery (Incomplete or Orphaned Records)
  • Manual Parsing of: Write-Ahead Logs and Journal Files
  • Why use a tool designed from the ground-up as a forensic tool
  • Advanced Data Recovery Scenarios
  • SQLite Payload Examination/SQLite Data Construct Parsing
  • Manual SQLite Data Recovery
  • SQLite Encryption
  • Using simulations to perform data testing/verification/decryption
  • Advance Scenario Exam

This IS the future of digital mobile forensics!

Pre-Requisites:
Navigating and executing programs at the Command Line (Unix or DOS) is required.
Beginner programming/scripting experience is helpful (but not required).


Students will receive:

  • A free one-year license of Sanderson Forensics SQLite Forensic Toolkit Software
  • A free 30-day license of Andriller Software
  • Thumbdrive with a library of useful scripts used in class, course exercises and materials.

PDF: SQLite Class Brochure


For ALL SQLite Students:

All SQLite Students must be currently employed at/for a law enforcement agency and do not charge for any work that they take on. If a student works for a commercial entity (or law enforcement agency) that takes on work from other agencies and accepts payment for this work, then they are NOT eligible. Any student unable to fulfill this requirement in attendance at any SQLite class may be asked to leave by the instructor and Teel Technologies shall refund their tuition fee. Teel Technologies shall not be held responsible for any associated fees (e.g., travel hotel, transportation) should a student be asked to leave.

This is an excellent course to provide the student with the foundation to develop methodologies to validate the findings of commercial tools that attempt to parse SQLite data. This data may or may not be addressed by the tools and thus when dealing with mobile apps, many of which are not parsed out by tools, or are partially parsed, you will be able to export the “backend” data and have the skills to extract, reconstruct (relationally) and inspect the data. The class touches on the internal structure of the SQLite databases and provides the student with skills investigate the data contained in SQLite databases and corresponding journal and wal files.


Doing SQLite forensics is like doing analysis in any other investigation. SQLite forensics is more about formulating a good, repeatable query to tell a story.

 

The material was well put together and the flow made the learning easy. This definitely reinforced previous learning and knowledge in the SQLite database structure.

Perform analysis on SQLite databases

View Upcoming Courses