SQLite Forensics

Slide 2: Introduction
  Who am I? You may recognize me from:
  Contributing author for the Computer Forensics InfoSec Pro Guide by David Cowen
  Contributing author for Hacking Exposed Computer Forensics, Second Edition
  Tools and scripts
  My blog!
Slide 3: Objectives
  SQLite introduction and basics
  Help with date-time analysis
  Stoke your curiosity
  Scripting, hands on
  Q&A
Slide 4: Who is using SQLite?
  Apple, Google, Mozilla, Dropbox, Adobe, Skype, G-C Partners, and more...
Slide 5: Where SQLite is used
  Mobile: iOS, Android, Windows Mobile
  Apps
  Web browsers
  Mac OSX+
  And many more!
Slide 6: Why SQLite?
  Performance
  Simplified application development
  Cross-platform and programming-language agnostic
  Atomic transactions
  Supports familiar SQL92 features
  Single file
  Public domain
  References from sqlite.org
Slide 7: What is SQLite?
  (Figure: one SQLite database file with Read / Write / Read clients)
  Authored by Dwayne "Richard" Hipp
  Initial release in 2000
  Characteristics:
    Database file is cross-platform
    No setup, administration or client-server
    Light footprint
    Handles large datasets
    Multiple readers
    Max database size up to 140 terabytes
    Dynamically typed data types
Slide 8: Header - Identifying a SQLite 3 database
  SQLite format string (the magic number): offset 0, size 16 bytes
  1.2.1 Magic Header String: "Every valid SQLite database file begins with the following 16 bytes (in hex): 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00. This byte sequence corresponds to the UTF-8 string "SQLite format 3" including the null terminator character at the end." Referenced from sqlite.org
  Header size: the first 100 bytes of every database file
Slide 9: Header - Pages
  Every SQLite database consists of pages
  Page size is a power of 2 and can be between 512 and 65536 bytes
  Default page size is usually 1024 bytes
  Page size begins at offset 16 and is a 2-byte integer
  Page size can be changed after creation
Slide 10: Data types
  Referenced from sqlite.org
Slide 11: What you may find in SQLite databases
  Your typical "text" and date-time information: contacts, messages, URLs and more...
  Geo coordinates (GPS) location data
  Settings, preferences, etc.
  Entire files! We call them BLOBs in database terminology
  For more information on BLOB data types -
Slide 12: What you may find in SQLite databases (continued)
  A BLOB field could contain: icons, images, audio, documents, plists! Any binary data.
Slide 13: BLOB fields
  BLOB: storing a binary plist in the "properties" field of an iOS sms database
Slide 14: WAL - Write Ahead Log
  Introduced in version 3.7
  Not enabled by default
  Improves concurrency: each writer has an "end mark" tracked
  Transactions append to the end of the WAL
  Checkpoint causes WAL data to be written back to the database
  Checkpoint occurs when the WAL reaches the page size threshold
  Header fields (Offset / Size / Description):
    18 / 1 / File format write version. 1 for legacy; 2 for WAL.
    19 / 1 / File format read version. 1 for legacy; 2 for WAL.
  Reference: sqlite.org -
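The header checks from the last three slides (magic string at offset 0, page size at offset 16, and the write/read version bytes at offsets 18 and 19 that reveal WAL mode) can be done in a few lines of Python. This is an added example, not code from the deck; the helper names and the sample databases it builds in a temporary directory are constructed for the illustration. The offsets and the "value 1 means 65536" rule for the page size come from the SQLite file-format documentation.

```python
import os
import sqlite3
import struct
import tempfile

# The 16-byte magic string every SQLite 3 file starts with (offset 0).
SQLITE_MAGIC = b"SQLite format 3\x00"


def parse_header(path):
    """Read the 100-byte header and return the fields discussed on the slides.

    Offsets (SQLite file-format documentation):
      0..15  magic string "SQLite format 3\\0"
      16..17 page size, 2-byte big-endian; the value 1 means 65536
      18     file format write version (1 legacy / rollback journal, 2 WAL)
      19     file format read version  (1 legacy, 2 WAL)
    """
    with open(path, "rb") as fh:
        header = fh.read(100)
    if len(header) < 100 or header[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database (bad or missing magic header)")
    (page_size,) = struct.unpack(">H", header[16:18])
    if page_size == 1:
        page_size = 65536
    # A valid page size is a power of two between 512 and 65536.
    if page_size < 512 or page_size & (page_size - 1):
        raise ValueError("implausible page size %d" % page_size)
    write_version, read_version = header[18], header[19]
    return {
        "page_size": page_size,
        "write_version": write_version,
        "read_version": read_version,
        "journal_mode": "wal" if (write_version, read_version) == (2, 2) else "legacy",
    }


def make_sample_db(path, page_size=4096, wal=False):
    """Create a small constructed database so the parser has something to read."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA page_size = %d" % page_size)  # must precede the first write
    if wal:
        conn.execute("PRAGMA journal_mode = WAL")  # sets header bytes 18/19 to 2/2
    conn.execute("CREATE TABLE t(x INTEGER)")
    conn.execute("INSERT INTO t VALUES (1)")
    conn.commit()
    conn.close()


def demo():
    """Build one legacy and one WAL database and parse both headers."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, wal in (("legacy.db", False), ("wal.db", True)):
            p = os.path.join(d, name)
            make_sample_db(p, wal=wal)
            results[name] = parse_header(p)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

When the header says WAL, look for a sibling file named `<database>-wal` next to the evidence copy: transactions that have not yet been checkpointed live there, not in the main file, so a parser that reads only the main file can miss the newest records.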
Slide 15: Datetime handling
  Referenced from sqlite.org
Slide 16: Datetime formats (http://www.epochconverter.com/)
  Unixtime epoch: begins 1 January 1970
  Mac epoch: begins 2001 rather than 1970 (Thanks Steve); increment typically in seconds
  Chrome (WebKit) epoch: begins 1 January 1601; incremented in microseconds; convert by subtracting the offset and dividing by a million
  Firefox: depends; can be in Unixtime or Chrometime
Slide 17: Datetime converting - Chrome Top Sites
  SELECT last_updated, datetime((last_updated - 11644473600000000) / 1000000, 'unixepoch', 'localtime') AS 'last_updated' FROM thumbnails;
  Ref:
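The three epochs from the previous slide, worked in Python, with the Chrome conversion also run through SQLite in the shape of the Top Sites query above so the two agree. This is an added example, not code from the deck. The two offsets are the seconds between the Unix epoch and 2001-01-01 (Mac) and between 1601-01-01 and the Unix epoch (Chrome/WebKit); the one-row `thumbnails` table is constructed for the illustration. The SQL variant uses `'unixepoch'` only, so the result is UTC; appending `'localtime'` as the slide does shifts it into the analysis machine's zone, which is rarely the suspect's.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Epoch offsets in seconds, relative to the Unix epoch (1970-01-01 00:00:00 UTC).
MAC_EPOCH_OFFSET = 978307200       # 2001-01-01 00:00:00 UTC (Mac absolute time)
CHROME_EPOCH_OFFSET = 11644473600  # 1601-01-01 00:00:00 UTC (Chrome / WebKit time)

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_unixtime(seconds):
    """Unix time: seconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def from_mactime(seconds):
    """Mac absolute time: seconds since 2001-01-01 UTC ("rather than 1970")."""
    return from_unixtime(seconds + MAC_EPOCH_OFFSET)


def from_chrometime(microseconds):
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC.

    Subtract the 1601-to-1970 offset (in microseconds) and the remainder is
    microseconds since the Unix epoch; timedelta keeps the sub-second part.
    """
    return UNIX_EPOCH + timedelta(microseconds=microseconds - CHROME_EPOCH_OFFSET * 1000000)


def sql_chrome_to_datetime(chrome_us):
    """The same Chrome conversion done inside SQLite, over a constructed one-row
    'thumbnails' table, using the query form from the slide (UTC, no 'localtime')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thumbnails(last_updated INTEGER)")
    conn.execute("INSERT INTO thumbnails VALUES (?)", (chrome_us,))
    row = conn.execute(
        "SELECT datetime((last_updated - 11644473600000000) / 1000000, 'unixepoch') "
        "FROM thumbnails"
    ).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    # Constructed sample values, one per epoch.
    print("unix   ", from_unixtime(1395526400).isoformat())
    print("mac    ", from_mactime(415000000).isoformat())
    print("chrome ", from_chrometime(13040000000000000).isoformat())
    print("sqlite ", sql_chrome_to_datetime(13040000000000000))
```

A quick plausibility check when the epoch is unknown: convert the value all three ways and keep the one that lands inside the period the rest of the evidence covers; a Chrome value read as Unix seconds lands hundreds of thousands of years out, and a Mac value read as Unix seconds lands in the early 1980s.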
Slide 18: Deleted records
  Deleted records can be recovered! (but not always)
  Deleted records are not overwritten
  Deleted records are added to a "freelist" page
  Deleted records are reassigned
  Deleted records are expunged by VACUUM
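The freelist behaviour described on this slide can be observed directly. The added example below (not from the deck) fills a constructed table until it spans many pages, deletes every row, and reads the freelist page count both through `PRAGMA freelist_count` and from the 4-byte big-endian field at offset 36 of the file header, then runs VACUUM and reads it again. The table, its rows and the temporary file are constructed for the illustration.

```python
import os
import sqlite3
import struct
import tempfile


def freelist_pages_from_header(path):
    """Header offset 36..39: total number of freelist pages (4-byte big-endian)."""
    with open(path, "rb") as fh:
        header = fh.read(100)
    return struct.unpack(">I", header[36:40])[0]


def freelist_demo(rows=3000):
    """Returns (freelist before delete, after delete, header value after delete,
    after VACUUM) for a constructed database.

    Freed pages are only unlinked, not wiped, so their content can still be
    carved until a later write reuses the page or VACUUM rebuilds the file.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed.db")
        conn = sqlite3.connect(path, isolation_level=None)  # manage transactions explicitly
        conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("BEGIN")
        conn.executemany(
            "INSERT INTO messages(body) VALUES (?)",
            ((("constructed message %05d " % i) * 4,) for i in range(rows)),
        )
        conn.execute("COMMIT")
        before = conn.execute("PRAGMA freelist_count").fetchone()[0]

        conn.execute("DELETE FROM messages")  # pages move to the freelist; the root page stays
        after_delete = conn.execute("PRAGMA freelist_count").fetchone()[0]
        header_after_delete = freelist_pages_from_header(path)

        conn.execute("VACUUM")  # rebuilds the file, dropping the freelist pages entirely
        after_vacuum = conn.execute("PRAGMA freelist_count").fetchone()[0]
        conn.close()
    return before, after_delete, header_after_delete, after_vacuum


if __name__ == "__main__":
    print("freelist pages (before, after delete, header, after vacuum):", freelist_demo())
```

Two caveats when reading a real evidence file: an application that sets `PRAGMA secure_delete` has SQLite zero freed content as it is released, so the freelist count rises but nothing is left to carve; and `PRAGMA auto_vacuum` (on by default in some mobile databases) truncates freed pages off the end of the file at commit time, which has the same effect as a VACUUM for those pages.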
Slide 19: Mac OSX+ important databases
  QuickLook
  Document Revisions
  Sources: items in grey: Shawn Cavina - ; items in blue and white: David Dym -
Slide 20: Mac OSX+ DocumentRevisions
  Stores previous versions of documents
  Also stores chunks of changed documents
  File path in database links to physical path in folder tree
  Not user configurable
  Filename: db.sqlite
  Path: /.DocumentRevisions-V100/db-V1
  Tables: files, generations, storage
Slide 21: Mac OSX+ QuickLook
  Cached thumbnails for file previews in Finder
  Thumbnails for files with associated viewers
  Filename: index.sqlite
  Path: /private/var/folders/<dynamic>/<dynamic>_<dynamic>/C/com.apple.QuickLook.thumbnailcache
  Tip to locate: find /var/folders -name "*QuickLook*"
Slide 28: SQLite scripting - Python as a review tool
  Build a script (to read the "Favicons" database from Chrome)
  Run the script
  Review the output
Slide 29: SQLite scripting - Python
  Convert to datetime
  Linking the tables
Slide 30: SQLite scripting - Python
  Run the script
Slide 31: SQLite scripting - Python
  Here's what we get as output (converted to datetime!):
  'http://static01.nyt.com/favicon.ico'  'http://www.nytimes.com/2014/01/31/technology/amazons-shares-fall-as-revenue-disappoints.html?nl=todaysheadlines&emc=edit_th_ '  ' :31: '
  'http://www.nytimes.com/glogin?URI=http%3A%2F%2Fwww.nytimes.com%2F2014%2F01%2F31%2Ftechnology%2Famazons-shares-fall-as-revenue-disappoints.html%3Fnl%3Dtodaysheadlines%26emc%3Dedit_th_ %26_r%3D0'
  'http://www.schaeffersresearch.com/favicon.ico'  'https://lyris.schaeffer.com/t/113127/ /8359/50/'  ' :32: '
  'http://www.southwest.com/assets/images/favicon.ico'  'http://www.southwest.com/'  ' :01: '
  'https://ssl.gstatic.com/s2/oz/images/faviconr3.ico'  'http://ow.ly/t9y7h '  ' :40: '
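The three steps on slides 28 to 31 (build a script for Chrome's Favicons database, convert the timestamp, link the tables, review the output) as one complete added example. This is not the script from the deck; it assumes the three-table layout of Chrome's Favicons file of that era (`favicons`, `icon_mapping`, `favicon_bitmaps`, with `favicon_bitmaps.last_updated` in Chrome time) and builds a constructed in-memory copy of it with a few sample rows, so verify the column names against the real file with `.schema` before running the query on evidence. The output has the same shape as the slide: icon URL, page URL, converted datetime.

```python
import sqlite3

# 1601-01-01 -> 1970-01-01, in microseconds (Chrome/WebKit time is microseconds since 1601).
CHROME_EPOCH_OFFSET_US = 11644473600 * 1000000

# Constructed sample rows resembling Chrome's Favicons database (assumed schema).
SAMPLE_FAVICONS = [
    (1, "http://static01.nyt.com/favicon.ico"),
    (2, "http://www.southwest.com/assets/images/favicon.ico"),
]
SAMPLE_ICON_MAPPING = [  # (id, page_url, icon_id)
    (1, "http://www.nytimes.com/2014/01/31/technology/amazons-shares-fall-as-revenue-disappoints.html", 1),
    (2, "http://www.southwest.com/", 2),
]
SAMPLE_BITMAPS = [  # (id, icon_id, last_updated in Chrome time, image bytes)
    (1, 1, 13040000000000000, b"\x89PNG constructed"),
    (2, 2, 13040000060000000, b"\x89PNG constructed"),
]


def build_sample_db(path=":memory:"):
    """Create the assumed Favicons schema and load the constructed rows."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE favicons(id INTEGER PRIMARY KEY, url TEXT, icon_type INTEGER);
        CREATE TABLE icon_mapping(id INTEGER PRIMARY KEY, page_url TEXT, icon_id INTEGER);
        CREATE TABLE favicon_bitmaps(id INTEGER PRIMARY KEY, icon_id INTEGER,
                                     last_updated INTEGER, image_data BLOB,
                                     width INTEGER, height INTEGER);
    """)
    conn.executemany("INSERT INTO favicons(id, url, icon_type) VALUES (?, ?, 1)", SAMPLE_FAVICONS)
    conn.executemany("INSERT INTO icon_mapping(id, page_url, icon_id) VALUES (?, ?, ?)",
                     SAMPLE_ICON_MAPPING)
    conn.executemany("INSERT INTO favicon_bitmaps(id, icon_id, last_updated, image_data, width, height) "
                     "VALUES (?, ?, ?, ?, 16, 16)", SAMPLE_BITMAPS)
    conn.commit()
    return conn


# Link the tables and do the Chrome-time conversion inside SQLite (UTC; add 'localtime'
# to the datetime() call only if the analysis machine's zone is what you want).
REVIEW_QUERY = """
SELECT f.url              AS icon_url,
       m.page_url         AS page_url,
       datetime((b.last_updated - ?) / 1000000, 'unixepoch') AS last_updated_utc,
       length(b.image_data) AS image_bytes
FROM favicon_bitmaps b
JOIN favicons     f ON f.id = b.icon_id
JOIN icon_mapping m ON m.icon_id = f.id
ORDER BY b.last_updated
"""


def review_favicons(conn):
    """Return (icon_url, page_url, last_updated_utc, image_bytes) rows for review."""
    return conn.execute(REVIEW_QUERY, (CHROME_EPOCH_OFFSET_US,)).fetchall()


if __name__ == "__main__":
    for row in review_favicons(build_sample_db()):
        print(row)
```

To run the same query against an evidence copy, open it read-only with `sqlite3.connect("file:/path/to/Favicons?mode=ro", uri=True)` rather than the constructed connection; opening a database writable can trigger a WAL checkpoint or journal rollback that alters the file.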
Slide 32: SQLite lab
  Let's get hands on with Python, if time permits
Slide 33: Links and references
  SQLite 3 Documentation: sqlite.org
  OS X Lion Artifacts, by Sean Cavanaugh (link)
  Recovering deleted records: Epilog; Oxygen Forensics
  Another Forensics Blog, Python parser
Slide 34: Q & A
  Read our book!
  David Dym
  Phone: (214)
  My blog: