
www.encase.com/ceic – SQLite Forensics – David Dym, G-C Partners


1 SQLite Forensics – David Dym, G-C Partners

2 Introduction: Who am I?
You may recognize me from:
Contributing author for the Computer Forensics InfoSec Pro Guide by David Cowen.
Contributing author for Hacking Exposed Computer Forensics, Second Edition.
Tools and scripts.
My blog!
SQLite Forensics Page 2

3 Objectives
SQLite introduction and basics
Help with date-time analysis
Stoke your curiosity
Scripting hands-on
Q&A

4 Who is using SQLite?
Apple
Google
Mozilla
Dropbox
Adobe
Skype
G-C Partners
and more…

5 Where SQLite is used
Mobile: iOS, Android, Windows Mobile
Apps
Web browsers
Mac OSX+
And many more!

6 Why SQLite?
Performance
Simplified application development
Cross-platform and programming-language agnostic
Atomic transactions
Supports familiar SQL92 features
Single file
Public domain

7 What is SQLite
Authored by Dwayne ‘Richard’ Hipp
Initial release in 2000
Characteristics:
Database is cross-platform
No setup, administration or client-server
Light footprint
Handles large datasets
Multiple readers
Max database size up to 140 Terabytes
Dynamically typed data types
(Diagram: Read, Write and Read arrows around a single SQLite database)

8 Header: Identifying SQLite 3 databases
SQLite format – offset 0, size 16 bytes
Magic number / magic header string: every valid SQLite database file begins with the following 16 bytes (in hex):
53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00
This byte sequence corresponds to the UTF-8 string "SQLite format 3" including the null terminator character at the end.

9 Header: Pages
Every SQLite database consists of pages
Page size is a power of 2 and can be between 512 and an upper limit
Default page size is usually 1024 bytes
Page size is stored at offset 16 as a 2-byte integer
Page size can be changed after creation

10 Data Types

11 What you may find in SQLite databases
Your typical “text” and date-time information: contacts, messages, URLs and more…
Geo coordinates (GPS) location data
Settings, preferences, etc…
Entire files! We call them BLOBs in database terminology

12 What you may find in SQLite databases
A BLOB field could contain:
Icons
Images
Audio
Documents
Plists!
Any binary data

13 BLOB fields: storing a binary plist in the “properties” field of an iOS sms database

14 Header: WAL – Write Ahead Log
Introduced in version 3.7
Not enabled by default
Improves concurrency – each writer has an “end mark” tracked
Transactions append to the end of the WAL
A checkpoint causes WAL data to be written back to the database
A checkpoint occurs when the WAL reaches the page size threshold
Header bytes that record the journal mode:
Offset  Size  Description
18      1     File format write version. 1 for legacy; 2 for WAL.
19      1     File format read version. 1 for legacy; 2 for WAL.
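As an added example (not the presenter's code), a Python triage script that pulls the header fields from slides 8, 9 and 14 out of a database file: the magic string, the page size at offset 16, and the read/write version bytes at offsets 18 and 19 that reveal WAL mode. The sample database it inspects is constructed on the fly with the sqlite3 module.

```python
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"   # 16-byte magic header string at offset 0

def parse_header_bytes(header):
    """Decode the header fields the slides discuss from the first 100 bytes."""
    if len(header) < 100 or header[:16] != MAGIC:
        return {"is_sqlite3": False}
    # Offset 16: page size as a 2-byte big-endian integer (slide 9); the
    # special value 1 stands for 65536, which does not fit in two bytes.
    page_size = struct.unpack(">H", header[16:18])[0]
    if page_size == 1:
        page_size = 65536
    write_version, read_version = header[18], header[19]   # slide 14 table
    return {
        "is_sqlite3": True,
        "page_size": page_size,
        "write_version": write_version,
        "read_version": read_version,
        # 2/2 means the file was last used in WAL mode: look for a -wal file
        "wal_mode": write_version == 2 and read_version == 2,
    }

def parse_header(path):
    """Read only the 100-byte header, so even a huge database is cheap to triage."""
    with open(path, "rb") as f:
        return parse_header_bytes(f.read(100))

def make_sample_db(page_size=8192, wal=True):
    """Constructed sample: let SQLite create a small database with a known
    page size and journal mode, so the parser can be exercised offline."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    os.unlink(path)                       # SQLite must create the file itself
    conn = sqlite3.connect(path)
    conn.execute(f"PRAGMA page_size={page_size}")   # only honoured before first write
    if wal:
        conn.execute("PRAGMA journal_mode=WAL")     # sets header bytes 18 and 19 to 2
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    conn.commit()
    conn.close()
    return path
```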

15 Handling Datetimes

16 Datetime Formats
Unixtime: epoch begins 1 January 1970
Mac: epoch begins in 2001 rather than at the Unix epoch (Thanks Steve); increment typically in seconds
Chrome (WebKit): epoch begins 1 January 1601; incremented in microseconds; convert by subtracting the epoch offset and dividing by a million
Firefox: depends; can be in Unixtime or Chrometime

17 Datetime Converting: Chrome – Top_Sites
-- 11644473600000000 microseconds = the 11644473600 seconds between 1601-01-01 and 1970-01-01
SELECT last_updated,
       datetime((last_updated - 11644473600000000) / 1000000, 'unixepoch', 'localtime') AS last_updated_local
FROM thumbnails;
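An added example (not from the slides) that implements the three epochs of slide 16 in Python and, for the Firefox "depends" case, decodes a raw integer every way and keeps only the readings that land in a believable window; the epoch offset constants are facts stated in the code, and the plausibility window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Epoch offsets in seconds. These constants are facts added here, not taken
# from the slides: 1970-01-01 minus 1601-01-01 (WebKit/Chrome time) and
# 2001-01-01 minus 1970-01-01 (Mac "Cocoa" absolute time).
WEBKIT_TO_UNIX = 11644473600
MAC_TO_UNIX = 978307200
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def from_unixtime(seconds):
    """Unix time: seconds since 1 January 1970 UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds)

def from_mactime(seconds):
    """Mac absolute time: seconds since 1 January 2001 UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds + MAC_TO_UNIX)

def from_chrometime(microseconds):
    """WebKit/Chrome time: microseconds since 1 January 1601 UTC. Subtract the
    offset first, then scale, so no precision is lost on large integers."""
    return UNIX_EPOCH + timedelta(microseconds=microseconds - WEBKIT_TO_UNIX * 1_000_000)

# Slide 16's Firefox "depends" problem: a raw integer may be any of the formats
# above. This heuristic (an assumption added here) decodes it every way and keeps
# the readings that fall inside a believable window for the evidence.
PLAUSIBLE_FROM = datetime(1995, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2040, 1, 1, tzinfo=timezone.utc)

def plausible_interpretations(value):
    candidates = {
        "unix_seconds": from_unixtime,
        "unix_microseconds": lambda v: from_unixtime(v / 1_000_000),  # Firefox PRTime
        "mac_seconds": from_mactime,
        "chrome_microseconds": from_chrometime,
    }
    hits = {}
    for name, convert in candidates.items():
        try:
            stamp = convert(value)
        except (OverflowError, ValueError):   # outside timedelta/datetime range
            continue
        if PLAUSIBLE_FROM <= stamp < PLAUSIBLE_TO:
            hits[name] = stamp
    return hits
```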

18 Deleted Records
Deleted records can be recovered! (but not always)
Deleted records are not overwritten
Deleted records are added to a “freelist” page
Deleted records are reassigned
Deleted records are expunged by VACUUM

19 MacOSX+ Important Databases
QuickLook
Document Revisions

20 MacOSX+: Document Revisions
Stores previous versions of documents
Also stores chunks of changed documents
File path in the database links to the physical path in the folder tree
Not user configurable
Filename: db.sqlite
Path: /.DocumentRevisions-V100/db-V1
Tables: files, generations, storage

21 MacOSX+: QuickLook
Cached thumbnails for file previews in Finder
Thumbnails for files with associated viewers
Filename: index.sqlite
Path: /private/var/folders/ / _ /C/com.apple.QuickLook.thumbnailcache
Tip to locate: find /var/folders -iname "*QuickLook*"

22 Browser SQLite databases: Chrome
Top Sites
Shortcuts
History
Favicons
Archived History
Cookies

23 Browser SQLite databases: Firefox
Cookies
Signons
Places
Extensions

24 SQLite Tools: Ways to review SQLite databases
Forensic tools
Database managers
Python

25 SQLite Tools: EnCase EnScript – sqlitequery

26 SQLite Tools: SQLiteDiver

27 SQLite Tools: Database Managers
Sqliteman – database manager
SQLiteManager – Firefox extension
Navicat – commercial

28 SQLite Scripting: Python as a review tool
Build a script (to read the “Favicons” database from Chrome)
Run the script
Review the output

29 SQLite Scripting: Python
Convert to datetime
Linking the tables

30 SQLite Scripting: Python – run the script

31 SQLite Scripting: Python – here’s what we get as output (converted to datetime!)
'http://static01.nyt.com/favicon.ico' 'http://www.nytimes.com/2014/01/31/technology/amazons-shares-fall-as-revenue-disappoints.html?nl=todaysheadlines&emc=edit_th_ ' ' :31:39 '
'http://static01.nyt.com/favicon.ico' 'http://www.nytimes.com/glogin?URI=http%3A%2F%2Fwww.nytimes.com%2F2014%2F01%2F31%2Ftechnology%2Famazons-shares-fall-as-revenue-disappoints.html%3Fnl%3Dtodaysheadlines%26emc%3Dedit_th_ %26_r %3D0' ' :31:39 '
'http://www.schaeffersresearch.com/favicon.ico' 'https://lyris.schaeffer.com/t/113127/ /8359/50/' ' :32:07 '
'http://www.southwest.com/assets/images/favicon.ico' 'http://www.southwest.com/' ' :01:18 '
'https://ssl.gstatic.com/s2/oz/images/faviconr3.ico' 'http://ow.ly/t9y7h ' ' :40:37 '
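The script slides 28 to 31 build, written here as an added example rather than the presenter's own: it links icon, page and bitmap rows of a Favicons-style database and converts the WebKit timestamps inside SQLite. The three-table layout and the sample rows are constructed assumptions modelled on Chrome's Favicons database, not a dump of a real profile.

```python
import sqlite3

# Constructed stand-in for Chrome's Favicons database. The table and column
# names used here are an assumption modelled on its favicons / icon_mapping /
# favicon_bitmaps layout; the real schema carries more columns than this.
SCHEMA = """
CREATE TABLE favicons(id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE icon_mapping(id INTEGER PRIMARY KEY, page_url TEXT, icon_id INTEGER);
CREATE TABLE favicon_bitmaps(id INTEGER PRIMARY KEY, icon_id INTEGER,
                             last_updated INTEGER);   -- WebKit time, microseconds
"""

# Sample rows (constructed); last_updated values are WebKit microseconds.
SAMPLE_ROWS = {
    "favicons": [(1, "http://static01.nyt.com/favicon.ico"),
                 (2, "http://www.southwest.com/assets/images/favicon.ico")],
    "icon_mapping": [(1, "http://www.nytimes.com/", 1),
                     (2, "http://www.southwest.com/", 2)],
    "favicon_bitmaps": [(1, 1, 13035643200000000),    # 2014-01-31 12:00:00 UTC
                        (2, 2, 13035686400000000)],   # 2014-02-01 00:00:00 UTC
}

WEBKIT_UNIX_OFFSET_US = 11644473600 * 1_000_000   # 1601-01-01 to 1970-01-01

def build_sample_db():
    """Load the constructed schema and rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def favicon_report(conn):
    """Link icon, page and bitmap rows and let SQLite do the epoch conversion.
    Integer division drops sub-second precision, which is fine for a report."""
    sql = f"""
        SELECT f.url, m.page_url,
               datetime((b.last_updated - {WEBKIT_UNIX_OFFSET_US}) / 1000000,
                        'unixepoch') AS last_updated_utc
        FROM favicon_bitmaps AS b
        JOIN favicons AS f ON f.id = b.icon_id
        JOIN icon_mapping AS m ON m.icon_id = f.id
        ORDER BY b.last_updated"""
    return conn.execute(sql).fetchall()
```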

32 SQLite Lab: let’s get hands-on with Python if time permits

33 Links and references
SQLite 3 Documentation: sqlite.org
OS X Lion Artifacts by Sean Cavanaugh (link)
Recovering deleted records: Epilog, Oxygen Forensics, Another Forensics Blog (Python Parser)

34 Q & A
David Dym
Phone: (214)
My Blog:
Read our book!

