SQLite Forensics David Dym G-C Partners.


Introduction: Who am I?
You may recognize me from:
- Contributing author for the Computer Forensics InfoSec Pro Guide by David Cowen
- Contributing author for Hacking Exposed Computer Forensics, Second Edition
- Tools and scripts
- My blog!

Objectives
- SQLite introduction and basics
- Help with date-time analysis
- Stoke your curiosity
- Scripting, hands on
- Q&A

Who is using SQLite?
- Apple
- Google
- Mozilla
- Dropbox
- Adobe
- Skype
- G-C Partners
- and more… http://www.sqlite.org/famous.html

Where SQLite is used
- Mobile: iOS, Android, Windows Mobile
- Apps
- Web browsers
- Mac OS X+
- And many more!

Why SQLite?
- Performance
- Simplified application development
- Cross-platform and programming-language agnostic
- Atomic transactions
- Supports familiar SQL92 features
- Single file
- Public domain
References from sqlite.org

What is SQLite?
(Diagram: one SQLite database file with concurrent Read / Write / Read access.)
- Authored by Dwayne "Richard" Hipp
- Initial release in 2000
Characteristics:
- Cross-platform database
- No setup, administration or client-server
- Light footprint
- Handles large datasets
- Multiple readers
- Max database size up to 140 terabytes
- Dynamically typed data types

Header: identifying a SQLite 3 database
- Magic header string "SQLite format 3": offset 0, size 16 bytes
- From sqlite.org, section 1.2.1 Magic Header String: "Every valid SQLite database file begins with the following 16 bytes (in hex): 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00. This byte sequence corresponds to the UTF-8 string "SQLite format 3" including the nul terminator character at the end."
- Header size: the first 100 bytes of every database file

Header: pages
- Every SQLite database consists of pages
- The page size is a power of 2 between 512 and 65536 bytes
- The default page size is usually 1024 bytes
- The page size field begins at offset 16 and is a 2-byte integer
- The page size can be changed after creation
http://www.sqlite.org/fileformat2.html

Data types
Referenced from sqlite.org: http://www.sqlite.org/datatype3.html

What you may find in SQLite databases
- Your typical "text" and date-time information: contacts, messages, URLs and more…
- Geo coordinates (GPS) location data
- Settings, preferences, etc.
- Entire files! We call them BLOBs in database terminology
For more information on BLOB data types: http://www.sqlite.org/intern-v-extern-blob.html

What you may find in SQLite databases (continued)
A BLOB field could contain:
- Icons
- Images
- Audio
- Documents
- Plists!
- Any binary data

BLOB fields
Example: a binary plist stored in the "properties" field of an iOS sms database.

WAL (Write-Ahead Log)
- Introduced in version 3.7
- Not enabled by default
- Improves concurrency: each writer has an "end mark" that is tracked
- Transactions append to the end of the WAL
- A checkpoint causes WAL data to be written back to the database
- A checkpoint occurs when the WAL reaches the page size threshold
Header fields that indicate WAL mode:
Offset  Size  Description
18      1     File format write version. 1 for legacy; 2 for WAL.
19      1     File format read version. 1 for legacy; 2 for WAL.
Reference: sqlite.org, http://www.sqlite.org/fileformat.html

Datetime handling
Referenced from sqlite.org: http://www.sqlite.org/datatype3.html

Datetime formats (http://www.epochconverter.com/)
- Unix time: epoch begins 1 January 1970
- Mac: epoch begins 2001 rather than 1970 (thanks, Steve); increment typically in seconds
- Chrome (WebKit): epoch begins 1 January 1601; incremented in microseconds. Convert to Unix time by dividing by a million (microseconds to seconds) and subtracting 11644473600
- Firefox: depends; can be in Unix time or Chrome time

Datetime converting: Chrome Top Sites
SELECT last_updated,
       datetime((last_updated - 11644473600000000) / 1000000, 'unixepoch', 'localtime') AS "last_updated"
FROM thumbnails;
Ref: http://stackoverflow.com/questions/18898652/in-what-format-does-google-chrome-store-extension-install-dates
http://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/

Deleted records
- Deleted records can be recovered! (but not always)
- Deleted records are not overwritten
- Deleted records are added to a "freelist" page
- Deleted records are reassigned
- Deleted records are expunged by "vacuum()"
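Added example, not from the deck: a Python parser for the 100-byte header fields covered on the Header, WAL and Deleted Records slides. It builds a constructed WAL-mode database, inserts and deletes rows, then reads the magic string, page size, write/read versions and freelist counters from the raw file; a non-zero freelist total is the first indication that freed pages (and the records they held) may still be recoverable. The freelist and database-size offsets (28, 32, 36) come from the sqlite.org file format document rather than the slides.

```python
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"      # the 16-byte magic header string at offset 0

def parse_header(raw):
    """Decode the fields of the 100-byte database header that the slides discuss.
    raw is the first 100 bytes of the file; multi-byte fields are big-endian."""
    if len(raw) < 100:
        raise ValueError("need the first 100 bytes of the file")
    page_size = struct.unpack_from(">H", raw, 16)[0]    # offset 16, 2 bytes
    if page_size == 1:                                  # encoded value for 65536
        page_size = 65536
    write_ver, read_ver = raw[18], raw[19]              # 1 = legacy journal, 2 = WAL
    # Offsets 28/32/36 (sqlite.org file format): size in pages, first freelist trunk
    # page, total freelist pages. A non-zero freelist means freed pages still exist.
    db_pages, trunk, free_pages = struct.unpack_from(">III", raw, 28)
    return {
        "magic_ok": raw[:16] == MAGIC,
        "page_size": page_size,
        "page_size_valid": 512 <= page_size <= 65536 and page_size & (page_size - 1) == 0,
        "write_version": write_ver,
        "read_version": read_ver,
        "wal_mode": write_ver == 2 and read_ver == 2,
        "db_size_pages": db_pages,
        "first_freelist_trunk": trunk,
        "freelist_pages": free_pages,
    }

def build_sample_db(path):
    """Constructed sample: a WAL-mode database whose rows were inserted, then deleted,
    so the freed pages sit on the freelist with their content not overwritten."""
    con = sqlite3.connect(path, isolation_level=None)   # autocommit, so PRAGMAs apply
    con.execute("PRAGMA journal_mode=WAL")              # sets header bytes 18 and 19 to 2
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body BLOB)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)", [(b"A" * 4000,)] * 100)
    con.execute("DELETE FROM msgs")                     # pages move to the freelist
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")      # write WAL frames into the main file
    con.close()

def demo():
    """Build the sample, read its first 100 bytes and return the parsed header."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.sqlite")
        build_sample_db(path)
        with open(path, "rb") as f:
            return parse_header(f.read(100))
```

Running demo() on the constructed file reports write/read version 2 and roughly a hundred freelist pages; on a file after VACUUM the freelist count drops to 0 and the freed content is gone.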

Mac OS X+ important databases
- QuickLook
- Document Revisions
Sources: items in grey: Shawn Cavina (scavanaugh@appleexaminer.com); items in blue and white: David Dym (ddym@g-cpartners.com)

Mac OS X+: DocumentRevisions
- Stores previous versions of documents
- Also stores chunks of changed documents
- File path in the database links to the physical path in the folder tree
- Not user configurable
- Filename: db.sqlite
- Path: /.DocumentRevisions-V100/db-V1
- Tables: files, generations, storage

Mac OS X+: QuickLook
- Cached thumbnails for file previews in Finder
- Thumbnails for files with associated viewers
- Filename: index.sqlite
- Path: /private/var/folders/<dynamic>/<dynamic>_<dynamic>/C/com.apple.QuickLook.thumbnailcache
- Tip to locate (case-insensitive, matches anywhere in the name since the directory starts with "com.apple."): find /var/folders -iname "*QuickLook*"

Browser SQLite databases: Chrome
- Top Sites
- Shortcuts
- History
- Favicons
- Archived History
- Cookies

Browser SQLite databases: Firefox
- Cookies
- Signons
- Places
- Extensions

SQLite tools: ways to review SQLite databases
- Forensic tools
- Database managers
- Python

SQLite tools
- EnCase: EnScript "sqlitequery" (Guidance Software App Store)
- Decoding dates: http://www.digital-detective.net/digital-forensic-software/free-tools/

SQLite tools: SQLiteDiver

SQLite tools: database managers
- Sqliteman (database manager)
- SQLiteManager (Firefox extension)
- Navicat (commercial)

SQLite scripting: Python as a review tool
- Build a script (to read the "Favicons" database from Chrome)
- Run the script
- Review the output

SQLite scripting, Python
- Convert to datetime
- Link the tables

SQLite scripting, Python: run the script

SQLite scripting, Python: here's what we get as output (converted to datetime!)
'http://static01.nyt.com/favicon.ico' 'http://www.nytimes.com/2014/01/31/technology/amazons-shares-fall-as-revenue-disappoints.html?nl=todaysheadlines&emc=edit_th_20140131' '2014-01-31 08:31:39 '
'http://www.nytimes.com/glogin?URI=http%3A%2F%2Fwww.nytimes.com%2F2014%2F01%2F31%2Ftechnology%2Famazons-shares-fall-as-revenue-disappoints.html%3Fnl%3Dtodaysheadlines%26emc%3Dedit_th_20140131%26_r%3D0'
'http://www.schaeffersresearch.com/favicon.ico' 'https://lyris.schaeffer.com/t/113127/6595615/8359/50/' '2014-01-31 09:32:07 '
'http://www.southwest.com/assets/images/favicon.ico' 'http://www.southwest.com/' '2014-03-19 10:01:18 '
'https://ssl.gstatic.com/s2/oz/images/faviconr3.ico' 'http://ow.ly/t9y7h ' '2014-03-12 21:40:37 '
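Added example, not the deck's own script: the Favicons walk-through from the scripting slides (link the tables, convert to datetime, review the output) as one self-contained Python program, using the epoch offsets from the Datetime slides. The three-table schema is a constructed, simplified version of Chrome's Favicons database and the rows are constructed; the date conversion is the Top Sites expression from the slide with 'unixepoch' only, so the output is UTC.

```python
import datetime as dt
import sqlite3

# Epoch offsets from the slides: WebKit/Chrome time is microseconds since 1601-01-01,
# Mac absolute time is seconds since 2001-01-01, Unix time is seconds since 1970-01-01.
WEBKIT_TO_UNIX_SECONDS = 11_644_473_600
MAC_TO_UNIX_SECONDS = 978_307_200      # seconds from 1970-01-01 to 2001-01-01
UTC = dt.timezone.utc

def webkit_to_datetime(us):
    """Chrome/WebKit value (microseconds since 1601) -> aware UTC datetime."""
    return dt.datetime.fromtimestamp(us / 1_000_000 - WEBKIT_TO_UNIX_SECONDS, UTC)

def mac_to_datetime(secs):
    """Mac absolute time (seconds since 2001) -> aware UTC datetime."""
    return dt.datetime.fromtimestamp(secs + MAC_TO_UNIX_SECONDS, UTC)

# Constructed, simplified copy of the three Chrome Favicons tables the script links
# (real databases carry more columns, e.g. image_data, width, height).
FAVICONS_SCHEMA = """
CREATE TABLE favicons(id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE favicon_bitmaps(id INTEGER PRIMARY KEY, icon_id INTEGER, last_updated INTEGER);
CREATE TABLE icon_mapping(id INTEGER PRIMARY KEY, page_url TEXT, icon_id INTEGER);
"""

def load_sample():
    """Return an in-memory constructed sample: one icon bitmap shared by two visited pages."""
    con = sqlite3.connect(":memory:")
    con.executescript(FAVICONS_SCHEMA)
    con.execute("INSERT INTO favicons VALUES (1, 'http://news.example/favicon.ico')")
    # 2014-01-31 08:31:39 UTC as WebKit microseconds: (1391157099 + 11644473600) * 10**6
    con.execute("INSERT INTO favicon_bitmaps VALUES (1, 1, 13035630699000000)")
    con.execute("INSERT INTO icon_mapping VALUES (1, 'http://news.example/story.html', 1)")
    con.execute("INSERT INTO icon_mapping VALUES (2, 'http://news.example/login', 1)")
    return con

def icon_report(con):
    """Join icon_mapping -> favicons -> favicon_bitmaps; convert last_updated in SQL with the
    Top Sites expression minus 'localtime', so the result is UTC whatever the analyst's TZ."""
    sql = """SELECT f.url, m.page_url,
                    datetime((b.last_updated - 11644473600000000) / 1000000, 'unixepoch')
             FROM icon_mapping m
             JOIN favicons f ON f.id = m.icon_id
             JOIN favicon_bitmaps b ON b.icon_id = f.id
             ORDER BY m.id"""
    return con.execute(sql).fetchall()

if __name__ == "__main__":
    for icon_url, page_url, when in icon_report(load_sample()):
        print(repr(icon_url), repr(page_url), repr(when))   # icon, page, last_updated (UTC)
```

Point load_sample at a copy of a real Favicons file (never the live one) to reproduce the slide's output; keep 'localtime' out of the query unless the analysis machine's time zone is known to match the evidence.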

SQLite lab: let's get hands on with Python, if time permits.

Links and references
- SQLite 3 documentation: sqlite.org
- OS X Lion Artifacts, by Sean Cavanaugh: link
- Recovering deleted records: Epilog, Oxygen Forensics
- Another Forensics Blog: Python parser

Q & A
Read our book!
David Dym
Email: ddym@g-cpartners.com
Twitter: @dave873
Phone: (214) 377-1363
My blog: www.easymetadata.com/news