Difference between pages "Windows Vista" and "SQLite database format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Prefetch)
 
 
Line 1: Line 1:
== New Features ==
+
{{expand}}
* [[BitLocker Disk Encryption | BitLocker]]
+
* [[Windows Desktop Search | Search]] integrated in operating system
+
* [[ReadyBoost]]
+
* [[SuperFetch]]
+
* [[NTFS|Transactional NTFS (TxF)]]
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
+
* $Recycle.Bin
+
* [[Windows XML Event Log (EVTX)]]
+
* [[User Account Control (UAC)]]
+
  
== File System ==
+
SQLite databases are used by many programs including several forensics tools, e.g. [[Autopsy]] 3.
The file system used by Windows Vista is primarily [[NTFS]].
+
SQLite 3 is current and older SQLite packages cannot use sqlite3 databases so use sqlite3 tools.
  
In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:
+
== SQLite3 ==
<pre>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem</pre>
+
  
Note that this feature has been around since as early as Windows 2000 [http://technet.microsoft.com/en-us/library/cc959914.aspx].
+
SQLite version 3 uses a page-based storage where the pages are used for various types of data e.g. there are:
 +
* lock-byte pages
 +
* freelist pages
 +
** freelist trunk pages
 +
** freelist leaf pages
 +
* B-tree pages
 +
** table B-tree interior pages
 +
** table B-tree leaf pages
 +
** index B-tree interior pages
 +
** index B-tree leaf pages
 +
* payload overflow pages
 +
* pointer map pages
  
== [[Prefetch]] ==
+
=== Write-Ahead Log (WAL) ===
Note that the prefetch hash function is different then that of [[Windows XP]].
+
The default method by which SQLite implements atomic commit and rollback is a rollback journal. In version 3.7.0 a "Write-Ahead Log" option was added.
  
The [[Windows Prefetch File Format]] was changed to version 23.
+
== Use Cases ==
 +
=== Web Browser Data ===
 +
[[Mozilla Firefox]] and [[Google Chrome]] both use SQLite version 3 databases for user data such as history, downloaded files.
  
== Registry ==  
+
== External Links ==
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows Vista operating system.
+
* [http://sqlite.org/fileformat2.html The SQLite Database File Format], by the [[SQLite|SQLite project]]
 +
* [http://sqlite.org/wal.html Write-Ahead Logging], by the [[SQLite|SQLite project]]
 +
* [http://linuxsleuthing.blogspot.ch/2013/09/recovering-data-from-deleted-sqlite.html Recovering Data from Deleted SQLite Records: Redux], by [[John Lehr]], September 13, 2013
  
== See Also ==
+
== Tools ==
* [[Windows]]
+
* [[SQLite]]
* [[Windows 7]]
+
* [[SQLite Forensic Reporter]]
* [[Windows 8]]
+
 
+
== External Links ==
+
* [https://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf Windows Vista Network Attack Surface Analysis], James Hoagland, Matt Conover, Tim Newsham, Ollie Whitehouse
+
  
[[Category:Operating systems]]
+
[[Category:File Formats]]

Revision as of 02:49, 30 October 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

SQLite databases are used by many programs including several forensics tools, e.g. Autopsy 3. SQLite 3 is current and older SQLite packages cannot use sqlite3 databases so use sqlite3 tools.

SQLite3

SQLite version 3 uses a page-based storage where the pages are used for various types of data e.g. there are:

  • lock-byte pages
  • freelist pages
    • freelist trunk pages
    • freelist leaf pages
  • B-tree pages
    • table B-tree interior pages
    • table B-tree leaf pages
    • index B-tree interior pages
    • index B-tree leaf pages
  • payload overflow pages
  • pointer map pages

Write-Ahead Log (WAL)

The default method by which SQLite implements atomic commit and rollback is a rollback journal. In version 3.7.0 a "Write-Ahead Log" option was added.

Use Cases

Web Browser Data

Mozilla Firefox and Google Chrome both use SQLite version 3 databases for user data such as history, downloaded files.

External Links

Tools