Difference between pages "Network forensics" and "SQLite database format"

From Forensics Wiki

Network forensics

'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.

There are both open source and proprietary network forensics systems available.

== Open Source Network Forensics ==

* [[Snort]]
* [[OSSEC]]
* [[Xplico]] Internet/IP Traffic Decoder (NFAT)

== Commercial Network Forensics ==

=== Deep-Analysis Systems ===

* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Simple to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
* ManTech International Corporation [http://www.netwitness.com/ NetWitness]
* Network Instruments [http://www.networkinstruments.com/]
* NIKSUN's [[NetDetector]]
* PacketMotion [http://www.packetmotion.com/]
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.

=== Flow-Based Systems ===

* Arbor Networks
* GraniteEdge Networks http://www.graniteedgenetworks.com/
* Lancope http://www.lancope.com/
* Mazu Networks http://www.mazunetworks.com/

=== Hybrid Systems ===

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

* Q1 Labs http://www.q1labs.com/

== Tips and Tricks ==

* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user. Compare timestamps from different hosts only after accounting for the clock skew between them.

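The timing heuristic above, as an added example (written for this page, not code from Forensics Wiki): a Python script that groups sshd log lines by source address, measures the gap between consecutive events from each source and labels a source as scripted when its median gap is shorter than a person could type. The log lines, addresses, user names and the 2-second threshold are constructed sample values for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (not from a real system): one host's sshd log with ISO
# timestamps at one-second resolution. 203.0.113.7 hammers the service, 198.51.100.9
# is a person typing passwords by hand.
SAMPLE_LOG = """\
2013-10-30T01:49:02 host sshd[411]: Failed password for root from 203.0.113.7 port 51234 ssh2
2013-10-30T01:49:02 host sshd[412]: Failed password for root from 203.0.113.7 port 51235 ssh2
2013-10-30T01:49:03 host sshd[413]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2013-10-30T01:49:03 host sshd[414]: Failed password for admin from 203.0.113.7 port 51237 ssh2
2013-10-30T01:49:04 host sshd[415]: Accepted password for admin from 203.0.113.7 port 51238 ssh2
2013-10-30T01:50:11 host sshd[420]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2013-10-30T01:50:27 host sshd[421]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2013-10-30T01:50:49 host sshd[422]: Accepted password for alice from 198.51.100.9 port 40003 ssh2
"""

LINE_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")


def parse_events(text):
    """Yield (timestamp, source ip, outcome, user) for every line the pattern matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(4), m.group(2), m.group(3)


def timing_profile(text, max_human_gap=2.0, min_events=3):
    """Per source IP: event count, median seconds between consecutive events, and a verdict.

    Gaps are measured inside one log written by one clock, so no skew correction is
    needed here; when merging logs from several hosts, align their clocks first.
    """
    by_src = defaultdict(list)
    for ts, src, _outcome, _user in parse_events(text):
        by_src[src].append(ts)
    profile = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        if len(stamps) >= min_events and med is not None and med < max_human_gap:
            verdict = "scripted"          # bursts faster than a human could type
        elif gaps:
            verdict = "interactive"
        else:
            verdict = "too few events"
        profile[src] = {"events": len(stamps), "median_gap_s": med, "verdict": verdict}
    return profile


if __name__ == "__main__":
    for src, stats in timing_profile(SAMPLE_LOG).items():
        print(src, stats)
```

The median is used rather than the minimum so that one accidental double-click does not flag a person, and the event-count floor keeps a source with a single fast pair from being labelled; both thresholds are starting points to tune against the log volume of the environment.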
SQLite database format

Revision as of 01:49, 30 October 2013


SQLite databases are used by many programs, including several forensics tools, e.g. Autopsy 3, whose case database is an SQLite file. SQLite 3 is the current version; the older SQLite 2 library and the tools built on it cannot read SQLite 3 databases, so use sqlite3 tools. Every SQLite 3 file begins with the 16-byte string "SQLite format 3\0", which is the quickest way to confirm what a file is whatever its extension says.


SQLite3

SQLite version 3 stores a database as a sequence of fixed-size pages (a power of two between 512 and 65536 bytes, recorded in the 100-byte file header that occupies the start of page 1). Every page is one of the following types:

  • lock-byte pages
  • freelist pages
    • freelist trunk pages
    • freelist leaf pages
  • B-tree pages
    • table B-tree interior pages
    • table B-tree leaf pages
    • index B-tree interior pages
    • index B-tree leaf pages
  • payload overflow pages
  • pointer map pages

Write-Ahead Log (WAL)

The default method by which SQLite implements atomic commit and rollback is a rollback journal: before a page is modified, its original image is written to a -journal file next to the database, and the journal is deleted, truncated or has its header zeroed (depending on the journal_mode setting) once the transaction commits. In version 3.7.0 a "Write-Ahead Log" option was added. In WAL mode the modified pages are instead appended as frames to a -wal file, and they are copied back into the main database only at a checkpoint, which SQLite runs automatically once the WAL reaches 1000 pages (the default wal_autocheckpoint) and when the last connection closes. A database in WAL mode has the value 2 in header bytes 18 and 19. For an examiner this means that committed data may exist only in the -wal file (with its -shm index file), so those sidecar files must be collected together with the database, and that a leftover -journal can still hold pre-modification copies of pages.

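The page types and the WAL mechanism described above, as an added example (written for this page, not code from Forensics Wiki or the SQLite project): a Python script that decodes the 100-byte header, follows the freelist trunk chain, labels every page of a database image by type, parses the frames of a -wal file and shows why the sidecar file matters. It builds its own small database with the standard-library sqlite3 module (the table names, URLs and the 'payload-in-wal-only.exe' string are constructed sample data), drops a table so that its pages land on the freelist with their old contents still in place, then switches to WAL mode and commits a row that exists only in the -wal file until a checkpoint. Field offsets follow the SQLite file-format document linked under External Links; WAL frame checksums are not verified.

```python
import os
import sqlite3
import struct
import tempfile

BTREE_FLAGS = {0x02: "index interior", 0x05: "table interior",   # first byte of a b-tree page header
               0x0A: "index leaf", 0x0D: "table leaf"}
LOCK_BYTE_OFFSET = 0x40000000   # the page holding this file offset is the lock-byte page

def read_header(data):
    """Decode the 100-byte file header fields an examiner checks first (all big-endian)."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size, = struct.unpack(">H", data[16:18])
    page_size = 65536 if page_size == 1 else page_size    # the value 1 encodes 65536
    free_trunk, free_count = struct.unpack(">II", data[32:40])
    encoding, = struct.unpack(">I", data[56:60])
    return {"page_size": page_size,
            "write_version": data[18],          # 1 = rollback journal, 2 = WAL (byte 19 likewise)
            # the in-header page count at offset 28 can be stale, so derive it from the file size
            "page_count": len(data) // page_size,
            "freelist_trunk": free_trunk, "freelist_count": free_count,   # count = trunk + leaf pages
            "encoding": {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}.get(encoding, encoding)}

def page(data, page_size, pgno):
    return data[(pgno - 1) * page_size:pgno * page_size]   # pages are numbered from 1

def freelist_pages(data, hdr):
    """Follow the trunk chain from header offset 32; map page number -> freelist kind."""
    kinds, trunk = {}, hdr["freelist_trunk"]                # 0 means the freelist is empty
    while trunk:
        kinds[trunk] = "freelist trunk"
        body = page(data, hdr["page_size"], trunk)
        next_trunk, n = struct.unpack(">II", body[:8])      # followed by n 4-byte leaf page numbers
        for leaf in struct.unpack(">%dI" % n, body[8:8 + 4 * n]):
            kinds[leaf] = "freelist leaf"
        trunk = next_trunk
    return kinds

def classify_pages(data):
    """Label every page of a database image with one of the page types listed above."""
    hdr = read_header(data)
    kinds = freelist_pages(data, hdr)
    lock_page = LOCK_BYTE_OFFSET // hdr["page_size"] + 1    # only exists in files of 1 GiB or more
    for pgno in range(1, hdr["page_count"] + 1):
        if pgno in kinds:
            continue
        if pgno == lock_page:
            kinds[pgno] = "lock-byte"
            continue
        flag = page(data, hdr["page_size"], pgno)[100 if pgno == 1 else 0]   # page 1: after file header
        kinds[pgno] = BTREE_FLAGS.get(flag, "overflow or pointer-map (not a b-tree page)")
    return hdr, kinds

def wal_frames(wal):
    """Parse a -wal file into (page number, commit size, page image) tuples; checksums not verified."""
    magic, _fmt, page_size, _seq, salt1, salt2 = struct.unpack(">IIIIII", wal[:24])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not an SQLite WAL file")
    frames, off = [], 32                                    # frames follow the 32-byte WAL header
    while off + 24 + page_size <= len(wal):
        pgno, commit_size, s1, s2 = struct.unpack(">IIII", wal[off:off + 16])
        if (s1, s2) != (salt1, salt2):    # salt mismatch: stale frame from an earlier WAL generation
            break
        frames.append((pgno, commit_size, wal[off + 24:off + 24 + page_size]))
        off += 24 + page_size             # a non-zero commit size marks the last frame of a transaction
    return frames

def dropped_rows_in_freelist(data, marker):
    """Freelist pages that still contain `marker`: deleted data that carving can recover."""
    hdr, kinds = classify_pages(data)
    return sorted(p for p, k in kinds.items()
                  if k.startswith("freelist") and marker in page(data, hdr["page_size"], p))

def build_demo():
    """Build the constructed sample database; return its images before and after a checkpoint."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    con = sqlite3.connect(path, isolation_level=None)        # autocommit
    con.execute("PRAGMA page_size = 1024")                   # must precede the first write
    con.execute("PRAGMA secure_delete = OFF")                # freed pages keep their old bytes
    con.execute("CREATE TABLE history (id INTEGER PRIMARY KEY, url TEXT)")
    con.execute("BEGIN")
    con.executemany("INSERT INTO history (url) VALUES (?)", [("http://example.test/visited-page-%04d" % i,) for i in range(300)])
    con.execute("COMMIT")
    con.execute("DROP TABLE history")          # its pages join the freelist, contents intact
    con.execute("PRAGMA journal_mode = WAL")   # also sets header bytes 18 and 19 to 2
    con.execute("CREATE TABLE downloads (name TEXT)")
    con.execute("INSERT INTO downloads VALUES ('payload-in-wal-only.exe')")
    with open(path, "rb") as f:
        before = f.read()                      # main file: the committed row is not here yet
    with open(path + "-wal", "rb") as f:
        wal = f.read()
    # SQLite checkpoints by itself after 1000 WAL pages or on last close; forcing one is deterministic
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    con.close()
    with open(path, "rb") as f:
        after = f.read()
    return {"before": before, "wal": wal, "after": after}
```

On a real case, call classify_pages on a forensic copy of the database and wal_frames on the matching -wal file, then carve the freelist pages for whatever string or record signature fits. build_demo forces secure_delete off so that the demonstration is reproducible; a library compiled with SQLITE_SECURE_DELETE, or an application that turns the pragma on, zeroes freed pages and leaves nothing there to carve.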
Use Cases

Web Browser Data

Mozilla Firefox and Google Chrome both use SQLite version 3 databases for user data such as browsing history and downloads: Firefox keeps history and bookmarks in places.sqlite and has further databases such as cookies.sqlite and formhistory.sqlite in the profile directory, while Chrome's profile directory holds files named History (which includes the downloads table), Cookies, Web Data and Login Data. These profile databases are often in WAL mode, so copy the -wal and -shm files together with the main file, and open the copy read-only (for example with the URI filename file:places.sqlite?mode=ro&immutable=1) so that the examination itself does not checkpoint or otherwise modify the evidence.

External Links

  • The SQLite Database File Format, by the SQLite project: http://sqlite.org/fileformat2.html
  • Write-Ahead Logging, by the SQLite project: http://sqlite.org/wal.html
  • Recovering Data from Deleted SQLite Records: Redux, by John Lehr, September 13, 2013: http://linuxsleuthing.blogspot.ch/2013/09/recovering-data-from-deleted-sqlite.html

Tools

  • SQLite
  • SQLite Forensic Reporter

Category: File Formats