Forensic Toolkit for SQLite

From ForensicsWiki
Jump to: navigation, search

The Forensic Toolkit for SQLite includes three comprehensive software applications, The Forensic Browser for SQLite, Forensic Recovery for SQLite and SQLite Forensic Explorer, which make recovering SQLite records from disk, image and database simpler and more intuitive. These tools are an invaluable addition to any investigators tool box.

Forensic Toolkit for SQLite


The Forensic Browser for SQLite

A comprehensive database browser that recovers live and deleted records from SQLite databases as well as rollback journals and write ahead logging journals. The browser provides numerous data conversion facilities and allsow you to display numbers in many datae formats and apply timezone conversions, display blobs as pictures, integrate maps into report, export tables in many formats and provides a comprehensive visual query building interface.

The Browser also supports extensions that can be written by Sanderson Forensic or by our users. Extensions can be used to decode data encoded or encrypted in tables (usually in blobs - such as in Facebook orca2.db blobs) or can be used to decode files to 'import' the data in the the Browser (the latest extension decodes and imports tables from Microsoft ESE/EDB/JetBlue databases)

Kik attachment join.gif


SQLite Forensic Explorer

SQLite Forensic Explorer is an investigative tool designed to show every single byte of an SQLite database or WAL file along with its decoded data. This means you can look at any field in the DB/WAL file header and see what it means, or you can look at an index B-Tree page and see each structure within the page decoded.

SQLite Forensic Explorer provides an unparalleled view into the structure and workings of SQLite at a file level and is invaluable to forensic investigators looking for deleted data (or a corrupt database) or to those who simply want to know more about the structure of a database

SQLite forensic explorer.jpg


SQLite Forensic Recovery

SQLite Recovery is a forensic tool to aid in the recovery of SQLite databases, tables and records. SQLite Recovery can search a disk, volume, image or file for deleted SQLite databases. You can search for specific databases and tables 'described' by a signature or you can let SQLFR search for all databases (known and unknown) on a volume.

Sqlite recovery.jpg