SQLite Forensics Training

SQLite-Hero-1280x540.jpg

In this 5-day course students will develop the skills required to perform low-level analysis and recovery of SQLite databases.

Description


android logo

In this course you'll discover:

  • How SQLite works at the byte‐level
  • What are the different types of SQLite data components
  • What are the 5 common locations to recover SQLite data
  • How to perform report data validation
  • How to Reverse Engineer ANY SQLite database
  • Converting and identifying virtually any date format easily
  • Display BLOB data within the forensic tool
  • How to use a tool designed from the ground‐up as a forensic tool
  • How to recover data from ‐WAL and ‐journal files
  • How to reverse engineer and generate reports quickly from any SQLite database

 

Why SQLite Forensics?

Both Google’s Android OS and Apple’s iOS are the dominant forces in today’s cellphone market – with the market share split fairly evenly between the two companies. While these two companies are rivals, with vastly different file systems, they do share one commonality; both use SQLite as a storage container for user data. “SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.”

Mobile Forensic Analysts can easily leverage this commonality by learning the skills required to perform low-level analysis and recovery on SQLite databases. Once learned and mastered, examiners, can then support nearly 99% of the device data they will come across in most of their mobile device examinations.

To illustrate the vast amount of work to be done, as of January 2015, the Google Play Store reported 1.43 Million Applications being available in its Google Play Store[2]. At the same time, Apple’s iTunes Store reported over 1.4 Million apps currently being available for download. That’s a total of over 2.8 MILLION apps. Even the most popular mobile forensic tool only supports parsing of 200 different applications. This support accounts for a miniscule %001 of the total apps and leaves a 99.999% gap!

Prerequisites

It is recommended students have an understanding of:

  • Navigating and executing programs at the Command Line (Unix or DOS) is required.
  • Beginner programming/scripting experience is helpful (but not required).

This course is reserved for active & retired Law Enforcement Only, or in certain cases examiners that have been contracted by a Law Enforcement, Military or Government Agency.

Due to the sensitive nature of our curriculum, and industry, all potential students are subject to vetting prior to enrollment. We reserve the right to refuse registration to any person that does not meet our established criteria.

Course Itinerary


Day 1 Overview

  • Understand WHY manual SQLite forensics is so necessary
  • Understand basic SQL data structures and data constructs.
  • Understand the different Journaling methods for SQLite and how they relate to recovery.
  • Understand how to recognize and convert common SQLite timestamp encodings
  • Know why different tools you have been using erase evidence.
  • Setup your PC for SQLite Command‐Line analysis
  • Create SQLite Database using Command Line Interface (CLI)
  • Learn about SQLite Header structures (Hex)
  • Parse SQLite Headers using an automated tool
  • Learn how to use SQLite3 and SQLite3_Analyzer for reporting data from ONE table.
  • Parse several SQLite DB’s using CLI through reality based scenarios.

Day 2 Overview

  • Review Exercise
  • Automate the export of all SQLite Tables to CSV and XLSX
  • Andriller Setup/Data Parsing/Reporting
  • SQLite Forensic Browser Setup
  • Using SQLite Forensic Browser Single Table Analysis
  • Scenario Exercises
  • Understand how SQL Joins work and why we use them
  • Using SQLite Forensic Browser Multi‐Table Analysis

Day 3 Overview

  • Complete Startup Exercise
  • Learn how to displaying SQLite BLOB data
  • Learn how to perform automated SQLite recovery
  • NIST Test Specifications for SQLite Data Recovery
  • Final Wrap-Up Exercise
  • Additional data joins
  • Advanced functions
  • Spoofing
  • Data manipulation
  • Page storage with the database

Day 4 Overview

  • Structure of SQLite database pages
  • Manual data carving

Day 5 Overview

  • Overflow pages
  • Encryption
  • Journal and WAL file structure
  • Orphaned records
  • Overwritten records
  • Importance of record validation

Evaluation Procedures:

Students will be completing over 33 practical exercises that will provide the instructor with an idea of their understanding of SQLite.  No formal exam will be given.   All students receive a certificate of completion.

Included with Training


Sanderson Foernsics Logo

  • A free one-year license of Sanderson Forensics SQLite Forensic Toolkit Software
  • Students will receive a link to download the course material and datasets to be used in class.

 

Laptop Requirements


Digital Forensics Google Group

  • Windows PC with two (2) USB A ports.
  • Windows OS
  • macOS with Bootcamp Windows
  • macOS alone will not work (No Virtual Machines)
  • 8GB RAM (minimum)
  • 100GB storage (minimum)
  • You must have admin rights or have the admin password for software installation.
  • NOTE: ALL Windows updates should be done prior to class.