Forensic Browser for SQLitePart of the Forensic Toolkit for SQLite
The Ultimate Browser for SQLite
• Have you ever needed to create a report from an SQLite database that is not supported by your current forensic tools, or your current forensic tool only supplies a subset of the data?
• Have you looked at an SQLite database and been frustrated that a date column is displayed as just a string of user-unfriendly digits?
• Would you like to look at a blob field as a picture rather than just see “blob” displayed in the field? Would you like to create a PDF report with just a few columns in a particular order from certain users sorted by a date field?
• Would you like to do this just using drag and drop and your mouse?
Then Forensic Browser for SQLite is the tool for you!
Forensic Browser for SQLite allows you (all without typing a single SQL query) to:
- Automatically recovered deleted and partial records from DBs and associated journals/WALs
- Remove duplicate records if required
- Identify multiple previous database states from DBs with WAL files
- Break down complex Binary Plist and facebook orca2 blobs and perform queries on resulting data
- Perform a simple visual select on some or all of the fields in a table
- Perform more complex visual joins on multiple tables
- Add groups, aliases and where clauses if required
- View the resulting SQL select commands of the above
- See the resulting table in a grid form and further sort and filter results
- Convert numbers to dates (Unix10/13, Windows 64 bit, NSDate/Chrome, Mac absolute and more)
- Find and display pictures in blobs (JPG, PNG, GIF, TIF etc.)
- Import pictures held in the file system to associate and display in a query/report
- Display a number as meaningful text (sent/received/draft etc.)
- Display latitude and longitude fields on a map
- Export a selected blob or all blobs in DB to a file
- Build and integrate custom extensions
- See the hex that relates to a particular record and identifies exactly where in a DB/journal/WAL the record comes from
- See hex view of blobs
- Decode a binary plist stored as a blob
- Decode base64 encoded text/data
- Choose which columns you want to see in the grid/report
- Iteratively go back and modify your SQL if the results are not as expected
- Highlight SQL errors if you choose to create queries by hand (no errors if you use the drag and drop visual query designer)
- Preview a report with custom headers/footers/formatting
- Print the report to a HTML/XLSX/CSV/PDF and save your SQL query with the report
- Unicode support
- Add different formats for dates and times in individual fields
- On the fly Timezone adjustments
- Find and review all SQLite databases in a folder structure
- Translate IOS backup folder names
- Maintain a query history that you can revisit
- Provide a case manager for often used queries that you can share between users
- Attach and query across multiple databases
- Maintain a case log of actions
The browser extension was created to:
- Extract and display the images (attachments) for the Kik messenger stored in external binary plists
- Convert Facebook geolocation fields so that the browser can display a map of where a message was sent
- Decode Tango messenger base64 encoded message structures
- Import downloaded pictures saved with Blackberry messenger on IOS
- View the content of the Google Chrome Cache files
- Decode the usernames and IP addresses from Skype ChatSync files
* These extensions are unsupported and may be written by third parties
Use Custom Aliases In Your Reporting
Dates and times in databases are rarely stored in a human-readable format, but rather are normally stored as one of a variety of encoded values, usually a large number. The Forensic Browser allows you to use an alternate display for a numeric field (without cluttering the output grid with extra columns), this display will also be carried through to any report
A number of applications embed images as blobs within tables (Skype and WhatsApp are two common ones). The Forensic Browser allows the user to display blob fields as pictures (jpg, ico, png, bmp, gif, tif), and again carry through these pictures to any report.
Database designers regularly use numbers to represent different values yes/no male/female sent/received/draft etc. the Forensic Browser allows you to provide custom aliases for numbers in columns and save them for re-use.
This animated gif shows a 10 digit Unix epoch date converted to a date/time string, a jpg held in a blob displayed as the user’s picture/avatar and a numeric “gender” field converted to a pre-entered set of aliases “male, female or unknown” gs.
Customized Reporting Capabilities
Creating a report with The Forensic Browser is as simple as choosing what tables and fields you want, convert date formats and press the create report button. Reports can be customized for layout with user-defined headers and footers, background colour, landscape or portrait page orientation… Reports can be saved to HTML/XLSX/CSV.
More Than Just Reporting
The Forensic Browser can do much more than create a simple report on one table from a database. More complex queries can be designed to amalgamate data from two or more tables (for example you could show the avatar of a Skype user next to each message they authored). Or, as in the example below from the Kik application, join two tables so that the username can be shown next to a message, rather than the user ID. Alternatively, you could create a report showing just the messages between a selection of users from a Skype database, or as in the screenshot below the Skype conversations using the messages, table joined with the contacts table to show the avatar image of the author of each message.
Learn more about the powerful tools included in our Forensic Toolkit for SQLite
SQLite Forensic Explorer
Part of the Forensic Toolkit for SQLite
Learn more about the
SQLite Forensic Recovery
Part of the Forensic Toolkit for SQlite
Forensic Toolkit for SQLite
To request your quote!