Support Articles
for Sanderson Forensics SQLite Software Suite
Speech Bubbles
This short video shows how to use the speech bubbles report functionality for the Forensic Browser for SQLite. This new report option will be available in version 3.3.0 which will be released shortly. https://youtu.be/qrLk6U-XSpk
Investigating a database using foreign keys
SQL is an extremely powerful programming language, and understanding SQL database schemas can often help immensely when creating queries on the database in question. The particular feature that I want to discuss in this blog is foreign keys, and I intend to show...
How NOT to examine SQLite WAL files
At a recent conference while talking about SQLite forensics I found out that some people still use non-forensic tools to investigate databases with WAL files and were quite happy that they would not miss anything of importance. This is something I disagree with very,...
Why can’t I see who sent that deleted iOS SMS message
I have seen a number of posts on bulletin boards recently that refer to some of the mainstream software failing to be able to attribute a contact to a deleted message on iOS SMS.db recoveries. My previous post “SMS recovered records and contacts – three ways” shows...
SMS recovered records and contacts – 3 ways
In a recent forensic case involving recovered deleted SMS messages from an sms.db file on an iOS mobile device, none of the mainstream mobile phone forensic software made the link between sender and recipient for the recovered records of interest. I have been asked a...
Forensic Browser for SQLite – Structured Storage Manager
Often data held within tables in databases is stored within a BLOB (Binary Large OBject); this data is often structured data that is encoded in a particular format. XML and Binary Plists are examples of these structured storage objects. Often the data in each blob in a...
Using the Forensic Browser for SQLite to display maps based on data from exiftool
I recently saw a Twitter conversation where a user wanted to see the EXIF data from some image files displayed as maps and showing a clickable URL for Google Maps. The latter part of this problem can easily be solved with the Browser - the steps are as follows: Run...
Q. When is secure delete not secure?
A. When a journal is in use (potentially). The raison d'être for a journal, be it a traditional rollback journal or the newer SQLite Write Ahead Log (WAL) file, is to maintain database integrity. Simply put, if an operation fails for whatever reason then the changes to...
Determining when a record was deleted in SQLite
In a recent article, I discussed how I identified deleted records in a database that was using WAL journalling. In this article, I want to take this a little further and show how we can see what the live records were at a specific point in time and how we can timeline...
Identifying deleted records in DB and WAL
I have been working with a user who is processing an Android mmssms.db with its associated WAL journal and it became clear that another forensic tool that he was using was not identifying deleted records. My colleague wanted to create a report showing just the deleted...
Validating a timestamp
The Forensic Browser for SQLite incorporates features such that you can right click on a numeric date column and have the Browser convert a number to one of the supported date formats, applying a timezone offset as required. The process is simply - right-click the...
ESE/EDB/Jetblue – Edge, WebCache & Cortana
Along with SQLite, the Microsoft Extensible Storage Engine (ESE) is becoming increasingly common on Windows mobile phones and desktop operating systems. ESE, also known as Jetblue or EDB DBs, is the technology that underpins these databases such as Windows search and...
Forensic Browser for SQLite – Creating a custom report
Creating a custom report on the Kik messenger database In this article, I want to take you through the process of creating a custom, but simple, report on a Kik messenger database step by step. As we work through the process we will choose which columns we think will...
Forensic Browser – deleted records, journals, pictures and filtering
In this article, I want to cover a few of the areas where the Forensic Browser for SQLite provides features that are missing in other browsers or where it complements other more generic forensic software by providing features that are specific to general databases...
Recovering deleted records from an SQLite database
In this article, I want to discuss how we can recover deleted records from an SQLite database, or rather how we can recover all records and distinguish between those that are live in the DB and those that are found in unused areas and do not match a live record. I...
Forensic examination of SQLite Write Ahead Log (WAL) files
I am sure that you are aware that when an SQLite database is opened, if there is an associated WAL file then the pages in this WAL are automatically written to the main database, thus overwriting records, and the WAL file is reset. You may not be aware though that the...
Investigating Skype cloud-based media_cache/image sharing with the Forensic Browser for SQLite
Skype recently introduced cloud-based operation and started moving away from peer-to-peer messaging with a view, to paraphrase Skype, of improving the service that we receive. Without going into the pros and cons of this, from a forensic point of view it is irrelevant...
Obtaining and displaying Skype IP addresses (with maps) from ChatSync files
I had reason recently to look at Skype ChatSync files to recover the IP addresses held within and I needed to get these into a report. For those of you that aren’t aware, when Skype is syncing data between two different accounts, it uses ChatSync files to transfer this...