Support Articles

for Sanderson Forensics SQLite Software Suite

Speech Bubbles

This short video shows how to use the speech bubbles report functionality in the Forensic Browser for SQLite. This new report option will be available in version 3.3.0, which will be released shortly. https://youtu.be/qrLk6U-XSpk

How NOT to examine SQLite WAL files

At a recent conference, while talking about SQLite forensics, I found out that some people still use non-forensic tools to investigate databases with WAL files and were quite happy that they would not miss anything of importance. This is something I disagree with very,...

Q. When is secure delete not secure?

A. When a journal is in use (potentially). The raison d'être for a journal, be it a traditional rollback journal or the newer SQLite Write Ahead Log (WAL) file, is to maintain database integrity. Simply put, if an operation fails for whatever reason then the changes to...

Identifying deleted records in DB and WAL

I have been working with a user who is processing an Android mmssms.db with its associated WAL journal and it became clear that another forensic tool that he was using was not identifying deleted records. My colleague wanted to create a report showing just the deleted...

Validating a timestamp

The Forensic Browser for SQLite incorporates features such that you can right click on a numeric date column and have the Browser convert a number to one of the supported date formats, applying a timezone offset as required. The process is simply - right-click the...

ESE/EDB/Jetblue – Edge, WebCache & Cortana

Along with SQLite, the Microsoft Extensible Storage Engine (ESE) is becoming increasingly common on Windows mobile phones and desktop operating systems. ESE, also known as Jetblue or EDB DBs, is the technology that underpins these databases such as Windows search and...

SQLite Forensics Book by Paul Sanderson