In the current arena, no database system is as widely used as is SQLite. In fact, it is the most democratic choice in contrast to other database management systems. It is widely deployed as the embedded database software in different application software for local and client storage. Several browsers, operating system, search engines and web application frameworks totally make up the domain where SQLite is deployed. But the strange fact about this database manager is that it is not immune to corruption, but this fact is no more a crucial issue because there are many such SQLite File Repair Utility available which will recovery the database as well as the data completely from corruption. With the increase in the popularity of SQLite a curious need to peek into the database has also been introduced be it for the forensic investigation purpose or for general purpose. In order to carve out artifacts from the application deploying SQLite, the first step is to deeply study the database structure of SQLite.
Quick Look At SQLite Architecture
In this section we will describe the basic architecture of SQLite database. The database is divided into three major sections which are further sub-divided into eight modules. The first section deals with the compilation of user query, the middle section deals with the execution and the last handles the task of storing the data and also works as an interface with the operating system.
Quick Look At SQLite Architecture
In this section we will describe the basic architecture of SQLite database. The database is divided into three major sections which are further sub-divided into eight modules. The first section deals with the compilation of user query, the middle section deals with the execution and the last handles the task of storing the data and also works as an interface with the operating system.
Interface: Interface forms the top most section of the SQLite structure. It is the medium with the help of which libraries, commands and scripting languages communicate with SQLite.
Compiler: This section is basically responsible for compiling the SQL statements by converting them in a simple hierarchical structure that the other layers can easily understand.
Virtual Machine: the virtual machine is basically responsible for data processing. The instructions virtual machine carries out a specific task or controls the database in order to perform a process.
Back-End: Back-end performs the function of transferring the output information in the form of pages in a maintained order to and from the disk.
Database Of SQLite
The main or the primary file used to store the SQLite database is designated as .db file. The .db files generally consist of one or more pages. Other files which are used and deployed by SQLite database are shared memory file (.sqlite-shm); rollback journal file (.db-journal) and write-ahead log file (.sqlite-wal). When the forensic investigators carry out analysis of the SQLite database, these are the files which are of utmost importance in carving out the evidences.
Where Do SQLite Files Reside?
There are many applications that deploy SQLite as their core database. Therefore depending upon the type of application, the default location of SQLite data also varies. During an investigation process, investigators browse for the database files and then extract these files. Post extraction of the SQLite file, data is carved out from it that helps further in investigating the details. For instance if the crime has been carried out via messaging app like WhatsApp, the two .db file that stores the entire data are msgstore.db.crypt8 and wa.db. Once these files are accessed, data is extracted from them and can help in proving a culprit guilty or innocent. Below is the list of some of the applications that deploy SQLite files as their default database files and also the location where these files can be found.
Application SQLite File Location
1. Skype main.db /data/data/<app_package_name>
2. WhatsApp msgstore.db.crypt8 & wa.db data/data/com.whatsapp/files/key"& /data/data/com.whatsapp/databases/wa.db
3. Facebook fb.db data/data/com.facebook.katana
4. Mozilla Firefox places.sqlite -----------
key3.db
formhistory.db
Accessing SQLite Database
Accessing and analyzing SQLite database is not as easy as it seems. No matter how hard you try forensic investigation can only be done at its optimum level with the help of forensic tools. Same is the case with exploring and investigating SQLite database. SQLite forensics is one such tool that gives the investigation process a new direction. It recovers the data within the files that were deleted and helps a great deal in the investigation.
Compiler: This section is basically responsible for compiling the SQL statements by converting them in a simple hierarchical structure that the other layers can easily understand.
Virtual Machine: the virtual machine is basically responsible for data processing. The instructions virtual machine carries out a specific task or controls the database in order to perform a process.
Back-End: Back-end performs the function of transferring the output information in the form of pages in a maintained order to and from the disk.
Database Of SQLite
The main or the primary file used to store the SQLite database is designated as .db file. The .db files generally consist of one or more pages. Other files which are used and deployed by SQLite database are shared memory file (.sqlite-shm); rollback journal file (.db-journal) and write-ahead log file (.sqlite-wal). When the forensic investigators carry out analysis of the SQLite database, these are the files which are of utmost importance in carving out the evidences.
Where Do SQLite Files Reside?
There are many applications that deploy SQLite as their core database. Therefore depending upon the type of application, the default location of SQLite data also varies. During an investigation process, investigators browse for the database files and then extract these files. Post extraction of the SQLite file, data is carved out from it that helps further in investigating the details. For instance if the crime has been carried out via messaging app like WhatsApp, the two .db file that stores the entire data are msgstore.db.crypt8 and wa.db. Once these files are accessed, data is extracted from them and can help in proving a culprit guilty or innocent. Below is the list of some of the applications that deploy SQLite files as their default database files and also the location where these files can be found.
Application SQLite File Location
1. Skype main.db /data/data/<app_package_name>
2. WhatsApp msgstore.db.crypt8 & wa.db data/data/com.whatsapp/files/key"& /data/data/com.whatsapp/databases/wa.db
3. Facebook fb.db data/data/com.facebook.katana
4. Mozilla Firefox places.sqlite -----------
key3.db
formhistory.db
Accessing SQLite Database
Accessing and analyzing SQLite database is not as easy as it seems. No matter how hard you try forensic investigation can only be done at its optimum level with the help of forensic tools. Same is the case with exploring and investigating SQLite database. SQLite forensics is one such tool that gives the investigation process a new direction. It recovers the data within the files that were deleted and helps a great deal in the investigation.