What makes an SQLite database seem like a hard drive? Presented at ISSA 2015

by Yuri Gubanov

Summary: Forensic investigation of SQLite databases has become extremely important. SQLite is everywhere: on desktops and laptops, and on mobile and embedded devices. The SQLite database engine is lightweight, does not require a cumbersome installation the way MS SQL Server does, and is quick and easy to program against. That is why most modern applications use SQLite to store their data.
From a forensic perspective, SQLite is a tricky thing. It behaves like... a good old hard drive! When you delete data from SQLite, it does not go away immediately: the pages that held it are moved to the "freelist", which is something like the unallocated space of a disk. Finally, journal and WAL files can hide a fair amount of data that is not stored inside the main database file at all.
Ignoring these questions leads to losing potentially huge amounts of evidence. Thus every forensic investigator should know about the above-mentioned peculiarities and have a proper toolset to investigate SQLite databases.
During this session the following related issues will be addressed and explained: freelists, unallocated space, journal files, write-ahead log (WAL) files and carving deleted SQLite databases.
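The freelist behaviour described above can be observed directly on a file. The following script is an added example (not part of the original talk or its materials): it builds a throwaway database with constructed rows, deletes them all, then parses the freelist fields of the 100-byte SQLite file header and counts how many of the deleted rows' marker strings are still present in the raw file bytes. The marker string and table layout are constructed for the demonstration; `secure_delete` is switched off explicitly because some builds enable it by default, which would overwrite the freed pages.

```python
import os
import sqlite3
import struct
import tempfile

MARKER = "FORENSIC-MARKER-ROW"  # constructed content placed in every row

def build_and_delete(path, rows=2000):
    """Create a table spanning many pages, then delete every row (pages go to the freelist)."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")  # do not zero freed pages (default in most builds)
    conn.execute("PRAGMA auto_vacuum = NONE")   # default; keeps freed pages in the file
    conn.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO msgs (body) VALUES (?)",
                     [(f"{MARKER}-{i:05d} " + "x" * 100,) for i in range(rows)])
    conn.commit()
    conn.execute("DELETE FROM msgs")
    conn.commit()
    conn.close()

def header_info(path):
    """Parse the header fields relevant to the freelist (all big-endian)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 file")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size      # value 1 encodes 65536
    first_trunk, freelist_pages = struct.unpack(">II", hdr[32:40])  # offsets 32 and 36
    return {"page_size": page_size,
            "first_freelist_trunk": first_trunk,
            "freelist_pages": freelist_pages}

def carve_marker_rows(path):
    """Count marker strings still present anywhere in the raw file, like a naive carver would."""
    with open(path, "rb") as f:
        return f.read().count(MARKER.encode())

def demo():
    """Return (live rows via SQL, freelist page count, markers recoverable from raw bytes)."""
    path = os.path.join(tempfile.mkdtemp(), "evidence.db")
    build_and_delete(path)
    conn = sqlite3.connect(path)
    live = conn.execute("SELECT count(*) FROM msgs").fetchone()[0]
    conn.close()
    return live, header_info(path)["freelist_pages"], carve_marker_rows(path)

if __name__ == "__main__":
    print(demo())  # SQL sees 0 rows; the header and the raw bytes tell a different story
```

The same header fields (offsets 32 and 36) are what a forensic tool reads to decide whether freelist pages are worth parsing; a rollback journal or WAL file sitting next to the database would need to be examined separately.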