• SQLite Recovery

    Modern operating systems typically contain many SQLite databases (often in excess of 100). SQLite Recovery can display all of them alongside each other, allowing the investigator to gain an overview of the type and content of all of the databases on the suspect's computer. These databases can contain anything from SMS messages to lists of passwords and are an invaluable source of evidence.

    SQLite Recovery is a forensic tool to aid in the recovery of SQLite databases, tables and records. SQLite Recovery can search a disk, volume, image or file for deleted SQLite databases.

    The output of SQLite Recovery is individual SQLite databases that can be investigated with other forensic software such as SkypeAlyzer.

    UPDATE: SQLite Recovery can now search for multiple keywords across ALL carved SQLite tables simultaneously, irrespective of the table schema.


    SQLite Recovery is only available as part of the SQLite Forensic Toolkit.

    Features

    • Simple to use
    • Template based
    • Carves deleted journal and WAL files
    • Carves unknown databases (including those in unallocated space)
    • Search all tables for multiple keywords at once
    • Template constraints can override column affinity
    • Extracts to SQLite databases to investigate with 'other' forensic software
    • Extract every blob from every database to view in another forensic tool
    • Export a recovered table to XLS
    • Parse time filtering to improve quality of recovered data
    • Optionally display numeric columns as formatted date
    • Advanced filters to clean up data post parse
    • Automatically identify and delete duplicate rows
    • Supports parsing from individual files (DD/Unallocated), logical and physical devices, EWF images.


    A demo version can be downloaded here.


    SQLite Recovery is template based and can recover databases from templates created by the user (which can also be shared amongst users). The process of creating templates is very straightforward and in a lot of cases is just point and click.



    However, SQLite Recovery can also optionally identify deleted database schemas, then create and extract records from databases that the investigator has not specified via a template. These databases are grouped together and displayed for the investigator to determine relevance to their investigation.



    The recovered SQLite tables are displayed to the user in multiple grids, and advanced filters are provided that allow the user to manually "clean up" any corrupt or invalid records in the recovered databases by deleting records, including all duplicate records.

    Advanced filtering functions are provided to allow the investigator to identify valid or invalid records.



    As a forensic tool, SQLite Recovery records the location of each recovered database row.