Recovering Destroyed SQLite Evidence, iPhone/Android Messages, Cleared Skype Logs

© Belkasoft Research

Belkasoft Evidence Center 2013 offers an important feature: the ability to recover destroyed evidence stored in existing and deleted SQLite databases. This feature is made possible by newly developed fully native SQLite processing. But is SQLite processing all that important? Read along to find out!

Evidence Stored in SQLite Databases

The SQLite format is extremely popular with developers. It's an open format, so there are no legal or technical restrictions to prevent developers from using it on PCs and mobile devices. Android and Apple iOS are using SQLite extensively throughout the system, storing call logs, calendars, appointments, search history, messages, system logs and other essential information. Desktop and mobile versions of third-party apps such as Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa Explorer and hundreds of other tools are also using SQLite. Major Web browsers such as Mozilla Firefox, Chrome and Safari are using SQLite to store cache, downloads, history logs, form data and other information. With all those operating systems and applications relying heavily on SQLite, this database becomes one of the most important formats for digital investigations.

Native SQLite Processing

Previous versions of Evidence Center were just like any other forensic tool on the market, using third-party components to process SQLite databases. With many open-source components available on the market, this is a quick and easy solution for many developers of forensic software. However, as SQLite gained popularity, we decided to develop our own dedicated set of components for processing SQLite evidence.

Native SQLite processing adds quite a bit of power to a digital investigation. Native SQLite support allows investigators to analyze destroyed SQLite databases – such as those that were deleted by the suspect and then recovered with file carving. In addition, freelist support allows accessing records that were deleted from SQLite databases. This includes logs and history files produced by Skype, as well as many iOS applications such as call log, messages including iMessage, and so on. Multiple Windows, Mac OS X, iOS and Android applications are using SQLite format to keep their communication history logs. Therefore, the ability to recover deleted records from cleared SQLite databases becomes essential for any investigation involving the analysis of suspects’ online communications.

Please register to access full versions of Belkasoft articles

© Belkasoft Research