Articles

Recovering Destroyed SQLite Evidence, iPhone/Android Messages, Cleared Skype Logs

© Belkasoft Research

Belkasoft Evidence Center 2013 offers an important feature: the ability to recover destroyed evidence stored in existing and deleted SQLite databases. This feature is made possible by newly developed fully native SQLite processing. But is SQLite processing all that important? Read along to find out!

Evidence Stored in SQLite Databases

The SQLite format is extremely popular with developers. It's an open format, so there are no legal or technical restrictions to prevent developers from using it on PCs and mobile devices. Android and Apple iOS are using SQLite extensively throughout the system, storing call logs, calendars, appointments, search history, messages, system logs and other essential information. Desktop and mobile versions of third-party apps such as Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa Explorer and hundreds of other tools are also using SQLite. Major Web browsers such as Mozilla Firefox, Chrome and Safari are using SQLite to store cache, downloads, history logs, form data and other information. With all those operating systems and applications relying heavily on SQLite, this database becomes one of the most important formats for digital investigations.

Native SQLite Processing

Previous versions of Evidence Center were just like any other forensic tool on the market, using third-party components to process SQLite databases. With many open-source components available on the market, this is a quick and easy solution for many developers of forensic software. However, as SQLite gained popularity, we decided to develop our own dedicated set of components for processing SQLite evidence.

Native SQLite processing adds quite a bit of power to a digital investigation. Native SQLite support allows investigators to analyze destroyed SQLite databases – such as those that were deleted by the suspect and then recovered with file carving. In addition, freelist support allows accessing records that were deleted from SQLite databases. This includes logs and history files produced by Skype, as well as many iOS applications such as call log, messages including iMessage, and so on. Multiple Windows, Mac OS X, iOS and Android applications are using SQLite format to keep their communication history logs. Therefore, the ability to recover deleted records from cleared SQLite databases becomes essential for any investigation involving the analysis of suspects’ online communications.

SQLite in Android

Android smartphones use SQLite throughout the system. Call logs, messages, Google search history, emails, browser cache and lots of other data is stored in the SQLite format. When analyzing evidence obtained from Android phones, investigators often encounter databases containing deleted records (e.g. as a result of the user's attempt to destroy evidence). These records may contain information that is vital for an investigation.

As you already know, SQLite does not immediately erase records deleted from the database. Instead, these records are kept temporarily in so-called "freelists". Thanks to native SQLite processing, Belkasoft Evidence Center is able to access freelist data, retrieving and analyzing evidence contained in deleted SQLite records.

Recovering Deleted Skype Logs

As you may already know, all versions of Skype going several years back keep their data in a database in SQLite format. Skype history logs contain everything about the user’s communications. Skype logs contain information on date and time of each conversation, record message content, as well as nicknames and IP addresses of remote parties. When investigating online crime, results of Skype log analysis may become important evidence.

Suspects routinely delete their conversation histories by clearing Skype logs. However, for performance reasons, SQLite does not wipe or erase records immediately. Deleted records end up in a special area, the so-called ‘freelist’. Freelists may contain records that were deleted a long time ago. Analyzing freelists gives investigators another chance to recover essential evidence.

With newly added native SQLite processing with freelist support, Belkasoft Evidence Center 2013 is able to retrieve deleted records from the freelist area, restoring evidence from cleared log files.

Restoring Destroyed iPhone Call Logs, Messages and Address Books

In Apple iOS architecture, many things are kept in SQLite databases. This includes call logs, address books, and message archives, which in turn contain all text messages (SMS) and iMessages sent and received with the device. If the suspect clears one or more of these logs, recovering evidence from these SQLite databases becomes extremely difficult. Only a few (expensive) tools can access deleted records stored in the ‘freelist’ area.

Belkasoft Evidence Center can successfully read freelist areas, extracting information about calls, messages, appointments, organizer items and contacts that was deleted by the suspect.

Accessing Deleted Database Records

Belkasoft Evidence Center 2013 now uses fully native code to parse the content of SQLite databases.

The components were developed from the scratch specifically for digital forensic purposes. Commonly available SQLite libraries are optimized for high performance under heavy load. In comparison, Belkasoft native components are optimized for in-depth comprehensive analysis of SQLite databases, specifically targeting databases that the suspect attempted to destroy. Targeting corrupted, badly damaged or incomplete SQLite databases, Belkasoft Evidence Center 2013 allows investigators extracting more valuable evidence out of log and history files produced by many popular applications.

Get Free Trial

Interested in trying the new feature? Get the free trial version of Belkasoft Evidence Center at https://belkasoft.com/trial

© Belkasoft Research