cid:image006.jpg@01D3DCD3.7EE2A870

SQLite Forensics Book

Paul Sanderson

Available on Amazon now

 

Universities using SQLite Forensics as recommended/required reading

University

Level

Course

Requirements

University of York, UK

MSc

Cyber Security

Recommended

Canterbury Christ Church University, UK

BSc

Computer Forensics and Security

Recommended

University of Central Oklahoma

BSc

Digital Forensics Tools and Analysis

Recommended

Teesside University, UK

BSc

Computer and Digital Forensics

Essential

Norwich University, USA

BSc

Computer Forensic Investigations

Recommended

Capitol Technology University, USA

BSc

Mobile Device Forensics

Recommended

Personal reviews/blogs

Scar de Courier has done a great review on Forensic Focus

Scar finishes with "SQLite Forensics is a brilliant resource and a necessary addition to the library of any investigator who might come across SQL databases - which, as we learn in the book's introduction, is everyone!"

Alexis Brignoni wrote a fantastic review on his blog Initialization Vectors

Alexis says "There is a real need for reference material on this topic and it is great for practitioners to now have a book that pools all this knowledge in one place. It feels to me like the SQLite version of Brian Carrier's File System Forensics Analysis book. In depth and accessible all at the same time."

Amazon Reviews

SQLite Forensics currently has a total of 11 reviews on Amazon, all of them 5 stars! Here are some of them:

For beginner and expert alike. I am pretty experienced in SQLite forensics, but this book filled some gaps in my skills, increased understanding in some areas, and even answered a question I have had for years when working with SQLite. Got this book around noon, and finished it by that evening. Justin Tolman.

So what makes this book amazing? It has been quite a bit of time since we've seen a digital forensics book come along that I have felt should be a "must read." That has changed as of reading this… These are the things this field has so desperately needed, and it isn't going to take a $3K+ USD course to learn it. You'll learn it right here! Randy Randerson.

It is pretty much the SQLite version of Brian Carrier's File System Forensics Analysis book.
If you do mobile device forensics this book is must. Validate the results of your tools, find the data those tools might be missing, understand the why as well as the how. Alexis Xela.

A must have book! This is a must have book for forensic examiners, especially those involved in mobile forensics!. Paul Torguson.

Not a more relevant DFIR book out there right now. A much-needed book for the DFIR field, and a must-read for any digital forensicator--current or aspiring. Justin Bartshe.

Mandatory read for anyone working in DFIR. SQLite Forensics is written clearly and concisely, yet encompasses more than I have ever seen in regards to SQLite databases and forensic analysis. Brett Shavers.

Every examiner should have this book! I have examined hundreds of databases and learned a lot from this book. This book really dives into concepts and methods that will enhance your examination skills. Heather Mahalik.

Great intro to SQLite as well as handbook for day-to-day use. If going down the rabbit hole of mobile forensics, this book is must have. The book I wished I had before taking a class in mobile forensics. S. Jepsen.

Read the all reviews on Amazon.com here and .co.uk here

Content

SQLite is a self-contained SQL database engine that is used on every smartphone (including all iOS and Android devices) and most computers (including all Macs and Windows 10 machines). Each computer or phone using SQLite often has hundreds of Sqlite databases and it is estimated that there are over one trillion Sqlite databases in active use. Given the above, the importance of examining all of the data held in these databases in an investigation is paramount, and of course this includes examining deleted data whenever possible.

In this book we cover the format of the SQLite database, and associated journal and Write-Ahead Logs (WAL) in great detail. We show how records are encoded, how to decode them manually and how to decode records that are partially overwritten. We also describe how the workings of SQLite, and in particular the journal and WAL, can be used to ascertain what has happened in a manner that cannot be determined from the data alone. We cover basic SQL queries and how they can be used to create a custom report that includes data from different tables, and we show how we can use SQL queries to test hypothesises about the relationships of data in different tables.

This book is aimed mainly at forensic practitioners, and it is assumed that the reader has some basic knowledge of computer forensics; it will also be of interest to computer professionals in general particularly those who have an interest in the SQLite file format.

You do not need to own a copy of the Forensic Toolkit for SQLite to make full use of this book, and indeed most of the material covered will stand alone. However, there are some features of the toolkit that are unique (at the time of writing) and, therefore, some of the techniques in this book can only be explained with the toolkit.

Chapter 1 - Introduction

Chapter 2 - SQLite database file format

Chapter 3 - SQLite record recovery

Chapter 4 - SQLite rollback journals

Chapter 5 - Write-Ahead Logs

Chapter 6 - The schema

Chapter 7 - SQL

Chapter 8 - Odds and Ends

Chapter 9 - Case study IOS sms.db