Post on 13-May-2022

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Public Agency Training Council tech Chief Technical

Glenn K. Bard

Public Agency Training Council tech

Chief Technical Officer

PA State Trooper – Retired

NCMEC – Project ALERT

CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE

[email protected]

Page 2

PATCtech

Glenn Bard, CTO

Scott Lucas, Instructor and Examiner

Steve Dempsey, Instructor

Kathy Enriquez, Instructor

Brian Sprinkle, Case Manager – examiner

James Alsup, Director PATC

Stefani Lucas, Marketing Director

Page 3

SQL / DB forensics

PATCtech – CTO Glenn K. Bard

CISSP, EnCE, ACE, AME, CHFI, A+, Network+, Security+

Page 4

SQL / DB forensics

• Why is it so important to learn SQL / DB forensics?

• Both iOS and Android rely heavily on database files to store app content

• The average smartphone holds hundreds of these files

• Each app has its own set of databases; they are not shared between apps

• Because each app keeps its own, if your forensic tool does not support a given app you will need another way to get at the data

• They contain a large amount of data, including deleted information

• They can contain other files, such as JPEG images, plists, and so on

Page 5

SQL / DB forensics

• Before we begin, some definitions we need to know:

• Tables – The different kinds of data the DB will store, e.g. messages, handle, message pieces, etc.

• ROWID (ID) – A sequential number identifying an entry in a table

• SQLite Sequence – The last assigned ROWID for each table (kept in the sqlite_sequence table)

• BLOB – Binary Large Object

• Unix time – Number of seconds since January 1, 1970 00:00:00

• Mac time – Number of seconds since January 1, 2001 00:00:00
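The definitions above (ROWID, the SQLite sequence, BLOBs, Unix and Mac time) can be exercised on a small database built in memory. The following is an added example written for this page, not code from the slides or from PATCtech; the `message` table, its rows, the fake JPEG and plist headers and the timestamp values are all constructed here and do not reflect any real app's schema. It shows how `sqlite_sequence` keeps counting after rows are deleted, which is why a gap between the sequence value and the ROWIDs still present is a useful hint that something was removed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Seconds between the Unix epoch (1970-01-01) and the Mac/Cocoa epoch (2001-01-01).
MAC_EPOCH_OFFSET = 978_307_200
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def unix_to_datetime(seconds):
    """Unix time: seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def mac_to_datetime(seconds):
    """Mac (Cocoa / Apple absolute) time: seconds since 2001-01-01 00:00:00 UTC."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def mac_to_unix(seconds):
    return seconds + MAC_EPOCH_OFFSET


# Leading bytes of file types the slides say turn up inside BLOB columns.
BLOB_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"bplist00": "binary plist",
    b"\x89PNG\r\n\x1a\n": "png",
}


def sniff_blob(blob):
    """Return a file-type label for a BLOB based on its magic bytes, or None."""
    for magic, label in BLOB_SIGNATURES.items():
        if blob[: len(magic)] == magic:
            return label
    return None


def build_sample_db():
    """Constructed stand-in for a chat-app database (not any real app's schema).
    AUTOINCREMENT makes SQLite maintain the sqlite_sequence table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY AUTOINCREMENT,
            text TEXT,
            date INTEGER,       -- Mac time (seconds since 2001-01-01), constructed values
            attachment BLOB
        );
    """)
    rows = [
        ("see attached", 674_092_800, b"\xff\xd8\xff\xe0" + b"\x00" * 12),  # fake JPEG header
        ("deleted later", 674_092_860, None),
        ("settings", 674_092_920, b"bplist00" + b"\x00" * 8),               # fake plist header
        ("also deleted", 674_092_980, None),
    ]
    con.executemany("INSERT INTO message (text, date, attachment) VALUES (?, ?, ?)", rows)
    # Deleting rows does not roll the sequence counter back.
    con.execute("DELETE FROM message WHERE ROWID IN (2, 4)")
    con.commit()
    return con


def last_rowid_per_table(con):
    """What the slide calls the 'SQLite Sequence': last ROWID handed out per table."""
    return {name: seq for name, seq in con.execute("SELECT name, seq FROM sqlite_sequence")}


def rowid_gaps(con, table):
    """ROWIDs that sqlite_sequence says were assigned but are no longer present.
    A gap is a hint that rows were deleted, not proof; recovering the content
    from free pages is a separate carving step."""
    row = con.execute("SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)).fetchone()
    if row is None:
        return []
    present = {r[0] for r in con.execute(f'SELECT ROWID FROM "{table}"')}
    return [i for i in range(1, row[0] + 1) if i not in present]


def decode_messages(con):
    """Live rows with the Mac-time column converted to ISO 8601 and BLOBs labelled."""
    out = []
    query = "SELECT ROWID, text, date, attachment FROM message ORDER BY ROWID"
    for rowid, text, date, blob in con.execute(query):
        out.append((rowid, text, mac_to_datetime(date).isoformat(), sniff_blob(blob) if blob else None))
    return out


if __name__ == "__main__":
    db = build_sample_db()
    print(last_rowid_per_table(db))   # {'message': 4}
    print(rowid_gaps(db, "message"))  # [2, 4]
    for row in decode_messages(db):
        print(row)
```

Note that real apps store the same epochs in milliseconds, microseconds or nanoseconds as often as in seconds; check the magnitude of a value before picking a conversion.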

Page 6

SQL / DB forensics

• Where will you find these files? Each app has its own, or in many cases several of them.

• Some good hints:

• Android: /data/data/<app package name>/databases

• iOS: /private/var/mobile

• Applications – third-party apps

• Library – apps that ship with iOS

• Let’s take a look:

Page 7

Android

Pages 8–11: (no extractable text)

Page 12

iOS

Pages 13–17: (no extractable text)

Page 18

Some hints and tips about these databases

• They can have different extensions: .db, .sql, .sqlite, .sqlitedb

• Some have odd extensions, like callhistory.storedata

• Some have no extension at all, and forensic software often misses them. One example was threads_db2, which held the contents of Facebook Messenger.

• In some databases, a column in one table points to a column in a different table (for example the handle ID in SMS messages on an iPhone, or ZKIKUSER in the Kik app).

• In other cases a column points to a column in a completely different database (for example AddressBookImages.sqlitedb and AddressBook.sqlitedb on an iPhone).
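Two of the hints above, that a database may carry an odd or no extension and that one column may point into another table or even another database, can be handled with a few lines of Python. The example below is added for this page and is not the slides' or PATCtech's code. It locates SQLite files by their 16-byte file header rather than by name, then resolves a message's handle ID inside one database and a phone number against a second database using `ATTACH`. The `threads_db2` and `AddressBook.sqlitedb` file names echo the slide's examples, but the tables, columns, rows and the directory they are written to are constructed here and are not the real Messenger or iOS schemas.

```python
import os
import sqlite3
import tempfile

# Every SQLite 3 database starts with this header, whatever the file is called.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def find_sqlite_files(root):
    """Walk an extracted app directory and return every file carrying the SQLite
    header, regardless of extension (.db, .sqlitedb, .storedata or none at all)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if is_sqlite_file(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable file; leave it for manual review
    return sorted(hits)


def build_sample_case(root):
    """Constructed evidence set (not real app data): a messaging database with no
    extension, a separate contacts database, and a text file that must be ignored."""
    msgdb = os.path.join(root, "threads_db2")  # extension-less, like the slide's example
    con = sqlite3.connect(msgdb)
    con.executescript("""
        CREATE TABLE handle  (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER);
        INSERT INTO handle  VALUES (1, '+15555550100'), (2, '+15555550199');
        INSERT INTO message VALUES (1, 'hi', 1), (2, 'call me', 2), (3, 'ok', 1);
    """)
    con.commit()
    con.close()

    contacts = os.path.join(root, "AddressBook.sqlitedb")
    con = sqlite3.connect(contacts)
    con.executescript("""
        CREATE TABLE person (ROWID INTEGER PRIMARY KEY, phone TEXT, name TEXT);
        INSERT INTO person VALUES (1, '+15555550100', 'Alice Example');
    """)
    con.commit()
    con.close()

    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not a database\n")
    return msgdb, contacts


def messages_with_contacts(msgdb, contacts):
    """Follow message.handle_id -> handle.ROWID within one database, then
    handle.id -> person.phone in a second database attached as 'ab'."""
    # Open the evidence read-only so the query cannot change it.
    con = sqlite3.connect(f"file:{msgdb}?mode=ro", uri=True)
    con.execute("ATTACH DATABASE ? AS ab", (contacts,))
    rows = con.execute("""
        SELECT m.ROWID, m.text, h.id, p.name
        FROM message AS m
        JOIN handle AS h ON h.ROWID = m.handle_id
        LEFT JOIN ab.person AS p ON p.phone = h.id
        ORDER BY m.ROWID
    """).fetchall()
    con.close()
    return rows


def run_demo():
    """Build the constructed case in a temp directory and run both steps."""
    root = tempfile.mkdtemp()
    msgdb, contacts = build_sample_case(root)
    found = [os.path.basename(p) for p in find_sqlite_files(root)]
    return {"found": found, "rows": messages_with_contacts(msgdb, contacts)}


if __name__ == "__main__":
    print(run_demo())
```

The `LEFT JOIN` matters: a message from a number that is not in the address book still comes back, with `None` in the name column, instead of silently disappearing from the result. On a real extraction, work on a copy and keep the read-only open so the examination does not alter the evidence file.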

Page 19

Some hints and tips about these databases

• If you see some that look like this:

Page 20

Some hints and tips about these databases

• Those are WebKit files, and they are usually very important. In many cases they contain emails as well as information cached from websites.

• We will see this in a bit.

Page 21

SQL / DB forensics

• Now that we know where to locate the files, how do we examine them? First, the tools:

• Mozilla Firefox with SQLite Manager

• SQLite Database Browser Portable

• DCode from Digital Detective

• Oxygen with SQLite Viewer

Page 22

Like us on Facebook

• https://www.facebook.com/PATCTech-116471378378526/

Page 23

Please check out our two new websites:

• Patctech.com

• Patctechns.com

Page 24

Come back for our future webinars:

• Getting past the iOS passcode:

• http://www.patc.com/online/1099.shtml

• DART / MapLink cell mapping:

• http://www.patc.com/online/1100.shtml

• Getting past the Android passcode:

• http://www.patc.com/online/1101.shtml