My recent post on “Timelining using SQLite Write Ahead Logs” highlighted how much background information is required to deal with SQLite databases. This post is going to give a more in-depth overview of the structure of the SQLite 3 file format. It should take you from knowing very little about SQLite databases to being able to manually locate records using a hex viewer.

I should start by saying that the documentation for the SQLite 3 file format is excellent and can be found here. The documentation is pretty much good enough that you can teach yourself the format using just this information and a test database to check against. Where possible, I’ll reference the section of the documentation that the information has come from.

SQLite databases are now a massive part of the forensics workload. They are used by thousands of phone apps, on both Android and iOS, as well as being used heavily by the Windows/Linux/OS X operating systems for both system data (e.g. Windows Notification database) and user data (e.g.

X-Ways Forensics/WinHex – but any hex editor will do.

X-tensions – If using X-Ways then you can use the SQLite Record Decoder (v0.3) to make your life easier – available here

Database – The database used throughout this post is called chinook.db and can be downloaded from here, though I’ve created a VHD with the file in it, which can be accessed here

Examining the database

Examining the database header

The first 100 bytes of the SQLite database are the database header, which stores key information about the database.

All values in SQLite are in Big Endian format and therefore you should ensure any hex editor you are using is displaying values in Big Endian or none of your values are going to make any sense at all!

The following structure can be seen on the SQLite file format website under section 1.3.

Must be a power of two between 58 inclusive, or the value 1 representing a page size of 65536.

File format write version. 1 for legacy, 2 for WAL.

File format read version. 1 for legacy, 2 for WAL.

Bytes of unused “reserved” space at the end of each page.
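To check a manual read of the header against code, the sketch below decodes the page size, write/read version and reserved-space fields as big-endian values. It is an added example, not code from the original post: the function names are hypothetical, the sample header is constructed, and the offsets (16 to 20) and the 512 to 32768 page-size bounds are taken from section 1.3 of the SQLite file format documentation.

```python
import struct

MAGIC = b"SQLite format 3\x00"           # bytes 0-15 of every SQLite 3 file
JOURNAL_MODES = {1: "legacy", 2: "WAL"}  # meaning of the read/write version bytes


def parse_header(header: bytes) -> dict:
    """Decode the header fields discussed above from the first 100 bytes."""
    if len(header) < 100:
        raise ValueError("need the full 100-byte database header")
    if header[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database (bad magic string)")

    # ">" = big endian: H is the 2-byte page size at offset 16, followed by
    # three 1-byte fields at offsets 18, 19 and 20.
    raw_size, write_ver, read_ver, reserved = struct.unpack_from(">HBBB", header, 16)

    # The stored value 1 stands for 65536, which does not fit in two bytes.
    page_size = 65536 if raw_size == 1 else raw_size
    if page_size < 512 or page_size & (page_size - 1):
        raise ValueError(f"invalid page size field: {raw_size}")

    return {
        "page_size": page_size,
        "write_version": JOURNAL_MODES.get(write_ver, f"unknown ({write_ver})"),
        "read_version": JOURNAL_MODES.get(read_ver, f"unknown ({read_ver})"),
        "reserved_bytes": reserved,
        "usable_page_size": page_size - reserved,
    }


def build_sample_header(raw_size: int, write_ver: int, read_ver: int, reserved: int) -> bytes:
    """Constructed test input: only the fields parsed above are filled in."""
    fields = struct.pack(">HBBB", raw_size, write_ver, read_ver, reserved)
    return (MAGIC + fields).ljust(100, b"\x00")


if __name__ == "__main__":
    # Constructed header: 4096-byte pages, WAL mode, no reserved space.
    sample = build_sample_header(0x1000, 2, 2, 0)
    print(sample[16:21].hex(" "))  # the five bytes as a hex editor shows them
    for name, value in parse_header(sample).items():
        print(f"{name}: {value}")
```

To run it against a real file such as chinook.db, pass the first 100 bytes read in binary mode to `parse_header`.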