SQLite is an extensively used SQL engine; major applications developed by Mozilla, Apple, Google, Adobe, Microsoft and others use the SQLite database format. As the name suggests, it is a lightweight SQL implementation (a few hundred kilobytes). It is implemented as a C library that can be linked into various applications. Everything in SQLite is stored in files, which is its major drawback, especially when writing, because the file must be locked. Read queries such as SELECT, however, are quite fast. Still, there are situations in which users turn to a professional tool such as SQLite Database File Viewer to read the database and make the whole process easier.
Android Forensics Through SQLite Database
Smartphones running Android use SQLite databases to store messages, call logs, browser cache/history, emails and so on. While working on evidence collected from Android phones, experts may need to study these SQLite databases, which can be a great source of information for completing the investigation.
During the investigation process, forensic examiners may need to retrieve text messages that have been sent or received on a specific device. It is therefore important to know where the message database is saved and how to extract it. In Android phone forensics, you may find this information stored in the mmssms.db file under /data/data/com.android.providers.telephony/databases.
Extracting Browser History
While performing Android browser forensics, investigators may find browsers other than the default one in use on Android phones, for example Google Chrome or Firefox Mobile. The browsing history is stored in SQLite .db files. The default Android browser history can be extracted from the browser2.db file located at /data/data/com.android.browser.
Analyzing Social Networking/IM Chats
Instant messaging applications and social networking services such as WhatsApp, Twitter and Facebook can reveal sensitive information during a digital forensic examination. All you need to do is get the .db file onto the forensic workstation and then extract the crucial information. For example:
Skype: The Skype database (contacts, accounts, calls, messages, SMS etc.) is stored in the Skype data directory, which has the same name as the configured Skype username. The database is saved in the main.db file located at /data/data/<app_package_name>.
Facebook: The Facebook database on Android is saved in the fb.db file under the databases folder, which can be extracted from /data/data/com.facebook.katana. The friends_data table contains information such as friends' names, phone numbers, email addresses and birthdays. In the same way, other files can be gathered to get related data from Facebook.
WhatsApp: The SQLite databases can be a great help to investigators collecting WhatsApp artifacts. Two files are particularly useful. One is the msgstore.db file located at /data/data/com.whatsapp, which stores the messages sent and received by the user. The other is the wa.db file at the same location, which keeps track of all WhatsApp contacts.
WeChat: The application data is saved in encrypted form. It is stored in the EnMicroMsg.db file in the /data/data/com.tencent.mm directory, inside a folder named MicroMsg.
How To Read SQLite Database Files?
Now the question is how to open and analyze a SQLite .db file. There are tools with a graphical user interface that can help to view the .db file and support further investigation.
The SQLite Database File Viewer tool can help to view the DB file and export it to an MS Access or SQL Server database. The tool enables users to open a SQLite DB file and also works if the DB file is corrupt.
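An extracted .db copy can also be surveyed from a script on the forensic workstation. The following is an added example, not part of the original article or of any tool it names: it opens the copy read-only, lists every table with its row count, and checks the file's SHA-256 before and after so that any change to the evidence copy is caught. The helper names and the sample database (a constructed stand-in with an illustrative schema, not a real mmssms.db) are assumptions.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash the evidence copy so any change during analysis is detectable."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def survey_db(path):
    """Open an extracted .db copy read-only and return {table_name: row_count}."""
    before = sha256_of(path)
    # mode=ro refuses writes; immutable=1 tells SQLite the file cannot change,
    # so it skips file locking and change detection on the evidence copy.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        counts = {}
        for name in names:
            # Table names come from the file itself, so quote them as identifiers.
            quoted = '"' + name.replace('"', '""') + '"'
            counts[name] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    finally:
        con.close()
    if sha256_of(path) != before:
        raise RuntimeError("evidence file changed during analysis")
    return counts


def build_sample_db(path):
    """Constructed stand-in for an extracted database; the schema is illustrative."""
    con = sqlite3.connect(str(path))
    con.execute("CREATE TABLE sms (address TEXT, date INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", [
        ("+15550100", 1700000000000, "constructed message 1"),
        ("+15550101", 1700000060000, "constructed message 2")])
    con.execute("CREATE TABLE threads (recipient TEXT)")
    con.execute("INSERT INTO threads VALUES ('+15550100')")
    con.commit()
    con.close()


if __name__ == "__main__":
    sample = Path(tempfile.mkdtemp()) / "sample.db"
    build_sample_db(sample)
    print(survey_db(sample))
```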