Applied Database Forensics

40 Hours / 5-Day

Learn to use various applications and utilities to successfully identify, process, understand and exploit numerous database structures found on iOS, Android, Windows and Apple systems.

InquireRegister for an upcoming class

Course Overview

Learn to use various applications and utilities to successfully identify, process, understand and exploit numerous database structures found on iOS, Android, Windows and Apple systems.

Students will gain knowledge in how relational databases function in the storage of records and fields of information to support a front-end application.  SQLite will be covered in great detail where the attendee will learn how to recover deleted information from Free Pages and unallocated space within the primary and journal files using scripting techniques.  Additional databases will then be examined including ESE, MS Compound, UAV Data-files, and Binary Plists.

Students will examine data from a host of systems including: Mac, Windows, Android, iPhone.

Relational Database Fundamentals

  • Discuss relational database principles
  • Learn how to create a simple relational database
    • Build tables
    • Associate field types to table columns
    • Add records to tables
    • Create relationships between tables.

Examination of the SQLite Databases

  • Introduction to SQLite data files
  • Learn the purpose of Journal files
  • Discuss different SQLite page types
  • Explore the main database file header.

SQLite B-tree Pages

  • Examine the internal structures of an SQLite database
  • Learn how B-tree pages work in SQLite
  • Discuss page structures
    • Define Page Header
    • Learning how to interpret Cell Pointer Array
    • Examine unallocated Space
    • Map Cell Content Area
    • Explore Freeblocks
  • Discuss recovering records from page freeblocks
  • Discuss recovering records from page unallocated space.

Overflow Pages, Freelist Pages and Rollback Journals

  • Learn how overflow pages are used by the database
    • Explore page structure
  • Learn how to identify freelist pages in a database
    • Explore freelist truck page structure
  • Exercises in the recovery of deleted pages in the primary database
  • Learn how rollback journaling works
  • Explore the rollback journal file structure
    • Rollback journal header
    • Page structure
  • Discuss Forensic recovery considerations

Write-Ahead Logs (WAL) and Database Schemas

  • Learn how write-ahead logging works
  • Explore the write-ahead log file structure
    • WAL file header
    • WAL file frame structure
  • Exercises in the recovery of deleted pages and records in a WAL file
  • Explore SQLite database schema
    • Tables
    • Indexes
    • Triggers
    • Views
  • Discuss value of the information in the schema when writing SQLite queries

Exercises in using SQLite Query Language

  • Learn SQLite functions to construct queries to interrogate database tables
    • Learn how to join tables in a query
    • Explore process for converting datetime stamps
    • Learn how to extract meaningful data from a variety of SQLite data files
  • Exercises in the analysis of multiple SQLite databases

ESE Database Analysis

  • Discuss the Extensible Storage Engine Data base structure
  • Review typical implementation of the ESE data files
    • Windows Mail
    • Outlook
    • File History
    • Windows Search database
  • Learn how data is added to this database and how data is deleted
  • Discuss data recovery techniques
  • Exercises in the analysis of the Windows Search database
  • Exercises in the analysis of the Windows 10 Mail unistore database

RegEx using PowerShell to Extract Database Records

  • Introduction to Regular Expressions
  • Creating Simple Expressions
  • Exercises in RegEx pattern searching
  • Using RegEx in PowerShell to exploit data
  • Exercises in carve ISS logs using PowerShell and RegEx

Other Data Structures

  • Explorer other databases commonly found on Apple and Microsoft systems
    • Registry structures
    • Binary PLists
    • MS Compound data files
  • Examine data structures pertaining to UAV (Drone) activity
    • Examine Flight Logs
    • Synchronization logs
    • Bespoke cached data files from cloud-based synchronization
  • Exercises in the examination of data files on Windows, Apple and android 

Final Assesment

  • Selfpaced examaintion of various databases


To get the most out of this class, you should:

  • Have 6 months experience of forensic examinations.
  • Be familiar with Windows Operating systems.

Download the Syllabus

Download a printable copy of the course description and key learning points.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.

Ready to get started?