Applied Database Forensics

40 Hours / 5-Day

Delve into the intricate world of database forensics across multiple platforms with our comprehensive course. Learn to harness various applications and utilities to adeptly identify, process, understand, and exploit diverse database structures.


Gain invaluable insights into the functioning of relational databases, unravelling the intricate storage of records and fields of information essential for supporting front-end applications. Delve deep into SQLite, mastering techniques to recover deleted information from Freeblocks, Free Pages and page unallocated space within primary and journal files using sophisticated scripting techniques.


Explore a myriad of additional databases including SNSS Files, LevelDB’s, ESE databases and Binary Plists, equipping yourself with a versatile skill set crucial for forensic investigations across various platforms.


Throughout the course, students will examine data that can be found on a range of systems including Mac, Windows, Android, and iOS, providing a holistic understanding of database forensics across diverse environments.


Hands-on labs and student exercises provide practical application of acquired knowledge, utilizing a blend of open-source and leading forensic applications. By engaging in multiple hands-on activities, participants refine their skills, gaining proficiency in examining key artifacts crucial for successful forensic investigations.

InquireRegister for an upcoming class

Course Overview

Delve into the world of database forensics with Spyder Forensics. Learn to identify, process, and exploit diverse database structures. Gain insights into relational databases like SQLite and explore additional databases to equip yourself for forensic investigations. Examine data across various systems and refine your skills through hands-on labs and exercises. Gain proficiency in examining key artifacts crucial for successful forensic investigations.

Relational Database Fundamentals

  • Discuss relational database principles
  • Learn about relationships between different database tables
  • Gain an understanding of database terminology
  • Creating and Populating an SQLite database

Introduction to SQLite Databases

  • Introduction to SQLite data files
  • Learn the purpose of Journal files
  • Discuss different SQLite page types
  • Explore the main database file header

Navigating SQLite B-Trees

  • Introduction to SQLite B-Trees
  • Explore SQLite B-Tree Page Structures
  •  Define Page Header
  •  Learn How to Interpret the Cell Pointer Array
  •  Understand Page Unallocated Space
  • Navigating SQLite B-Trees
  •  Table Interior Page Cell Structures
  •  Introduction to Decoding Varints

Examining SQLite B-tree Leaf Pages

  • Exploring the structure of SQLite B-Tree Table Leaf Pages
  •  Define Page Header
  •  Learn How to Interpret the Cell Pointer Array
  •  Examine Page Unallocated Space
  •  Mapping the Cell Content Area
  •    Introduction to Decoding Cells
  •  Explore Freeblocks
  • Understand the concept of Secure_Delete

SQLite Overflow pages & Freelist pages

  • Learn how overflow pages are Used
  •  Explore page structure
  • Learn how to identify freelist pages in a database
  •  Explore the freelist trunk page structure
  •  Discuss the important of Freelist Pages

Examining SQLite Journal Files

  • Learn how Rollback Journals Work
  • Examining Rollback Journals
  •  File Structure
  •  Understanding Page Records
  • Learn how write-ahead logging works
  • Examining Write-Ahead Logs
  •  File Structure
  •  Understanding WAL Frames
  • Understand the Forensic Relevance of SQLite Journal Files

SQLite Database Schema and Querying

  • Explore SQLite database schema
  •   Tables
  •   Indexes
  •   Triggers
  •   Views
  • Discuss value of the information found in the schema when writing SQLite queries
  • Introduction the SQLite query language
  • Learn how to construct queries to interrogate database tables
  •   Learn how to extract meaningful data
  •   Learn how to join tables in a query
  •   Explore process for converting datetime stamps

Chromium SNSS Files

  • Introduction the Chromium SNSS Files
  • Understand the structure of the Session and Tab files
  • Extracting records from SNSS Files

LevelDB Analysis

  • Introduction to LevelDB’s
  • Understand how LevelDB’s Work
  • Extracting Key Value pairs from LevelDB’s

ESE Database analysis

  • Discuss the Extensible Storage Engine Database structure
  • Review typical implementation of the ESE data files
  •   Windows Mail
  •   Windows Search database

Apple Plist Files

  • Introduction to Plist Files
  • Review of HTML/JSON Plist Files
  • Decoding Binary Plists
  • Understand how to recognize obfuscated data inside a Binary Plist


To get the most out of this class, you should:

  • Be familiar with the basics of digital forensics examinations and investigations
  • Understand basic data structures and methodologies beyond simple tool extractions
  • Attended a Spyder Forensics Intermediate or Advanced level training or similar program in the last 18 months

Request the Syllabus

Contact Spyder Forensics for more details of the course.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.

Ready to get started?