SQLite Forensic Fundamentals
2 Days – 16Hrs
Cost: $1,195
Participants will receive
2-Days of Instruction
Course Manual
Practical Files
Attendance Certificate
SQLite Forensics Fundamentals 2024
Damien Attoe
Lead Developer
Before joining Spyder Forensics, Damien was a Managing Consultant at AccessData where he managed eDiscovery and digital forensics projects and provided services to companies in various industries including the Health Care, Energy, and Financial industries. Prior to that, Damien was a Computer Crime Specialist at the National White Collar Crime Center where he conducted digital forensic research and performed software validation studies on digital forensic software.
Course Objectives
Students will gain knowledge of how relational databases function in the storage of records and fields of information to support a front-end application. SQLite data structures will be covered in detail, whereby the attendee will learn how SQLite databases store data and the potential for recovering data from Freelist pages and page unallocated space within the main database file and journal files.
Students will examine SQLite databases commonly found on Mac, Windows, Android, and iOS devices.
We will use a variety of open-source tools to examine key artifacts through multiple hands-on labs and student exercises.
Primary Learning Objectives
SQLite Forensic Fundamentals - Day 1
Day 1 of the Spyder Forensics SQLite Forensic Fundamentals course begins with an overview of the course along with an introduction to the Instructor.
Following on from this we will look at SQLite Database files and discuss the different SQLite page types, such as B-tree pages, Overflow pages and Freelist pages.
During this module we will introduce the SQLite Database files and discuss the main database file header.
At the conclusion of this module, you will be familiar with the different files associated with an SQLite Database, the different SQLite page types, and understand the structure of the main database file header.
Instructor Led Lab
- Introduction to SQLite data files
- Main Database File
- Discuss different SQLite page types
- Explore the main database file header
Instructor Led Lab
- Introduction to SQLite B-tree pages
- Explore the different SQLite B-tree page structures
- Define Page Header
- Learn how to interpret the Cell Pointer Array
- Examine Page Unallocated Space
- Map Cell Content Area
- Explore Freeblocks
During this module we will deep dive into the structure of SQLite B-Tree Pages.
At the conclusion of this module you will understand the general structure of an SQLite B-tree page, and the possibilities when it comes to recovering deleted records.
This module will focus on SQLite Overflow pages and Freelist Pages.
At the conclusion of this module students will understand how Overflow Pages and Freelist Pages are used in SQLite databases and the possibilities for recovering deleted records.
Instructor Led Lab
- Learn how overflow pages are used
- Explore page structure
- Learn how to identify freelist pages in a database
- Explore the freelist trunk page structure
- Discuss the importance of Freelist Pages in an Investigation
SQLite Forensic Fundamentals - Day 2
Day 2 of the course will see us learning about how SQLite Rollback Journals work and how they are used in SQLite databases, along with their relevance in an investigation. We will follow this with a look at SQLite Write-Ahead Logs and their forensic relevance.
Concluding the day's instruction is a discussion on SQLite Secure_Delete and, as with previous elements of the course, its implications in a forensic examination.
During this module we will be learning about how the SQLite Rollback Journals work.
At the conclusion of this module students will understand how Rollback Journals are used in SQLite databases and their forensic relevance during an investigation.
Instructor Led Lab
- Learn how SQLite Rollback Journals Work
- Examine the File Structure
- Understand the Forensic Relevance of Rollback Journals
Instructor Led Lab
- Learn how Write-Ahead Logs (WAL) Work
- Examine the File Structure
- Understand the Forensic Relevance of WAL Files
During this module we will be learning about how SQLite Write-Ahead Logs work.
At the conclusion of this module students will understand how Write-Ahead logs are used in SQLite databases and their forensic relevance during an investigation.
During this module, we will discuss SQLite Secure_Delete and its implications in a forensic examination.
At the conclusion of this module students will understand how SQLite secure_delete works and how to use the journal files to potentially recover secure_delete information.
Instructor Led Lab
- Understand the concept of secure_delete
- Discuss the Forensic implications
- Using the journal files to recover secure-deleted records