SQLite Forensics Fundamentals

16 Hours / 2-Day

This course will give participants an understanding of SQLite, how data is stored and the skills necessary to create queries to extract, interpret and present information in a meaningful manner. This includes translating dates and times and querying information stored in multiple tables to create a more robust report.

InquireRegister for an upcoming class


  • This module will introduce you to the SQLite Database and how it has been implemented by the applications that we use on a daily basis.

SQLite Database Structures

  • This module will give you a basic understanding of the main database file. We will decode the database using information from the file header and explore b-tree page structures at a hex level.


SQLite Querying Language

  • This module will provide you with the knowledge to construct queries to extract, interpret and create more robust reports from multiple database tables.

Exercises on SQLite Databases

  • Using the skills learnt in previous modules we will decode and interrogate the Microsoft Edge Chromium and Mozilla Thunderbird SQLite

SQLite Journal Files

  • This module is an introduction to Rollback Journals and Write-ahead logs. We will discuss how journaling works, journal file structures and some forensic considerations when dealing with these type of files.

SQLite Database Schema

  • This module provides an understanding of the database schema. We will explore the sqlite_master table to look at tables and the data types they can hold. We will also discuss indexes, triggers and views and how they can be useful during an examination.


To get the most out of this class, you should:

  • Have 6 months of experience in forensic examinations.

Download the Syllabus

Download a printable copy of the course description and key learning points.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.

Ready to get started?