Topic: Forensic Data Analysis and Recovery of Deleted SQLite Records
by Christian Meng
D19/2.03a, November 15, 2018 (Thursday), 12.00 noon
Keywords — Forensic Analysis, SQLite, Deleted Records, Recovery, WAL, Rollback Journal
Since messaging application such as WhatsApp or Skype are often used by criminals to coordinate, SQLite is especially significant from the point of view of IT forensics. In this regard, messages that are deleted in order to cover up digital traces are essential for investigators. In the course of this presentation, the behaviour of SQLite regarding the deletion of records configured with different pragmas is analysed. Based on the results of the analysis, various methods are developed that are able to parse and process deleted
records. In contrast to alternative algorithms, the suggested methods rely on a structural approach.