2018-11-15 on Digital Forensics

da/sec scientific talk on Digital Forensics

Topic: Forensic Data Analysis and Recovery of Deleted SQLite Records

by Christian Meng
D19/2.03a, November 15, 2018 (Thursday), 12.00 noon

Keywords — Forensic Analysis, SQLite, Deleted Records, Recovery, WAL, Rollback Journal

Abstract

Since messaging applications such as WhatsApp or Skype are often used by criminals to coordinate, SQLite is especially significant from the point of view of IT forensics. In this regard, messages that are deleted in order to cover up digital traces are essential for investigators. In the course of this presentation, the behaviour of SQLite regarding the deletion of records configured with different pragmas is analysed. Based on the results of the analysis, various methods are developed that are able to parse and process deleted records. In contrast to alternative algorithms, the suggested methods rely on a structural approach.
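The following is an added illustration, not code from the talk. It shows how one pragma changes what a structural parser can recover, assuming `secure_delete` is among the pragmas analysed (the abstract does not name them); the table `msg` and its message bodies are constructed sample data. Instead of searching the raw file for strings, it follows the freeblock chain in the b-tree page header to reach the deleted cell.

```python
import os
import sqlite3
import struct
import tempfile

MARKER = b"constructed-deleted-message-0002"  # constructed sample payload

def freeblocks(page: bytes):
    """Yield (offset, size) for each freeblock in a b-tree page (not page 1)."""
    offset = struct.unpack(">H", page[1:3])[0]  # header bytes 1-2: first freeblock
    seen = set()
    while offset and offset not in seen and offset + 4 <= len(page):
        seen.add(offset)  # guard against loops in a damaged chain
        nxt, size = struct.unpack(">HH", page[offset:offset + 4])
        yield offset, size
        offset = nxt

def deleted_payload_survives(secure_delete: bool) -> bool:
    """Delete one row under the given secure_delete setting, then look for
    its payload inside the freeblocks of the table's root page."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        con = sqlite3.connect(path, isolation_level=None)  # autocommit
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
        for i in (1, 2, 3):
            con.execute("INSERT INTO msg VALUES (?, ?)",
                        (i, f"constructed-deleted-message-{i:04d}"))
        root = con.execute(
            "SELECT rootpage FROM sqlite_master WHERE name = 'msg'").fetchone()[0]
        con.execute("DELETE FROM msg WHERE id = 2")  # middle cell becomes a freeblock
        con.close()
        with open(path, "rb") as fh:
            raw = fh.read()
    page_size = struct.unpack(">H", raw[16:18])[0]  # file header bytes 16-17
    page_size = 65536 if page_size == 1 else page_size
    page = raw[(root - 1) * page_size: root * page_size]
    return any(MARKER in page[off:off + size] for off, size in freeblocks(page))

if __name__ == "__main__":
    for setting in (False, True):
        print("secure_delete =", setting, "-> payload recoverable:",
              deleted_payload_survives(setting))
```

With `secure_delete` off, only the first four bytes of the deleted cell are overwritten by the freeblock header, so the message body remains readable; with it on, the freed region is zeroed before the page is written back.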