When performing forensics on SQLite database files, it’s simple enough to browse through the database directly using a tool like sqlitebrowser, which provides a nice visual interface for exploring the data. However, I’d like to create a tool that goes one step further: Â a tool that shows the contents of unallocated or freed blocks within the database, so that it’s possible to see data from rows that once existed, but were later deleted (this can be used, for example, in recovering deleted text messages from an Android device, which usually stores SMS messages in a .sqlite file).
This utility, which I’ll tentatively call SqliteCarve, represents the minimum solution for accomplishing this task: it loads a SQLite file, and parses its pages and B-tree structure. While doing this, it detects the portions of the structure that contain unallocated bytes. It then reads these bytes and parses any strings from them.
The tool presents all the strings found in the unallocated space visually, with a quick way to search for keywords within the strings:
A couple of TODOs for this utility:
- Support strings encoded with UTF-16 and UTF-16BE, in addition to the default UTF-8.
- Make better inferences about the type of content present in the unallocated areas, to be able to extract strings more precisely.