Blog

When performing forensics on SQLite database files, it’s simple enough to browse through the database directly using a tool like sqlitebrowser, which provides a nice visual interface for exploring the data. However, I’d like to create a tool that goes one step further:   a tool that shows the contents of unallocated or freed blocks within the database, so that it’s possible to see data from rows that once existed, but were later deleted (this can be used, for example, in recovering deleted text messages from an Android device, which usually stores SMS messages in a .sqlite file).

This utility, which I’ll tentatively call SqliteCarve, represents the minimum solution for accomplishing this task: it loads a SQLite file, and parses its pages and B-tree structure. While doing this, it detects the portions of the structure that contain unallocated bytes. It then reads these bytes and parses any strings from them.

The tool presents all the strings found in the unallocated space visually, with a quick way to search for keywords within the strings:

A couple of TODOs for this utility:

• Support strings encoded with UTF-16 and UTF-16BE, in addition to the default UTF-8.
• Make better inferences about the type of content present in the unallocated areas, to be able to extract strings more precisely.

I’ve been slowly working towards a utility to analyze .PST files from Microsoft Outlook and Exchange, and examine their contents. A .PST file is the database in which Outlook stores your email locally on your PC. When recovering data from your own PC, or when performing forensic analysis of another PC, it’s often useful to view the contents of .PST files, thereby viewing sent, received, and deleted emails.

OutlookMailViewer  (download it!) allows you to open a .PST file (without requiring Outlook to be installed) and examine its contents in an intuitive way, very similarly to the way Outlook itself displays your email. This tool is entirely read-only, meaning that you can be sure that the .PST file won’t be modified in any way.

This software is very much experimental/alpha, and needs a bit more work to be as powerful as possible, but it can still be quite useful as it is:

• Supports .PST files from nearly all previous versions of Outlook, as well as the latest Outlook 2016 (supports ANSI and Unicode .PST files).
• Displays plain-text, HTML, and RTF versions of email messages.
• Displays absolutely all properties associated with each email message (more properties than Outlook itself shows).
• Allows saving of attachments from messages.

Some to-do items for a future version:

• Scan the .PST file for orphan messages (i.e. messages that still exist after being emptied from Deleted Items, but before the database is compacted).
• Filtering and searching of messages.
• Exporting messages in different formats.

Try it out! If you’re using the current Outlook 2016, you can usually find your .PST file in [My Documents]\Outlook Files\[your account].pst.

I’m happy to release a simple little app for Android devices for viewing 3D model files, particularly STL models (widely used in 3D printing), and limited support for OBJ and PLY models. Find it on the Google Play Store now!

You can open model files from within the app, and the app also registers itself as a handler for opening .STL files, so that it will be launched automatically when you select an STL file from another app, such as your browser or file manager.

Best of all, the app has a VR button that will instantly switch to VR mode, allowing you to place your device into your VR headset, so you can view the model in true 3D.   It supports motion tracking, allowing you to examine the model from all angles by moving your head.

I  actually developed the app during the 2017 Wikimedia Hackathon in Vienna, but I’ve only recently gotten around to cleaning it up and releasing it. Enjoy, and browse the source code if you like.

Here’s  what you get when you combine a trip to the scrap metal store, a pair of tin snips, and a few minutes fiddling with Inkscape! (Credit goes to my wife, as it does for most home decoration ideas.)