SQLite Forensic Analysis Based on WAL

Conference paper in Security and Privacy in Communication Networks (SecureComm 2016)

Abstract

SQLite databases are an important source of evidence in forensic investigations. Write-Ahead Logging (WAL) was introduced to ensure data integrity and improve performance in SQLite, but little attention has been paid to using it for forensic purposes, particularly for recovering deleted records; prior recovery methods that do not use the WAL have been ineffective. This paper addresses techniques for SQLite forensic analysis based on the WAL. Specifically, drawing on the storage mechanisms of SQLite and the structure of the WAL, both the original SQLite database and the WAL are first reconstructed by extracting and analyzing all valid pages. SQLite history versions are then produced from these two reconstructed files. Deleted records can then be recovered, and tampering detected, by comparing different versions of the reconstructed history file. Experimental results show that the proposed method can reconstruct history versions, recover deleted records and detect tampering effectively.
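The pipeline the abstract describes (parse the WAL, keep only valid frames, rebuild one database version per commit, then look for a record across versions), as an added example that is not the paper's own code. It assumes Python's standard sqlite3 module to build a small WAL-mode database in a temporary directory and the WAL layout SQLite documents (32-byte header, 24-byte frame headers, cumulative checksum); the function names and the sms table are the example's own.

```python
import pathlib, sqlite3, struct, tempfile
WAL_MAGIC = {0x377F0682: "<", 0x377F0683: ">"}  # the magic value also fixes the checksum word order

def wal_checksum(data, s0=0, s1=0, order="<"):
    # SQLite's cumulative WAL checksum: pairs of 32-bit words, running state carried in s0/s1
    for i in range(0, len(data), 8):
        x0, x1 = struct.unpack_from(order + "II", data, i)
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1

def parse_wal(wal):
    # 32-byte header and 24-byte frame headers are big-endian. A frame is valid only if its salts
    # match the header and the running checksum matches; stale pre-checkpoint frames fail this.
    magic, _ver, page_size, _ckpt, salt1, salt2, c0, c1 = struct.unpack(">8I", wal[:32])
    order = WAL_MAGIC[magic]
    if wal_checksum(wal[:24], order=order) != (c0, c1):
        raise ValueError("corrupt WAL header")
    s0, s1, frames, off = c0, c1, [], 32
    while off + 24 + page_size <= len(wal):
        pgno, commit_size, fs1, fs2, fc0, fc1 = struct.unpack(">6I", wal[off:off + 24])
        page = wal[off + 24:off + 24 + page_size]
        s0, s1 = wal_checksum(wal[off:off + 8], s0, s1, order)  # first 8 bytes of frame header
        s0, s1 = wal_checksum(page, s0, s1, order)              # then the page image
        if pgno == 0 or (fs1, fs2) != (salt1, salt2) or (s0, s1) != (fc0, fc1):
            break  # end of the live log
        frames.append((pgno, commit_size, page))
        off += 24 + page_size
    return page_size, frames

def history_versions(frames):
    # One snapshot {pgno: page image} per commit frame, i.e. the database after each transaction
    pages, versions = {}, []
    for pgno, commit_size, page in frames:
        pages[pgno] = page
        if commit_size:  # non-zero "database size after commit" marks a transaction's last frame
            versions.append({p: img for p, img in pages.items() if p <= commit_size})
    return versions

def demo(marker=b"DELETED-SMS-BODY"):
    # Constructed sample: one row inserted then deleted; report which versions still hold its text
    with tempfile.TemporaryDirectory() as d:
        db = str(pathlib.Path(d) / "sms.db")
        con = sqlite3.connect(db, isolation_level=None)  # autocommit: one commit per statement
        con.executescript("PRAGMA journal_mode=WAL; CREATE TABLE sms(body TEXT);")
        con.execute("INSERT INTO sms(body) VALUES (?)", (marker.decode(),))
        con.execute("DELETE FROM sms")
        wal = pathlib.Path(db + "-wal").read_bytes()  # read before close(): closing checkpoints it
        con.close()
    return [any(marker in img for img in v.values()) for v in history_versions(parse_wal(wal)[1])]
```

The row's text is absent from the first version and present in the version written by the INSERT commit, which is the history comparison the paper uses to recover deleted records.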

Acknowledgment

This work is supported by the Natural Science Foundation of China under Grant Nos. 61070212 and 61572165, and by the State Key Program of the Zhejiang Province Natural Science Foundation of China under Grant No. LZ15F020003.

Corresponding author: Ming Xu

Copyright information

© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Liu, Y., Xu, M., Xu, J., Zheng, N., Lin, X. (2017). SQLite Forensic Analysis Based on WAL. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_31

  • DOI: https://doi.org/10.1007/978-3-319-59608-2_31

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59607-5

  • Online ISBN: 978-3-319-59608-2
