Abstract
SQLite databases are an important source of evidence in forensic investigations. Write-Ahead Logging (WAL) was introduced to ensure data integrity and improve performance in SQLite databases. However, little attention has been paid to using it for forensic purposes, particularly for recovering deleted records; prior recovery methods that ignore the WAL have been ineffective. This paper presents techniques for SQLite forensic analysis based on the WAL. Specifically, based on the storage mechanisms of SQLite and the structure of the WAL, both the original SQLite database and the WAL are first reconstructed by extracting and analyzing all valid pages. SQLite history versions are then produced from the two reconstructed files. Deleted records can then be recovered, and tampering can be detected, by comparing different versions of the reconstructed history. Experimental results show that the proposed method reconstructs history versions, recovers deleted records and detects tampering effectively.
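The following Python script is an added worked example and is not code from the paper or its authors. It follows the published WAL file format (32-byte file header, 24-byte frame headers, matching salts and a cumulative checksum chain) to keep only valid frames, overlays those frames on the main database file to produce one full database image per commit (the history versions), and then diffs consecutive images so that a vanished row is a recovered deleted record and an UPDATE appears as one deletion plus one insertion. The sample database, its sms table and the five statements run against it are constructed here purely for the demonstration; the WAL and main file are copied while the connection is still open, since closing it checkpoints and deletes the WAL.

```python
import sqlite3
import struct
import tempfile
from pathlib import Path

WAL_MAGIC_LE, WAL_MAGIC_BE = 0x377F0682, 0x377F0683  # magic value selects checksum word order

def wal_checksum(endian, data, s0=0, s1=0):
    """SQLite's cumulative WAL checksum over an even number of 32-bit words."""
    words = struct.unpack(f"{endian}{len(data) // 4}I", data)
    for i in range(0, len(words), 2):
        s0 = (s0 + words[i] + s1) & 0xFFFFFFFF
        s1 = (s1 + words[i + 1] + s0) & 0xFFFFFFFF
    return s0, s1

def parse_wal(wal):
    """Return (page_size, valid frames as (page_no, commit_size, data), count of stale frames)."""
    magic, version, page_size, _ckpt, salt1, salt2, ck1, ck2 = struct.unpack(">8I", wal[:32])
    if magic not in (WAL_MAGIC_LE, WAL_MAGIC_BE) or version != 3007000:
        raise ValueError("not a SQLite WAL file")
    endian = "<" if magic == WAL_MAGIC_LE else ">"
    if wal_checksum(endian, wal[:24]) != (ck1, ck2):
        raise ValueError("WAL header checksum mismatch")
    frames, running, off, frame_len = [], (ck1, ck2), 32, 24 + page_size
    while off + frame_len <= len(wal):
        hdr, data = wal[off:off + 24], wal[off + 24:off + frame_len]
        page_no, commit_size, fs1, fs2, fck1, fck2 = struct.unpack(">6I", hdr)
        # A frame is valid only if its salts match the header and its checksum continues
        # the chain from the previous frame (or from the header for the first frame).
        chain = wal_checksum(endian, data, *wal_checksum(endian, hdr[:8], *running))
        if page_no == 0 or (fs1, fs2) != (salt1, salt2) or chain != (fck1, fck2):
            break  # first invalid frame ends the valid region; what follows is stale
        frames.append((page_no, commit_size, data))
        running, off = chain, off + frame_len
    return page_size, frames, (len(wal) - off) // frame_len

def reconstruct_versions(base_db, frames, page_size):
    """Overlay valid frames on the main file; each commit frame yields one history version."""
    pages = {i + 1: base_db[i * page_size:(i + 1) * page_size]
             for i in range(len(base_db) // page_size)}
    versions = []
    for page_no, commit_size, data in frames:
        pages[page_no] = data
        if commit_size:  # commit frame: field holds the database size in pages after commit
            versions.append(b"".join(pages.get(p, bytes(page_size))
                                     for p in range(1, commit_size + 1)))
    return versions

def query_version(image, path, sql):
    """Write one reconstructed image to disk and query it read-only."""
    img = bytearray(image)
    img[18] = img[19] = 1  # header bytes 18-19: rollback mode, so SQLite does not look for a -wal
    path.write_bytes(img)
    con = sqlite3.connect(f"{path.as_uri()}?mode=ro", uri=True)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()

def diff_versions(rows_by_version):
    """Rows that vanish between versions are recovered deletions; rows that appear are inserts."""
    events = []
    for i in range(1, len(rows_by_version)):
        before, after = set(rows_by_version[i - 1]), set(rows_by_version[i])
        events += [(i, "deleted", r) for r in sorted(before - after)]
        events += [(i, "added", r) for r in sorted(after - before)]
    return events

def build_sample_wal(work_dir):
    """Constructed sample (hypothetical sms table): five autocommit statements in WAL mode."""
    db = work_dir / "sms.db"
    con = sqlite3.connect(db, isolation_level=None)  # autocommit: one commit per statement
    try:
        if con.execute("PRAGMA journal_mode=WAL").fetchone()[0] != "wal":
            raise RuntimeError("this SQLite build cannot use WAL")
        con.execute("PRAGMA wal_autocheckpoint=0")  # keep every frame in the WAL
        for stmt in ("CREATE TABLE sms(id INTEGER PRIMARY KEY, body TEXT)",
                     "INSERT INTO sms VALUES (1, 'meet at nine')",
                     "INSERT INTO sms VALUES (2, 'wire sent')",
                     "DELETE FROM sms WHERE id = 2",
                     "UPDATE sms SET body = 'meet at ten' WHERE id = 1"):
            con.execute(stmt)
        return db.read_bytes(), (work_dir / "sms.db-wal").read_bytes()
    finally:
        con.close()  # closing checkpoints and deletes the WAL, hence the copies above

def demo():
    """Full pipeline: parse WAL, rebuild every history version, recover deleted rows."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        base, wal = build_sample_wal(work)
        page_size, frames, stale = parse_wal(wal)
        versions = reconstruct_versions(base, frames, page_size)
        rows = [query_version(v, work / f"version_{i}.db", "SELECT id, body FROM sms ORDER BY id")
                for i, v in enumerate(versions)]
        return rows, diff_versions(rows), stale
```

Running `demo()` yields five images: the table empty, then one row, then two, then the second row gone, then the first row changed. The diff reports the deleted 'wire sent' message at version 3 and the rewritten body at version 4, which is the comparison step the abstract describes. Frames after a WAL reset carry old salts and break the checksum chain, so `parse_wal` stops there and reports them as stale; a forensic tool may still carve page images from that tail, but they cannot be placed in the commit history.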
Acknowledgment
This work is supported by the Natural Science Foundation of China under Grant Nos. 61070212 and 61572165, and by the State Key Program of the Zhejiang Province Natural Science Foundation of China under Grant No. LZ15F020003.
© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Liu, Y., Xu, M., Xu, J., Zheng, N., Lin, X. (2017). SQLite Forensic Analysis Based on WAL. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_31
DOI: https://doi.org/10.1007/978-3-319-59608-2_31
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59607-5
Online ISBN: 978-3-319-59608-2