npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
SQLite is the most widely deployed database engine in the world, used by virtually every mobile application, web browser, and many desktop applications to store user data. In digital forensics, SQLite databases are critical evidence sources containing browser history, messaging records, call logs, GPS locations, application preferences, and cached content. Forensic analysis goes beyond simple SQL queries to examine the internal B-tree page structures, freelist pages containing deleted records, Write-Ahead Log (WAL) files preserving transaction history, and unallocated space within database pages where recoverable data may persist after deletion.
When to Use
- When conducting security assessments that involve performing sqlite database forensics
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- DB Browser for SQLite (sqlitebrowser)
- SQLite command-line tools (sqlite3)
- Python 3.8+ with sqlite3 module
- Belkasoft Evidence Center or Axiom (commercial)
- Hex editor (HxD, 010 Editor) for manual page inspection
- Understanding of B-tree data structures
SQLite Internal Structure
Database Header (First 100 Bytes)
| Offset | Size | Description |
|---|---|---|
| 0 | 16 | Magic string: "SQLite format 3\000" |
| 16 | 2 | Page size (512-65536 bytes) |
| 18 | 1 | File format write version |
| 19 | 1 | File format read version |
| 24 | 4 | File change counter |
| 28 | 4 | Database size in pages |
| 32 | 4 | First freelist trunk page number |
| 36 | 4 | Total freelist pages |
| 52 | 4 | Text encoding (1=UTF-8, 2=UTF-16le, 3=UTF-16be) |
| 96 | 4 | Version-valid-for number |
Page Types
| Type | ID | Description |
|---|---|---|
| B-tree Interior | 0x05 | Internal table node |
| B-tree Leaf | 0x0D | Table leaf page containing actual records |
| Index Interior | 0x02 | Internal index node |
| Index Leaf | 0x0A | Index leaf page |
| Freelist Trunk | - | Tracks freed pages |
| Freelist Leaf | - | Freed page with recoverable data |
| Overflow | - | Continuation of large records |
Deleted Record Recovery
Method 1: Freelist Page Analysis
When records are deleted, SQLite may place their pages on the freelist rather than overwriting them immediately.
import struct
import sqlite3
import os
def analyze_freelist(db_path: str) -> dict:
"""Analyze SQLite freelist to identify pages containing deleted data."""
with open(db_path, "rb") as f:
# Read header
header = f.read(100)
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
first_freelist_page = struct.unpack(">I", header[32:36])[0]
total_freelist_pages = struct.unpack(">I", header[36:40])[0]
freelist_info = {
"page_size": page_size,
"first_freelist_page": first_freelist_page,
"total_freelist_pages": total_freelist_pages,
"trunk_pages": [],
"leaf_pages": []
}
if first_freelist_page == 0:
return freelist_info
# Walk the freelist trunk chain
trunk_page = first_freelist_page
while trunk_page != 0:
offset = (trunk_page - 1) * page_size
f.seek(offset)
page_data = f.read(page_size)
next_trunk = struct.unpack(">I", page_data[0:4])[0]
leaf_count = struct.unpack(">I", page_data[4:8])[0]
leaves = []
for i in range(leaf_count):
leaf_page = struct.unpack(">I", page_data[8 + i * 4:12 + i * 4])[0]
leaves.append(leaf_page)
freelist_info["trunk_pages"].append({
"page_number": trunk_page,
"next_trunk": next_trunk,
"leaf_count": leaf_count,
"leaf_pages": leaves
})
freelist_info["leaf_pages"].extend(leaves)
trunk_page = next_trunk
return freelist_info
def extract_freelist_content(db_path: str, output_dir: str):
"""Extract raw content from freelist pages for analysis."""
info = analyze_freelist(db_path)
os.makedirs(output_dir, exist_ok=True)
with open(db_path, "rb") as f:
page_size = info["page_size"]
for page_num in info["leaf_pages"]:
offset = (page_num - 1) * page_size
f.seek(offset)
page_data = f.read(page_size)
output_file = os.path.join(output_dir, f"freelist_page_{page_num}.bin")
with open(output_file, "wb") as out:
out.write(page_data)
return len(info["leaf_pages"])Method 2: WAL (Write-Ahead Log) Analysis
The WAL file contains pending transactions that have not yet been checkpointed back to the main database.
def parse_wal_header(wal_path: str) -> dict:
"""Parse SQLite WAL file header and frame inventory."""
with open(wal_path, "rb") as f:
header = f.read(32)
magic = struct.unpack(">I", header[0:4])[0]
file_format = struct.unpack(">I", header[4:8])[0]
page_size = struct.unpack(">I", header[8:12])[0]
checkpoint_seq = struct.unpack(">I", header[12:16])[0]
salt1 = struct.unpack(">I", header[16:20])[0]
salt2 = struct.unpack(">I", header[20:24])[0]
wal_info = {
"magic": hex(magic),
"format": file_format,
"page_size": page_size,
"checkpoint_sequence": checkpoint_seq,
"frames": []
}
# Parse frames (24-byte header + page_size data each)
frame_offset = 32
frame_num = 0
file_size = os.path.getsize(wal_path)
while frame_offset + 24 + page_size <= file_size:
f.seek(frame_offset)
frame_header = f.read(24)
page_number = struct.unpack(">I", frame_header[0:4])[0]
db_size_after = struct.unpack(">I", frame_header[4:8])[0]
wal_info["frames"].append({
"frame_number": frame_num,
"page_number": page_number,
"db_size_pages": db_size_after,
"offset": frame_offset
})
frame_offset += 24 + page_size
frame_num += 1
return wal_infoMethod 3: Unallocated Space Within Pages
Deleted cells within active B-tree pages leave data in the unallocated region between the cell pointer array and the cell content area.
def analyze_unallocated_space(db_path: str, page_number: int) -> dict:
"""Analyze unallocated space within a specific B-tree page."""
with open(db_path, "rb") as f:
header = f.read(100)
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
offset = (page_number - 1) * page_size
f.seek(offset)
page_data = f.read(page_size)
# Parse page header (8 or 12 bytes depending on type)
page_type = page_data[0]
first_freeblock = struct.unpack(">H", page_data[1:3])[0]
cell_count = struct.unpack(">H", page_data[3:5])[0]
cell_content_offset = struct.unpack(">H", page_data[5:7])[0]
if cell_content_offset == 0:
cell_content_offset = 65536
header_size = 12 if page_type in (0x02, 0x05) else 8
cell_pointer_end = header_size + cell_count * 2
unallocated_start = cell_pointer_end
unallocated_end = cell_content_offset
unallocated_size = unallocated_end - unallocated_start
return {
"page_number": page_number,
"page_type": hex(page_type),
"cell_count": cell_count,
"unallocated_start": unallocated_start,
"unallocated_end": unallocated_end,
"unallocated_size": unallocated_size,
"unallocated_data": page_data[unallocated_start:unallocated_end].hex()
}Common Forensic Databases
| Application | Database File | Key Tables |
|---|---|---|
| Chrome | History | urls, visits, downloads, keyword_search_terms |
| Firefox | places.sqlite | moz_places, moz_historyvisits |
| Safari | History.db | history_items, history_visits |
| msgstore.db | messages, chat_list | |
| Signal | signal.sqlite | sms, mms |
| iMessage | sms.db | message, handle, chat |
| Android SMS | mmssms.db | sms, mms, threads |
| Skype | main.db | Messages, Conversations |
Timestamp Decoding
from datetime import datetime, timedelta
def decode_chrome_timestamp(chrome_ts: int) -> datetime:
"""Convert Chrome/WebKit timestamp to datetime (microseconds since 1601-01-01)."""
epoch_delta = 11644473600
return datetime.utcfromtimestamp((chrome_ts / 1000000) - epoch_delta)
def decode_unix_timestamp(unix_ts: int) -> datetime:
"""Convert Unix timestamp to datetime."""
return datetime.utcfromtimestamp(unix_ts)
def decode_mac_absolute_time(mac_ts: float) -> datetime:
"""Convert Mac Absolute Time (seconds since 2001-01-01)."""
mac_epoch = datetime(2001, 1, 1)
return mac_epoch + timedelta(seconds=mac_ts)
def decode_mozilla_timestamp(moz_ts: int) -> datetime:
"""Convert Mozilla PRTime (microseconds since Unix epoch)."""
return datetime.utcfromtimestamp(moz_ts / 1000000)References
- SQLite File Format: https://www.sqlite.org/fileformat2.html
- Belkasoft SQLite Analysis: https://belkasoft.com/sqlite-analysis
- Spyder Forensics SQLite Training: https://www.spyderforensics.com/sqlite-forensic-fundamentals-2025/
- Forensic Analysis of Damaged SQLite Databases: https://www.forensicfocus.com/articles/forensic-analysis-of-damaged-sqlite-databases/
Example Output
$ python3 sqlite_forensics.py --db /evidence/chrome/Default/History \
--wal /evidence/chrome/Default/History-wal \
--journal /evidence/chrome/Default/History-journal \
--output /analysis/sqlite_report
SQLite Database Forensic Analyzer v2.0
========================================
Database: /evidence/chrome/Default/History
Size: 48.2 MB
SQLite Ver: 3.39.5
Page Size: 4096 bytes
Total Pages: 12,345
Encoding: UTF-8
[+] Analyzing WAL (Write-Ahead Log)...
WAL file: History-wal (2.1 MB)
WAL frames: 512
Checkpointed: No (contains uncommitted data)
Recoverable rows from WAL: 234
[+] Analyzing journal file...
Journal file: History-journal (0 bytes - rolled back)
[+] Scanning for deleted records (freelist pages)...
Freelist pages: 456
Deleted records recovered: 1,892
[+] Analyzing table: urls
Active rows: 12,456
Deleted rows: 1,234 (recovered from freelist)
WAL-only rows: 89
--- Recovered Deleted URLs (Last 10) ---
Row ID | URL | Title | Visit Count | Last Visit (UTC)
-------|--------------------------------------------------|--------------------------|-------------|---------------------
89234 | https://mega.nz/folder/xYz123#key=AbCdEf | MEGA | 5 | 2024-01-16 03:20:00
89235 | https://transfer.sh/abc123/data.7z | transfer.sh | 1 | 2024-01-16 03:25:00
89240 | https://temp-mail.org/en/ | Temp Mail | 3 | 2024-01-15 13:00:00
89241 | https://browserleaks.com/ip | IP Leak Test | 1 | 2024-01-15 12:55:00
89245 | https://www.virustotal.com/gui/file/a1b2c3... | VirusTotal | 2 | 2024-01-15 14:30:00
89250 | https://github.com/gentilkiwi/mimikatz/releases | Mimikatz Releases | 1 | 2024-01-15 16:00:00
89260 | https://raw.githubusercontent.com/.../payload.ps1| GitHub Raw | 1 | 2024-01-15 14:34:00
89270 | https://pastebin.com/edit/kL9mN2pQ | Pastebin - Edit | 2 | 2024-01-15 14:42:00
89280 | https://duckduckgo.com/?q=clear+browser+history | DuckDuckGo | 1 | 2024-01-17 22:00:00
89285 | https://duckduckgo.com/?q=anti+forensics+tools | DuckDuckGo | 1 | 2024-01-17 22:05:00
[+] Analyzing table: downloads
Active rows: 234
Deleted rows: 12 (recovered)
--- Recovered Deleted Downloads ---
Row ID | Filename | URL | Size | Start Time (UTC)
-------|------------------------|----------------------------------------|-----------|---------------------
5012 | payload.ps1 | https://raw.githubusercontent.com/... | 4,096 | 2024-01-15 14:34:00
5015 | mimikatz_trunk.zip | https://github.com/.../releases/... | 1,892,352 | 2024-01-15 16:00:00
5018 | netscan_portable.zip | https://www.softperfect.com/... | 5,242,880 | 2024-01-15 15:05:00
[+] Slack space analysis...
Pages with slack space data: 234
Partial strings recovered: 67 fragments
Summary:
Total records analyzed: 14,578 (active) + 3,126 (deleted/WAL)
Evidence-relevant URLs: 23 (flagged)
Deleted downloads: 12 (3 tool-related)
Anti-forensics evidence: Browser history deletion detected
Report: /analysis/sqlite_report/sqlite_forensics.json
Recovered DB: /analysis/sqlite_report/History_recovered.dbReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.9 KB
API Reference: SQLite Database Forensics
SQLite File Header (First 100 Bytes)
| Offset | Size | Description |
|---|---|---|
| 0 | 16 | Magic: SQLite format 3\000 |
| 16 | 2 | Page size (512-65536; 1 means 65536) |
| 24 | 4 | File change counter |
| 28 | 4 | Database size in pages |
| 32 | 4 | First freelist trunk page |
| 36 | 4 | Total freelist pages |
| 52 | 4 | Text encoding (1=UTF-8, 2=UTF-16le, 3=UTF-16be) |
Page Types
| Type Byte | Description |
|---|---|
0x02 |
Index interior (B-tree) |
0x05 |
Table interior (B-tree) |
0x0A |
Index leaf (B-tree) |
0x0D |
Table leaf (B-tree) |
Timestamp Decoders
| Format | Epoch | Conversion |
|---|---|---|
| Unix | 1970-01-01 | datetime.utcfromtimestamp(val) |
| Chrome/WebKit | 1601-01-01 | (val / 1e6) - 11644473600 seconds since Unix epoch |
| Mac Absolute | 2001-01-01 | datetime(2001,1,1) + timedelta(seconds=val) |
| Mozilla PRTime | 1970-01-01 | val / 1e6 seconds since Unix epoch |
Common Forensic Databases
| Application | File | Key Tables |
|---|---|---|
| Chrome | History |
urls, visits, downloads |
| Firefox | places.sqlite |
moz_places, moz_historyvisits |
msgstore.db |
messages, chat_list |
|
| iMessage | sms.db |
message, handle, chat |
| Android SMS | mmssms.db |
sms, threads |
Python Libraries
| Library | Version | Purpose |
|---|---|---|
sqlite3 |
stdlib | Query database tables |
struct |
stdlib | Parse binary header and page structures |
os / pathlib |
stdlib | File size and path operations |
References
- SQLite File Format: https://www.sqlite.org/fileformat2.html
- SQLite WAL Format: https://www.sqlite.org/wal.html
- Belkasoft SQLite Analysis: https://belkasoft.com/sqlite-analysis
- Sanderson Forensics SQLite: https://sqliteforensictoolkit.com/
standards.md0.9 KB
Standards and References - SQLite Database Forensics
Standards
- NIST SP 800-86: Guide to Integrating Forensic Techniques
- SQLite File Format Specification: https://www.sqlite.org/fileformat2.html
- SWGDE Best Practices for Mobile Device Forensics
Tools
- DB Browser for SQLite: Open-source GUI editor
- sqlcipher: Encrypted SQLite database handling
- Belkasoft Evidence Center: Commercial SQLite forensic analysis
- Exponent SQLite Explorer: Forensic SQLite viewer with timestamp auto-detection
- FORC (Forensic Operations for Recognizing SQLite Content): Automated Android extraction
Key Database Locations
- Chrome History: %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
- Firefox places.sqlite: %APPDATA%\Mozilla\Firefox\Profiles*.default\places.sqlite
- Android SMS: /data/data/com.android.providers.telephony/databases/mmssms.db
- iOS SMS: /private/var/mobile/Library/SMS/sms.db
- WhatsApp: /data/data/com.whatsapp/databases/msgstore.db
workflows.md0.9 KB
Workflows - SQLite Database Forensics
Workflow 1: Complete Database Analysis
Identify SQLite databases in evidence
|
Create forensic copies (preserve WAL and journal files)
|
Analyze database header (page size, encoding, freelist)
|
Query active tables for evidence
|
Analyze freelist pages for deleted records
|
Parse WAL file for transaction history
|
Examine unallocated space within pages
|
Decode timestamps (Chrome, Unix, Mac Absolute, Mozilla)
|
Document and export findingsWorkflow 2: Deleted Record Recovery
Open database in hex editor
|
Identify freelist trunk/leaf pages from header
|
Extract raw page data from freelist
|
Parse B-tree cell format to decode records
|
Check WAL for pre-deletion snapshots
|
Examine unallocated space between cell pointers and content area
|
Carve recoverable recordsScripts 2
agent.py7.7 KB
#!/usr/bin/env python3
"""Agent for SQLite database forensics.
Parses SQLite file headers, analyzes freelist pages for deleted records,
examines WAL files, decodes browser/app timestamps, and extracts
evidence from common forensic databases.
"""
import struct
import sqlite3
import json
import sys
import os
import re
from datetime import datetime, timedelta
from pathlib import Path
_SAFE_TABLE_RE = re.compile(r'^[a-zA-Z_][a-zA-Z0-9_]*$')
class SQLiteForensicsAgent:
"""Performs forensic analysis on SQLite database files."""
def __init__(self, db_path, output_dir="./sqlite_forensics"):
self.db_path = db_path
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.findings = []
def parse_header(self):
"""Parse the 100-byte SQLite database header."""
with open(self.db_path, "rb") as f:
header = f.read(100)
magic = header[0:16]
if magic != b"SQLite format 3\x00":
return {"error": "Not a valid SQLite database"}
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
return {
"magic": magic[:15].decode("ascii"),
"page_size": page_size,
"write_format": header[18],
"read_format": header[19],
"change_counter": struct.unpack(">I", header[24:28])[0],
"db_size_pages": struct.unpack(">I", header[28:32])[0],
"first_freelist_page": struct.unpack(">I", header[32:36])[0],
"total_freelist_pages": struct.unpack(">I", header[36:40])[0],
"schema_cookie": struct.unpack(">I", header[40:44])[0],
"text_encoding": {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}.get(
struct.unpack(">I", header[52:56])[0], "unknown"),
"db_size_bytes": os.path.getsize(self.db_path),
}
def analyze_freelist(self):
"""Walk freelist trunk chain to identify pages with deleted data."""
with open(self.db_path, "rb") as f:
header = f.read(100)
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
first_trunk = struct.unpack(">I", header[32:36])[0]
total_free = struct.unpack(">I", header[36:40])[0]
if first_trunk == 0:
return {"freelist_pages": 0, "trunk_pages": [], "leaf_pages": []}
trunk_pages, leaf_pages = [], []
trunk = first_trunk
while trunk != 0:
offset = (trunk - 1) * page_size
f.seek(offset)
page_data = f.read(page_size)
next_trunk = struct.unpack(">I", page_data[0:4])[0]
leaf_count = struct.unpack(">I", page_data[4:8])[0]
leaves = []
for i in range(leaf_count):
lp = struct.unpack(">I", page_data[8 + i * 4:12 + i * 4])[0]
leaves.append(lp)
trunk_pages.append({"page": trunk, "leaf_count": leaf_count})
leaf_pages.extend(leaves)
trunk = next_trunk
if leaf_pages:
self.findings.append({"type": "freelist_data",
"pages": len(leaf_pages),
"note": "Deleted records may be recoverable"})
return {"freelist_pages": total_free,
"trunk_pages": trunk_pages, "leaf_pages": leaf_pages}
def extract_freelist_pages(self):
"""Dump raw freelist leaf pages for hex analysis."""
info = self.analyze_freelist()
with open(self.db_path, "rb") as f:
hdr = f.read(100)
page_size = struct.unpack(">H", hdr[16:18])[0]
if page_size == 1:
page_size = 65536
out_dir = self.output_dir / "freelist_pages"
out_dir.mkdir(exist_ok=True)
for pn in info["leaf_pages"]:
f.seek((pn - 1) * page_size)
data = f.read(page_size)
(out_dir / f"page_{pn}.bin").write_bytes(data)
return len(info["leaf_pages"])
def parse_wal(self):
"""Parse WAL file frames for transaction history."""
wal_path = self.db_path + "-wal"
if not os.path.exists(wal_path):
return {"wal_exists": False}
with open(wal_path, "rb") as f:
header = f.read(32)
magic = struct.unpack(">I", header[0:4])[0]
page_size = struct.unpack(">I", header[8:12])[0]
checkpoint_seq = struct.unpack(">I", header[12:16])[0]
file_size = os.path.getsize(wal_path)
frames = []
offset = 32
frame_num = 0
while offset + 24 + page_size <= file_size:
f.seek(offset)
fh = f.read(24)
page_number = struct.unpack(">I", fh[0:4])[0]
frames.append({"frame": frame_num, "page": page_number,
"offset": offset})
offset += 24 + page_size
frame_num += 1
return {"wal_exists": True, "magic": hex(magic),
"page_size": page_size, "checkpoint_seq": checkpoint_seq,
"total_frames": len(frames), "frames": frames[:50]}
def query_tables(self):
"""List all tables and row counts in the database."""
conn = sqlite3.connect(f"file:{self.db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("SELECT name FROM sqlite_master WHERE type='table'")
tables = []
for (name,) in cursor.fetchall():
try:
if not _SAFE_TABLE_RE.match(name):
continue
cursor.execute(f"SELECT COUNT(*) FROM [{name}]")
count = cursor.fetchone()[0]
except sqlite3.OperationalError:
count = -1
tables.append({"table": name, "row_count": count})
conn.close()
return tables
@staticmethod
def decode_timestamp(value, fmt="unix"):
"""Decode timestamps from common database formats."""
try:
if fmt == "unix":
return datetime.utcfromtimestamp(value).isoformat()
elif fmt == "chrome":
epoch_delta = 11644473600
return datetime.utcfromtimestamp(
(value / 1_000_000) - epoch_delta).isoformat()
elif fmt == "mac_absolute":
mac_epoch = datetime(2001, 1, 1)
return (mac_epoch + timedelta(seconds=value)).isoformat()
elif fmt == "mozilla":
return datetime.utcfromtimestamp(value / 1_000_000).isoformat()
except (OSError, ValueError, OverflowError):
return None
def generate_report(self):
"""Generate comprehensive forensic analysis report."""
report = {
"database": self.db_path,
"analysis_date": datetime.utcnow().isoformat(),
"header": self.parse_header(),
"tables": self.query_tables(),
"freelist": self.analyze_freelist(),
"wal": self.parse_wal(),
"findings": self.findings,
}
report_path = self.output_dir / "sqlite_forensics_report.json"
with open(report_path, "w") as f:
json.dump(report, f, indent=2, default=str)
print(json.dumps(report, indent=2, default=str))
return report
def main():
if len(sys.argv) < 2:
print("Usage: agent.py <database.db> [output_dir]")
sys.exit(1)
db_path = sys.argv[1]
output_dir = sys.argv[2] if len(sys.argv) > 2 else "./sqlite_forensics"
agent = SQLiteForensicsAgent(db_path, output_dir)
agent.generate_report()
if __name__ == "__main__":
main()
process.py7.1 KB
#!/usr/bin/env python3
"""
SQLite Database Forensic Analyzer
Performs forensic analysis of SQLite databases including freelist analysis,
WAL parsing, deleted record recovery, and timestamp decoding.
"""
import sqlite3
import struct
import os
import sys
import json
from datetime import datetime, timedelta
from pathlib import Path
class SQLiteForensicAnalyzer:
"""Comprehensive SQLite database forensic analysis."""
def __init__(self, db_path: str, output_dir: str):
self.db_path = db_path
self.output_dir = output_dir
os.makedirs(output_dir, exist_ok=True)
def parse_header(self) -> dict:
"""Parse the 100-byte SQLite database header."""
with open(self.db_path, "rb") as f:
header = f.read(100)
if header[:16] != b"SQLite format 3\x00":
return {"error": "Not a valid SQLite database"}
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
return {
"magic": header[:16].decode("ascii", errors="replace").strip("\x00"),
"page_size": page_size,
"write_version": header[18],
"read_version": header[19],
"reserved_space": header[20],
"file_change_counter": struct.unpack(">I", header[24:28])[0],
"database_size_pages": struct.unpack(">I", header[28:32])[0],
"first_freelist_page": struct.unpack(">I", header[32:36])[0],
"total_freelist_pages": struct.unpack(">I", header[36:40])[0],
"schema_cookie": struct.unpack(">I", header[40:44])[0],
"schema_format": struct.unpack(">I", header[44:48])[0],
"text_encoding": {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}.get(
struct.unpack(">I", header[52:56])[0], "Unknown"
),
"user_version": struct.unpack(">I", header[60:64])[0],
"application_id": struct.unpack(">I", header[68:72])[0],
}
def get_schema(self) -> list:
"""Extract complete database schema."""
conn = sqlite3.connect(f"file:{self.db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("SELECT type, name, tbl_name, sql FROM sqlite_master ORDER BY type, name")
schema = [
{"type": row[0], "name": row[1], "table_name": row[2], "sql": row[3]}
for row in cursor.fetchall()
]
conn.close()
return schema
def get_table_stats(self) -> dict:
"""Get row counts and basic stats for all tables."""
conn = sqlite3.connect(f"file:{self.db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("SELECT name FROM sqlite_master WHERE type='table'")
tables = [row[0] for row in cursor.fetchall()]
stats = {}
for table in tables:
try:
cursor.execute(f'SELECT COUNT(*) FROM "{table}"')
count = cursor.fetchone()[0]
cursor.execute(f'PRAGMA table_info("{table}")')
columns = [
{"name": col[1], "type": col[2], "notnull": bool(col[3]), "pk": bool(col[5])}
for col in cursor.fetchall()
]
stats[table] = {"row_count": count, "columns": columns}
except sqlite3.OperationalError:
stats[table] = {"error": "Could not read table"}
conn.close()
return stats
def analyze_freelist(self) -> dict:
"""Analyze freelist for deleted data."""
header = self.parse_header()
page_size = header.get("page_size", 4096)
first_freelist = header.get("first_freelist_page", 0)
total_freelist = header.get("total_freelist_pages", 0)
if first_freelist == 0:
return {"freelist_pages": 0, "recoverable": False}
freelist_pages = []
with open(self.db_path, "rb") as f:
trunk = first_freelist
while trunk != 0:
offset = (trunk - 1) * page_size
f.seek(offset)
data = f.read(page_size)
next_trunk = struct.unpack(">I", data[0:4])[0]
leaf_count = struct.unpack(">I", data[4:8])[0]
leaves = []
for i in range(min(leaf_count, (page_size - 8) // 4)):
leaf = struct.unpack(">I", data[8 + i * 4:12 + i * 4])[0]
leaves.append(leaf)
freelist_pages.append({
"trunk_page": trunk,
"leaf_count": leaf_count,
"leaves": leaves
})
trunk = next_trunk
return {
"total_freelist_pages": total_freelist,
"trunk_pages": len(freelist_pages),
"details": freelist_pages,
"recoverable": total_freelist > 0
}
def check_wal(self) -> dict:
"""Check for WAL file and analyze its contents."""
wal_path = self.db_path + "-wal"
if not os.path.exists(wal_path):
return {"exists": False}
wal_size = os.path.getsize(wal_path)
with open(wal_path, "rb") as f:
header = f.read(32)
if len(header) < 32:
return {"exists": True, "valid": False}
magic = struct.unpack(">I", header[0:4])[0]
page_size = struct.unpack(">I", header[8:12])[0]
checkpoint = struct.unpack(">I", header[12:16])[0]
frame_count = (wal_size - 32) // (24 + page_size) if page_size > 0 else 0
return {
"exists": True,
"valid": magic in (0x377f0682, 0x377f0683),
"size_bytes": wal_size,
"page_size": page_size,
"checkpoint_sequence": checkpoint,
"estimated_frames": frame_count
}
def generate_report(self) -> str:
"""Generate comprehensive forensic analysis report."""
report = {
"analysis_timestamp": datetime.now().isoformat(),
"database_path": self.db_path,
"file_size": os.path.getsize(self.db_path),
"header": self.parse_header(),
"schema": self.get_schema(),
"table_stats": self.get_table_stats(),
"freelist": self.analyze_freelist(),
"wal": self.check_wal(),
}
report_path = os.path.join(self.output_dir, "sqlite_forensic_report.json")
with open(report_path, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[*] Database: {self.db_path}")
print(f"[*] Page size: {report['header'].get('page_size', 'N/A')}")
print(f"[*] Tables: {len(report['table_stats'])}")
print(f"[*] Freelist pages: {report['freelist'].get('total_freelist_pages', 0)}")
print(f"[*] WAL present: {report['wal'].get('exists', False)}")
print(f"[*] Report: {report_path}")
return report_path
def main():
if len(sys.argv) < 3:
print("Usage: python process.py <sqlite_db_path> <output_dir>")
sys.exit(1)
analyzer = SQLiteForensicAnalyzer(sys.argv[1], sys.argv[2])
analyzer.generate_report()
if __name__ == "__main__":
main()