https://github.com/dutchcoders/forensics-sqlite

Dumps frames of the -wal (write ahead log) file of sqlite databases.
https://github.com/dutchcoders/forensics-sqlite

Last synced: 3 months ago
JSON representation

Dumps frames of the -wal (write ahead log) file of sqlite databases.

• Host: GitHub
• URL: https://github.com/dutchcoders/forensics-sqlite
• Owner: dutchcoders
• License: apache-2.0
• Created: 2014-05-24T13:54:07.000Z (about 11 years ago)
• Default Branch: master
• Last Pushed: 2014-05-24T14:23:41.000Z (about 11 years ago)
• Last Synced: 2023-08-03T21:05:33.056Z (almost 2 years ago)
• Language: Python
• Size: 140 KB
• Stars: 19
• Watchers: 7
• Forks: 8
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
forensics-sqlite

================

Dumps frames of the -wal (write ahead log) file of sqlite databases. The write ahead log is being written every once in a while to the real database. Using the write ahead log it will be possible to do forensics analyses on the history of the database (eg. modified records, added records etc.

SQLite databases are often used mobile applications. 

## usage

python ./test.py db.sqlite

## references

* http://sqlite.org/fileformat2.html

* http://www.cclgroupltd.com/the-forensic-implications-of-sqlites-write-ahead-log/

## sample

```python

import struct

import sys

from forensics_sqlite import DB, WAL

if __name__ == '__main__':

	with open("{0}-wal".format(sys.argv[1]), 'r') as f:

		wal = WAL(f)

		print ("Version {:02x}".format(wal.version))

		print ("Page size {:02x}".format(wal.page_size))

		print ("Sequence {:02x}".format(wal.sequence))

		print ("Salt1 {:02x}".format(wal.salt1))

		print ("Salt2 {:02x}".format(wal.salt2))

		print ("Checksum1 {:02x}".format(wal.checksum1))

		print ("Checksum2 {:02x}".format(wal.checksum2))

		for (page_number, size_in_pages, salt1, salt2, checksum1, checksum2, page) in wal.frames():

			print ("Current position {0}".format(f.tell()))

			print ("Page number {:02x}".format(page_number))

			if size_in_pages>0:

				print ("Commit: Size in pages {:02x}".format(size_in_pages))

			print ("Salt1 {:02x}".format(salt1))

			print ("Salt2 {:02x}".format(salt2))

			print ("Checksum1 {:02x}".format(checksum1))

			print ("Checksum2 {:02x}".format(checksum2))

			print (page)

	with open(sys.argv[1], 'r') as f:

		db = DB(f)

		version = { 1: "Legacy", 2: "WAL" }

		print ("{0} {1} {2} {3}".format(db.signature, db.page_size, version[db.write_version], version[db.read_version]))

		pass #main (f)

```