Recovering deleted SQLite records
In addition to the recovery techniques covered in Chapter 3, Data Acquisition from iOS
Devices, you can also recover deleted records from a SQLite database. SQLite databases
store the deleted records within the database itself. So, it is possible to recover deleted
data such as contacts, SMS, calendar, notes, e-mails, voicemails, and more by parsing the
corresponding SQLite database. If a SQLite database is vacuumed or defragmented, the
likelihood of recovering the deleted data is minimal. The amount of cleanup these databases
require depends heavily on the iOS version, the device, and the user's settings on the device.
A SQLite database file comprises one or more fixed-size pages, which are used just once.
SQLite uses a b-tree layout of pages to store indices and table content. Detailed information
on the b-tree layout is available at
http://sandbox.dfrws.org/2011/fox-it/DFRWS2011_results/Report/Sqlite_carving_extractAndroidData.pdf .
To carve a SQLite database, you can examine the data in raw hex or use sqliteparse.py,
a Python script developed by Mari DeGrazia. The Python script can be downloaded from
http://www.arizona4n6.com/download/SQLite-Parser.zip .
The following example recovers the deleted records from the notes.sqlitedb file and
dumps the output to the output.txt file. To validate your findings from running the
script, examine the database in a hex viewer to ensure that nothing is overlooked:
$ python sqliteparse.py -f notes.sqlitedb -r -o output.txt
In addition, performing a strings dump of the database file can also reveal deleted
records that may have been missed, as shown in the following command:
$ strings notes.sqlitedb
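
To show where such residue sits in the file, the following added example (not code from the book or from Mari DeGrazia's script) reads the SQLite header, walks the freelist of released pages, and pulls printable strings from those pages only. The function names and the constructed sample database are assumptions made for illustration; deleted cells left in the unallocated space of pages still in use are not covered here.

```python
import re
import sqlite3
import struct

def freelist_pages(data):
    """Return (page_size, freelist page numbers) parsed from raw database bytes."""
    if len(data) < 100 or data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    trunk = struct.unpack(">I", data[32:36])[0]      # first freelist trunk page
    pages, seen = [], set()
    while trunk and trunk not in seen:               # 'seen' stops pointer loops
        seen.add(trunk)
        base = (trunk - 1) * page_size               # pages are numbered from 1
        if base + page_size > len(data):
            break                                    # truncated or corrupt file
        next_trunk, count = struct.unpack(">II", data[base:base + 8])
        count = min(count, page_size // 4 - 2)       # clamp a corrupt leaf count
        pages.append(trunk)
        pages.extend(struct.unpack(f">{count}I", data[base + 8:base + 8 + 4 * count]))
        trunk = next_trunk
    return page_size, pages

def recover_strings(path, min_len=6):
    """Printable ASCII runs inside free pages: residue of deleted rows."""
    with open(path, "rb") as fh:
        data = fh.read()
    page_size, pages = freelist_pages(data)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = []
    for page in pages:
        chunk = data[(page - 1) * page_size:page * page_size]
        found.extend(m.decode("ascii") for m in pattern.findall(chunk))
    return found

def build_sample(path):
    """Constructed input: rows inserted and committed, then deleted."""
    con = sqlite3.connect(path)
    for pragma in ("page_size=1024", "auto_vacuum=NONE", "secure_delete=OFF"):
        con.execute("PRAGMA " + pragma)
    con.execute("CREATE TABLE note(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO note(body) VALUES (?)",
                    [(f"constructed note {i:03d} " + "x" * 60,) for i in range(200)])
    con.commit()
    con.execute("DELETE FROM note")
    con.commit()
    con.close()
```

Running VACUUM on the sample rebuilds the file without its free pages, after which recover_strings returns nothing, which matches the statement above that a vacuumed database leaves little to recover.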