
I then show you how the deleted records and partially deleted records look when you open the database in The Forensic Browser for SQLite. At that point, I can give a basic overview of the algorithm used to recover the non-live records, which will give you, as the investigator, a handle on how much confidence you can ascribe to one of these records. I will also show how the first few bytes of records are regularly overwritten by SQLite structures and how these partial records can be recovered.

Before I can discuss how we do this (it is quite straightforward with SQLite Forensic Recovery), I need to take you briefly through a slightly simplified structure of a database, explaining how the database fits together and how records are stored within the 'pages' of the database.



In this article, I want to discuss how we can recover deleted records from an SQLite database, or rather how we can recover all records and distinguish between those that are live in the DB and those that are found in unused areas and do not match a live record.
