Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Deleted SQLite Database File Recovery

This script is designed to recover deleted database-files last modified by SQLite version 3.7 or later.

These files will contain two values in the file-header: the database page-size, and the number of pages. These values will allow the script to determine a deleted file's size, extract and validate it.

It's important to note that older versions of SQLite do not write the number of pages into the database-header. This can lead to that value being empty or, where different versions of SQLite have accessed the database, out-of-sync.

The script will attempt to validate the page-size by checking that (a) it's not zero, and (b) that the change counter at offset-24 matches the version-valid-for number at offset-92. This is in accordance with the SQLite file-format specification.

Notwithstanding that script may be able to validate the page-size and thereby calculate the size of the deleted file, it doesn't necessarily follow that the file's data will be intact - the file may be partially overwritten or fragmented.

In order to avoid extracting invalid files, the script will write a copy of each deleted database file into a memory buffer and then try and open it with SQLite.

If this proves successful, the script will issue the SQLite PRAGMA quick_check query in order to check the file's structure.

If the structure is intact, the script will read the list of tables that it contains and display them in the resultant bookmark.

The examiner can choose to extract only those databases that contain one or more specified tables. Alternatively, he/she can opt to extract only those databases that have one or more tables regardless of the names of those tables.

The script will automatically skip extraction of duplicate files although it will still bookmark such files.

It's important to note that the data in a recovered file may not be up-to-date if a write-ahead-log (WAL) file was in use.

Download Now



Version: 1.0
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Utility

758 DOWNLOADS

YOU MAY ALSO LIKE

Utility

Run Condition As Filter

This download consists two filters designed to make it easier to locate, edit, and launch conditions from multiple locations. They also make it easier to create modified copies of the conditions that ship with EnCase.
By Simon Key
441 Downloads
App
Utility

Multiple Date Range Filter - Entries Only (EnFilter)

This EnScript filter allows the examiner to show/hide entries using multiple date-ranges and one of four different logic options.
By Simon Key
106 Downloads
App
Utility

Export Result-Set to Project VIC

This script is designed to extract a user-specified result-set to a Project VIC data-set.
By Simon Key
101 Downloads
App
Utility

Microsoft Word ASD Document Viewer

This EnScript plugin allows Autosave Document (ASD) files to be extracted and opened with Microsoft Word.
By Simon Key
47 Downloads
App