Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Deleted SQLite Database File Recovery

This script is designed to recover deleted database-files last modified by SQLite version 3.7 or later.

These files will contain two values in the file-header: the database page-size, and the number of pages. These values will allow the script to determine a deleted file's size, extract and validate it.

It's important to note that older versions of SQLite do not write the number of pages into the database-header. This can lead to that value being empty or, where different versions of SQLite have accessed the database, out-of-sync.

The script will attempt to validate the page-size by checking that (a) it's not zero, and (b) that the change counter at offset-24 matches the version-valid-for number at offset-92. This is in accordance with the SQLite file-format specification.

Notwithstanding that script may be able to validate the page-size and thereby calculate the size of the deleted file, it doesn't necessarily follow that the file's data will be intact - the file may be partially overwritten or fragmented.

In order to avoid extracting invalid files, the script will write a copy of each deleted database file into a memory buffer and then try and open it with SQLite.

If this proves successful, the script will issue the SQLite PRAGMA quick_check query in order to check the file's structure.

If the structure is intact, the script will read the list of tables that it contains and display them in the resultant bookmark.

The examiner can choose to extract only those databases that contain one or more specified tables. Alternatively, he/she can opt to extract only those databases that have one or more tables regardless of the names of those tables.

The script will automatically skip extraction of duplicate files although it will still bookmark such files.

It's important to note that the data in a recovered file may not be up-to-date if a write-ahead-log (WAL) file was in use.

Download Now



Version: 1.0
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Utility

130 DOWNLOADS

YOU MAY ALSO LIKE

Utility

SQLite Blob Extractor

This script is designed to extract BLOB-data from SQLite database files.
By Simon Key
347 Downloads
App
Utility

Volatility Plugin

This EnScript is designed to facilitate easier use of Volatility in EnCase. It can be configured for any number of Volatility plugins and supports multithreading.
By Simon Key
176 Downloads
App
Utility

Registry Viewer Plugin

This script allows the examiner to to use a right-click context-menu-option or keyboard shortcut to view Registry hive files (SYSTEM, SOFTWARE, SECURITY, SAM, NTUSER,DAT, etc.).
By Simon Key
153 Downloads
App
Utility

Run Condition As Filter

This download consists two filters designed to make it easier to locate, edit, and launch conditions from multiple locations. They also make it easier to create modified copies of the conditions that ship with EnCase.
By Simon Key
88 Downloads
App