Generic SQLite Database Parser
This script is designed as a generic parser for SQLite database files.
The SQLite files to be parsed should be added as folders in the left-hand side of the script's linked-list dialog-control.
Target SQLite files may be in the form of entries or records. If they are records then a current restriction in EnCase will require all items in the current case to be parsed: parsing selected-items will not work.
For each SQLite file that is represented as a folder, the examiner can add one or more child objects, each representing a SQL query that should be applied to that file. It does not matter if two applications use SQLite files with the same name but different schemas - the script will retrieve the correct data from each file provided that the queries are entered correctly.
In some cases only one query may be necessary to obtain the desired information. In other cases two or more queries may be needed. Note that a query will only be applied if it's blue-checked.
The output of each query will be written as a tab-delimited spreadsheet-file with a CSV extension. Note-bookmarks can be created as well. Note that the script will not extract binary (blob) data.
The option is provided to have the script write each item of data in the form of '="<data>"'. This will force Excel to treat the data as text and should prevent any automatic formatting.
The manner in which the script operates requires unique SQLite file and query names. If the examiner inadvertently enters duplicate names then the script will refuse to run until the offending items are removed. Note that the query-name is used as part of the output file-name: the examiner should not use characters in the query-name that can't be used in Windows file or folder names, otherwise errors will occur.
The script saves its settings for later use. The examiner can also use the right-click 'Import folder' and 'Export folder' context-menu options to import and export SQLite file and query configuration-data at a folder level.
Some common files and associated queries are included as examples. Note that the queries used are not meant to be definitive - the examiner should verify that they're suitable before using them as part of an investigation.
Write-ahead-logging (WAL) was introduced in SQLite version 3.7. A SQLite database file that uses this functionality may have associated '-wal' and '-shm' files containing additional data. This data can only be read if writable copies of all the database files are available. To accommodate this the script provides the option to extract temporary copies of these files automatically. These copies will be written to the current case's temporary folder and can be deleted automatically if required.
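The temporary-copy approach described above, combined with the tab-delimited '="<data>"' output format, as an added Python example (not the script's own code, which runs inside EnCase). The function names, the `calls` table and the sample database are constructed for illustration.

```python
import os, shutil, sqlite3, tempfile

def cell(value, force_text):
    """Format one value; blob data is not extracted, NULL becomes empty."""
    if value is None or isinstance(value, bytes):
        return ""
    text = str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")
    # Doubling quotes keeps the data inside the ="..." string literal.
    return '="' + text.replace('"', '""') + '"' if force_text else text

def run_query(db_path, sql, out_path, force_text=True):
    """Run sql against temporary copies of db_path and its -wal/-shm files,
    write a tab-delimited file to out_path and return the row count."""
    work = tempfile.mkdtemp(prefix="sqlite_parse_")
    try:
        copy = os.path.join(work, os.path.basename(db_path))
        for suffix in ("", "-wal", "-shm"):
            if os.path.exists(db_path + suffix):
                shutil.copy2(db_path + suffix, copy + suffix)
        conn = sqlite3.connect(copy)  # SQLite replays the copied -wal here
        try:
            cur = conn.execute(sql)
            rows = ["\t".join(col[0] for col in cur.description)]
            rows += ["\t".join(cell(v, force_text) for v in r) for r in cur]
        finally:
            conn.close()
    finally:
        shutil.rmtree(work, ignore_errors=True)  # remove the temporary copies
    with open(out_path, "w", encoding="utf-8", newline="") as fh:
        fh.write("\n".join(rows) + "\n")
    return len(rows) - 1

def build_sample(folder):
    """Constructed sample: WAL-mode database whose rows are still in the -wal file."""
    path = os.path.join(folder, "sample.db")
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE calls (number TEXT, secs INTEGER, raw BLOB)")
    conn.execute("INSERT INTO calls VALUES ('0044123', 61, x'00ff')")
    conn.commit()
    return path, conn  # caller keeps conn open so no checkpoint runs

if __name__ == "__main__":
    folder = tempfile.mkdtemp()
    db, keep_open = build_sample(folder)
    print(run_query(db, "SELECT number, secs, raw FROM calls",
                    os.path.join(folder, "calls.csv")))
    keep_open.close()
```

Because the query runs only against the copies, the evidence files are never opened by SQLite and no checkpoint is written back into them.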