Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Generic SQLite Database Parser

This script is designed as a generic parser for SQLite database files.

The SQLite files to be parsed should be added as folders in the left-hand side of the script's linked-list dialog-control.

Target SQLite files may be in the form of entries or records. If they are records then a current restriction in EnCase will require all items in the current case to be parsed: parsing selected-items will not work.

For each SQLite file that is represented as a folder, the examiner can add one or more child objects each representing a SQL query that should be applied to to that file. It matters not if two applications use SQLite files with the same name but different schemas - the script will retrieve the correct data from each file provided that the queries are entered correctly.

In some cases only one query may be necessary to obtain the desired information. In other cases two or more queries may be needed. Note that a query will only be applied if it's blue-checked.

The output of each query will be written as a tab-delimited spreadsheet-file with a CSV extension. Note-bookmarks can be created as well. Note that the script will not extract binary (blob) data.

The option is provided to have the script write each item of data in the form of '="<data>"'. This will force Excel to treat the data as text and should prevent any automatic formatting.

The manner in which the script operates requires unique SQLite file and query names. If the examiner inadvertently enters duplicate names then the script will refuse to run until the offending items are removed. Note that the query-name is used as part of the output file-name: the examiner should not use characters in the query-name that can't be used in Windows file or folder names otherwise errors will occur.

The script saves its settings for later use. The examiner can also use the right-click 'Import folder' and 'Export folder' context-menu options to import and export SQLite file and query configuration-data at a folder level.

Some common files and associated queries are included as examples. Note that the queries used are not meant to be definitive - the examiner should verify that they're suitable before using them as part of an investigation.

Write-ahead-logging (WAL) was introduced in SQLite version 3.7. A SQLite database file that uses this functionality may have associated '-wal' and '-shm' files containing additional data. This data can only be read if writable copies of all the database files are available. To accommodate this the script provides the option to extract temporary copies of these files automatically. These copies will be written to the current case's temporary folder and can be deleted automatically if required.

Download Now



Version: 4.3
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Utility

686 DOWNLOADS

YOU MAY ALSO LIKE

Utility

Registry Viewer Plugin

This script allows the examiner to to use a right-click context-menu-option or keyboard shortcut to view Registry hive files (SYSTEM, SOFTWARE, SECURITY, SAM, NTUSER,DAT, etc.).
By Simon Key
785 Downloads
App
Utility

Run Condition As Filter

This download consists two filters designed to make it easier to locate, edit, and launch conditions from multiple locations. They also make it easier to create modified copies of the conditions that ship with EnCase.
By Simon Key
350 Downloads
App
Utility

Export Result-Set to Project VIC

This script is designed to extract a user-specified result-set to a Project VIC data-set.
By Simon Key
32 Downloads
App
Utility

Multiple Date Range Filter - Entries Only (EnFilter)

This EnScript filter allows the examiner to show/hide entries using multiple date-ranges and one of four different logic options.
By Simon Key
27 Downloads
App