SQLite Blob Extractor
This script is designed to extract BLOB-data from SQLite database files.
The script will work with both records and entries albeit the option to process selected items in the current view will not work with records; tags must be used instead.
A condition can be used to extract only those BLOBs that match the criteria specified by the user.
Regardless of the size set in the condition, empty BLOBs will never be extracted.
The script provides the option to specify the offset and maximum length of data to be extracted from each BLOB.
A BLOB won't be extracted if its length is smaller than the offset specified.
Processing SQLite write-ahead-log (WAL) files will cause the main database file and the WAL file to be extracted to the current case's temporary folder. A GUID will be used to identify the files for each database.
The WAL file will be deleted automatically when the database is closed (this is unavoidable). The main database file will be left behind so the examiner can wipe-delete it should they so wish.
Taking the option to use a flattened output path will cause the script to include only the source file's GUID and name in the output LEF. This may make it easier to perform additional analysis, e.g., property-list parsing.
Settings will be saved for re-use.
Progress can be monitored via the console.
YOU MAY ALSO LIKE