Glenn K. Bard
Public Agency Training Council tech
Chief Technical Officer
PA State Trooper – Retired
NCMEC – Project ALERT
CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE
PATCtech
Glenn Bard, CTO
Scott Lucas, Instructor and Examiner
Steve Dempsey, Instructor
Kathy Enriquez, Instructor
Brian Sprinkle, Case Manager – examiner
James Alsup, Director PATC
Stefani Lucas, Marketing Director
SQL / DB forensics
PATCtech – CTO Glenn K. Bard
CISSP, EnCE, ACE, AME, CHFI, A+, Network+, Security+
SQL / DB forensics
• Why is it so important to learn SQL / DB forensics?
• Both iOS and Android rely heavily on SQLite database files to store app content
• The average smartphone will have hundreds of these files
• Each App has its own set of DBs; they are not shared between Apps
• Because each App keeps its own, if your forensic tool does not support a given App you will need another way to get at the data: open the DB yourself
• They contain a large amount of data, including deleted information (deleted rows often leave their bytes in the file's free space until the DB is vacuumed or the space is reused)
• They can contain other files stored as BLOBs, such as jpg, plist, and so on
SQL / DB forensics
• Before we begin, some definitions we need to know:
• Tables – The different kinds of data the DB will store. IE: messages, Handle, MSG Pieces, etc.
• ROWID (ID) – The integer key SQLite assigns to each row of a table; it normally increases sequentially as rows are added
• SQLite Sequence (sqlite_sequence) – A hidden table holding the last assigned ROWID for each table declared with AUTOINCREMENT. Such a ROWID is never reused, so if the highest live ROWID is lower than the stored sequence, rows have been deleted
• BLOB – Binary Large Object, a column holding raw bytes (images, plists, other files)
• Unix time – Number of seconds since January 1, 1970 00:00:00 UTC
• Mac time (Apple absolute time) – Number of seconds since January 1, 2001 00:00:00 UTC, i.e. Unix time minus 978307200
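The definitions above, exercised on a constructed database. This is an added example, not code from the PATCtech deck: the `handle`/`message` schema is an assumption modeled on the iOS sms.db layout, the rows are made up, and the nanosecond heuristic in `mac_to_utc` is an assumption based on newer iOS message stores, which the slides do not cover.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Epochs behind the two timestamp formats defined above.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)        # Apple "absolute time"
MAC_OFFSET = int((MAC_EPOCH - UNIX_EPOCH).total_seconds())  # 978307200

def unix_to_utc(seconds):
    """Unix time: seconds since 1970-01-01 00:00:00 UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds)

def mac_to_utc(value):
    """Mac time: seconds since 2001-01-01 00:00:00 UTC.
    Caveat (assumption, not from the slides): newer iOS message stores keep this
    field in nanoseconds, so absurdly large values are scaled down first."""
    if value > 10**11:          # no plausible phone timestamp in seconds is this large
        value = value / 1e9
    return MAC_EPOCH + timedelta(seconds=value)

# Constructed schema modeled on the iOS sms.db message/handle tables (assumption).
SCHEMA = """
CREATE TABLE handle  (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, id TEXT);
CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, text TEXT,
                      handle_id INTEGER, date INTEGER, attachment BLOB);
"""

def build_sample_db():
    """In-memory DB with constructed rows: one contact, two messages."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO handle (id) VALUES ('+15555550100')")
    con.execute(
        "INSERT INTO message (text, handle_id, date, attachment) VALUES (?, ?, ?, ?)",
        ("hello", 1, 400_000_000, b"\xff\xd8\xff\xe0JFIF"),  # Mac time in seconds; JPEG header bytes as the BLOB
    )
    con.execute(
        "INSERT INTO message (text, handle_id, date, attachment) VALUES (?, ?, ?, ?)",
        ("later", 1, 500_000_000 * 10**9, None),            # same field, but in nanoseconds
    )
    con.commit()
    return con

def last_rowids(con):
    """sqlite_sequence records the last ROWID handed out per AUTOINCREMENT table."""
    return dict(con.execute("SELECT name, seq FROM sqlite_sequence"))

def deleted_row_count(con, table):
    """AUTOINCREMENT never reuses a ROWID, so seq minus live rows = rows deleted."""
    if table not in ("handle", "message"):       # identifier cannot be bound, so whitelist it
        raise ValueError("unknown table")
    seq = last_rowids(con).get(table, 0)
    live = con.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    return seq - live

def messages_with_sender(con):
    """handle_id points at handle.ROWID, so a JOIN recovers the phone number."""
    rows = con.execute("""
        SELECT m.ROWID, m.text, h.id, m.date, m.attachment
        FROM message m JOIN handle h ON h.ROWID = m.handle_id
        ORDER BY m.ROWID""").fetchall()
    return [
        {"rowid": rowid, "text": text, "sender": sender,
         "utc": mac_to_utc(date).isoformat(),
         "blob_magic": blob[:4].hex() if blob else None}   # leading bytes identify an embedded file type
        for rowid, text, sender, date, blob in rows
    ]

if __name__ == "__main__":
    db = build_sample_db()
    print(last_rowids(db))
    for row in messages_with_sender(db):
        print(row)
```

The `blob_magic` field is how you tell what an attachment BLOB actually holds before carving it out: `ffd8ffe0` is a JPEG, `62706c69` ("bpli") a binary plist.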
SQL / DB forensics
• Where will you find these files?
• Each App will have its own, or in many cases, several of them.
• Some good hints:
• Android: /data/data/<package name>/databases/
• iOS: /private/var/mobile/
• Applications for third party Apps (on iOS 8 and later the app containers moved under Containers/Data/Application/<UUID>/)
• Library for iOS installed Apps
• Let’s take a look: [screenshots of the Android and iOS database directories]
Some hints and tips about these databases
• Can have different extensions: DB, SQL, SQLite, SQLiteDB
• Some have odd extensions like the callhistory.storedata
• Some can actually have no extension, and many times the software misses them. One was the threads_db2, which contained the contents of Facebook Messenger. Identify these by content rather than by name: every SQLite 3 file begins with the 16 bytes "SQLite format 3\0".
• In some databases, one column in a table will point to a column in a different table (for example the handle ID in SMS messages on an iPhone, which refers to the ROWID of the handle table; also the ZKIKUSER in the KIK app). Join the two tables on that column to recover the other side of the conversation.
• In other instances one column can point to a column in a completely different database (for example AddressBookImages.sqlitedb and AddressBook.sqlitedb on an iPhone). ATTACH the second database to the first and one query can join both.
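The two tips above, as an added example that is not part of the PATCtech material: a scanner that recognises SQLite files by their header regardless of extension (the threads_db2 case), and a cross-database join done with ATTACH. The directory tree, file names and the `ABPerson`/`ABFullSizeImage` schemas are constructed for the demo and only loosely modeled on the iOS address book; they are assumptions, not a dump of a real device.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file

def sqlite_header_info(path):
    """Return None unless the file starts with the SQLite magic; otherwise report
    the page size (offset 16, big-endian, where 1 means 65536) and the number of
    freelist pages (offset 36). Freelist pages are released space inside the file
    and are one place deleted rows survive until the DB is vacuumed."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if len(hdr) < 100 or hdr[:16] != SQLITE_MAGIC:
        return None
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:
        page_size = 65536
    freelist_pages = struct.unpack(">I", hdr[36:40])[0]
    return {"page_size": page_size, "freelist_pages": freelist_pages}

def find_sqlite_files(root):
    """Walk a tree and return every SQLite file by content, whatever its name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if sqlite_header_info(full) is not None:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed fixture (not a real device image): an address book split across
    two files as on iOS, a DB with no extension, and a decoy that only looks like one."""
    lib = os.path.join(root, "Library", "AddressBook")
    os.makedirs(lib)
    con = sqlite3.connect(os.path.join(lib, "AddressBook.sqlitedb"))
    con.executescript("""
        CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT);
        INSERT INTO ABPerson VALUES (1, 'Ada', 'Lovelace'), (2, 'Alan', 'Turing');
    """)
    con.close()
    con = sqlite3.connect(os.path.join(lib, "AddressBookImages.sqlitedb"))
    con.executescript("""
        CREATE TABLE ABFullSizeImage (record_id INTEGER, data BLOB);
        INSERT INTO ABFullSizeImage VALUES (2, X'FFD8FFE0');   -- record_id -> ABPerson.ROWID in the other file
    """)
    con.close()
    con = sqlite3.connect(os.path.join(root, "threads_db2"))   # no extension at all
    con.executescript("CREATE TABLE threads (thread_key TEXT);")
    con.close()
    with open(os.path.join(root, "notes.db"), "w") as f:      # the extension lies
        f.write("plain text, not a database\n")

def people_with_photos(book_path, images_path):
    """Cross-database reference: ATTACH the images DB so one query joins both files."""
    con = sqlite3.connect(book_path)
    con.execute("ATTACH DATABASE ? AS img", (images_path,))
    rows = con.execute("""
        SELECT p.First, p.Last, length(i.data)
        FROM ABPerson p LEFT JOIN img.ABFullSizeImage i ON i.record_id = p.ROWID
        ORDER BY p.ROWID""").fetchall()
    con.close()
    return rows

def demo():
    """Build the fixture in a temp dir, scan it, and join across the two files."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    book = os.path.join(root, "Library", "AddressBook", "AddressBook.sqlitedb")
    images = os.path.join(root, "Library", "AddressBook", "AddressBookImages.sqlitedb")
    return {
        "found": find_sqlite_files(root),
        "decoy": sqlite_header_info(os.path.join(root, "notes.db")),
        "no_extension": sqlite_header_info(os.path.join(root, "threads_db2")),
        "people": people_with_photos(book, images),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the scanner over an extracted app container rather than trusting the extension list; a non-zero freelist count in the header is the cue to look at the file's free pages for deleted records that the live tables no longer show.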
Some hints and tips about these databases
• If you see some that look like this: [screenshot of WebKit storage files]
Some hints and tips about these databases
• Those are WebKit storage databases (for example the .localstorage files) and are usually very important. They are SQLite files like the rest; in many cases they can contain emails, as well as cached information from websites.
• We will see this in a bit.
SQL / DB forensics
• Now that we know where to locate the files, how do we do it?
• First, the tools:
• Mozilla Firefox with the SQLite Manager add-on (a legacy add-on; it does not run on current Firefox releases)
• SQLite Database Browser Portable (DB Browser for SQLite)
• DCode from Digital Detective, for decoding Unix and Mac timestamps
• Oxygen Forensic Suite with its SQLite Viewer
Like us on Facebook
• https://www.facebook.com/PATCTech-116471378378526/
Please check out our two new websites:
Patctech.com Patctechns.com
Come back for our future webinars:
• Getting past the iOS passcode:
• http://www.patc.com/online/1099.shtml
• DART / MapLink cell mapping:
• http://www.patc.com/online/1100.shtml
• Getting past the Android passcode:
• http://www.patc.com/online/1101.shtml
Follow PATCtech!
• Updates & PATCtech Research
• Public Safety News
• Training Opportunities
PATCtech @PATCtech
Forensic Digital Evidence Investigators (LinkedIn Group)