An Introduction to Digital Forensic Evidence in SQLite Databases
Digital forensics is a branch of forensic science that deals with evidence recovered from electronic devices. Digital investigation covers a wide area, including mobile forensics, computer forensics, data analysis, network forensics, and more. Investigators use a variety of tools to carve digital evidence out of electronic devices. Let's look at what digital evidence is, how to collect it, and the issues investigators face while collecting it.
What is Digital Forensic Evidence?
Digital forensic evidence can be defined as probative information stored on a digital device that can be used at trial in a court case. As digital crimes increase day by day, the relevance of digital evidence grows with them. Such evidence includes emails, message histories, Word documents, digital photos, videos, audio, ATM transactions, browsing histories, databases, etc.
Where to get digital evidence?
Digital evidence can be collected from various locations by different means. Its main residences range from volatile caches to permanent secondary storage devices. Some are listed below.
- Routing tables, process tables, etc.
- Caches, registers, CPU state
- Web history and log files
- File systems
- Hard disks
- Backups of various programs, including backups of mobile devices and of Skype or Twitter conversations
- Audio and voice recordings
- Bookmarks and favorites
- Calendars and events
- Configuration details
- Browser cookies
- Database files
- Email messages and attachments
- Pictures, images, photos, and videos
- System files and temporary files
Threats to digital evidence collection
Handling digital evidence is the first and foremost task in a digital forensic investigation. Some advanced features may put investigators in trouble while collecting evidence. They include:
- Some web browsers offer to delete log files and history files of user activity when the browser exits.
- Users can encrypt or hide files and partitions on the hard drive and disable all logging to prevent history from being stored.
- Some malware is designed to be fully RAM-resident so that no trace of evidence is left on the hard disk.
- Nowadays applications can be installed from removable media and then hidden without leaving a trace on the hard disk.
- A knowledgeable user may customize the default location of history or log files, or rename history files and folders.
- Another option is to hide or protect files using file system access permissions.
- A suspect can delete, format, or corrupt the entire hard disk to destroy evidence.
These activities can trouble the investigator and consume time when analyzing data from the suspect's system. However, we can discuss some of the common cases and possible solutions.
Renamed, Hidden, or Inaccessible Files and Folders
Many of the people behind criminal activities rename application files or change their default location. Some hide these files or make them inaccessible to normal users by changing the access permissions. Many forensic tools are available to overcome these settings and allow investigators to access the contents.
Destroyed Digital Forensic Evidence
Common practices for destroying evidence are deleting and formatting. Temporarily deleted files can be restored from the Recycle Bin on Windows systems. Deleted files that no longer appear in the Recycle Bin can also be recovered using third-party commercial software. Even fully formatted or quick-formatted drives can be recovered using various forensic tools.
Data carving is the process of retrieving artifacts from a hard disk by a bit-precise, sequential examination of the drive's contents. Carving locates particular signatures or patterns on the disk, and it is indispensable for locating destroyed digital evidence: even formatted drives sometimes leave evidence behind. Binary data and certain file formats can be carved out using this method. The drawback is that data carving is not supported by many systems.
Many users encrypt their hard disks with various applications in order to protect their documents. Encryption tools that provide strong protection include BitLocker and TrueCrypt. A decryption tool or a brute-force attack on the password may help the investigator overcome this situation.
Many applications such as browsers and instant messengers allow disabling history or logging, but there are still ways to access these details. One is to access the cloud storage where the application keeps its log files. Otherwise, live RAM analysis reveals the suspect's recent activities.
Live RAM analysis is the technique of extracting digital evidence from a system's volatile memory. This is only possible if the suspect's system has not been shut down in the meantime.
Carving out Data from Log and History files
Log files and history files are the greatest sources of digital forensic evidence. Chat communications with attached timestamps allow the investigator to figure out the exact details of a conversation or browsing session. Determining the location and name of these files is the first step in a forensic analysis. Places where you can find these details include Windows registry files and application configuration files.
Most applications like Skype and the Mozilla Firefox browser use SQLite and XML files to store chat or browsing history. An XML file is easy to open in any web browser, whereas SQLite files can only be accessed with SQLite database management software. An SQLite viewer is a useful tool that enables the investigator to view and analyze SQLite files quickly and easily. Such a tool may also be capable of recovering contents from inaccessible or corrupted databases.
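The two techniques above, signature-based carving and reading a recovered SQLite history file, fit together in one small workflow. The following Python script is an added example written for this article, not code from the page or from any forensic product: it builds a constructed history-style database (the table name and columns are assumptions for the demo, not any browser's real schema), embeds it between filler bytes to stand in for unallocated disk space, carves every SQLite file out of that buffer by its 16-byte header signature, and then queries the carved database to list visits with human-readable UTC timestamps. The header offsets it reads (page size at 16, change counter at 24, in-header page count at 28, version-valid-for at 92) are part of the documented SQLite 3 file format.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header string of every SQLite 3 file

# Constructed sample rows (url, title, visit time in microseconds since the Unix
# epoch, the unit several browsers use for history timestamps). Not real data.
SAMPLE_ROWS = [
    ("https://example.org/login", "Sign in", 1_700_000_000_000_000),
    ("https://example.org/inbox", "Inbox", 1_700_000_060_000_000),
    ("https://example.net/download", "Downloads", 1_700_003_600_000_000),
]


def build_sample_db() -> bytes:
    """Create a small history-style database on disk and return its raw bytes.

    The table layout is an assumption for this demo, not any browser's schema.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "history.sqlite")
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE history (url TEXT, title TEXT, visit_time INTEGER)")
        conn.executemany("INSERT INTO history VALUES (?, ?, ?)", SAMPLE_ROWS)
        conn.commit()
        conn.close()
        with open(path, "rb") as fh:
            return fh.read()


def build_disk_image(db_bytes: bytes) -> bytes:
    """Embed the database between unrelated bytes, as it might sit in unallocated space."""
    prefix = bytes(range(256)) * 8     # filler that cannot contain the magic string
    suffix = b"\xff" * 1500            # trailing filler, deliberately not a page multiple
    return prefix + db_bytes + suffix


def carve_sqlite(image: bytes) -> list:
    """Signature-based carve: find each SQLite header and cut out the file behind it."""
    carved = []
    off = image.find(SQLITE_MAGIC)
    while off != -1:
        page_size = int.from_bytes(image[off + 16:off + 18], "big")
        if page_size == 1:                      # the format encodes 65536 as 1
            page_size = 65536
        if page_size < 512 or page_size & (page_size - 1):
            off = image.find(SQLITE_MAGIC, off + 1)   # implausible header, skip it
            continue
        change_counter = int.from_bytes(image[off + 24:off + 28], "big")
        page_count = int.from_bytes(image[off + 28:off + 32], "big")
        version_valid_for = int.from_bytes(image[off + 92:off + 96], "big")
        if page_count and change_counter == version_valid_for:
            length = page_size * page_count     # in-header page count is trustworthy
        else:
            # Older files: carve whole pages up to the next header or end of buffer.
            nxt = image.find(SQLITE_MAGIC, off + 1)
            end = len(image) if nxt == -1 else nxt
            length = ((end - off) // page_size) * page_size
        carved.append(image[off:off + length])
        off = image.find(SQLITE_MAGIC, off + max(length, 1))
    return carved


def query_history(db_bytes: bytes) -> list:
    """Load a carved database and list visits with human-readable UTC timestamps."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "carved.sqlite")
        with open(path, "wb") as fh:
            fh.write(db_bytes)
        conn = sqlite3.connect(path)
        rows = conn.execute(
            "SELECT url, title, visit_time FROM history ORDER BY visit_time"
        ).fetchall()
        conn.close()
    return [
        (url, title,
         datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"))
        for url, title, us in rows
    ]


def demo() -> list:
    """Carve the constructed image and decode every database found in it."""
    image = build_disk_image(build_sample_db())
    return [query_history(blob) for blob in carve_sqlite(image)]


if __name__ == "__main__":
    for i, visits in enumerate(demo()):
        print(f"database {i}:")
        for url, title, ts in visits:
            print(f"  {ts}  {title:<10} {url}")
```

On a real image the same `carve_sqlite` loop would run over the raw device or partition dump, and the carved blobs would be opened read-only in a viewer rather than queried by a hard-coded table name; the point of the example is that the header alone tells you how many bytes to cut, which is what makes a carved SQLite file loadable even when the file system entry is gone.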