Automate the extraction of SQLite database BLOB data

Reviewing BLOB data using standard SQLite database viewing tools can be a very laborious exercise, more so when the information has to be produced in a suitable report format. SQLite Forensic Reporter allows an analyst or investigator to extract BLOB data en masse from all database files in a case automatically. The extracted data can subsequently be reviewed manually or by automated means, for example by processing it in third-party forensic applications for de-duplication, filtering and review.

SQLite Forensic Reporter is template-driven, which allows specific databases to be identified during the automated processing stage based on unique characteristics set by the user. If specific columns within a database are identified as containing BLOB data, this information can be extracted automatically and presented in a suitable report. The extraction process is transparent once a template is created. During extraction, SQLite Forensic Reporter can identify a file based on its file header/signature and append the correct file extension to the extracted data, to facilitate end-user review with common third-party tools.

SQLite Database File Signatures

File signatures within SQLite Forensic Reporter are user-configurable, and new signatures can be added if a new file type is encountered. Once a template is created, that particular type of database will be processed in the manner the user specified before processing. It is worth noting that multiple templates can be created for a specific database, depending on the user's requirements.
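The extraction and signature-matching steps described above can be sketched in Python. This is an added illustration, not SQLite Forensic Reporter's own code: the signature table, function names and report fields are assumptions, and template matching is left out.

```python
import hashlib
import sqlite3
from pathlib import Path

# Constructed signature table (header bytes -> extension); add entries for new file types.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"%PDF-", ".pdf"),
    (b"bplist00", ".plist"),
    (b"SQLite format 3\x00", ".sqlite"),
    (b"PK\x03\x04", ".zip"),
    (b"\x1f\x8b", ".gz"),
]

def sniff_extension(data: bytes) -> str:
    """Return the extension of the first matching header, or .bin if unknown."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return ".bin"

def extract_blobs(db_path, out_dir):
    """Write every BLOB value in db_path to out_dir; return one report row per BLOB."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    # mode=ro opens the evidence file read-only so extraction cannot alter it.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    con.text_factory = lambda b: b.decode("utf-8", "replace")  # tolerate damaged text
    report = []
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            cur = con.execute(f"SELECT * FROM {quoted}")
            cols = [d[0] for d in cur.description]
            for n, row in enumerate(cur):
                for col, val in zip(cols, row):
                    # SQLite types are per value: test the value, not the declared column type.
                    if not isinstance(val, bytes) or not val:
                        continue
                    digest = hashlib.sha256(val).hexdigest()
                    # File name is built from a counter and hash, never from database text.
                    name = f"{len(report):06d}_{digest[:16]}{sniff_extension(val)}"
                    (out / name).write_bytes(val)
                    report.append({"table": table, "column": col, "row": n,
                                   "file": name, "sha256": digest, "size": len(val)})
    finally:
        con.close()
    return report
```

The SHA-256 recorded per BLOB lets the extracted files be de-duplicated and verified against the source database later.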

Templates can be shared amongst colleagues, allowing a team of analysts to collectively deal with the growing number of SQLite database files encountered in the wild.

Reference: The total number of recorded SQLite databases in the wild, as last published on the SQLite Database Catalog, was 691.