Making the Invisible Visible – Techniques for Recovering Deleted SQLite Data Records


Dirk Pawlaszczyk  (1*) - [ https://orcid.org/0000-0001-7485-7478 ]
Christian Hummert  (2) - [ https://orcid.org/0000-0002-9932-3779 ]

(1) Hochschule Mittweida - University of Applied Sciences, Germany
(2) Central Office for Information Technology in the Security Sector (ZITiS), Germany
(*) Corresponding Author

Abstract

Forensic analysis and evidence collection for web browser activity is a recurring problem in digital investigation. It is not unusual for a suspect to cover his traces. Accordingly, the recovery of previously deleted data such as web cookies and browser history is important. Fortunately, many browsers and thousands of apps use the same database system to store their data: SQLite. Reason enough to take a closer look at this product. In this article, we pursue the question of how deleted content can be made visible again in an SQLite database. For this purpose, the technical background of the problem is examined first. Techniques are presented with which it is possible to carve and recover deleted data records from a database on a binary level. A novel software solution called FQLite is presented that implements the proposed algorithms. The search quality, as well as the performance of the program, is tested using the standard forensic corpus. The results of a performance study are discussed as well. The article ends with a summary and identifies further research questions.

Keywords

Digital Forensics; Database Investigations; SQLite; FQLite; Data Recovery; Digital Traces; Free-Page List

