SANS Digital Forensics and Incident Response Blog: Tag - sqlite

Digital Forensics Case Leads: SQLite changes may impact your processes

I don't know if it's the time of year, the heat or what, but there's been so much going on over the last couple of weeks that this post almost didn't make it out. Gasp! Thanks to the efforts of Ira Victor and Mark McKinnon (yay crowd-sourcing), we pulled it off. Speaking of crowd-sourcing, this post is meant to be a weekly round-up of things we've found that may be of interest to digital forensics and incident response practitioners. As such, please drop us a line at if you have an item that you feel should be included in the weekly post. We appreciate it.


  • Paraben's P2 Explorer is a great little free tool that mounts a variety of popular disk image formats, allowing the investigator to easily run a variety of tools against the mounted file system (e.g. anti-virus/malware scans).
  • Digital


Safari Browser Forensics

Since Apple started installing Safari for Windows by default when you update iTunes, I imagine there's going to be considerably more interest in performing forensic analysis of Safari browser artifacts than there has been previously.

Safari for Windows

Safari Forensics

In searching for some tools to help with analysis of Safari artifacts on a case I recently worked, I came across SFT 1.1.1. SFT was first released about a year and a half ago, and was updated several times over the following six months. There are no recent updates. Except for one issue noted below, it seems to work OK. SFT 1.1.1 contains the


Indirect iPhone Forensics

In a case I recently worked, I came across relevant SMS messages which had been sent and received using an iPhone. Interestingly, I wasn't actually examining the iPhone, but only the subject's MacBook Pro. What I discovered, and subsequently researched, is that virtually all of the iPhone's current data contents, as well as quite a bit of archival data, appear to be extractable from the .mdbackup files that are stored on the PC or Mac to which the iPhone is synched.

On Windows, .mdbackup files are stored in the user's profile folder, under 'Application Data\Apple Computer\MobileSync\Backup'. On the Mac, they're stored in the user's home directory, under 'Library/Application Support/MobileSync/Backup'. While I've only worked with the one instance on a Mac, I believe that the file format is identical between both platforms. The .mdbackup file contains, presumably among other things, one or more sqlite database files. These can be
