January 18, 2022

CCL releases latest RabbitHole version, further raising the bar for forensic data exploration tools

Digital forensic analysts' 'go-to' tool for data exploration just got better: the updated version of RabbitHole adds reparsers for Chrome artefacts and enhancements to its SQLite reparser

CCL Solutions Group has released RabbitHole 2.1, an updated and improved version of its ‘go-to’ forensic data exploration software.

RabbitHole - the tool ‘that picks up where other tools leave off’ - allows analysts to drill down into data and switch to the optimal view for the data format they are looking at, saving time and accelerating insights.  

RabbitHole 2.1 boasts some significant additions, most notably new reparsers for Chrome/Chromium artefacts and enhancements to the existing SQLite reparser.

Shining a light on Chrome

Chrome is the number one browser by market share, but its reach and significance in digital investigations is larger than that, with many other browsers and apps based on, or making use of, the open-source Chromium project.

RabbitHole 2.1 introduces reparsers for three key storage formats for the Chrome browser: IndexedDB, Local Storage and Session Storage. They all include RabbitHole’s innovative ‘Tree Parser’ interface allowing you to build reports from this data quickly with just a few clicks of the mouse; and thanks to the software’s understanding of the underlying LevelDB data store, it will also present recovered deleted records.

Figure 1 The IndexedDB Reparser

More heavy lifting for SQLite

SQLite continues to be one of the most enduring database formats in use on desktops and mobile devices, hence the continued work on additional functionality.  

Users now have the ability to perform searches across all the tables in the database without having to write a single line of SQL. The new search functionality allows for both keyword and regular expression/grep searches, including searching within BLOB fields. Search results are returned with information about the table and row in which the hit was found and the ability to quickly jump to the result.

Secondly, the SQLite reparser now features a Blob Export function. SQLite’s internal structure means that large files embedded in the database will be fragmented, so traditional file carving processes may be ineffective when working with this data. This new feature allows users to bulk export BLOB or text fields found in the database to files for processing or review in other tools.
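The two SQLite features described above, a keyword/regex search across every table and column (BLOB fields included) and a bulk export of BLOB fields to individual files, can be reproduced with nothing more than Python's standard-library sqlite3 module. The following is an added example written for this page, not RabbitHole's own code; the sample database, its table names and its contents are constructed, and the code assumes ordinary rowid tables.

```python
import re
import sqlite3
import tempfile
from pathlib import Path
from typing import Iterator, List, NamedTuple, Optional, Sequence, Tuple


class Hit(NamedTuple):
    table: str
    rowid: int
    column: str
    storage_class: str  # SQLite typeof(): 'integer', 'real', 'text' or 'blob'
    raw: bytes          # the cell content exactly as stored, undecoded


def quote_ident(name: str) -> str:
    """Double-quote an identifier so unusual table or column names cannot break the SQL."""
    return '"' + name.replace('"', '""') + '"'


def user_tables(conn: sqlite3.Connection) -> List[str]:
    """Application tables only; SQLite's internal sqlite_* tables are skipped."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    )
    return [r[0] for r in rows]


def iter_cells(conn: sqlite3.Connection) -> Iterator[Tuple[str, int, str, str, Optional[bytes]]]:
    """Yield (table, rowid, column, storage_class, raw_bytes) for every cell of every user table.

    Each column is read as CAST(col AS BLOB) so text that is not valid UTF-8 (common in
    damaged evidence) comes back as raw bytes instead of raising a decode error;
    typeof(col) is read alongside it so the original storage class is still known.
    """
    for table in user_tables(conn):
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        select = ", ".join(
            f"CAST({quote_ident(c)} AS BLOB), typeof({quote_ident(c)})" for c in columns
        )
        # Assumption: ordinary rowid tables. A WITHOUT ROWID table has no rowid column and
        # would need its declared primary key selected instead.
        for row in conn.execute(f"SELECT rowid, {select} FROM {quote_ident(table)}"):
            rowid, cells = row[0], row[1:]
            for n, column in enumerate(columns):
                yield table, rowid, column, cells[2 * n + 1], cells[2 * n]


def search_database(conn, pattern: str, regex: bool = False, ignore_case: bool = True) -> List[Hit]:
    """Keyword or regular-expression search across all tables and columns, BLOBs included."""
    needle = pattern.encode("utf-8")
    if not regex:
        needle = re.escape(needle)
    rx = re.compile(needle, re.IGNORECASE if ignore_case else 0)
    return [
        Hit(table, rowid, column, cls, raw)
        for table, rowid, column, cls, raw in iter_cells(conn)
        if raw is not None and rx.search(raw)
    ]


def export_fields(conn, out_dir, storage_classes: Sequence[str] = ("blob",), min_size: int = 1) -> List[Path]:
    """Write every cell of the chosen storage classes to its own file, named table_rowid_column.bin."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for table, rowid, column, cls, raw in iter_cells(conn):
        if cls in storage_classes and raw is not None and len(raw) >= min_size:
            stem = re.sub(r"[^A-Za-z0-9_.-]", "_", f"{table}_{rowid}_{column}")
            path = out / f"{stem}.bin"
            path.write_bytes(raw)
            written.append(path)
    return written


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for an evidential database; none of this is real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT);
        CREATE TABLE attachments (id INTEGER PRIMARY KEY, msg_id INTEGER, name TEXT, data BLOB);
        INSERT INTO messages VALUES (1, 'alice@example.test', 'Meet at the usual place');
        INSERT INTO messages VALUES (2, 'bob@example.test', 'Sending the Invoice now');
        """
    )
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"invoice-2022.pdf" + b"\x00" * 16
    conn.execute("INSERT INTO attachments VALUES (1, 2, 'scan.png', ?)", (png_like,))
    conn.execute("INSERT INTO attachments VALUES (2, 2, 'note.txt', ?)", (b"plain text body",))
    conn.commit()
    return conn


def run_demo() -> dict:
    """Exercise search and export against the constructed sample database."""
    db = build_sample_db()
    with tempfile.TemporaryDirectory() as tmp:
        sizes = {p.name: p.stat().st_size for p in export_fields(db, tmp)}
    return {
        "keyword_hits": [(h.table, h.rowid, h.column) for h in search_database(db, "invoice")],
        "regex_hits": [(h.table, h.rowid, h.column)
                       for h in search_database(db, r"[a-z]+@example\.test", regex=True)],
        "exported": sizes,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The search matches the keyword as UTF-8 bytes, so a value stored as UTF-16 (or inside a compressed or encrypted BLOB) will not match until it is decoded first; that is exactly the kind of case where a reparser chain is needed. Reading every column through CAST(... AS BLOB) is the practical safeguard: a single malformed text cell would otherwise abort the whole row scan.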

Figure 2 New Features in the SQLite Reparser

Also new in 2.1

• New Bencode reparser for BitTorrent related artefacts

• New Brotli compression reparser – Brotli compression is now found widely across a range of Chrome/Chromium related artefacts where gzip was previously used

• New Mozilla Flavour LZ4 Compression reparser – for decompressing Firefox LZ4 compressed data (e.g. “jsonlz4” files)

• New – Automatically infer and decode Protocol Buffer structures

• New – Bulk export blob fields from SQLite databases

• New – Tree Parser interface now allows regex matches for Keys
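Bencode, the format behind the BitTorrent artefacts mentioned in the first item above, is simple enough that a strict decoder fits in a few dozen lines. The example below is added for this page and is not RabbitHole's code: it decodes the four bencode types, rejects malformed or truncated input (an analyst wants to know when a file is damaged rather than get silently wrong values), keeps the byte span of each dictionary value so the 'info' dictionary can be hashed exactly as stored, and includes a canonical encoder used only to build the constructed sample torrent. The announce/info/pieces keys are the standard BitTorrent metainfo keys; the tracker URL and file contents are made up.

```python
import hashlib
import re
from typing import Any, Tuple


class BencodeError(ValueError):
    """Raised for malformed or truncated bencoded data."""


class BDict(dict):
    """Decoded dictionary that also records the byte span of each value in the input,
    so raw bytes (e.g. of the 'info' dictionary) can be hashed exactly as stored."""

    def __init__(self) -> None:
        super().__init__()
        self.spans = {}


_INT_RE = re.compile(rb"-?(0|[1-9][0-9]*)")   # no leading zeros; '-0' rejected separately


def _decode_at(data: bytes, i: int) -> Tuple[Any, int]:
    """Decode one value starting at offset i; return (value, offset just after it)."""
    lead = data[i:i + 1]
    if lead == b"i":                       # integer: i<digits>e
        end = data.find(b"e", i)
        if end == -1:
            raise BencodeError(f"unterminated integer at offset {i}")
        digits = data[i + 1:end]
        if not _INT_RE.fullmatch(digits) or digits == b"-0":
            raise BencodeError(f"invalid integer {digits!r} at offset {i}")
        return int(digits), end + 1
    if lead == b"l":                       # list: l<values>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":       # running off the end raises below
            value, i = _decode_at(data, i)
            items.append(value)
        return items, i + 1
    if lead == b"d":                       # dictionary: d<key><value>...e, keys are byte strings
        result, i = BDict(), i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode_at(data, i)
            if not isinstance(key, bytes):
                raise BencodeError(f"dictionary key before offset {i} is not a byte string")
            start = i
            value, i = _decode_at(data, i)
            result[key] = value
            result.spans[key] = (start, i)
        return result, i + 1
    if lead.isdigit():                     # byte string: <length>:<bytes>
        colon = data.find(b":", i)
        if colon == -1 or not data[i:colon].isdigit():
            raise BencodeError(f"invalid string length at offset {i}")
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise BencodeError(f"string at offset {i} runs past the end of the data (truncated?)")
        return data[start:end], end
    raise BencodeError(f"unexpected byte {lead!r} at offset {i}")


def decode(data: bytes) -> Any:
    """Decode a complete bencoded document; trailing bytes are treated as an error."""
    value, end = _decode_at(data, 0)
    if end != len(data):
        raise BencodeError(f"{len(data) - end} trailing bytes after the value")
    return value


def is_valid(data: bytes) -> bool:
    try:
        decode(data)
        return True
    except BencodeError:
        return False


def encode(value: Any) -> bytes:
    """Canonical bencode encoder (dictionary keys sorted); used here to build sample data."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, (bytes, bytearray)):
        return b"%d:%s" % (len(value), bytes(value))
    if isinstance(value, list):
        return b"l" + b"".join(encode(v) for v in value) + b"e"
    if isinstance(value, dict):
        pairs = [(k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in value.items()]
        pairs.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(encode(k) + encode(v) for k, v in pairs) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def info_hash(torrent: bytes) -> str:
    """SHA-1 over the stored bytes of the 'info' dictionary (the torrent's infohash).
    Hashing the stored bytes rather than a re-encoding matters: a file whose keys are not
    in canonical order would re-encode differently and give the wrong hash."""
    meta = decode(torrent)
    if not isinstance(meta, BDict) or b"info" not in meta:
        raise BencodeError("not a torrent metainfo dictionary")
    start, end = meta.spans[b"info"]
    return hashlib.sha1(torrent[start:end]).hexdigest()


# Constructed sample metainfo file; the tracker URL and contents are made up.
SAMPLE_TORRENT = encode({
    "announce": "http://tracker.example.test/announce",
    "created by": "constructed sample",
    "info": {"length": 1024, "name": "file.bin", "piece length": 262144, "pieces": b"\x00" * 20},
})


if __name__ == "__main__":
    meta = decode(SAMPLE_TORRENT)
    print("announce:", meta[b"announce"].decode())
    print("name:", meta[b"info"][b"name"].decode(), "length:", meta[b"info"][b"length"])
    print("infohash:", info_hash(SAMPLE_TORRENT))
```

Strictness is deliberate: integers with leading zeros, non-string dictionary keys, unterminated containers and strings whose declared length exceeds the data are all rejected, so a partially overwritten or carved-out fragment is reported as such rather than decoded into something that looks plausible.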

Figure 3 The Bencode Reparser

Free trial offer

There is no better way to appreciate RabbitHole’s power and performance than to try it for yourself. CCL offers free 30-day trials for evaluation purposes – simply register your interest and download the software from the link supplied.

You can register your interest by emailing Alan McSharry
