June 4, 2024

Time travelling with SQLite Journals and WAL

In the latest episode of 'Digital Forensics Essentials', Principal Analyst, Alex Caithness, explains the lasting importance of the temporary world of SQLite Journals and Write-Ahead-Logs.

Even by conservative estimates, SQLite is likely the most deployed database engine in the world. Its near ubiquity on mainstream consumer computer systems means that in almost every digital forensic investigation, analysts will likely encounter many SQLite databases, either directly or through artefacts processed by their tooling.

In this video, Alex looks at how SQLite creates additional temporary files, alongside the main database file, and how they can hold data crucial to an investigation. In SQLite, depending on the configuration of a database, one of two methods is used: rollback journal or write-ahead log, each of which operates differently and generates different temporary files.

Alex explains how these temporary files are used by the database and how they can contain previous versions of database data, making them a useful source of deleted or alternative versions of database records.
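To make the write-ahead log case concrete, the following is an added example, not taken from the video or the cheat sheet: it builds a small constructed database in WAL mode, updates a record, and then reads the `-wal` file directly to find the earlier version of the page that a normal query no longer returns. The table name `notes`, the file name `constructed.db` and the record values are assumptions made for the illustration; the header and frame layout follow SQLite's documented WAL format.

```python
import os, sqlite3, struct, tempfile

WAL_MAGICS = (0x377F0682, 0x377F0683)  # documented WAL magic numbers

def parse_wal(wal_bytes):
    """Split a -wal file into frames; each frame is one saved page image."""
    magic, _ver, page_size, _ckpt, salt1, salt2 = struct.unpack(">6I", wal_bytes[:24])
    if magic not in WAL_MAGICS:
        raise ValueError("not a SQLite WAL file")
    frames, offset = [], 32  # the WAL header is 32 bytes
    while offset + 24 + page_size <= len(wal_bytes):
        page_no, db_size, f_salt1, f_salt2 = struct.unpack(">4I", wal_bytes[offset:offset + 16])
        frames.append({
            "index": len(frames),
            "page": page_no,
            "commit": db_size != 0,  # non-zero only on a transaction's last frame
            "salt_ok": (f_salt1, f_salt2) == (salt1, salt2),  # frame belongs to current WAL generation
            "data": wal_bytes[offset + 24:offset + 24 + page_size],
        })
        offset += 24 + page_size
    return frames

def demo():
    """Build a constructed database, update a row, and compare live data with WAL frames."""
    with tempfile.TemporaryDirectory() as workdir:
        db_path = os.path.join(workdir, "constructed.db")  # hypothetical file name
        con = sqlite3.connect(db_path, isolation_level=None)  # autocommit: one transaction per statement
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("PRAGMA wal_autocheckpoint=0")  # keep frames in the WAL
        con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO notes (body) VALUES ('first draft')")
        con.execute("UPDATE notes SET body = 'final version' WHERE id = 1")
        live = [row[0] for row in con.execute("SELECT body FROM notes")]
        with open(db_path + "-wal", "rb") as fh:  # read before close(); closing checkpoints the WAL
            frames = parse_wal(fh.read())
        con.close()
    old = [f for f in frames if b"first draft" in f["data"] and b"final version" not in f["data"]]
    new = [f for f in frames if b"final version" in f["data"]]
    return live, frames, old, new

if __name__ == "__main__":
    live, frames, old, new = demo()
    print("live query returns:", live)
    for f in frames:
        tag = "OLD" if f in old else "NEW" if f in new else "-"
        print(f"frame {f['index']} page {f['page']} commit={f['commit']} salt_ok={f['salt_ok']} {tag}")
```

The parser does not verify frame checksums, which should be checked before a frame is relied on as evidence.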

The topics covered in the video are also summarised in our handy cheat sheet which you can download here.

Want to learn more about the fine details of database forensics? The Rollback Journal, Write-Ahead Log and so much more are covered in our File and Data Formats in Depth training course.

If you missed the previous installment in our Digital Forensics Essentials series, catch up here.
