Notifications
Clear all

SQLite viewer

9 Posts
6 Users
0 Likes
1,458 Views
Ricco
(@ricco)
Posts: 52
Trusted Member
Topic starter
 

Any recommendation guys for a good free SQLite viewer?
Thanx a lot )

 
Posted : 02/04/2015 8:41 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

www.deftlinux.com

DEFT contains two working SQLite viewers, one with a GUI.

Regards,

Larry

 
Posted : 02/04/2015 8:59 am
(@sam305754)
Posts: 44
Eminent Member
 

Hi,

SQLite Expert Personal

http//www.sqliteexpert.com/download.html

Regards

 
Posted : 02/04/2015 11:33 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Not free but my Forensic Browser for SQLite could help.

Just some of the features that you don't get in normal browsers

* display numerical dates in lots of formats and apply timezone conversions
* create SQL queries visually, drag and drop joins etc. - no need to design your own SQL
* create nicely formated custom reports on just the columns you want
* format reports as HTML/PDF/XLS
* automatically parse deleted and partially overwritten records from the DB
* ditto for records in SQLite -journal or -wal files
* maintain a library of queries for reuse/share with colleagues
* display blobs as pictures or hex
* resolve GPS coordinates and display in the grid/report as a map
* import pictures held externally (Kik, whatsapp etc.) and display in grid
* support for browser extensions to deal with scenarios not covered above

* and some other neat developments to be released shortly

and of course lots of help from me with creating custom queries/reports/browser extensions etc.

More information and a link to request a fully functional demo

http//sandersonforensics.com/forum/content.php?198-Forensic-Browser-for-SQLite

More information on deleted record recovery in the article published on Forensic Focus yesterday

http//www.forensicfocus.com/News/article/sid=2369/

Lots of useful articles re the browser/toolkit and SQLite in general here

http//sandersonforensics.com/forum/content.php?137-articles

If you have any questions that I can help with then please do not hesitate to ask/email/call/skype

 
Posted : 02/04/2015 5:05 pm
Ricco
(@ricco)
Posts: 52
Trusted Member
Topic starter
 

Thanx guys for answers. )

Thanx Paul for this description, it is definitely the nice tool but too expensive for my budget.

 
Posted : 02/04/2015 8:01 pm
(@dcs1094)
Posts: 146
Estimable Member
 

SQLite Expert Personal

http//www.sqliteexpert.com/download.html

Expert Personal is a great and does the trick if you are looking for a freebie.

I do however highly recommend Sanderson Forensics, Forensic Browser for SQLite; the software has proved itself in some of our most high level investigations. I am an end use of the toolkit and the support provided by Paul is also second to none.

 
Posted : 02/04/2015 8:28 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Paul,

I just purchased SQLite Forensic Toolkit now.

The bulk of my client cases ESI involve primarily email data (HTML/EML/MSG/PST/OST/NSF/EDB/MBOX), but I am seeing more and more communication applications purely in SQLite database form.

Honestly, due to this undeniable shift, I now see the genius behind a SQLite specialty tool and why $495 (US) is actually very reasonable in my opinion.

I am anxious to use SQLite Forensic Toolkit to validate the results my other forensic tools are showing.

For example, I have multiple mobile phone forensic tools that extract and display Skype chat messages. So, I would like to see how many Skype chat messages the Sanderson technology is able to extract from the main.db file in comparison.

Is it an accurate assessment of mobile phone forensic tools to state that each one will (in the case of Skype for example) identify and open the main.db file, and display the main.db file contents mobile phone forensic tool's GUI and exportable reports (thus making a somewhat turnkey process)?

If my above assessment is correct, then would using SQLite FT on the same Skype main.db file be a good way to validate the results my other forensic tools are showing?

I am guessing that some mobile phone forensic tools just display un-deleted Skype records whereas your tool reveals undeleted in addition to recovered records, or is it known that some or all mobile phone forensic tools also carve and display deleted records?

I had seen some other experts' posts bemoaning the different results mobile phone forensic tool "A" delivers versus mobile phone forensic tool "B", which would lead me at least to want to validate the underlying evidence for those cases using lower level forensic techniques.

Regards,

Larry

 
Posted : 03/04/2015 3:02 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Hi Larry

You can certainly use the toolkit to verify the results of other forensics tools. Using your example of Skype there are (the last time I looked) 98 columns in the contacts table. Turnkey tools provide a report on a subset of these, obviously the most common/important and naturally on certain cases they may miss something.

This is not to knock these tools, they have their place (and I produce one such - SkypeAlyzer) but you can't produce a generic tool that always provides a court friendly report without user input (i.e. look at the tables decide what columns you want and output your custom report) on a table/database of this complexity

Carving SQLite data is a little bit of a black art due to the sparse manner in which they store records. Up until recently I used SQLite Recovery (part of the toolkit) to parse and carve records, including deleted records. The intention was to carve from an disk image or dump and carve multiple databases and tables in one pass. Although you could "carve" from a discrete database in this way it was a little clumsy (carve using SQLite Recovery and then create reports using the Forensic Browser - although you could view the carved data in SQLite Recovery). So based on user feedback I added the carving functionality to the Forensic Browser so you can now see deleted records alongside the live records.

There is still a place for SQLite Recovery though as this provides more opportunities to tweak the carving process - for instance SQLite allows you to define a column as an integer and then write a string to it (not just an integer in string form, you could write "Paul Sanderson" to an integer field) - all perfectly legal. With the Browser when you are carving you can tell the process to accept a string for an integer, amongst other things. You can also instuct it to only accept a 0 or 1 in a boolean field etc. This reduces the number of false positive records you get when carving

I hope this answers your questions, I can't really comment on other forensic tools (I don't use anything else) but I know that other people use different tools and they are happy with them. I like to think that the toolkit goes a lot further than these tools though - it offers more forensic functionality than off the shelf SQLite browsers and is more targetted than the turnkey solutions - and I am keen to update my software inline with user requests (I have some very neat new functionality about to be added to the Browser - watch this space)

Cheers
Paul

 
Posted : 03/04/2015 4:32 am
(@ashishsingh)
Posts: 29
Eminent Member
 

Any recommendation guys for a good free SQLite viewer?
Thanx a lot )

Hi,
The very similar part of your and mine query is the FREE utility. Well I have tried a number of such tools so far but I guess that the most appropriate one so far is

http//www.systoolsgroup.com/sqlite-viewer.html

There are certain other tools too that I would be suggesting you after I test them in depth.
Please share your experience with the tool that has been best at your part.

Regards

 
Posted : 06/04/2015 10:04 am
Share: