A WAL is a Write Ahead Log (journal) and this means that everything that is written to the database goes into the WAL first. It is only transferred to the DB itself when
a) the WAL reaches 1000 pages
b) the application closes
or
c) the programmer decides it should
The point at which it writes/transfers data to the DB is known as a checkpoint
After a checkpoint writing starts from the beginning of the WAL and the old pages remain as a sort of file slack.
Most phone based DB's/apps don't get shut down so it is not unusual to see WALs > 1000 pages and WALs that are bigger than their parent DB.
There can be loads of data in a WAL particularly there can be multiple copies of the same page (each time a page is updated the new version of the page is appended to the WAL) and particularly if you suspect that a user has deleted data then the WAL is the place to look.
The next release of my Forensic Browser for SQLite software will allow you to "unwind" the DB and WAL and look (and query) the database as it was before a particular update.
http//
Paul
Great….so there is another question D …. when you release next version of Foresinc Browser for SQLite ??
Thanx for your answer. It was very helpful.