Loading a single Database file for decoding  

4Rensics
(@4rensics)
Active Member

Hi All,

 

Does anybody know how or if it is possible to decode a single, standalone SQLite database via a tool?

I've tried Cellebrite, XRY, Oxygen and AXIOM and nothing will decode the messaging app (which I know is supported).

When I load a file into Cellebrite, for example, it just loads "a file" and will not recognise it and decode it.

Am I missing a hidden function, or will I have to manually figure out the database structure and spend 10 years of my life trying to understand it? 😭

 

Any help much appreciated.  

4R

Posted : 12/10/2020 4:11 pm
jaclaz
(@jaclaz)
Community Legend

I am not sure I understand the question, maybe something like:

https://sqlitebrowser.org/

https://sqlitestudio.pl/

would do?

jaclaz

Posted : 12/10/2020 5:39 pm
athulin
(@athulin)
Community Legend
Posted by: @4rensics

 

Does anybody know how or if it is possible to decode a single, standalone SQLite database via a tool?

Well, SQLite is SQLite. If you've installed it, you typically have a command-line interpreter. After that, it's basically SQL using that CLI. (Or are you asking about SQL as well?)

If you feel more at home with ODBC, and have tools for that API, there are drivers for that as well.

If you have nothing, Jaclaz' suggestions are probably the second best way to go. But you do need some SQL know-how for that, too.

This post was modified 2 weeks ago 2 times by athulin
Posted : 12/10/2020 6:58 pm
4Rensics
(@4rensics)
Active Member

@jaclaz 

I have those tools, but I'm basically trying not to have to figure out all the tables and links between them all, since the phone tools do this for me already. I know it's a lazy way, but why try and figure out how a message DB is working with hundreds of tables when I know PA or Hancom can decode it for me? But I can't get it to see the DB on its own, but if it was in a full phone extraction it would have done it for me.

Does that make sense? Apologies, the first message was a little vague.

I'm basically trying to utilise the tools I have but can't and it's frustrating! 

Posted : 12/10/2020 7:07 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @athulin

If you have nothing, Jaclaz' suggestions are probably the second best way to go. But you do need some SQL know-how for that, too.

Very little, I believe:

https://sqlitebrowser.org/

What it is

DB Browser for SQLite (DB4S) is a high quality, visual, open source tool to create, design, and edit database files compatible with SQLite.

DB4S is for users and developers who want to create, search, and edit databases. DB4S uses a familiar spreadsheet-like interface, and complicated SQL commands do not have to be learned.

 

What it is not

This program is not a visual shell for the sqlite command line tool, and does not require familiarity with SQL commands. It is a tool to be used by both developers and end users, and must remain as simple to use as possible in order to achieve these goals.

jaclaz

Posted : 12/10/2020 7:09 pm
jaclaz
(@jaclaz)
Community Legend

@4Rensics

I am afraid I still don't understand, this (these) .db files, if they come from a messaging app, they also come from a device "dump".

So get the original device dump and run the forensic tool on it or create a "dummy" device dump with the .db files in it, and run the forensic tools on this latter "container".

jaclaz

Posted : 12/10/2020 7:15 pm
passcodeunlock
(@passcodeunlock)
Senior Member

@4Rensics: why don't you name the app you need to be decoded?!

Posted : 12/10/2020 8:34 pm
4Rensics
(@4rensics)
Active Member

@passcodeunlock

It's Wickr.

 

Posted : 13/10/2020 11:18 am
passcodeunlock
(@passcodeunlock)
Senior Member

When you do the acquisition, UFED asks for the Wickr password, so it decrypts the data. If you don't know it, I think you can also provide a dictionary with passwords for a brute-force attack. If none of those work, the db content is encrypted, bad luck.

Other vendor products also support Wickr, try other ways for acquisitions.

Posted : 13/10/2020 1:22 pm
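
Added example, not part of any post in this thread: a Python sketch of the manual route discussed above, which first checks whether a standalone file carries the plaintext SQLite header and, if it does, opens it read-only and lists every table with its columns, row count and declared foreign-key links. The function names and the two-table sample database are constructed for illustration and do not reflect any real app's schema.

```python
import pathlib
import sqlite3

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of a plaintext SQLite file

def is_plain_sqlite(path):
    """True if the file starts with the standard SQLite header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def map_schema(path):
    """Return {table: {"columns": [...], "rows": n, "links": [(col, table, col)]}}."""
    if not is_plain_sqlite(path):
        raise ValueError("no SQLite header: file is encrypted or not SQLite")
    # mode=ro opens the working copy read-only, so nothing here can modify it
    con = sqlite3.connect(pathlib.Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        schema = {}
        tables = con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name").fetchall()
        for (name,) in tables:
            q = '"' + name.replace('"', '""') + '"'  # quote the identifier
            cols = [r[1] for r in con.execute(f"PRAGMA table_info({q})")]
            links = [(r[3], r[2], r[4])  # from-column, referenced table, to-column
                     for r in con.execute(f"PRAGMA foreign_key_list({q})")]
            rows = con.execute(f"SELECT COUNT(*) FROM {q}").fetchone()[0]
            schema[name] = {"columns": cols, "rows": rows, "links": links}
        return schema
    finally:
        con.close()

def build_sample(path):
    """Constructed two-table database, used only to exercise map_schema."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE conversation (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT, sent_at INTEGER,
            conv_id INTEGER REFERENCES conversation(id));
        INSERT INTO conversation VALUES (1, 'constructed chat');
        INSERT INTO message VALUES (1, 'hello', 1602518400, 1), (2, 'hi', 1602518460, 1);
    """)
    con.close()

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "sample.db")
    build_sample(sample)
    for table, info in map_schema(sample).items():
        print(table, info)
```

Run it against a working copy of the database rather than the original exhibit; tables that declare no foreign keys come back with an empty `links` list, so their relationships still have to be inferred from column names and values.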