SQLite file carving
I am Apurva. I am trying to recover the SQLite databases from a raw Android image.
Since there is no footer we have to apply some special techniques. I just got to know that Android uses auto-vacuum enabled databases (by checking the non-zero value at offset 52). Hence the number of records in the pointer map pages should ideally give us the size of the SQLite file.
Hence I made a C program to calculate the file size based on the number of records in the pointer map pages. However, when I try this program on the DB files, I am not getting the size as being reported.
e.g. the C program reports 50 records in the pointer map and hence the file should ideally be around 50 KB. But the actual size is just 8 KB.
Am I missing something here? Your help will be greatly appreciated on this.
I replied to your PM, but I'll post the reply here in case it sparks any other thoughts
My understanding of the Pointer map is that it'll be a page filled with 5-byte entries. Each entry is a type byte followed by a 32-bit number which is a parent page. The first pointer map will always be on page 2.
The type bytes run from 0x01 through to 0x05; anything else detected at the page type byte (especially 0x00) should indicate the end of the records. That's the first thing I would check in your code - are you checking for the end of the pointer map?
I don't know what the page size of your test database is, but if it's Android it should be 1024 I think, which means (if my understanding is correct) you should see 6 valid entries in the pointer-map (page 1 and any pointer-maps don't appear in the pointer-map). I'd check that in a hex editor and make sure that your program is getting it right.
Thanks BinaryBod for the blog. My primary source for the code was this blog. I have also contacted Mr. Drinkwater in regard to the same.
I have taken care of all the things noted by you. It would be a great help if you could have a look at the following set of files.
The archive contains the source code, executable and sample of DB files.
The DB files for which I got correct and wrong results are placed in respective folders.
Thanks a lot.
I'll try to take a look over the weekend. I'm not fluent in C but having a skim read I should be ok.
I have only started looking at the files you sent this afternoon (other half had other ideas over the bank holiday weekend).
With regards to the file downloads.db you supplied please can I ascertain
1) which application created it?
2) if it came from a raw image how did you ascertain it should be 8KB in size?
3) is there an associated journal file?
4) how do you run your program, I can't seem to get the syntax right
In the file downloads.db you supplied the first 240 bytes of page 2 of the database contain records - 48 records which indicates that the database should be 50 x page size in size, in other words 50KB.
The four bytes at offset 52 indicate that the highest numbered root page should be page 5. As far as I can see page 5 is not a root page. This again suggests to me that there may be an associated journal file.
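The two checks described in this thread (walk the 5-byte pointer-map entries on page 2 until a type byte outside 0x01-0x05, count page 1 plus the map plus the described pages, and confirm that the page named at offset 52 is actually typed as a root page in the map) can be put into a small carving helper. The code below is an added example written for this thread; it is not Apurva's C program and not code from BinaryBod's blog. It handles the general case of several pointer-map pages (one at page 2, then every usable_size/5 + 1 pages) rather than only the first map, and it also reads the in-header page count at offset 28, which is only meaningful when the change counter at offset 24 equals the version-valid-for number at offset 92. The `build_image` function and the images it produces are constructed test data, not real databases, and `downloads.db` is only mimicked by the 48-entry image in the usage note.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
# Pointer-map entry types from the SQLite file format; any other type byte ends the map.
PTRMAP_TYPES = {1: "root", 2: "freelist", 3: "overflow1", 4: "overflow2", 5: "btree"}

def parse_header(buf):
    """Header fields a carver needs (all multi-byte values are big-endian)."""
    if len(buf) < 100 or buf[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 header")
    page_size = struct.unpack(">H", buf[16:18])[0]
    if page_size == 1:                                  # 1 encodes a 65536-byte page
        page_size = 65536
    change_counter, db_size_pages = struct.unpack(">II", buf[24:32])
    version_valid_for = struct.unpack(">I", buf[92:96])[0]
    return {
        "page_size": page_size,
        "usable_size": page_size - buf[20],             # byte 20: reserved bytes at the end of each page
        "largest_root": struct.unpack(">I", buf[52:56])[0],  # non-zero: auto-vacuum is on
        "db_size_pages": db_size_pages,                 # offset 28; SQLite before 3.7.0 leaves it 0
        "db_size_valid": db_size_pages != 0 and change_counter == version_valid_for,
    }

def is_ptrmap_page(pgno, usable_size):
    """Pointer maps sit on page 2 and then every usable_size // 5 + 1 pages."""
    return pgno >= 2 and (pgno - 2) % (usable_size // 5 + 1) == 0

def parse_ptrmap_page(buf, pgno, page_size, usable_size):
    """(entries, complete): the 5-byte (type, parent) entries of one map page.
    complete is False when the image ends inside the map, so the count is only a floor."""
    start, entries = (pgno - 1) * page_size, []
    for off in range(start, start + (usable_size // 5) * 5, 5):
        if off + 5 > len(buf):
            return entries, False
        if buf[off] not in PTRMAP_TYPES:                # 0x00 (or garbage) terminates the map
            break
        entries.append((buf[off], struct.unpack(">I", buf[off + 1:off + 5])[0]))
    return entries, True

def estimate_pages(buf, hdr):
    """Page count the maps imply: page 1 + every map page + the pages each map describes.
    Returns None if a map page lies beyond the data supplied."""
    per_map, total, pgno = hdr["usable_size"] // 5, 1, 2
    while True:
        entries, complete = parse_ptrmap_page(buf, pgno, hdr["page_size"], hdr["usable_size"])
        if not complete:
            return None
        total += 1 + len(entries)
        if len(entries) < per_map:                      # a partly filled map is the last map
            return total
        pgno += per_map + 1                             # full map: the next map follows the pages it covers

def largest_root_is_root(buf, hdr):
    """Cross-check: the page named at offset 52 should carry map type 1 (root page)."""
    lr, per_map = hdr["largest_root"], hdr["usable_size"] // 5
    if lr <= 2:
        return lr == 1                                  # page 1 is sqlite_master's root; page 2 is a map
    map_pgno = 2 + ((lr - 2) // (per_map + 1)) * (per_map + 1)
    if map_pgno == lr:
        return False                                    # a map page is never a root page
    entries, _ = parse_ptrmap_page(buf, map_pgno, hdr["page_size"], hdr["usable_size"])
    idx = lr - map_pgno - 1
    return idx < len(entries) and entries[idx][0] == 1

def carve_report(buf):
    """What the carved bytes claim about their own size versus how many bytes we actually have."""
    hdr = parse_header(buf)
    est = estimate_pages(buf, hdr) if hdr["largest_root"] else None
    ps = hdr["page_size"]
    return {
        "page_size": ps,
        "ptrmap_pages": est,
        "ptrmap_bytes": None if est is None else est * ps,
        "header_pages": hdr["db_size_pages"] if hdr["db_size_valid"] else None,
        "available_bytes": len(buf),
        "truncated": est is not None and len(buf) < est * ps,
        "largest_root_ok": largest_root_is_root(buf, hdr),
    }

def build_image(page_size, entries, largest_root, reserved=0, stamp_size=True):
    """Constructed test data (not a loadable database): an auto-vacuum image whose maps
    describe `entries`, one (type, parent) per content page from page 3 onwards."""
    usable = page_size - reserved
    pages, pending, pgno, cur = [bytearray(page_size)], list(entries), 2, None
    while pgno == 2 or pending:
        if is_ptrmap_page(pgno, usable):
            cur = pgno                                  # page number of the map now being filled
        else:
            typ, parent = pending.pop(0)
            off = 5 * (pgno - cur - 1)
            pages[cur - 1][off:off + 5] = bytes([typ]) + struct.pack(">I", parent)
        pages.append(bytearray(page_size))
        pgno += 1
    img = bytearray(b"".join(pages))
    img[0:16] = SQLITE_MAGIC
    img[16:18] = struct.pack(">H", 1 if page_size == 65536 else page_size)
    img[18:24] = bytes([1, 1, reserved, 64, 32, 32])   # write/read version, reserved, payload fractions
    img[24:28] = img[92:96] = struct.pack(">I", 3)     # change counter == version-valid-for
    img[28:32] = struct.pack(">I", len(pages) if stamp_size else 0)
    img[52:56] = struct.pack(">I", largest_root)
    return bytes(img)
```

To reproduce the situation in the thread, build an image whose first map holds 48 entries (`build_image(1024, [(1, 0)] * 3 + [(5, 3)] * 45, largest_root=5, stamp_size=False)`), keep only its first 8192 bytes as if that were all the carver found, and `carve_report` returns `ptrmap_pages == 50`, `ptrmap_bytes == 51200`, `available_bytes == 8192` and `truncated == True`. Two caveats when running this over a raw image rather than a single file: feed it more bytes than the expected database so a second map page can be read, and remember that the terminator heuristic trusts whatever follows a completely full map, so if the database ends exactly where the next map page would start, unrelated raw data there may be miscounted as one extra map page.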
These files were retrieved from an Android 2.2 powered phone. I had used a Nexus One for my testing and hence believe that this is vanilla Android. The files were retrieved quite some time back and hence I do not know if there was a journal file associated with it.
However, what I have read about rollback journals is that before every transaction, a rollback journal is made for backup purposes. I read about the rollback journal file format on sqlite.org.
I believe it is easy to carve them since we have the size and signature in the header itself.
What I was wondering about is two questions:
1) Since I am carving everything from raw data, how will I be able to associate a particular DB file with a journal file?
2) Some more insight into the working of journal files.
About the program, I would recommend keeping the db files and exe in the same folder and at the same level. (The idea is to omit any spaces in the file path.)
Run the program. When it asks the name of the file just give downloads.db