Sanderson Forensics was recently contacted by a customer at a police force with a question relating to deleted SQLite records that were found in a rollback journal. The requirement was to create a report(s) showing both the live records in the Kik database as well as the deleted records that were found by a filename search in the rollback journal.
The article at the link below goes into a little detail of how the rollback journal works, some thoughts on recovering data from it and then details how the data was recovered from the rollback journal and then how we distinguished and created a report showing the deleted records in the journal vs the live records that were also present in the journal…