Adding SQLite Database Evidence
Posted by Jack H. Ward, Last modified by Jack H. Ward on 29 January 2018 03:21 AM
SQLite is a database format that many applications use to store data. Applications that use SQLite include mobile applications and some instant messengers (such as Skype), among others.

Electronic Evidence Examiner supports SQLite 3.0 and higher.

Generally, SQLite database file extensions are .db, .Sqlite, .Sqlite3, .sqlitedb, and .db3.

SQLite database evidence can be viewed, searched, sorted, and included in a generated report. It is also possible to investigate SQLite databases as embedded evidence (for example, if an SQLite database is detected on the disk images).
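File extensions are only a naming convention, so a candidate file can be checked by its header before it is added as evidence. The following Python sketch is an added example, not part of the original article or of Electronic Evidence Examiner; the function names and the sample database are constructed for illustration.

```python
import hashlib
import sqlite3
from pathlib import Path

SQLITE3_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def is_sqlite3(path):
    """Identify the file by its header, not by its extension."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE3_MAGIC

def sha256_of(path):
    """Hash the file so the working copy can be verified later."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def tables_with_data(path):
    """Open read-only and return {table_name: row_count} for non-empty tables."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
        counts = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'  # quote the identifier
            rows = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            if rows:
                counts[name] = rows
        return counts
    finally:
        con.close()

def build_sample(path):
    """Constructed sample database for the demonstration (not real evidence)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)", [("hi",), ("bye",)])
    con.commit()
    con.close()

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "sample.db")
    build_sample(sample)
    print(is_sqlite3(sample), sha256_of(sample), tables_with_data(sample))
```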

To add new SQLite database evidence to the case:

1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen. (If you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3.)

2. The Add New Evidence window opens.
3. Select Other as the evidence category and SQLite Database as the source type. Click OK.



4. Navigate to the Evidence Source and select it.
5. Enter the Evidence name (by default, the name of the file to be added) and click OK.
6. The SQLite database evidence is added to the case.

7. The tables containing data are displayed in the Case Content pane (to the left). Grids with parsed information from the tables are displayed in the Data View pane (to the right).

The investigation of SQLite database evidence is possible with the following packages:

  • E3: Universal
  • E3: P2C

 




