This script is designed to recover deleted database-files last modified by SQLite version 3.7 or later.

These files will contain two values in the file-header: the database page-size, and the number of pages. These values will allow the script to determine a deleted file's size, extract and validate it.

It's important to note that older versions of SQLite do not write the number of pages into the database-header. This can lead to that value being empty or, where different versions of SQLite have accessed the database, out-of-sync.

The script will attempt to validate the page-size by checking that (a) it's not zero, and (b) that the change counter at offset-24 matches the version-valid-for number at offset-92. This is in accordance with the SQLite file-format specification.

Notwithstanding that script may be able to validate the page-size and thereby calculate the size of the deleted file, it doesn't necessarily follow that the file's data will be intact - the file may be partially overwritten or fragmented.

In order to avoid extracting invalid files, the script will write a copy of each deleted database file into a memory buffer and then try and open it with SQLite.

If this proves successful, the script will issue the SQLite PRAGMA quick_check query in order to check the file's structure.

If the structure is intact, the script will read the list of tables that it contains and display them in the resultant bookmark.

The examiner can choose to extract only those databases that contain one or more specified tables. Alternatively, he/she can opt to extract only those databases that have one or more tables regardless of the names of those tables.

The script will automatically skip extraction of duplicate files although it will still bookmark such files.

It's important to note that the data in a recovered file may not be up-to-date if a write-ahead-log (WAL) file was in use.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training