Generic SQLite Database Parser
This script is designed as a generic parser for SQLite database files.
The SQLite files to be parsed are added as folders in the left-hand pane of the script's linked-list dialog control.
Target SQLite files may be entries or records. If they are records, a current restriction in EnCase requires that all items in the case be parsed: parsing selected items will not work.
For each SQLite file represented as a folder, the examiner can add one or more child objects, each representing a SQL query to be applied to that file. It does not matter if two applications use SQLite files with the same name but different schemas: the script retrieves the correct data from each file provided the queries are entered correctly.
In some cases a single query is enough to obtain the desired information; in others, two or more queries are needed. Note that a query is applied only if it is blue-checked, and that binary (BLOB) data is not extracted.
The output of each query is written as a tab-delimited text file with a CSV extension. Bookmarks can be created as well.
An option is provided to write each item of data in the form ="<data>". This forces Excel to treat the value as text, which prevents automatic reformatting (of date-like or numeric strings, for example) and also stops a value beginning with =, +, - or @ from being evaluated as a formula when the file is opened.
Each query's output file incorporates the query's name, so the name must contain only characters that are valid in Windows file and folder names. Furthermore, all output files are written to the same folder, so query names must be unique.
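The following Python is an added illustration of the workflow described above; it is not the EnScript's own code and uses Python's sqlite3 module rather than EnCase. Two constructed databases both named cache.db, with different schemas, each get their own named query; BLOB values are left out of the output, each result set is written as a tab-delimited file with a .csv extension, query names are checked for Windows file-name compatibility and uniqueness, and the optional ="<data>" wrapper is applied. The table names, queries and sample rows are the example's own.

```python
# Added example (not the EnScript's own code): per-file SQL queries exported as
# tab-delimited .csv files, with the optional Excel ="<data>" text wrapper.
import os
import re
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Characters Windows forbids in file names, plus its reserved device names.
INVALID_NAME_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)})


def check_query_names(names):
    """Query names become file names in one shared output folder: reject names
    Windows cannot store and names that collide (Windows compares case-insensitively)."""
    seen = set()
    for name in names:
        if (not name or INVALID_NAME_CHARS.search(name) or name != name.rstrip(" .")
                or name.upper() in RESERVED_NAMES):
            raise ValueError(f"query name is not a valid Windows file name: {name!r}")
        if name.lower() in seen:
            raise ValueError(f"duplicate query name: {name!r}")
        seen.add(name.lower())


def render_cell(value, excel_text_mode):
    """Render one value for a tab-delimited row.
    - BLOBs are not extracted: the cell is left empty (this example's choice).
    - Tabs and line breaks are replaced by spaces so a value cannot split the row.
    - In Excel text mode the cell becomes ="<value>" with embedded quotes doubled, so
      Excel neither reformats dates/numbers nor evaluates a value starting with
      =, +, - or @ as a formula."""
    if value is None or isinstance(value, (bytes, memoryview)):
        return ""
    text = re.sub(r"[\t\r\n]+", " ", str(value))
    if excel_text_mode:
        return '="' + text.replace('"', '""') + '"'
    return text


def run_queries(db_path, queries, out_dir, excel_text_mode=True):
    """Apply each named query to one SQLite file and write <name>.csv to out_dir.
    Returns {query name: list of output lines} so results can be inspected."""
    os.makedirs(out_dir, exist_ok=True)
    written = {}
    # Open the file read-only: the examiner's copy must never be modified.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        for name, sql in queries.items():
            cur = con.execute(sql)
            rows = cur.fetchall()
            lines = ["\t".join(d[0] for d in cur.description)]
            lines += ["\t".join(render_cell(v, excel_text_mode) for v in row) for row in rows]
            with open(os.path.join(out_dir, name + ".csv"), "w", encoding="utf-8", newline="") as fh:
                fh.write("\r\n".join(lines) + "\r\n")
            written[name] = lines
    finally:
        con.close()
    return written


def parse_folders(folders, out_dir, excel_text_mode=True):
    """folders maps each SQLite file to its own set of named queries, mirroring the
    script's tree: the same file name under two folders may carry different schemas."""
    check_query_names([name for queries in folders.values() for name in queries])
    results = {}
    for db_path, queries in folders.items():
        results.update(run_queries(db_path, queries, out_dir, excel_text_mode))
    return results


def _create(path, schema, rows):
    """Constructed sample data helper: create one database with one table."""
    os.makedirs(os.path.dirname(path))
    con = sqlite3.connect(path)
    with con:  # commits on success
        con.execute(schema)
        con.executemany(f"INSERT INTO cache VALUES ({','.join('?' * len(rows[0]))})", rows)
    con.close()


def demo(excel_text_mode=True):
    """Build two 'cache.db' files with different schemas, run one query per file
    and return the output lines per query name."""
    work = tempfile.mkdtemp(prefix="sqlite_parser_")
    try:
        a = os.path.join(work, "app_a", "cache.db")
        b = os.path.join(work, "app_b", "cache.db")
        _create(a, "CREATE TABLE cache (url TEXT, fetched INTEGER, body BLOB)", [
            ("https://example.test/a", 1700000000, b"\x89PNG\x00\x01"),
            ('=HYPERLINK("https://example.test/x","click")', 1700000060, b"\x00\xff"),
        ])
        _create(b, "CREATE TABLE cache (key TEXT, value TEXT)", [
            ("last_login", "2023-01-02"),          # Excel would silently turn this into a date
            ("note", 'He said "hi"\tthen left'),   # quote and tab inside one value
        ])
        folders = {
            a: {"app_a cache entries":
                "SELECT url, datetime(fetched, 'unixepoch') AS fetched_utc, body FROM cache ORDER BY fetched"},
            b: {"app_b cache key-values": "SELECT key, value FROM cache ORDER BY key"},
        }
        return parse_folders(folders, os.path.join(work, "output"), excel_text_mode)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, lines in demo().items():
        print(name, *lines, sep="\n  ")
```

Two practitioner caveats on the ="<data>" form: a double quote inside the value has to be doubled or Excel rejects the formula, and Excel limits a string literal inside a formula to 255 characters, so very long values (full URLs, message bodies) may still be truncated or flagged when the file is opened.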
The script saves its settings in an INI file in the EnCase %PROGRAMDATA% folder for the current version. The one exception is the collection of queries, which is now saved in a separate SQLite database file to overcome an issue encountered previously when saving large queries. The option to load and save queries at folder level has been removed for the same reason, although the database has a simple schema that allows it to be edited with a suitable tool (e.g., SQLite Expert) should the need arise.
Some common files and associated queries are included as examples. These are not meant to be definitive: the examiner should verify that they are suitable before using them as part of an investigation.
Write-ahead logging (WAL) was introduced in SQLite version 3.7.0. A database that uses it may have companion '-wal' and '-shm' files alongside the main file: the '-wal' file holds committed transactions that have not yet been checkpointed into the main database, and the '-shm' file holds the index SQLite uses to read them. This data can be read only if the database and its companion files are available together in a writable location, because SQLite must create or update the '-shm' index when it opens a WAL-mode database. To accommodate this, the script provides the option to extract temporary copies of these files automatically. The copies are written to the current case's temporary folder and can be deleted automatically if required.
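As an added illustration of the point above (not part of the script or this page), the following Python builds a constructed WAL-mode database whose newest rows exist only in its -wal file, then compares two extractions into a writable temporary folder: the main file alone, and the main file together with its -wal and -shm companions. The first extraction silently loses the un-checkpointed rows. The table and file names are the example's own; making the destination folder read-only to show the open failure is OS-specific and is not exercised here.

```python
# Added example (not the EnScript's own code): why a WAL-mode SQLite database
# must be copied together with its -wal and -shm files into a writable folder.
import os
import shutil
import sqlite3
import tempfile

COMPANION_SUFFIXES = ("", "-wal", "-shm")  # main file plus its WAL companions


def build_wal_database(path, rows_before_wal=2, rows_in_wal=3):
    """Create a constructed sample database whose newest rows exist only in the -wal.
    Rows inserted before switching to WAL are in the main file; rows inserted afterwards
    stay in the -wal because auto-checkpointing is disabled and the writer connection is
    kept open (closing the last connection would checkpoint and delete the -wal).
    Returns that open connection; the caller must close it."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)",
                    [(f"checkpointed row {i}",) for i in range(rows_before_wal)])
    con.commit()
    if con.execute("PRAGMA journal_mode=WAL").fetchone()[0] != "wal":
        raise RuntimeError("this SQLite build or filesystem does not support WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")
    con.executemany("INSERT INTO messages (body) VALUES (?)",
                    [(f"wal-only row {i}",) for i in range(rows_in_wal)])
    con.commit()
    return con


def extract_copies(source_db, dest_dir, include_companions):
    """Copy the main database file and, optionally, its -wal/-shm companions into
    dest_dir. dest_dir must be writable: SQLite rebuilds the -shm index (and creates
    an empty -wal if none exists) when it opens a WAL-mode database.
    Returns the path of the copied main file."""
    os.makedirs(dest_dir, exist_ok=True)
    suffixes = COMPANION_SUFFIXES if include_companions else ("",)
    for suffix in suffixes:
        src = source_db + suffix
        if os.path.exists(src):
            shutil.copy2(src, os.path.join(dest_dir, os.path.basename(src)))
    return os.path.join(dest_dir, os.path.basename(source_db))


def count_rows(db_path):
    """Open a copy the way an examiner's tool would and count what is visible."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT count(*) FROM messages").fetchone()[0]
    finally:
        con.close()


def compare_extractions():
    """Return (rows visible from the main file alone, rows visible with -wal and -shm)."""
    work = tempfile.mkdtemp(prefix="wal_demo_")
    try:
        live = os.path.join(work, "evidence", "messages.db")
        writer = build_wal_database(live)
        try:
            main_only = extract_copies(live, os.path.join(work, "main_only"), False)
            complete = extract_copies(live, os.path.join(work, "complete"), True)
            return count_rows(main_only), count_rows(complete)
        finally:
            writer.close()
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    partial, full = compare_extractions()
    print(f"main file only: {partial} rows; with -wal/-shm copied alongside: {full} rows")
```

With the defaults, the main-file-only copy shows 2 rows and the complete copy shows 5; the three rows that live only in the -wal file are exactly what an examiner misses when the companion files are not extracted with the database.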
Additional SQL queries provided by Carl Purser.
This script was developed for use in EnCase training. For more details, please click the following link: Download Now