This script is designed to extract BLOB-data from SQLite database files.

The script will work with both records and entries albeit the option to process selected items in the current view will not work with records: tags must be used instead.

A condition can be used to extract only those BLOBs that match the criteria specified by the user. These include GZIP-compressed BLOBs, which can be decompressed automatically.

Regardless of the size set in the condition, empty BLOBs will never be extracted.

The script provides the option to specify the offset and maximum length of data to be extracted from each BLOB.

A BLOB won't be extracted if its length is smaller than the offset specified.

Processing SQLite write-ahead-log (*.WAL) files will cause the main database file and the WAL file to be extracted to the current case's temporary folder. A GUID will be used to identify the files for each database.

The WAL file will be deleted automatically when the database is closed. The main database file will be left behind so the examiner can wipe-delete it should they so wish.

Taking the option to use a flattened output path will cause the script to include only the source file's GUID and name in the output LEF. This may make it easier to perform additional analysis, e.g., property-list parsing.

The script can automatically decode/bookmark property-list and JSON data written to the LEF, in which case each bookmark will link to the BLOB data in the LEF, not the original database.

Settings will be saved for re-use.

Progress can be monitored via the console.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training