Write-up: SQLite Forensics course from Belkasoft

Jeffry Gunawan
MII Cyber Security Consulting Services
5 min read · Mar 5, 2023

A few months ago, Belkasoft gave an interesting course on SQLite forensics. SQLite is still relevant, especially in mobile app forensics, because most messaging apps keep their chats, contacts and media metadata in SQLite databases. This course gives digital forensic investigators a great deal of insight into how to treat SQLite during forensic analysis.

What I got from this course:

- Real practical experience investigating SQLite with Belkasoft tools and DB Browser for SQLite.
- Forensic investigation of social media and messaging apps such as WhatsApp, Facebook, Viber, and Telegram.
- How to carve SQLite files (recovering records that are no longer reachable through the tables).
- How to correlate SQLite tables and columns.

Here is the write-up for this course. It does not cover the final questions, but if you follow the course you can do them easily.

You can buy it yourself; the price (March 2023) is $989.

Here is the overview of the SQLite Forensics course:

Question 1

I skipped the installation how-to; here is my way of finding the right answer.

Answer Question 1

8 records. (Just follow the instructions.)

Question 2

I got so much insight here: we can investigate almost all of the data in the WhatsApp local DB, such as status, group chats and personal chats, and even pictures, although their quality is very far from the original, even blurry.

How to view WhatsApp data in the file system
The interesting things are in msgstore.db

Don't forget to convert the column to UTC format: right-click the column > Choose Column type > UTC. WhatsApp stores each timestamp as a raw Unix epoch integer (milliseconds), so the column is not human-readable until it is converted.

Search the message
Question 3
Change the column format to UTC
View the timestamp

We don't need to convert each timestamp manually one by one, as we would with open-source tools.

Question 4

This is interesting. This picture is like a detective with a little of god's vision, because this little piece of evidence can be brought to court.

message_thumbnail

Correlate the id with the sort_id, which is 38.

message

Swipe to the left until you find 'status'.

The answer is 4. The text in brackets is the tool's default explanation of the value that WhatsApp writes to SQLite.

Answer is 4
Question: correlate using the SQLite DB

Here is my answer :

Answer: correlate using the SQLite DB

We can map the contents of the Facebook group: when the group was created, what is in it, and who is in it.

Question: how many group participants
Answer: how many group participants

Or you can use COUNT() in the query instead of counting rows by eye. The way each investigator does forensics may differ a little, but as long as it follows forensic rules, the result will be the same or will not differ much.
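The three things the write-up does by clicking in Belkasoft (converting millisecond timestamps to UTC, correlating message_thumbnail with message, and counting group participants) can also be done as plain SQL against the database, which is useful when you want a repeatable query in your report. The example below is added here and is not code from the course or from Belkasoft; it builds a constructed, much simplified database in memory whose table and column names (message, message_thumbnail, group_participant, _id, message_row_id, group_jid, and so on) are assumptions for illustration, not WhatsApp's real schema. It also cross-checks the SQLite `datetime(..., 'unixepoch')` conversion against Python's own conversion so you can trust the values you put in the report.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample, NOT a real msgstore.db: a minimal schema loosely modelled on
# the tables named in the write-up (message, message_thumbnail) plus a hypothetical
# group_participant table. All column names here are assumptions for illustration.
SCHEMA = """
CREATE TABLE message (
    _id         INTEGER PRIMARY KEY,
    chat_row_id INTEGER,
    from_me     INTEGER,
    status      INTEGER,
    timestamp   INTEGER,          -- Unix epoch in MILLISECONDS, as WhatsApp stores it
    text_data   TEXT
);
CREATE TABLE message_thumbnail (
    message_row_id INTEGER,       -- points at message._id
    thumbnail      BLOB
);
CREATE TABLE group_participant (
    group_jid       TEXT,
    participant_jid TEXT
);
"""

# Constructed rows. 1677974400000 ms is 2023-03-05 00:00:00 UTC.
MESSAGES = [
    (37, 1, 1, 4, 1677974400000, "hello"),
    (38, 1, 0, 4, 1677974461500, None),          # media message: text is NULL
    (39, 1, 1, 0, 1677974520000, "see attached"),
]
THUMBNAILS = [(38, b"\xff\xd8\xff\xe0stub-jpeg")]  # thumbnail belongs to message 38
PARTICIPANTS = [
    ("group1@g.us", "alice@s.whatsapp.net"),
    ("group1@g.us", "bob@s.whatsapp.net"),
    ("group1@g.us", "carol@s.whatsapp.net"),
    ("group2@g.us", "alice@s.whatsapp.net"),
]


def open_sample_db():
    """Build the constructed database in memory and return the connection."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO message VALUES (?,?,?,?,?,?)", MESSAGES)
    con.executemany("INSERT INTO message_thumbnail VALUES (?,?)", THUMBNAILS)
    con.executemany("INSERT INTO group_participant VALUES (?,?)", PARTICIPANTS)
    con.commit()
    return con


def ms_to_utc(ms):
    """Python-side conversion of a millisecond epoch value to a UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def messages_with_utc(con):
    """The same conversion done inside SQLite, as you would type it into DB Browser.
    timestamp / 1000 is integer division, so the milliseconds are dropped before
    'unixepoch' interprets the value as seconds."""
    return con.execute(
        "SELECT _id, datetime(timestamp / 1000, 'unixepoch') AS utc, text_data "
        "FROM message ORDER BY timestamp"
    ).fetchall()


def cross_check(con):
    """True if the SQL and Python conversions agree for every message row."""
    rows = con.execute("SELECT timestamp, datetime(timestamp / 1000, 'unixepoch') FROM message")
    return all(ms_to_utc(ms) == utc for ms, utc in rows)


def thumbnail_message(con, message_row_id):
    """Correlate a thumbnail with its message row and read the status column.
    Returns (message id, status, from_me, thumbnail size in bytes)."""
    return con.execute(
        "SELECT m._id, m.status, m.from_me, length(t.thumbnail) "
        "FROM message_thumbnail t JOIN message m ON m._id = t.message_row_id "
        "WHERE t.message_row_id = ?",
        (message_row_id,),
    ).fetchone()


def count_group_participants(con, group_jid):
    """COUNT() instead of counting rows by eye."""
    return con.execute(
        "SELECT COUNT(*) FROM group_participant WHERE group_jid = ?", (group_jid,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    for row in messages_with_utc(db):
        print(row)
    print("thumbnail 38 ->", thumbnail_message(db, 38))
    print("group1 participants:", count_group_participants(db, "group1@g.us"))
    print("SQL and Python conversions agree:", cross_check(db))
```

When you point the same queries at a real evidence copy, open it read-only (`sqlite3.connect("file:msgstore.db?mode=ro", uri=True)`) so the tool cannot alter hashes, and keep the `-wal` and `-shm` files next to the copied `.db`: with write-ahead logging enabled, the newest records may exist only in the WAL file and will be missing if you copy the main database alone.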

The last questions are about correlating tables
The emoji is the answer

Just sort the columns.

Correlate the tables
I found the URL

Thank you. What do you think about this course? Really interesting, isn't it?

Nice course, and I give it 5 stars!


Cyber Security Consultant | CEH(P), CHFI, ECIH, CSA, CSCU, SC200,400,300,900