API Forensics™ is proud to announce the release of Exponent CSV To SQLite™, the next product in a series of offerings belonging to the Exponent™ library of DFIR add-on X-Tensions for X-Ways Forensics (XWF).
Exponent CSV To SQLite™ introduces the capability to import character separated value (CSV) files into a new or existing SQLite database for robust timeline and artifact analysis. This new X-Tension is designed to complement Exponent’s SQLite Explorer X-Tension, and vice versa.
Forensic practitioners have been wanting an easier and more powerful way to examine records and logs provided in CSV, TSV and XLSX/XLS file formats. Many 3rd party forensic tools can export evidence such as SMS/MMS messages, Internet history, phone call logs, financial transactions, and other information into CSV file format. Unfortunately, it’s hard to work with this type of evidence, especially when the files are plentiful and their content is not similar.
Being able to bring all of these disparate types of evidence under one roof is what has long been needed!
Whether you are conducting a forensic investigation into a computer, email, mobile devices or cloud activity, it doesn’t matter when it comes to character (comma) separated value (CSV) files. So long as the source application (e.g., 3rd party forensic tools, Excel, network logs) can export evidence into a CSV file format, CSV To SQLite will seamlessly import the data into a new or existing SQLite database. One container for all your evidence.
Leverage the power of structured queries in SQLite to surgically filter, examine and report on large volumes of data. Create a single container to house all of the pertinent evidence (e.g., mobile device data stores) for preservation and disclosure.
For each CSV file imported into the designated target database (new or existing), a new table is created in the target database. By default, the file name of the file being imported is what is used to name the new table as it is created inside the SQLite database. During the import process, examiners can choose to rename the intended table name to something more intuitive. CSV To SQLite uses this customization option to also prevent collisions in case files being imported from different directories happen to have the same file name.
Once the data is imported, examiners can then modify the actual data type of select columns in the various tables created. Since all records imported default to a SQLite TEXT data type, it might be preferable to convert some columns to a more appropriate data type (e.g., from TEXT to INTEGER). This is achieved through an update to Exponent’s SQLite Explorer X-Tension where a new Edit Mode toggle switch has been created on the Columns tab.
Consider a scenario where an investigator has a Google Chrome history file from each of the many devices seized during an investigation and desires to examine them all at the same time. With CSV To SQLite, it is easy to merge the records from any tables from each of the database files. The end result? An SQLite database containing ALL the Internet history activity in a single place.
Exponent’s SQLite Explorer X-Tension can be used to open any SQLite database for the purpose of exporting any tables to an investigator’s local hard drive, as character separated value files (e.g., CSV, TSV), which can then be introduced to Exponent’s CSV To SQLite. Using both X-Tensions gives investigators great control over what evidence they want to work with.
Image 2 – Using Edit Mode in SQLite Explorer to update column data types
Once the data types have been updated to INTEGER, Exponent SQLite Explorer can then convert those timestamp columns into new columns containing properly formatted dates and times. This makes it so much easier to then query date-based evidence.
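The workflow described above (one all-TEXT table per CSV named after the file, a TEXT-to-INTEGER column change, then a derived date column) can be reproduced with Python's standard `sqlite3` module. This is an added illustration, not Exponent's code. It assumes constructed sample exports with hypothetical `url` and `last_visit_time` columns, Chrome-style WebKit timestamps (microseconds since 1601-01-01 UTC), and an automatic numeric suffix on table-name collisions.

```python
import csv, io, re, sqlite3

# Constructed sample exports; timestamps are WebKit microseconds since 1601-01-01 UTC.
SAMPLE_A = "url,last_visit_time\nhttps://example.com/a,13349793600000000\n"
SAMPLE_B = "url,last_visit_time\nhttps://example.org/b,13349867400000000\n"

def import_csv(conn, path, text, rename=None):
    """Create one all-TEXT table per CSV, named after the file (or `rename`)."""
    existing = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    base = re.sub(r"\W", "_", rename or path.rsplit("/", 1)[-1].rsplit(".", 1)[0])
    table, n = base, 2
    while table in existing:  # assumption: suffix on collision instead of prompting
        table, n = f"{base}_{n}", n + 1
    rows = csv.reader(io.StringIO(text))
    header = [re.sub(r"\W", "_", c) for c in next(rows)]
    cols = ", ".join(f'"{c}" TEXT' for c in header)
    conn.execute(f'CREATE TABLE "{table}" ({cols})')
    marks = ", ".join("?" * len(header))
    conn.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)
    return table

def retype_integer(conn, table, column):
    """SQLite cannot alter a column's type in place, so rebuild the table with a CAST."""
    info = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    defs = ", ".join(f'"{c[1]}" {"INTEGER" if c[1] == column else c[2]}' for c in info)
    sel = ", ".join(f'CAST("{c[1]}" AS INTEGER)' if c[1] == column else f'"{c[1]}"' for c in info)
    conn.execute(f'CREATE TABLE "_retype" ({defs})')
    conn.execute(f'INSERT INTO "_retype" SELECT {sel} FROM "{table}"')
    conn.execute(f'DROP TABLE "{table}"')
    conn.execute(f'ALTER TABLE "_retype" RENAME TO "{table}"')

def add_webkit_utc(conn, table, column):
    """Add <column>_utc holding the WebKit timestamp as 'YYYY-MM-DD HH:MM:SS' (UTC)."""
    conn.execute(f'ALTER TABLE "{table}" ADD COLUMN "{column}_utc" TEXT')
    conn.execute(f'UPDATE "{table}" SET "{column}_utc" = '
                 f'datetime("{column}" / 1000000 - 11644473600, \'unixepoch\')')

def merged_timeline():
    """Import two same-named exports from different devices and merge them by time."""
    conn = sqlite3.connect(":memory:")
    a = import_csv(conn, "laptop/history.csv", SAMPLE_A)
    b = import_csv(conn, "phone/history.csv", SAMPLE_B)
    for t in (a, b):
        retype_integer(conn, t, "last_visit_time")
        add_webkit_utc(conn, t, "last_visit_time")
    parts = [f"SELECT '{t}' AS source, url, last_visit_time_utc FROM \"{t}\"" for t in (a, b)]
    return a, b, conn.execute(" UNION ALL ".join(parts) + " ORDER BY 3").fetchall()
```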
Get started today and realize the full potential of Exponent CSV To SQLite™ in your X-Ways Forensics investigations. Simply fill out the download request form and we’ll send you an Exponent™ 30-day trial license by email.