API Forensics™ is proud to announce the release of Exponent SQLite Explorer™, the next product in a series of offerings belonging to the Exponent™ library of DFIR add-on X-Tensions for X-Ways Forensics (XWF).
Exponent SQLite Explorer™ introduces a native database viewer to help examiners analyze and report on SQLite database content. When you consider that most mobile device applications implement SQLite as their primary data store for storage and management of application data, having the ability to accurately and quickly examine databased evidence is invaluable.
We asked hundreds of forensic practitioners what tool they needed the most in their toolbox when it comes to mobile device evidence and their resounding response was support for SQLite databases.
What was even more important was the ability to have this functionality built into X-Ways Forensics to make their investigations more seamless.
With the cleverly designed user interface, examiners have multiple ways to view and query the contents of an SQLite database. Clicking on a specific table in the Database pane will load the table contents into the Data pane.
Custom queries start with selecting individual columns in the Table table under the Database pane. Navigating large recordsets is easy with customizable pagination and group-by-column functionality. Details can be previewed for each individual record as well.
Database properties and column definitions provide insight about record deletion and data types used to store records.
Switching to the SQL tab under the Data pane, examiners have full control over the creation of custom SQL query statements. Results are displayed in real time and can also be saved to disk as a new SQLite database for external viewing.
For those who want to get under the hood, SQLite Explorer features a Forensic tab that exposes the database in hexadecimal view. With the initial product release, common file header elements are exposed using an intuitive navigational map.
In planned upcoming updates to this X-Tension, examiners will be able to step through all forensic artifacts using the Map. The ability to identify and recover unallocated B-Tree Pages and deleted records will be included.
Using the Designer tab, forensic practitioners will be able to join tables from flat databases, visually create complex queries and run them in real time. Copying the SQL statement to the clipboard and then running it in the SQL tab will provide the ability to save the results as a new SQLite database for further analysis or distribution.
Time Column Conversion is a cool feature that can detect Google Chrome and Unix timestamps in a given table and automatically convert the numeric values to proper readable dates. New columns are created and appended to the table and will persist even after the database is closed. Please keep in mind that changes like this are only done against the COPY of the database, which is always created when you open a database for analysis. Once the new columns are created, you can access them in new queries and sort on the new time values.
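The conversion described above can be sketched in a few lines of Python. This is an added example, not API Forensics' code: the plausibility window, the `_utc` column suffix, the `.workcopy` file name and the sample table are all assumptions made for illustration.

```python
import shutil
import sqlite3
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# (label, epoch, timedelta unit) for the two encodings the page names.
ENCODINGS = (("chrome", datetime(1601, 1, 1, tzinfo=UTC), "microseconds"),
             ("unix", datetime(1970, 1, 1, tzinfo=UTC), "seconds"))
# Assumption: an integer only counts as a timestamp if it decodes into this window.
WINDOW = (datetime(2000, 1, 1, tzinfo=UTC), datetime(2040, 1, 1, tzinfo=UTC))

def decode(value):
    """Return (label, datetime) when value fits one encoding, else None."""
    if type(value) is not int:
        return None
    for label, epoch, unit in ENCODINGS:
        try:
            moment = epoch + timedelta(**{unit: value})
        except OverflowError:  # e.g. a Chrome value read as seconds
            continue
        if WINDOW[0] <= moment <= WINDOW[1]:
            return label, moment
    return None

def convert_time_columns(evidence_path, table):
    """Add <column>_utc text columns to a working copy; return (copy_path, {new_column: label})."""
    copy_path = evidence_path + ".workcopy"
    shutil.copyfile(evidence_path, copy_path)  # the evidence file is never opened for writing
    con = sqlite3.connect(copy_path)
    added = {}
    for col in [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]:
        rows = con.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL').fetchall()
        decoded = [decode(value) for _, value in rows]
        labels = {d[0] for d in decoded if d}
        if not rows or None in decoded or len(labels) != 1:
            continue  # empty, non-numeric, out-of-window or mixed column: leave untouched
        con.execute(f'ALTER TABLE "{table}" ADD COLUMN "{col}_utc" TEXT')
        stamps = [(d[1].strftime("%Y-%m-%d %H:%M:%S"), rowid) for (rowid, _), d in zip(rows, decoded)]
        con.executemany(f'UPDATE "{table}" SET "{col}_utc" = ? WHERE rowid = ?', stamps)
        added[col + "_utc"] = labels.pop()
    con.commit()
    con.close()
    return copy_path, added

def build_sample(path):
    """Constructed sample: one Chrome-style and one Unix-style column for the same instant."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE urls (id INTEGER, url TEXT, last_visit_time INTEGER, created INTEGER);"
        "INSERT INTO urls VALUES (1, 'https://example.com/', 13344473600000000, 1700000000);")
    con.close()
```

`shutil.copyfile` copies only the main database file, so a database with a `-wal` sidecar needs that file copied alongside it before the working copy reflects uncheckpointed records.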
Get started today and realize the full potential of Exponent SQLite Explorer™ in your X-Ways Forensics investigations. Simply fill out the download request form and we’ll send you an Exponent™ 30-day trial license by email.