Introducing SQLiteWalker

Posted by

In my continued research of mobile devices, I always wanted to find a way to quickly hunt for files to research. Because mobile devices (both Android and iOS) rely heavily on SQLite databases I figured why not make a script to pull these databases out from the filesystem for further analysis. 

The premise behind my script was to spurred on by Eric Zimmerman's SQLECmd which has a -hunt switch that allows for finding database files from a folder structure. Using the -verbose option spit out a large log of what was found but it wasn't formatted exactly how I wanted it and it ran slower than I anticipated. And so in a galaxy far far away, SQLiteWalker was born!

Download link: https://github.com/stark4n6/SQLiteWalker

Simply put, it looks for magic header details for SQLite databases and extracts the files. Currently, SQLiteWalker can handle folder or .zip input formats. The only other required field is an output path for the exported files and reports. The only optional switch is quiet mode which will not output file paths to the console (it will still write them to the report file).

Figure 1: Command line switch options

Here is what the script looks like after it finishes. As you can see below you will get final runtimes, count of databases found, as well as error counts (if applicable).

Figure 2: Finish line of SQLiteWalker

At the output path we get a folder named "SQLiteWalker_Out" appended by the date/time the script was kicked off. Inside the folder we get at least two, but sometimes three items:
  1. Exported/Recreated folder structure with original database files
  2. File list report containing:
    • File name
    • File path
    • Table structure
  3. Error list report (if applicable) containing:
    • File name
    • File path
    • Error
Figure 3: Sample output folder

Here is a look at the db_list.tsv file in TimelineExplorer:

Figure 4: Sample db_list.tsv output

Here is a sample of the error_list.tsv:

Figure 5: Sample error_list.tsv output

Because I wrote this whole thing in about 2 days time, I'm sure more updates will come in the near future. Some things on my to-do list include .TAR format support as well as working on a GUI.

As always feedback is more than welcomed, feel free to reach out to me on Twitter or Mastodon or open an issue on the Github page and hopefully I can address it. May the [forensic] force be with you!