Recently I have been looking for the best way to get my main SQLite database I use onto my iOS devices. This will enable me to run some tasks and kick off some automation tasks, pull information out etc. like I do on my desktop machines. Now there are apps I can use if I want to run select statements etc., but I have many Python scripts that do selects and format data and do other things once they have the data, so I wanted more than just selecting, and not to be tied to my desktop machine.

I thought I would have a look again at Pythonista. I have always wanted to get into this more as I have read and heard many good things about the application. Once I managed to connect to my Dropbox account, it opened up a new world of productivity. I can now download and upload files to Dropbox, and run some of the scripts that help me pick out information for my current "proper" job wherever I am, or if they are needed when offsite in meetings etc. Now I can combine jobs from Pythonista and Workflow with my database, I am freed up more, and not so tied to a desktop machine. Also, now I can do this I can finish my migration from Bento to SQLite on my Mac; it's a shame, I like Bento, but as they no longer develop it for the Mac, I know if I upgrade I will always have my databases.

I have a Workflow created that runs this Pythonista script and then gives me a nice notification after to say it's done; I don't need to load any applications, just click the one icon on my device. There are a couple of pre-reqs you need: one is you need to create a Dropbox application to make API requests, and you also need the piece of code dropboxlogin. The gist of the code I use is:

    import dropbox
    from dropboxlogin import get_client   # helper script that returns an authenticated Dropbox client
    import webbrowser

    dropbox_client = get_client()
    # get_file_and_metadata() returns the file object and its metadata in one call,
    # so the file only needs to be fetched once
    download, metadata = dropbox_client.get_file_and_metadata('/Databases/jarvis.db')
    with open('Jarvis/jarvis.db', 'wb') as out:
        out.write(download.read())
    download.close()
    webbrowser.open("workflow://")   # hand control back to the Workflow app

The last line is only for if you want to open the Workflow application after the code has run. You can download the full script from my GitHub. I hope you find this useful; if I can be of any help with this please feel free to reach out and contact me through one of the channels listed above.

In my previous blog, the use of EnScript was introduced as a benefit to extend the artifact reach and add custom parsing for the not yet supported. This blog will focus on the configuration and use of the Generic SQLite Database Parser, illustrating how custom SQLite queries can be added for one or many SQLite databases, how one or many custom queries can be executed from within the EnScript, and how the exposed data is presented within OpenText™ EnCase™ and as TSV (tab-separated values). For review of a single SQLite database that may use a Write Ahead Log (WAL), or for development of relevant SQLite queries, the View SQLite with WAL EnScript plugin will be introduced. Whilst the specific databases mentioned will relate to Apple iOS or macOS, the subject matter explored is directly transferable to any SQLite database.

As a digital forensic examiner, you might have a collection of SQLite queries that can be used in any or all of your DFIR examinations. These might have been created over a period of time and stored in a text file with other SQLite queries grouped by a common theme, such as: This is great, and I admit, as a forensic examiner myself, I have followed a similar practice. The relevant query for a given database can be copied and pasted from the text file into a SQLite viewer and executed. Could this process be made more efficient at a time when workloads and quantities of data in forensic examinations are increasing?

Using the Generic SQLite Database Parser EnScript can improve workflow, following some initial configuration. The basic premise of the EnScript is to utilize built-in EnCase SQLite parsing functionality to automate the running of one or more SQLite queries against one or more SQLite databases. The EnScript can be configured with the name of the SQLite database as a parent folder for one or more child objects: custom SQLite queries that can be executed against said database. Take for example the Photos.sqlite database used by the Photos app on both iOS and macOS. Querying this database can allow the examiner to quickly and easily identify photographs that have been:
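The model the Generic SQLite Database Parser EnScript follows (database file name as the parent, named queries as its children, results written as TSV) and the reason the View SQLite with WAL plugin exists, as an added Python example that is not the EnScript or any OpenText or author code. The photos table, its rows and the directory layout are constructed stand-ins, not the real Photos.sqlite schema.

```python
import csv, os, shutil, sqlite3, tempfile

# Database file name as the parent, named queries as its children (the EnScript's
# layout). The photos schema is a constructed stand-in, not the real Photos.sqlite.
QUERIES = {"Photos.sqlite": {
    "all_photos": "SELECT id, filename FROM photos ORDER BY id",
    "trashed_photos": "SELECT id, filename FROM photos WHERE trashed = 1",
}}

def run_queries(evidence_root, out_dir, queries=QUERIES):
    """Run each configured query against every matching database under evidence_root,
    writing one TSV per (database, query). Returns {(database, query): row count}."""
    counts = {}
    for dirpath, _, files in os.walk(evidence_root):
        for name in set(files) & set(queries):
            con = sqlite3.connect(os.path.join(dirpath, name))   # always a working copy
            for qname, sql in queries[name].items():
                cur = con.execute(sql)
                rows = cur.fetchall()
                with open(os.path.join(out_dir, f"{name}.{qname}.tsv"), "w", newline="") as fh:
                    w = csv.writer(fh, delimiter="\t", lineterminator="\n")
                    w.writerow([d[0] for d in cur.description])   # column names as header
                    w.writerows(rows)
                counts[(name, qname)] = len(rows)
            con.close()
    return counts

def wal_demo():
    """Rows committed since the last checkpoint exist only in Photos.sqlite-wal, so a
    database copied without its -wal file under-reports. Returns (no_wal, with_wal)."""
    db = os.path.join(tempfile.mkdtemp(), "Photos.sqlite")
    writer = sqlite3.connect(db)
    writer.execute("CREATE TABLE photos(id INTEGER PRIMARY KEY, filename TEXT, trashed INTEGER)")
    writer.executemany("INSERT INTO photos VALUES (?, ?, ?)",
                       [(1, "IMG_0001.HEIC", 0), (2, "IMG_0002.HEIC", 0)])   # constructed rows
    writer.commit()                          # rollback-journal mode: pages land in the main file
    writer.execute("PRAGMA journal_mode=WAL")
    writer.executemany("INSERT INTO photos VALUES (?, ?, ?)",
                       [(3, "IMG_0003.HEIC", 1), (4, "IMG_0004.HEIC", 0)])
    writer.commit()                          # WAL mode: pages land only in Photos.sqlite-wal
    results = []
    for with_wal in (False, True):           # writer stays open, so no checkpoint happens yet
        case = tempfile.mkdtemp()
        evidence, out = os.path.join(case, "evidence"), os.path.join(case, "out")
        os.makedirs(evidence); os.makedirs(out)
        shutil.copy(db, evidence)
        if with_wal:
            shutil.copy(db + "-wal", evidence)
        results.append(run_queries(evidence, out))
    writer.close()                           # closing checkpoints the WAL into the main file
    return tuple(results)
```

The first result set sees only the two checkpointed rows; the second, with the -wal file alongside, sees all four, which is why the WAL must be collected and processed with the main database file.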