SQLite Forensic Explorer is a highly specialized digital forensics application developed by Sanderson Forensics as part of their comprehensive Forensic Toolkit for SQLite. The core purpose of the software is to provide digital investigators with a deep, file-level view of every single byte inside an SQLite database or its associated Write-Ahead Log (WAL) files.
While traditional database browsers only display active tables and rows, SQLite Forensic Explorer is optimized for data recovery, structure validation, and uncovering hidden or deleted artifacts.

Core Features for Investigators
Byte-Level Hex/ASCII Conversion: The software decodes raw data at a byte level by offset, mapping length and values into readable formats. It handles variable-length integers (Varints) automatically.
Database Structure Mapping: It visualizes the B-Tree structure of tables and indexes. Investigators can click through nodes to navigate directly from the database root page down to the interior pages and final leaf nodes.
Ancillary File Support: It fully parses active databases as well as temporary transaction files, including WAL (Write-Ahead Log) files and rollback journals. These files frequently hold evidence that was deleted or never formally committed to the main database.
Unallocated Space & Freelist Inspection: SQLite often retains deleted data in freeblocks, freelist pages, or page slack. The tool uses a clear color-coding scheme to highlight these unused spaces, automatically rebuilding and carving out deleted data into readable records.
Index B-Tree Exploration: Indexes are frequently overlooked in investigations. Unlike tables, SQLite index B-Trees contain data in both interior and leaf nodes. The Explorer lets investigators map these indexes to recover deleted timeline fragments, historic timestamps, and changed data strings.

Why Investigators Use It
Most modern mobile operating systems (iOS and Android) and desktop applications (Chrome, WhatsApp, Firefox) store critical artifacts like messages, location logs, and browser history in SQLite databases. When a database is corrupted, or a suspect deletes critical logs, standard SQL queries will fail. Investigators rely on this explorer to manually validate evidence, prove the existence of records, and extract fragmented binary files directly from the hexadecimal structure.

SQLite Forensic Explorer by Acquire Forensics
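
The freelist retention described under Unallocated Space & Freelist Inspection can be checked by hand. The following is an added example, not part of the tool or the original page: it builds a constructed database, deletes every row, then walks the freelist trunk chain from the file header and finds the deleted text still present on the free pages. The table name, marker string and function names are assumptions made for the illustration.

```python
import os, sqlite3, struct, tempfile

MARKER = b"constructed-msg-"  # constructed sample data, not from any real case

def build_sample_db(path):
    """Commit 200 rows, then delete them all so their pages move to the freelist."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # some builds zero freed pages by default
    con.execute("PRAGMA auto_vacuum=NONE")   # keep freed pages inside the file
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body TEXT)")
    rows = [(MARKER.decode() + "%04d-" % i + "x" * 200,) for i in range(200)]
    con.executemany("INSERT INTO msgs(body) VALUES (?)", rows)
    con.commit()
    con.execute("DELETE FROM msgs")
    con.commit()
    live = con.execute("SELECT count(*) FROM msgs").fetchone()[0]
    con.close()
    return live

def freelist_pages(raw):
    """Walk the freelist trunk chain starting from the 100-byte database header."""
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    trunk, total = struct.unpack(">II", raw[32:40])  # first trunk page, page count
    pages, seen = [], set()
    while trunk and trunk not in seen:               # 'seen' stops a corrupt loop
        seen.add(trunk)
        off = (trunk - 1) * page_size
        nxt, n = struct.unpack(">II", raw[off:off + 8])
        n = min(n, page_size // 4 - 2)               # clamp a corrupt leaf count
        pages += [trunk, *struct.unpack(">%dI" % n, raw[off + 8:off + 8 + 4 * n])]
        trunk = nxt
    return page_size, total, pages

def carve(raw, page_size, pages, marker):
    """Count marker hits on each free page; these bytes are invisible to SQL."""
    counts = {p: raw[(p - 1) * page_size:p * page_size].count(marker) for p in pages}
    return {p: c for p, c in counts.items() if c}

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        live = build_sample_db(path)
        with open(path, "rb") as f:
            raw = f.read()
    page_size, total, pages = freelist_pages(raw)
    return live, total, pages, carve(raw, page_size, pages, MARKER)

if __name__ == "__main__":
    print(demo())
```

On evidence, run this kind of parsing against a verified working copy only; opening the original with a SQLite library can checkpoint a WAL or reuse free pages.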