Scribd Logo
Upload

Welcome to Scribd!

  • 81 views

    SQlite PocketReference Final

    Uploaded by

    nosopiv
    The document discusses various topics related to working with SQLite databases including: 1) How to join data from multiple tables, convert timestamp formats, and use common SQLite commands like SELECT through the sqlite3 CLI. 2) Details on identifying if a database uses journaling or WAL, how to interpret timestamp values stored in different formats, and tips for renaming columns and sorting/filtering query results. 3) Pointers to documentation and tutorials for learning more about SQLite and tools for examining deleted database artifacts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    SQlite PocketReference Final

    Uploaded by

    nosopiv
    81 views1 page
    The document discusses various topics related to working with SQLite databases including: 1) How to join data from multiple tables, convert timestamp formats, and use common SQLite commands like SELECT through the sqlite3 CLI. 2) Details on identifying if a database uses journaling or WAL, how to interpret timestamp values stored in different formats, and tips for renaming columns and sorting/filtering query results. 3) Pointers to documentation and tutorials for learning more about SQLite and tools for examining deleted database artifacts.

    Original Description:

    sql

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document discusses various topics related to working with SQLite databases including: 1) How to join data from multiple tables, convert timestamp formats, and use common SQLite commands like SELECT through the sqlite3 CLI. 2) Details on identifying if a database uses journaling or WAL, how to interpret timestamp values stored in different formats, and tips for renaming columns and sorting/filtering query results. 3) Pointers to documentation and tutorials for learning more about SQLite and tools for examining deleted database artifacts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    81 views1 page

    SQlite PocketReference Final

    Uploaded by

    nosopiv
    The document discusses various topics related to working with SQLite databases including: 1) How to join data from multiple tables, convert timestamp formats, and use common SQLite commands like SELECT through the sqlite3 CLI. 2) Details on identifying if a database uses journaling or WAL, how to interpret timestamp values stored in different formats, and tips for renaming columns and sorting/filtering query results. 3) Pointers to documentation and tutorials for learning more about SQLite and tools for examining deleted database artifacts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 1

    Table Joins Timestamp Conversion sqlite3 CLI Options

    Taking data from two (or more!) tables that have a column in Timestamps are stored in the databases as one of several numerical Use the command line version of the sqlite3 program
    common and joining them into one table. Identify tables of interest representations. (Timestamps are assumed to be stored in UTC, you (sqlite.org/cli.html) either in a SQLite shell, or just query via CLI:
    that contain unique values. may need to verify this.) $ sqlite3 <db_file>
    $ sqlite3 <db_file> ‘select * from a_table’
    LEFT JOIN – Resulting rows are returned from the LEFT table even UNIX Epoch (10 digit number - number of seconds since
    if there are no matches in the right. Using the LEFT JOIN produced 01/01/1970 00:00:00): • .help – Provides a list of these ‘dot-commands’
    all the text messages including those with and without .tables – Show the table names in the database
    • SELECT datetime(TS_COLUMN,'unixepoch') •
    attachments.
    Or in local time as suggested by the device settings (this can be • .headers on – Show the column names in the output

    SELECT
    done for all the following timestamps): • .mode column - Show left-aligned columns
    ZVIBERMESSAGE.ZTEXT AS "Message Text", • SELECT datetime(TS_COLUMN,'unixepoch', • .mode tabs – Show tab separated columns
    ZATTACHMENT.ZNAME AS “Attachment Filename", 'localtime') • .output <filename> - Send output to file
    datetime(ZVIBERMESSAGE.ZDATE+978307200,'unixepoch' • .dump – Dump database contents (use with .output)
    ,'localtime') AS "Message Date", UNIX Epoch MILLISECONDS (13 digit number - number of
    ZVIBERMESSAGE.ZSTATE AS "Message Direction/State" • .quit – Quit sqlite3 shell
    milliseconds since 01/01/1970 00:00:00):
    FROM
    ZVIBERMESSAGE • SELECT
    datetime(TS_COLUMN/1000,'unixepoch');
    LEFT JOIN ZATTACHMENT on
    Is the Database Using WAL or Journaling
    ZATTACHMENT.Z_PK=ZVIBERMESSAGE.ZATTACHMENT
    Mac Absolute time, number of seconds since 01/01/2001
    INNER JOIN - Resulting rows are returned when both items are a 00:00:00. In order to correctly convert this timestamp, first, add The SQLite header for every database will contain offsets enabling
    match. Using the INNER JOIN (also achieved by typing “JOIN” in the number of seconds since UNIXEPOCH time to Mac Absolute you to differentiate if a journal or WAL is being used to support the
    the query) returned just the messages that included attachments. Time (978307200), then convert. database.
    • SELECT datetime(TS_COLUMN + 978307200, • File Offset 18 (1 byte) = x01 = Journaling
    'unixepoch'); • File Offset 19 (1 byte) = x01 = Journaling
    Useful Stuff OR
    Chrome time accounts for time accurate to the MICROSECOND, • File Offset 18 (1 byte) = x02 = WAL
    Column Renaming: which requires dividing the number by 1,000,000:
    A_TABLE.ZAWKWARDCOLUMNNAME AS “Chat Messages” • File Offset 19 (1 byte) = x02 = WAL
    • SELECT datetime(TS_COLUMN/1000000 +
    (strftime('%s','1601-01-
    Counting: 01')),'UNIXEPOCH'); SQLite Deletion
    SELECT COUNT(*) FROM A_TABLE;
    Examine the table to determine if data is moved to the free pages
    Aggregating with GROUP BY and COUNT (Count chat messages per or a Boolean value is entered to mark the data deleted.
    SQLite References & Tutorials
    contact):
    Use a SQLite Editor to examine the free pages in a Hex view to carve
    SELECT MESSAGES,COUNT(*) FROM CHAT GROUP BY
    CONTACT; • Official SQLite Documentation: https://sqlite.org for deleted artifacts.
    • Great Tutorials:
    Use scripts and tools available to conduct a cursory scan of the free
    Sorting with ORDER BY: o https://www.tutorialspoint.com/sqlite/
    pages for deleted SQLite entries
    SELECT * FROM CHAT ORDER BY A_TIMESTAMP ASC o http://www.sqlitetutorial.net/
    ASC = Ascending o http://zetcode.com/db/sqlite/
    DESC = Descending o http://sandersonforensics.com/forum/content.php?2
    75-How-NOT-to-examine-SQLite-WAL-files
    Searching with WHERE and LIKE: • FOR518 – Mac Forensic Analysis – FOR518.com
    SELECT CONTACT, MESSAGE FROM CHAT WHERE • FOR585 – Advanced Smartphone Forensics – FOR585.com
    CONTACT LIKE ‘%Hank%’ v.090517

    You might also like