I’m happy to announce that MetaDiver 2.5.0 is available for download. This is a big release with some fun new stuff. If you are not familiar with MetaDiver and want to understand what it can do for you: put simply, it allows you to review metadata stored in many files such as pictures, office documents
I’m excited to announce that MetaDiver 2.1 has been released! This is close to a full rewrite with better scalability. The ability to review metadata in MetaDiver has been greatly improved. The back-end has been rewritten to use SQLite. Many new documents are now handled including email archives, Windows Shortcuts including lnk and jumplists, legacy
Today I’m posting some research I did early last year related to querying Chrome Web Browser SQLite databases which is how Chrome stores most of the useful information that makes for a great browsing experience. A byproduct of course is useful information for an examiner. In this post I’m going to talk about two databases
When reviewing activity from a Mac OSX system there are a number of great artifacts to consider in your investigations. In this post I’m going to talk about the Quicklook database that stores metadata for thumbnails of files you view in the Mac Finder. When a Finder session renders that thumbnail, it tracks the thumbnail information
Recently I had a need to get Address Book information from an imaged Mac without having that computer up and running. Since I didn’t have the ability to do it on the running Mac I decided to try to reverse engineer the SQLite database that stores the AddressBook information. Below is what I put together.
A new beta of SQLiteDiver has been released. The graphical and console versions are now bundled into a single zip file. Version 0.5 of SQLiteDiver is available for download. You can review the changelog here. The graphical version can now open SQLite databases from the command line or Windows Explorer using “Open With” and file associations.
I was talking with a buddy this morning and he brought up something I didn’t think to test before in SQLite. I knew from research that you had dynamically typed data columns in SQLite databases. What I didn’t realize was that you can create table columns without a DataType set! Yup, you heard correct, no
Following my talk on SQLite Forensics at the CEIC conference I want to share the scripts I wrote but did not get the opportunity to demo during the talk! I talked about using Python to export data from the Favicon database in the Chrome web browser, or any SQLite database using Python. In this post I’m going