SQLite might be the most important source of forensically relevant data we have access to right now. Many of our tools do a great job showing us the chats, the calls, the browser history, and even Windows Operating System information… but how does SQLite work below the data? In this presentation we will take a look at that low-level area of the database, including the SQLite header, pages, and even what a VARINT is and how to work with them.
Justin Tolman has been working in digital forensics for 12 years. He has a bachelor’s degree in Computer Information Technology from BYU-Idaho and a master’s degree in Cyber Forensics from Purdue University. After graduating he worked as a Computer Forensic Specialist with the Ohio Bureau of Criminal Investigation.
He joined AccessData in 2015 as a senior instructor where he trained digital forensic professionals worldwide in forensic tools, concepts, and workflows. He was later promoted to Director of Training over North America. Justin has written training manuals on computer and mobile device forensics, as well as (his personal favorite) SQLite database analysis.
Justin currently works as the Forensic Subject Matter Expert and Evangelist at Exterro following the purchase of AccessData by Exterro. He frequently presents at conferences and on webinars, hosts a podcast, and produces YouTube content related to digital forensics and Forensic Toolkit.
Forensic Subject Matter Expert and Evangelist, Exterro