Public Agency Training Council tech – Chief Technical Officer
TRANSCRIPT
![Page 1: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/1.jpg)
Glenn K. Bard
Public Agency Training Council tech
Chief Technical Officer
PA State Trooper – Retired
NCMEC – Project ALERT
CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE
![Page 2: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/2.jpg)
PATCtech
Glenn Bard, CTO
Scott Lucas, Instructor and Examiner
Steve Dempsey, Instructor
Kathy Enriquez, Instructor
Brian Sprinkle, Case Manager – examiner
James Alsup, Director PATC
Stefani Lucas, Marketing Director
![Page 3: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/3.jpg)
SQL / DB forensics
PATCtech – CTO Glenn K. Bard
CISSP, EnCE, ACE, AME, CHFI, A+, Network+, Security+
![Page 4: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/4.jpg)
SQL / DB forensics
• Why is it so important to learn SQL / DB forensics?
• Both iOS and Android make heavy use of database files to store content
• The average smartphone will have hundreds of these files
• Each App has its own set of DBs; they are not shared
• And since each App has its own, if your forensic tool does not support that App, you will need to find another way to get the data
• They contain a large amount of data, including deleted information
• They can contain other files, such as jpg, plist, and so on
![Page 5: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/5.jpg)
SQL / DB forensics
• Before we begin, some definitions we need to know:
• Tables – These are the different types of data the DB will store, e.g. messages, Handle, MSG Pieces, etc.
• ROWID (ID) – This is a sequential number for an entry in the DB
• SQLite Sequence – The last assigned ROWID for each table
• BLOB – Binary Large Object
• Unix time – Number of seconds since January 1, 1970 00:00:00 (UTC)
• Mac time – Number of seconds since January 1, 2001 00:00:00 (UTC)
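The definitions above are easiest to see together on one table. The following is an added example, not code from the presentation: it builds a constructed message table loosely modelled on the iPhone sms.db (the real schema is much larger; the columns here are assumptions), uses sqlite_sequence to show how the last assigned ROWID exposes deleted rows, decodes Mac and Unix timestamps, and identifies an embedded file in a BLOB column from its leading bytes. The JPEG bytes are a constructed header, not a real picture.

```python
import datetime as dt
import sqlite3

# Seconds between the Unix epoch (1970-01-01 00:00:00 UTC) and the Mac/Cocoa
# epoch (2001-01-01 00:00:00 UTC).
MAC_EPOCH_OFFSET = 978_307_200

# Constructed sample BLOB: the leading bytes of a JPEG, not an actual image.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32


def unix_to_utc(seconds):
    """Unix time: seconds since 1970-01-01 00:00:00 UTC."""
    return dt.datetime.fromtimestamp(seconds, tz=dt.timezone.utc)


def mac_to_utc(seconds):
    """Mac absolute time: seconds since 2001-01-01 00:00:00 UTC."""
    return unix_to_utc(seconds + MAC_EPOCH_OFFSET)


def blob_kind(blob):
    """Identify an embedded file stored in a BLOB from its magic bytes."""
    if blob[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if blob[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if blob[:6] == b"bplist":   # binary plist, common inside iOS databases
        return "bplist"
    return "unknown"


def build_sample(conn):
    """Constructed table: ROWID with AUTOINCREMENT so sqlite_sequence is maintained."""
    conn.execute(
        "CREATE TABLE message ("
        " ROWID INTEGER PRIMARY KEY AUTOINCREMENT,"
        " date INTEGER,"          # Mac absolute time in seconds (assumption)
        " text TEXT,"
        " attachment BLOB)"
    )
    rows = [
        (0, "first message", None),
        (1_000_000_000, "with picture", FAKE_JPEG),
        (1_000_000_060, "to be deleted", None),
    ]
    conn.executemany(
        "INSERT INTO message (date, text, attachment) VALUES (?, ?, ?)", rows
    )
    conn.execute("DELETE FROM message WHERE text = 'to be deleted'")
    conn.commit()


def examine(conn):
    """Read off what an examiner wants: the ROWID gap, decoded dates, BLOB types."""
    (seq,) = conn.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'message'"
    ).fetchone()
    max_rowid, count = conn.execute(
        "SELECT MAX(ROWID), COUNT(*) FROM message"
    ).fetchone()
    dates = [
        mac_to_utc(d).isoformat()
        for (d,) in conn.execute("SELECT date FROM message ORDER BY ROWID")
    ]
    blobs = [
        blob_kind(b)
        for (b,) in conn.execute(
            "SELECT attachment FROM message WHERE attachment IS NOT NULL"
        )
    ]
    return {
        "last_assigned_rowid": seq,      # sqlite_sequence: highest ROWID ever handed out
        "highest_live_rowid": max_rowid,  # highest ROWID still present
        "live_rows": count,
        # With AUTOINCREMENT and no explicit ROWID inserts, seq counts every
        # committed insert, so the difference is the number of rows since deleted.
        "rows_deleted": seq - count,
        "dates_utc": dates,
        "blob_kinds": blobs,
    }


def demo():
    conn = sqlite3.connect(":memory:")
    build_sample(conn)
    return examine(conn)


if __name__ == "__main__":
    print(demo())
```

The ROWID gap is the quick first check on any AUTOINCREMENT table: when sqlite_sequence says 3 and only 2 rows remain, a row has been removed, and that is the cue to go looking in the file's free space. One caveat on timestamps: on newer iOS versions some columns hold nanoseconds since 2001 rather than seconds, so a value far too large to be seconds should be divided by 1e9 before conversion.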
![Page 6: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/6.jpg)
SQL / DB forensics
• Where will you find these files?
• Each App will have its own, or in many cases, several of them.
• Some good hints:
• Android: Data / Data / App name / Databases
• iOS: Private / VAR / Mobile
• Applications for third party Apps
• Library for iOS installed Apps
• Let’s take a look:
![Page 7: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/7.jpg)
Android
(Slides 8–11: image-only slides under the Android heading; no extractable text)
![Page 12: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/12.jpg)
iOS
(Slides 13–17: image-only slides under the iOS heading; no extractable text)
![Page 18: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/18.jpg)
Some hints and tips about these databases
• Can have different extensions: DB, SQL, SQLite, SQLiteDB
• Some have odd extensions like the callhistory.storedata
• Some can actually have no extension, and many times the software misses them. One was the threads_db2, which contained the contents of Facebook Messenger.
• In some databases, one column in a table will point to a column in a different table. (For example the Handle ID in SMS messages on an iPhone. Also the ZKIKUSER in the KIK app.)
• In other instances one column can point to a column in a completely different database. (For example the Addressbookimages.sqlitedb and Addressbook.sqlitedb on an iPhone.)
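The two kinds of cross-reference in the last two bullets are resolved with a JOIN within one file and with ATTACH DATABASE across two files. The following is an added example and not the presentation's own material: the schemas are constructed and heavily simplified stand-ins for the iPhone sms.db (message.handle_id pointing at handle.ROWID) and for the AddressBook / AddressBookImages pair, so the column names are assumptions, and all rows are made up. Both query functions open the files read-only through a URI so the examination itself cannot change them.

```python
import os
import pathlib
import sqlite3
import tempfile


def open_ro(path):
    """Open an evidence copy read-only so the examining connection cannot modify it."""
    return sqlite3.connect(pathlib.Path(path).as_uri() + "?mode=ro", uri=True)


def build_sms(path):
    """Constructed stand-in for sms.db: message.handle_id -> handle.ROWID."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT)")
        conn.execute(
            "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,"
            " text TEXT, is_from_me INTEGER)"
        )
        conn.executemany("INSERT INTO handle VALUES (?, ?, ?)", [
            (1, "+15555550100", "SMS"),
            (2, "user@example.com", "iMessage"),
        ])
        conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
            (1, 1, "running late", 0),
            (2, 1, "no problem", 1),
            (3, 2, "got the file", 0),
            (4, 9, "orphan row", 0),   # handle 9 does not exist: the pointer dangles
        ])
    conn.close()


def build_addressbook(book_path, images_path):
    """Constructed stand-ins for AddressBook.sqlitedb and AddressBookImages.sqlitedb."""
    conn = sqlite3.connect(book_path)
    with conn:
        conn.execute("CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT)")
        conn.executemany("INSERT INTO ABPerson VALUES (?, ?, ?)",
                         [(1, "Ada", "Lovelace"), (2, "Alan", "Turing")])
    conn.close()
    conn = sqlite3.connect(images_path)
    with conn:
        conn.execute("CREATE TABLE ABThumbnailImage (record_id INTEGER, data BLOB)")
        conn.execute("INSERT INTO ABThumbnailImage VALUES (?, ?)", (2, b"\xff\xd8\xff\xe0fake"))
    conn.close()


def messages_with_handles(sms_path):
    """Same file, two tables: resolve handle_id so each message shows its counterpart.

    LEFT JOIN keeps messages whose handle row is missing instead of silently
    dropping them, which is exactly the case an examiner must not lose.
    """
    conn = open_ro(sms_path)
    rows = conn.execute(
        "SELECT m.ROWID, COALESCE(h.id, '<no handle>'), m.text "
        "FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id "
        "ORDER BY m.ROWID"
    ).fetchall()
    conn.close()
    return rows


def contacts_with_thumbnails(book_path, images_path):
    """Two files: ATTACH the images database and join across the two."""
    conn = open_ro(book_path)
    conn.execute("ATTACH DATABASE ? AS img",
                 (pathlib.Path(images_path).as_uri() + "?mode=ro",))
    rows = conn.execute(
        "SELECT p.ROWID, p.First || ' ' || p.Last, i.data IS NOT NULL "
        "FROM ABPerson p LEFT JOIN img.ABThumbnailImage i ON i.record_id = p.ROWID "
        "ORDER BY p.ROWID"
    ).fetchall()
    conn.close()
    return rows


def demo():
    """Build the constructed files in a temp directory and run both queries."""
    workdir = tempfile.mkdtemp()
    sms = os.path.join(workdir, "sms.db")
    book = os.path.join(workdir, "AddressBook.sqlitedb")
    images = os.path.join(workdir, "AddressBookImages.sqlitedb")
    build_sms(sms)
    build_addressbook(book, images)
    return messages_with_handles(sms), contacts_with_thumbnails(book, images)


if __name__ == "__main__":
    for table in demo():
        print(table)
```

The orphan row in the message table is the reason for the LEFT JOIN: a handle or contact record that was deleted, or that lives in a database the tool never parsed, still leaves a message whose pointer resolves to nothing, and an inner join would hide that message entirely. The same applies across files: if the images database is missing from the extraction, the contact rows should still be reported, just without a thumbnail.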
![Page 19: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/19.jpg)
Some hints and tips about these databases
• If you see some that look like this:
![Page 20: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/20.jpg)
Some hints and tips about these databases
• Those are WebKit databases and are usually very important. In many cases they can contain emails, as well as cached information from websites.
• We will see this in a bit.
![Page 21: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/21.jpg)
SQL / DB forensics
• Now that we know where to locate the files, how do we do it?
• First, the tools:
• Mozilla Firefox with SQLite Manager
• SQLite Database Browser Portable
• Dcode from Digital Detective
• Oxygen with SQLite Viewer
![Page 22: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/22.jpg)
Like us on Facebook
• https://www.facebook.com/PATCTech-116471378378526/
![Page 23: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/23.jpg)
Please check out our two new websites:
Patctech.com Patctechns.com
![Page 24: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/24.jpg)
Come back for our future webinars:
• Getting past the iOS passcode:
• http://www.patc.com/online/1099.shtml
• DART / MapLink cell mapping:
• http://www.patc.com/online/1100.shtml
• Getting past the Android passcode:
• http://www.patc.com/online/1101.shtml
![Page 25: Public Agency Training Council tech Chief Technical](https://reader034.vdocuments.mx/reader034/viewer/2022051406/627da5c04aac814d495c0835/html5/thumbnails/25.jpg)
Follow PATCtech!
• Updates & PATCtech Research
• Public Safety News
• Training Opportunities
PATCtech @PATCtech
Forensic Digital Evidence Investigators (LinkedIn Group)