As one of the most widely deployed database systems in the world, SQLite is used on an immense number of computer systems. A vast number of software programs, such as browsers and smartphone apps, use SQLite3 databases to store application data. In many cases, such data is of high value during a forensic investigation. Therefore, various tools have been developed that claim to support rigorous forensic analysis of SQLite database files. Such claims are not supported by appropriate evidence, as standardized collections of databases were long missing. Such collections can be leveraged by the forensic community for purposes like testing, validating, comparing and improving these tools.
We present a standardized corpus of SQLite files that can be used to evaluate and benchmark analysis methods and tools. The corpus contains databases that use special features of the SQLite file format or contain potential pitfalls, in order to detect errors in (not only forensic) software. The corpus has also been enhanced with anti-forensic aspects in specifically crafted databases. These do not necessarily conform to the SQLite file format specification and can thus be used to additionally challenge the extraction and recovery routines of (forensic) tools. We call the database collection “SQLite Forensic Corpus” and donate it to the public domain.
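Because some corpus files deliberately deviate from the file format specification, a tool tester may want to triage a file's 100-byte header before feeding it to an analysis tool. The following is an added example, not part of the corpus or the authors' tooling; the function names are hypothetical, the field offsets follow the published SQLite file format, and the sample database is constructed on the fly.

```python
import os, sqlite3, struct, tempfile

MAGIC = b"SQLite format 3\x00"

def check_header(data: bytes) -> list:
    """Return deviations of the 100-byte database header from the SQLite 3 file format."""
    if len(data) < 100:
        return ["truncated header"]
    (magic, raw_ps, write_ver, read_ver, _reserved_per_page, max_frac, min_frac,
     leaf_frac, change_ctr, page_count) = struct.unpack(">16sHBBBBBBII", data[:32])
    encoding = struct.unpack(">I", data[56:60])[0]
    valid_for = struct.unpack(">I", data[92:96])[0]
    page_size = 65536 if raw_ps == 1 else raw_ps   # stored value 1 means 65536
    findings = []
    if magic != MAGIC:
        findings.append("bad magic")
    ps_ok = 512 <= page_size <= 65536 and page_size & (page_size - 1) == 0
    if not ps_ok:
        findings.append(f"invalid page size {raw_ps}")
    if write_ver not in (1, 2) or read_ver not in (1, 2):
        findings.append("unknown file format version")
    if (max_frac, min_frac, leaf_frac) != (64, 32, 32):
        findings.append("payload fractions are not 64/32/32")
    if encoding not in (1, 2, 3):
        findings.append(f"invalid text encoding {encoding}")
    if any(data[72:92]):
        findings.append("reserved bytes 72..91 are not zero")
    # The in-header page count is only trustworthy when it is non-zero and the
    # change counter equals the version-valid-for field.
    if ps_ok and page_count and change_ctr == valid_for \
            and page_count * page_size != len(data):
        findings.append("file length disagrees with in-header page count")
    return findings

def build_sample() -> bytes:
    """Constructed input: a small, well-formed database written by sqlite3."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, note TEXT)")
        con.execute("INSERT INTO t (note) VALUES ('constructed row')")
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            return fh.read()

if __name__ == "__main__":
    good = build_sample()
    bad = bytearray(good)
    bad[16:18] = struct.pack(">H", 1000)   # page size that is not a power of two
    bad[80] = 0xFF                          # non-zero byte in the reserved region
    print(check_header(good), check_header(bytes(bad)))
```

A clean result only means the header is plausible; deviations deeper in the b-tree pages or freelist are outside what this check covers.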
A link to the corpus can be found here
Articles linked to the corpus:
Sebastian Nemetz, Sven Schmitt and Felix Freiling, “A standardized corpus for SQLite database forensics”, Digital Forensics Research Workshop Europe, 2018
Sven Schmitt, “Introducing Anti-Forensics to SQLite Corpora and Tool Testing”, IMF 2018, 11th International Conference on IT Security Incident Management & IT Forensics