SlideShare a Scribd company logo

(120211) #fitalk sq lite record recovery

INSIGHT FORENSIC
INSIGHT FORENSIC

F-INSIGHT TALK

Technology
1 of 22
Download to read offline
FORENSICINSIGHT SEMINAR SQLite Record Recovery zurum heros86@korea.ac.kr DFRC@CIST@KU
forensicinsight.org Page 2 / 22 Contents 1. SQLite 구조 2. 삭제된 영역 3. 레코드(Cell) 구조 4. 복원 기법
forensicinsight.org Page 3 / 50 Structure of SQLite DataBase - File & Page Structure
forensicinsight.org Page 4 / 22 Structure of SQLite DataBase  전체 구조 및 파일 헤더 File Structure
forensicinsight.org Page 5 / 22 Structure of SQLite DataBase  스키마 테이블 File Structure
forensicinsight.org Page 6 / 22 Structure of SQLite DataBase  Table B-tree File Structure - Internal 페이지 - 하위 페이지의 포인터를 가짐. - Leaf 페이지 - 실제 데이터를 담고 있음.
forensicinsight.org Page 7 / 22 Structure of SQLite DataBase Page Structure Page Header Cell offset 0 Cell offset 1 Cell offset 2 Free Space Cell 2 Cell 1 Cell 0 • Page Header – Table – b-tree • Offset 0 – 0x05 - Internal Nodeleaf – 0x0D – Leaf Node • Size – 12 Byte – Internal Node pages – 8 Byte - Leaf node pages • Cell Offset – 2byte Big endian integer
forensicinsight.org Page 8 / 22 Structure of SQLite DataBase  Internal Page header  Leaf Page header Page Structure Page flag offset of first block of free space Page number of right most child-page Num of fragmented free bytes Number of record Offset of the first bytes of the record Page flag offset of first block of free space Num of fragmented free bytes Number of record Offset of the first bytes of the record
forensicinsight.org Page 9 / 50 Deleted area in database file - Unallocated Area(Free space & Free block)
forensicinsight.org Page 10 / 22 Deleted area in database file  Free Space(비할당 공간) • 아직 셀(레코드)이 할당되지 않은 영역 • 셀 오프셋과 마지막 셀 사이의 공간 Unallocated Area Page Header Cell offset 0 Cell offset 1 Cell offset 2 Free Space Cell 2 Cell 1 Cell 0
forensicinsight.org Page 11 / 22 Deleted area in database file  Free Block • 셀이 할당되었다가 삭제된 영역 • 셀과 셀 사이에 존재 Unallocated Space Page Header Cell offset 0 Cell offset 1 Cell offset 2 Free Space Cell 2 Cell 1 Cell 0
forensicinsight.org Page 12 / 22 Deleted area in database file  삭제된 영역 수집 • 비할당 영역(Free Area)의 삭제 데이터  헤더와 오프셋 배열을 건너 뛴 후 페이지의 첫 번째 레코드가 나올 때까지 탐색 • 기본적으로 Free Area는 0으로 세팅되어 있음 • 따라서 0이 아닌 값이 존재하는 경우 삭제된 데이터로 판단 가능. Deleted area Number of record Offset of the first byte of the record
forensicinsight.org Page 13 / 22 Deleted area in database file  삭제된 영역 수집 • 비할당 블록(Free Block)의 삭제 데이터  비할당 블록의 데이터는 무조건 삭제된 데이터로 판단 가능  비할당 블록 체인 (Chain of free block) Deleted area ……
forensicinsight.org Page 14 / 50 Data Recovery - Normal Cell & Deleted Cell - Record Recovery
forensicinsight.org Page 15 / 22 Data Recovery  Variable length integer Cell structure Byte Value range Bit pattern 1 7 bit 0XXXXXXX 2 14 bit 1XXXXXXX 0XXXXXXX 3 21 bit 1XXXXXXX 1XXXXXXX 0XXXXXXX 4 28 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 5 35 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 6 42 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 7 49 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 8 56 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 9 64 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX XXXXXXXX Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte
forensicinsight.org Page 16 / 22 Data Recovery  Data Header Cell structure Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte Value Data Type Data Size 0 NULL 0 N (N=1-4) Signed Integer N 5 Signed Integer 6 6 Signed Integer 8 7 IEEE float 8 8-11 Reserved N>12 (N:even) BLOB (N-12)/2 N>13 (N:odd) TEXT (N-13)/2
forensicinsight.org Page 17 / 22 Data Recovery  Normal Cell  Deleted Cell Cell structure Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Offset of next free block Length of free block 2 Byte2 Byte Data Header Record
forensicinsight.org Page 18 / 22 Data Recovery Record carving
forensicinsight.org Page 19 / 22 Data Recovery Inspect Free Area  simulation  Schema table  Target data
forensicinsight.org Page 20 / 22 Data Recovery Inspect Free Area  삭제 후 변화 Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Offset of next free block Length of free block 2 Byte2 Byte Data Header Record
forensicinsight.org Page 21 / 22 Data Recovery Inspect Free Area  Values of Data header  Target data • 스키마의 데이터 헤더와 일치하는 점을 찾은 지점에서 복원 진행 • 스키마가 복잡할 수록 오탐은 적어짐. Value Data Type Data Size 0 NULL 0 N (N=1-4) Signed Integer N 5 Signed Integer 6 6 Signed Integer 8 7 IEEE float 8 8-11 Reserved N>12 (N:even) BLOB (N-12)/2 N>13 (N:odd) TEXT (N-13)/2 추측 길이
forensicinsight.org Page 22 / 22 Thank you for listenig Q&A

Recommended

Singly Linked List
Singly Linked ListSingly Linked List
Singly Linked Listkalpanasatishkumar
 
Linked list
Linked listLinked list
Linked listkalpanasatishkumar
 
Ch 17 disk storage, basic files structure, and hashing
Ch 17 disk storage, basic files structure, and hashingCh 17 disk storage, basic files structure, and hashing
Ch 17 disk storage, basic files structure, and hashingZainab Almugbel
 
Sql introduction
Sql introductionSql introduction
Sql introductionvimal_guru
 
Chapter 11 - File System Implementation
Chapter 11 - File System ImplementationChapter 11 - File System Implementation
Chapter 11 - File System ImplementationWayne Jones Jnr
 
Statsreader
StatsreaderStatsreader
StatsreaderGharib Djamel
 
Chapter13
Chapter13Chapter13
Chapter13gourab87
 
Nach os assignment_2_teorica
Nach os assignment_2_teoricaNach os assignment_2_teorica
Nach os assignment_2_teoricacarmensp
 

Recommended

Singly Linked List
Singly Linked ListSingly Linked List
Singly Linked Listkalpanasatishkumar
 
Linked list
Linked listLinked list
Linked listkalpanasatishkumar
 
Ch 17 disk storage, basic files structure, and hashing
Ch 17 disk storage, basic files structure, and hashingCh 17 disk storage, basic files structure, and hashing
Ch 17 disk storage, basic files structure, and hashingZainab Almugbel
 
Sql introduction
Sql introductionSql introduction
Sql introductionvimal_guru
 
Chapter 11 - File System Implementation
Chapter 11 - File System ImplementationChapter 11 - File System Implementation
Chapter 11 - File System ImplementationWayne Jones Jnr
 
Statsreader
StatsreaderStatsreader
StatsreaderGharib Djamel
 
Chapter13
Chapter13Chapter13
Chapter13gourab87
 
Nach os assignment_2_teorica
Nach os assignment_2_teoricaNach os assignment_2_teorica
Nach os assignment_2_teoricacarmensp
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석INSIGHT FORENSIC
 
Internal representation of files ppt
Internal representation of files pptInternal representation of files ppt
Internal representation of files pptAbhaysinh Surve
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensicsviaForensics
 
Ext2
Ext2Ext2
Ext2Bindu U
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)INSIGHT FORENSIC
 
Plam15 slides.potx
Plam15 slides.potxPlam15 slides.potx
Plam15 slides.potxVlad Lesin
 
Database Sizing
Database SizingDatabase Sizing
Database SizingAmin Chowdhury
 
Sqlmaterial 120414024230-phpapp01
Sqlmaterial 120414024230-phpapp01Sqlmaterial 120414024230-phpapp01
Sqlmaterial 120414024230-phpapp01Lalit009kumar
 
Floor plan & Power Plan
Floor plan & Power Plan Floor plan & Power Plan
Floor plan & Power Plan Prathyusha Madapalli
 
Managing data and operation distribution in MongoDB
Managing data and operation distribution in MongoDBManaging data and operation distribution in MongoDB
Managing data and operation distribution in MongoDBAntonios Giannopoulos
 
Managing Data and Operation Distribution In MongoDB
Managing Data and Operation Distribution In MongoDBManaging Data and Operation Distribution In MongoDB
Managing Data and Operation Distribution In MongoDBJason Terpko
 
Free Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFSFree Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFSUnited International University
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...Spark Summit
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2PoguttuezhiniVP
 
1650607.ppt
1650607.ppt1650607.ppt
1650607.pptKalsoomTahir2
 
OSDC 2011 | Enterprise Linux Server Filesystems by Remo Rickli
OSDC 2011 | Enterprise Linux Server Filesystems by Remo RickliOSDC 2011 | Enterprise Linux Server Filesystems by Remo Rickli
OSDC 2011 | Enterprise Linux Server Filesystems by Remo RickliNETWAYS
 
Unit 4 data storage and querying
Unit 4 data storage and queryingUnit 4 data storage and querying
Unit 4 data storage and queryingRavindran Kannan
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)INSIGHT FORENSIC
 

More Related Content

Similar to (120211) #fitalk sq lite record recovery

(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석INSIGHT FORENSIC
 
Internal representation of files ppt
Internal representation of files pptInternal representation of files ppt
Internal representation of files pptAbhaysinh Surve
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensicsviaForensics
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)INSIGHT FORENSIC
 
Plam15 slides.potx
Plam15 slides.potxPlam15 slides.potx
Plam15 slides.potxVlad Lesin
 
Sqlmaterial 120414024230-phpapp01
Sqlmaterial 120414024230-phpapp01Sqlmaterial 120414024230-phpapp01
Sqlmaterial 120414024230-phpapp01Lalit009kumar
 
Managing data and operation distribution in MongoDB
Managing data and operation distribution in MongoDBManaging data and operation distribution in MongoDB
Managing data and operation distribution in MongoDBAntonios Giannopoulos
 
Managing Data and Operation Distribution In MongoDB
Managing Data and Operation Distribution In MongoDBManaging Data and Operation Distribution In MongoDB
Managing Data and Operation Distribution In MongoDBJason Terpko
 
Free Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFSFree Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFSUnited International University
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...Spark Summit
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2PoguttuezhiniVP
 
OSDC 2011 | Enterprise Linux Server Filesystems by Remo Rickli
OSDC 2011 | Enterprise Linux Server Filesystems by Remo RickliOSDC 2011 | Enterprise Linux Server Filesystems by Remo Rickli
OSDC 2011 | Enterprise Linux Server Filesystems by Remo RickliNETWAYS
 
Unit 4 data storage and querying
Unit 4 data storage and queryingUnit 4 data storage and querying
Unit 4 data storage and queryingRavindran Kannan
 

Similar to (120211) #fitalk sq lite record recovery (20)

(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
 
Internal representation of files ppt
Internal representation of files pptInternal representation of files ppt
Internal representation of files ppt
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensics
 
Ext2
Ext2Ext2
Ext2
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
 
Plam15 slides.potx
Plam15 slides.potxPlam15 slides.potx
Plam15 slides.potx
 
Database Sizing
Database SizingDatabase Sizing
Database Sizing
 
Sqlmaterial 120414024230-phpapp01
Sqlmaterial 120414024230-phpapp01Sqlmaterial 120414024230-phpapp01
Sqlmaterial 120414024230-phpapp01
 
Floor plan & Power Plan
Floor plan & Power Plan Floor plan & Power Plan
Floor plan & Power Plan
 
Managing data and operation distribution in MongoDB
Managing data and operation distribution in MongoDBManaging data and operation distribution in MongoDB
Managing data and operation distribution in MongoDB
 
Managing Data and Operation Distribution In MongoDB
Managing Data and Operation Distribution In MongoDBManaging Data and Operation Distribution In MongoDB
Managing Data and Operation Distribution In MongoDB
 
Free Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFSFree Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFS
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...
Apache Carbondata: An Indexed Columnar File Format for Interactive Query with...
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2
 
1650607.ppt
1650607.ppt1650607.ppt
1650607.ppt
 
OSDC 2011 | Enterprise Linux Server Filesystems by Remo Rickli
OSDC 2011 | Enterprise Linux Server Filesystems by Remo RickliOSDC 2011 | Enterprise Linux Server Filesystems by Remo Rickli
OSDC 2011 | Enterprise Linux Server Filesystems by Remo Rickli
 
Unit 4 data storage and querying
Unit 4 data storage and queryingUnit 4 data storage and querying
Unit 4 data storage and querying
 

More from INSIGHT FORENSIC

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fsINSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trendINSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안INSIGHT FORENSIC
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifactsINSIGHT FORENSIC
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식INSIGHT FORENSIC
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatchINSIGHT FORENSIC
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석INSIGHT FORENSIC
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법INSIGHT FORENSIC
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysisINSIGHT FORENSIC
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)INSIGHT FORENSIC
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threatINSIGHT FORENSIC
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensicsINSIGHT FORENSIC
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recoveryINSIGHT FORENSIC
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)INSIGHT FORENSIC
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in koreaINSIGHT FORENSIC
 
(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memoryINSIGHT FORENSIC
 

More from INSIGHT FORENSIC (20)

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea
 
(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

(120211) #fitalk sq lite record recovery

  • 1. FORENSICINSIGHT SEMINAR SQLite Record Recovery zurum heros86@korea.ac.kr DFRC@CIST@KU
  • 2. forensicinsight.org Page 2 / 22 Contents 1. SQLite 구조 2. 삭제된 영역 3. 레코드(Cell) 구조 4. 복원 기법
  • 3. forensicinsight.org Page 3 / 50 Structure of SQLite DataBase - File & Page Structure
  • 4. forensicinsight.org Page 4 / 22 Structure of SQLite DataBase  전체 구조 및 파일 헤더 File Structure
  • 5. forensicinsight.org Page 5 / 22 Structure of SQLite DataBase  스키마 테이블 File Structure
  • 6. forensicinsight.org Page 6 / 22 Structure of SQLite DataBase  Table B-tree File Structure - Internal 페이지 - 하위 페이지의 포인터를 가짐. - Leaf 페이지 - 실제 데이터를 담고 있음.
  • 7. forensicinsight.org Page 7 / 22 Structure of SQLite DataBase Page Structure Page Header Cell offset 0 Cell offset 1 Cell offset 2 Free Space Cell 2 Cell 1 Cell 0 • Page Header – Table – b-tree • Offset 0 – 0x05 - Internal Nodeleaf – 0x0D – Leaf Node • Size – 12 Byte – Internal Node pages – 8 Byte - Leaf node pages • Cell Offset – 2byte Big endian integer
  • 8. forensicinsight.org Page 8 / 22 Structure of SQLite DataBase  Internal Page header  Leaf Page header Page Structure Page flag offset of first block of free space Page number of right most child-page Num of fragmented free bytes Number of record Offset of the first bytes of the record Page flag offset of first block of free space Num of fragmented free bytes Number of record Offset of the first bytes of the record
  • 9. forensicinsight.org Page 9 / 50 Deleted area in database file - Unallocated Area(Free space & Free block)
  • 10. forensicinsight.org Page 10 / 22 Deleted area in database file  Free Space(비할당 공간) • 아직 셀(레코드)이 할당되지 않은 영역 • 셀 오프셋과 마지막 셀 사이의 공간 Unallocated Area Page Header Cell offset 0 Cell offset 1 Cell offset 2 Free Space Cell 2 Cell 1 Cell 0
  • 11. forensicinsight.org Page 11 / 22 Deleted area in database file  Free Block • 셀이 할당되었다가 삭제된 영역 • 셀과 셀 사이에 존재 Unallocated Space Page Header Cell offset 0 Cell offset 1 Cell offset 2 Free Space Cell 2 Cell 1 Cell 0
  • 12. forensicinsight.org Page 12 / 22 Deleted area in database file  삭제된 영역 수집 • 비할당 영역(Free Area)의 삭제 데이터  헤더와 오프셋 배열을 건너 뛴 후 페이지의 첫 번째 레코드가 나올 때까지 탐색 • 기본적으로 Free Area는 0으로 세팅되어 있음 • 따라서 0이 아닌 값이 존재하는 경우 삭제된 데이터로 판단 가능. Deleted area Number of record Offset of the first byte of the record
  • 13. forensicinsight.org Page 13 / 22 Deleted area in database file  삭제된 영역 수집 • 비할당 블록(Free Block)의 삭제 데이터  비할당 블록의 데이터는 무조건 삭제된 데이터로 판단 가능  비할당 블록 체인 (Chain of free block) Deleted area ……
  • 14. forensicinsight.org Page 14 / 50 Data Recovery - Normal Cell & Deleted Cell - Record Recovery
  • 15. forensicinsight.org Page 15 / 22 Data Recovery  Variable length integer Cell structure Byte Value range Bit pattern 1 7 bit 0XXXXXXX 2 14 bit 1XXXXXXX 0XXXXXXX 3 21 bit 1XXXXXXX 1XXXXXXX 0XXXXXXX 4 28 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 5 35 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 6 42 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 7 49 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 8 56 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 0XXXXXXX 9 64 bit 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX 1XXXXXXX XXXXXXXX Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte
  • 16. forensicinsight.org Page 16 / 22 Data Recovery  Data Header Cell structure Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte Value Data Type Data Size 0 NULL 0 N (N=1-4) Signed Integer N 5 Signed Integer 6 6 Signed Integer 8 7 IEEE float 8 8-11 Reserved N>12 (N:even) BLOB (N-12)/2 N>13 (N:odd) TEXT (N-13)/2
  • 17. forensicinsight.org Page 17 / 22 Data Recovery  Normal Cell  Deleted Cell Cell structure Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Offset of next free block Length of free block 2 Byte2 Byte Data Header Record
  • 18. forensicinsight.org Page 18 / 22 Data Recovery Record carving
  • 19. forensicinsight.org Page 19 / 22 Data Recovery Inspect Free Area  simulation  Schema table  Target data
  • 20. forensicinsight.org Page 20 / 22 Data Recovery Inspect Free Area  삭제 후 변화 Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Data Header Record Variable length integer 2 Byte Length of Record Row ID Length of Data Header Size of Field 1 Size of Field 2 ... Size of Field N Data of Field 1 Data of Field 2 ... Data of Field N Offset of next free block Length of free block 2 Byte2 Byte Data Header Record
  • 21. forensicinsight.org Page 21 / 22 Data Recovery Inspect Free Area  Values of Data header  Target data • 스키마의 데이터 헤더와 일치하는 점을 찾은 지점에서 복원 진행 • 스키마가 복잡할 수록 오탐은 적어짐. Value Data Type Data Size 0 NULL 0 N (N=1-4) Signed Integer N 5 Signed Integer 6 6 Signed Integer 8 7 IEEE float 8 8-11 Reserved N>12 (N:even) BLOB (N-12)/2 N>13 (N:odd) TEXT (N-13)/2 추측 길이
  • 22. forensicinsight.org Page 22 / 22 Thank you for listenig Q&A