2. Page 2 of 8
Table of Contents
List of Illustrative Materials............................................................................................................ 3
Figures......................................................................................................................................... 3
Graded Lab Assessment.................................................................................................................. 4
Observations of Results and Findings......................................................................................... 4
SQLitebrowser ........................................................................................................................ 4
SQLitebrowser vs SQLiteman ................................................................................................ 5
Discussion of Results.................................................................................................................. 6
SQLitebrowser and SQLiteman.............................................................................................. 6
SQLitebrowser vs SQLiteman ................................................................................................ 7
Conclusion ...................................................................................................................................... 8
3. Page 3 of 8
List of Illustrative Materials
Figures
Figure 1: Filtered SQLitebrowser output data for the cookies.sqlite file ....................................... 4
Figure 2: Output for the keyword “pumpkin” on the cookies.sqlite file ........................................ 5
Figure 3: Output for visit count to websites and words used for Google search ............................ 5
Figure 4: Output for values entered found on the formhistory.sqlite file ....................................... 5
Figure 5: SQLite browser output for formhistory.sqlite ................................................................. 5
Figure 6: SQLiteman output for formhistory.sqlite ........................................................................ 6
Figure 7: SQLite browser time data in epoch time ......................................................................... 6
Figure 8: Converted Epoch output date and time ........................................................................... 7
Figure 9: Converted Epoch date and time and URL visit count ..................................................... 7
Figure 10: Item View tab within the SQLiteman tool .................................................................... 7
Figure 11: BLOB Preview Window within the sqliteman tool....................................................... 8
4. Page 4 of 8
Graded Lab Assessment
Observations of Results and Findings
In order to identify a user's activities an examiner will analyze the cookies, formhistory,
extensions, places, webappsstore, and search .sqlite files for internet artifacts. Artifacts
discovered throughout this investigation shall provide the examiner with information and insight
that will provide the examiner insight about the activities performed by the user.
Throughout the lab the examiner performed various exercises with the SQLiteman and
SQLbrowser tools in order to gain familiarity with the examining capabilities of each of the
tools. Using each of the tools on various sqlite files the examiner was able to examine and
identify various internet artifacts that were created by the user’s previous activities. In the lab
the examiner was provided with “test.zip” and was tasked with performing an analysis on the
provided .zip file. After the test.zip file was unzipped by the examiner, the folder "Firefox
Portable" was created within the examiner's WK6 directory. Prior to performing any analysis on
the provided data the examiner calculated and recorded the MD5 sum
(d0e7388cf7a5b68e9b65dfdd0ba0695a) of the extracted folder. By knowing the MD5 sum prior
to the analysis an examiner can then compare the calculated MD5 sum upon completion and
verify that none of the data was altered throughout the investigation.
SQLitebrowser
Using the SQLite browser tool the examiner examined the sqlite files named, “cookies, places,
formhistory” for specific internet artifacts within the sqlite data. The tool processed the sqlite
data files and displayed the information in a human readable format; allowing the examiner to
view and examine the data. In order to filter through all of the output data displayed by the tool
the examiner would select the “Execute SQL” tab and input SQL string logic that would filter
and alter the outputs of the tool. An example of this was performed when “SELECT host, value,
datetime(lastAccessed/1000000,"unixepoch") FROM moz_cookies” was entered into SQL
window of the tool, in order to modify the dateTime output into human readable format as seen
in figure 1.
Figure 1: Filtered SQLitebrowser output data for the cookies.sqlite file
Using these strings to filter through the .sqlite data allows the examiner to quickly search and
identify specific internet artifacts such as: website visits, keyword searches, various URL
information, and inputted values within forms. Various strings were entered into the SQL
window in order to filter specific artifacts. Examples of these modified outputs from the SQLite
browser tool can be seen in figures 2-4.
5. Page 5 of 8
Figure 2: Output for the keyword “pumpkin” on the cookies.sqlite file
Figure 3: Output for visit count to websites and words used for Google search
Figure 4: Output for values entered found on the formhistory.sqlite file
SQLitebrowservs SQLiteman
Within the lab the examiner was instructed to use the sqliteman tool to process and analyze the
formhistory.sqlite file that had been previously analyzed using the SQLitebrowser tool. The goal
of using both tools on the same sqlite data was to demonstrate to the examiner the differences
between both of the tools. From initial observations and comparisons of the tools the examiner
saw no variances or differences between the outputs of either of the tools. The biggest
differences seen by the examiner between the tools was how each of the tools presented their
output data for the formhistory.sqlite file. The SQLiteman appeared to be more organized in
how the output data was presented and had additional tabs and features that the SQLitebrowser
did not. As seen in figures 5 and 6 the SQLiteman tool possesses additional features that
SQLitebrowser does not possess for performing additional analysis on sqlite data.
Figure 5: SQLite browser output for formhistory.sqlite
6. Page 6 of 8
Figure 6: SQLiteman output for formhistory.sqlite
Discussion of Results
SQLitebrowserand SQLiteman
During the lab the examiner used the tools SQLitebrowser and SQLiteman to examine the
provided sqlite files for specific internet artifacts. Using the capability to input SQL strings into
both of the tools the examiner was able to examine and identify all of the specific internet
artifacts within the lab. The examiner was tasked with identifying: words and phrases inputted
into Google searches, specific keywords, URLs visited, the visit count of the URLs, and form
data inputted within the cookies, places, and formhistory sqlite files provided. This was done by
inputting specific SQL strings into both of the tools in order to filter out any unnecessary data
within the sqlite files. Being able to control and alter the output display for either of the tools
helps the examiner analyze and process the data in a timely manner. An example of how the
SQL strings can assist the examiner with their analysis process can be seen in figure 7.
Figure 7: SQLite browser time data in epoch time
Prior to any SQL strings being inputted into the tools to convert the time, the output times for the
tools will be displayed in epoch time. Reading the times in epoch is not an efficient way to view
and analyze the time information for internet artifacts during an investigation. By using the SQL
7. Page 7 of 8
string, “--- datetime(xxxx/1000000,”unixepoch”) on any field of time (lastUsed, firstUsed, etc)
the epoch time output will be converted into a human readable format as seen in figure 8.
Figure 8: Converted Epoch output date and time
Throughout, the analysis of the provided sqlite files there were several occasions when multiple
SQL strings were used in order to help display the output data in a desired format. When
performing analysis on the “places.sqlite” file the examiner was tasked with discovering what the
amount of times specific URLs were visited by the user. By inputting the SQL string, “SELECT
url, datetime(last_visit_date/1000000,”unixepoch”), visit_count FROM moz_places” into the
SQL string window, the output window displayed the times in a human readable format and
displayed the amount of visits for each URL as seen in figure 9.
Figure 9: Converted Epoch date and time and URL visit count
Viewing the data in this organized manner allows the examiner to sort through all of the data in
an organized way which can help the examiner identify other various artifacts that may be
relevant to the investigation.
SQLitebrowservs SQLiteman
When analyzing and comparing the tools SQLitebrowser and SQLiteman the examiner identified
several differences between the tools. Outside of visual differences the examiner identified that
the SQLiteman tool had additional capabilities to easily isolate and view the outputted data via
the “Item View” tab as seen in figure 10.
Figure 10: Item View tab within the SQLiteman tool
8. Page 8 of 8
An additional feature that the SQLiteman tool has that the SQLitebrowser tool does not is the
BLOB viewer feature as seen in figure 11.
Figure 11: BLOB Preview Window within the sqliteman tool
BLOB is short for Binary Large OBject. A BLOB is a large amount of binary data that is stored
and collected as a single object in a database management system. (Common BLOB artifacts
can be images and multi-media objects) The BLOB viewer allows the examiner to view a visual
preview of the BLOB data that can be identified by the examiner.
Conclusion
After completing the analysis of the sqlite files with the various tools, the examiner was able to
gain insight and understanding about the full capabilities of each of the tools. Throughout, the
lab the examiner exercised the capabilities of each of the tools on the sqlite files in order to
discover various internet artifacts within each of the sqlite data files. Using the capability to
enter various strings within each of the tools the examiner was able to examine and identify:
inputted words and phrases for Google searches, identify URLs associated with keywords,
identify which URL had more than one visit, suspicious browsing behavior, data inputted into
forms, and convert Unix epoch time into human readable time. Being able to use the strings
when performing analysis on sqlite files allows the examiner the ability to accurately expedite
their analysis on specific internet artifacts of interest during an investigation. By comparing and
understanding the capabilities of each of the SQLiteman and SQLbrowser tools the examiner can
decide on the best way to implement each of the tools when performing analysis on various sqlite
data files. With all of the findings discovered from internet artifact analysis, the examiner can
create a detailed timeline report about the events and actions that were performed by a specific
user.