FORENSIC INSIGHT;
DIGITAL FORENSICS COMMUNITY IN KOREA
SQLite Recovery
Deok9
DDeok9@gmail.com
forensicinsight.org Page 2
Table of Contents
1. Introduction
2. Case
3. How
4. Conclusion
Introduction
 Recovering SQLite files
• Extracting the data effectively
 TEXT values are stored as plain text, so a command like strings shows all of that data at once
 Narrowing the search down to the deleted data first makes the analysis a little more efficient
• Restoring the file so that a SQLite viewer can open it
 Rebuild the structure and relink the cells so that a SQLite viewer can interpret them again
SQLite Recovery: this talk takes the first route.
Case
 iPhone text-message backup file
Target
App     | Data type              | Location (WinXP)
Safari  | Cache                  | %USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db
iPhone  | Mobile Comm (messages) | %USERPROFILE%\Local Settings\Application Data\Apple Computer\MobileSync\Backup\<Random>.mdata
Firefox | History, Cookie        | %USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<Random>\places.sqlite or cookies.sqlite
Chrome  | Cache, History, Cookie | %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache or History or Cookies
(Figure: hex view of the message table in the backup. The annotated areas are zero-filled; a deleted group_msg record is not, it is simply left behind in the page's unallocated space: if delete(group_msg): group_msg = unallocated space.)
How
 Header page + page chains
SQLite structure (simplified)
  Page 1 is the header page: the 100-byte database header followed by the schema table (sqlite_master)
  The other pages hang off the root page numbers recorded there as B-tree page chains; unallocated (free-list) pages sit in between
 Database header
First, read the page size
  SQLite file signature: offset 0, the 16 bytes "SQLite format 3\0"
  Page size: offset 16, 2 bytes, big-endian (the value 1 means 65536)
 Database schema table
Next, read the root page number
  One row per object: schema type (table, index, ...), schema name, root page number, and the SQL statement that created it
  The CREATE statement is also where the column count comes from, which is needed later to rebuild records
 Page header + cell offsets + free space + cells
Page structure (simplified)
  Page header
  Cell offsets 1…n (the cell pointer array)
  Free space
  Cells n…1 (cells are allocated from the end of the page downwards)
 Leaf page header
• Get this right and you are more than halfway there
The pages that actually hold the data are the leaf pages
Offset | Contents
0      | Page flag: 0x0D (table B-tree leaf)
1-2    | Offset of the first freeblock (0x0000 if there is none)
3-4    | Cell count
5-6    | Offset of the first (lowest) cell, i.e. the start of the cell content area
7      | Number of fragmented free bytes (leftover gaps under 4 bytes, too small to be freeblocks)
 Leaf cell structure (simplified)
So what does a cell inside a leaf page look like?
  Cell header : record size (varint) | row ID (varint)
  Data header : length of data header (varint) | Type1 … TypeN (one serial type per column)
  Data area   : Data1 … DataN
  Record = data header + data area; cell = cell header + record
  Deleted cell: the first 4 bytes are overwritten by "next free block" (2 bytes) and "free block length" (2 bytes), so the cell header is lost while the rest of the record stays on disk
Recover the free space first
1. Find a leaf page.
2. Find the free space.
   1. Read the offset of the first live cell from page-header offset 5-6 (the start of the cell content area),
   2. then walk the cell offset array until an entry reads 0x0000 (the cell count at offset 3-4 gives the reliable end: the array is 2 × cell count bytes long).
3. The space between cell offset n and cell n is the free space; recover it and you are done.
(Diagram: page header, cell offsets 1…n, free space, cells n…1)
Next, recover the free blocks
1. Find a leaf page.
2. Find the first free block.
   1. Read the offset of the first inactive (free) block from page-header offset 1-2,
   2. then read along the chain of deleted leaf cells: the first 2 bytes of each free block point to the next one, and 0x0000 ends the chain.
(Diagram: page header, cell offsets 1…n, free space, cell n, deleted cell, cells n-2 … 1)
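The two carving steps just described (free space, then the freeblock chain), together with the header reads from the earlier slides, as an added Python example; this is not the presentation's own tool. It builds its own sample database with Python's sqlite3 module (a three-column messages table, one row deleted), so the file contents are constructed for the example; the page size, the PRAGMA settings and the table definition are assumptions of the example, not the deck's. It reads the page size at offset 16, visits every table leaf page (flag 0x0D), returns the unallocated gap between the cell pointer array and the cell content area, and follows the freeblock chain from header offset 1-2 until it reads 0.

```python
"""Carve deleted-record regions out of a SQLite file (added example)."""
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"
LEAF_TABLE = 0x0D            # page flag of a table B-tree leaf page
DB_HEADER = 100              # page 1 starts with the 100-byte database header


def make_sample_db(path):
    """Constructed sample: three message rows, the middle one deleted."""
    if os.path.exists(path):
        os.remove(path)
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size = 1024")      # must be set before the first table exists
    con.execute("PRAGMA secure_delete = OFF")   # builds with SQLITE_SECURE_DELETE zero deleted cells
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages VALUES(?, ?, ?)", [
        (1, "alice", "first message"),
        (2, "bob", "second message, later deleted"),
        (3, "carol", "third message"),
    ])
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()
    return path


def parse_db_header(data):
    """Signature at offset 0, page size at offset 16 (2 bytes, big-endian)."""
    if data[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:                          # 1 encodes 65536
        page_size = 65536
    reserved = data[20]                         # unused bytes at the end of each page
    return {"page_size": page_size, "usable": page_size - reserved,
            "page_count": len(data) // page_size}


def parse_page_header(page, hdr_off):
    """8-byte B-tree page header: flag, first freeblock, cell count, content start, fragments."""
    first_freeblock, cell_count, content_start = struct.unpack_from(">HHH", page, hdr_off + 1)
    return {"flag": page[hdr_off], "first_freeblock": first_freeblock,
            "cell_count": cell_count,
            "content_start": content_start or 65536,   # 0 means 65536 on 64 KiB pages
            "fragmented_bytes": page[hdr_off + 7]}


def leaf_free_regions(page, hdr_off, usable):
    """(unallocated (start, end), [(freeblock offset, size), ...]) of one leaf table page."""
    h = parse_page_header(page, hdr_off)
    # step 1: the gap between the end of the cell pointer array and the first cell
    ptr_end = hdr_off + 8 + 2 * h["cell_count"]
    unallocated = (ptr_end, h["content_start"])
    # step 2: follow the freeblock chain from header offset 1-2 until it reads 0
    freeblocks, off, seen = [], h["first_freeblock"], set()
    while off:
        if off in seen or off + 4 > usable:
            break                               # looping or out-of-page chain: stop, do not trust it
        seen.add(off)
        nxt, size = struct.unpack_from(">HH", page, off)
        freeblocks.append((off, min(size, usable - off)))
        off = nxt
    return unallocated, freeblocks


def carve_deleted(data):
    """List (page number, kind, offset, raw bytes) for every region that may hold a deleted record."""
    hdr = parse_db_header(data)
    ps = hdr["page_size"]
    regions = []
    for pgno in range(1, hdr["page_count"] + 1):
        page = data[(pgno - 1) * ps: pgno * ps]
        hdr_off = DB_HEADER if pgno == 1 else 0
        if page[hdr_off] != LEAF_TABLE:
            continue                            # interior, index, overflow and free-list pages are skipped
        (start, end), freeblocks = leaf_free_regions(page, hdr_off, hdr["usable"])
        if end > start:
            regions.append((pgno, "unallocated", start, page[start:end]))
        for off, size in freeblocks:            # bytes 0-3 are the freeblock header, the rest is the old cell
            regions.append((pgno, "freeblock", off, page[off:off + size]))
    return regions


def demo(path=None):
    """Build the sample database, carve it and return (db header, regions)."""
    path = path or os.path.join(tempfile.gettempdir(), "sqlite_carve_demo.db")
    with open(make_sample_db(path), "rb") as f:
        data = f.read()
    return parse_db_header(data), carve_deleted(data)


if __name__ == "__main__":
    header, regions = demo()
    print("page size", header["page_size"], "pages", header["page_count"])
    for pgno, kind, off, raw in regions:
        print(f"page {pgno} {kind:<11} @0x{off:04x} {len(raw):4d} bytes  {raw[:40]!r}")
```

Two caveats a practitioner will hit. Some distributions build SQLite with SQLITE_SECURE_DELETE, and a database written by such a build has its deleted cells zeroed; the example switches the pragma off so that there is something to carve, but on an evidence file an all-zero freeblock body is the sign that this happened. The chain walk also stops on a freeblock that loops or points outside the page rather than trusting it, because a damaged chain should not send the carver into live cells. For the pointer array, the cell count at offset 3-4 is the bound to use: after a delete the array is shortened in place and its old last slot can keep a stale offset, which is why walking "until 0x0000" can overshoot.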
How do we restore it (1)
 The parts that have to be rebuilt
• Length of record
• Row ID
• Part of the length of the data header (the header-length byte and, for small cells, the first serial type)
(Diagram: record size, row ID, length of data header, Type1 … TypeN, Data1 … DataN; the next-free-block and free-block-length fields now occupy the first 4 bytes, where the cell header and the start of the data header used to be.)
How do we restore it (2)
 First, link the data header back to the data
• Use the relation between the data header values (serial types) and the lengths of the data
• Then brute-force the missing ones
Value            | Data type          | Data size (bytes)
0                | NULL               | 0
N (N = 1-4)      | Signed integer     | N
5                | Signed integer     | 6
6                | Signed integer     | 8
7                | IEEE float         | 8
8, 9             | Integer 0 and 1    | 0 (schema format 4 and later)
10, 11           | Reserved           | -
N >= 12 (N even) | BLOB               | (N-12)/2
N >= 13 (N odd)  | TEXT               | (N-13)/2
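The brute-force step of the table above, as an added Python example (not the presentation's code). The input is a constructed freeblock for the case described two slides earlier: the 4 overwritten bytes held the payload-length varint, the rowid varint, the header-length byte and the first serial type; the table definition messages(id, sender, body) and the byte values are assumptions of the example. The record length follows from the freeblock length (it is the old cell length), the missing serial types are brute-forced against the serial-type/size table until the field sizes add up to the surviving byte count (assuming the lost serial types were single bytes), and the rowid is simply gone: it cannot be read back from these bytes, only inferred from the rowids of the neighbouring live cells.

```python
"""Rebuild a deleted record from a freeblock's surviving bytes (added example)."""
import itertools
import struct

# Constructed input: the freeblock left by deleting row (2, 'bob', 'second message, later deleted')
# from messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT). Bytes 0-3 are the freeblock
# header (next = 0, length = 38); the payload-length varint, rowid varint, header-length byte
# and the id column's serial type that used to be there are gone.
SAMPLE_FREEBLOCK = (b"\x00\x00\x00\x26"
                    + bytes([19, 71])          # surviving serial types: TEXT(3), TEXT(29)
                    + b"bob" + b"second message, later deleted")


def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 bits per byte, high bit set = continue, 9th byte has 8 bits."""
    value = 0
    for i in range(8):
        byte = buf[pos + i]
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9


def serial_size(st):
    """Field length for serial type st (the table above); None for the reserved types 10 and 11."""
    if st == 0 or st in (8, 9):
        return 0
    if 1 <= st <= 4:
        return st
    if st == 5:
        return 6
    if st in (6, 7):
        return 8
    if st in (10, 11):
        return None
    return (st - 12) // 2                       # even: BLOB, odd: TEXT


def decode_field(st, raw):
    """Turn one field's bytes into a Python value according to its serial type."""
    if st == 0:
        return None
    if 1 <= st <= 6:
        return int.from_bytes(raw, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", raw)[0]
    if st in (8, 9):
        return st - 8
    return raw if st % 2 == 0 else raw.decode("utf-8", "replace")


def reconstruct(freeblock, ncols, hints=None):
    """Every (cell-header size, guessed serial types, fields) consistent with the surviving bytes.

    ncols comes from the CREATE statement in the schema table. hints maps a column index to
    the serial types it may take, e.g. {0: {0}} for an INTEGER PRIMARY KEY column, which is
    always stored as NULL in the record. Assumes the lost serial types were single bytes.
    """
    hints = hints or {}
    size = struct.unpack_from(">H", freeblock, 2)[0]   # freeblock length = old cell length
    tail = freeblock[4:size]
    results = []
    for cell_hdr in (2, 3, 4):              # bytes the payload-length + rowid varints used
        lost = 4 - cell_hdr                 # record bytes overwritten after them
        hdr_len, pos, n_lost_types, types = None, 0, 0, []
        try:
            if lost == 0:                   # record header intact: read its length
                hdr_len, pos = read_varint(tail, 0)
            else:                           # header-length byte gone, plus lost-1 serial types
                n_lost_types = lost - 1
            for _ in range(ncols - n_lost_types):
                st, pos = read_varint(tail, pos)
                types.append(st)
        except IndexError:
            continue
        if hdr_len is not None and pos != hdr_len:
            continue                        # header length must end exactly after the serial types
        data = tail[pos:]
        known = [serial_size(t) for t in types]
        if None in known:
            continue
        for guess in itertools.product(range(128), repeat=n_lost_types):
            sizes = [serial_size(g) for g in guess]
            if None in sizes or sum(sizes) + sum(known) != len(data):
                continue                    # the header's sizes must add up to the data length
            all_types = list(guess) + types
            if any(c < len(all_types) and all_types[c] not in ok for c, ok in hints.items()):
                continue
            fields, at = [], 0
            for st in all_types:
                fields.append(decode_field(st, data[at:at + serial_size(st)]))
                at += serial_size(st)
            results.append({"cell_header_bytes": cell_hdr, "lost_serial_types": guess, "fields": fields})
    return results


if __name__ == "__main__":
    for r in reconstruct(SAMPLE_FREEBLOCK, 3):
        print(r["lost_serial_types"], r["fields"])
    print("with INTEGER PRIMARY KEY hint:", reconstruct(SAMPLE_FREEBLOCK, 3, {0: {0}})[0]["fields"])
```

Size alone leaves several candidates whenever a zero-length serial type (NULL, the constants 0 and 1, an empty BLOB, an empty TEXT) is among the missing ones; the schema settles it, and here the INTEGER PRIMARY KEY column is always stored as NULL, which the hints argument expresses. Whatever the guess, the text columns decode identically, which is the part of the deleted message an examiner actually wants.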
At a glance (a picture that should look familiar by now)
(Diagram, live record: length of record | row ID | length of data header | size of field 1 | size of field 2 | ... | size of field N | data of field 1 | data of field 2 | ... | data of field N. The field sizes form the data header; every length is a variable-length integer.)
(Diagram, deleted record: the same layout, with the first 4 bytes replaced by offset of next free block (2 bytes) and length of free block (2 bytes).)
Conclusion
Recovering iPhone messages
 This is recovery, not restoration: the deleted records are carved out of the file, the database itself is not rebuilt for a viewer