In this chapter, we will revisit SQLite databases and examine a type of "journaling" file called a Write Ahead Log (WAL). Parsing a WAL file, due to the complexity of the underlying structure, makes this a more difficult task than our previous encounter with SQLite databases. There are no existing modules we can leverage to directly interact with the WAL file in the same way we used sqlite3 or peewee with SQLite databases. Instead, we will rely on the struct library and our ability to understand binary files.

Once we have successfully parsed the WAL file, we will leverage the re regular expression library in Python to identify potentially relevant forensic artifacts. Lastly, we will briefly introduce ...