Chapter 12. Recovering Transient Database Records

In this chapter, we will revisit SQLite databases and examine a type of "journaling" file called a Write Ahead Log (WAL). Because of the complexity of the underlying binary structure, parsing a WAL file is a more difficult task than our previous encounter with SQLite databases. There are no existing modules we can leverage to interact directly with a WAL file in the way we used sqlite3 or peewee with SQLite databases. Instead, we will rely on the struct library and our ability to understand binary files.

Once we have successfully parsed the WAL file, we will leverage the re regular expression library in Python to identify potentially relevant forensic artifacts. Lastly, we will briefly introduce ...
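As an added illustration of the struct-based approach this chapter takes (example code written for this page, not the book's own), the following parses the 32-byte WAL file header and the 24-byte header of each frame, recomputes SQLite's running frame checksum, and flags frames whose salts or checksum no longer match the file header; those are the stale frames left behind by a checkpoint, which a forensic parser wants to keep rather than discard. The sample WAL bytes are constructed inline and are not from a real database.

```python
import struct

WAL_HDR = struct.Struct(">8I")    # 32-byte file header, fields always big-endian
FRAME_HDR = struct.Struct(">6I")  # 24-byte frame header, fields always big-endian

def wal_checksum(data, big_endian, s0=0, s1=0):
    """SQLite's WAL checksum: two running 32-bit sums over pairs of words.
    Word byte order follows the magic number (0x377f0683 = big-endian)."""
    words = struct.unpack((">" if big_endian else "<") + "%dI" % (len(data) // 4), data)
    for i in range(0, len(words), 2):
        s0 = (s0 + words[i] + s1) & 0xFFFFFFFF
        s1 = (s1 + words[i + 1] + s0) & 0xFFFFFFFF
    return s0, s1

def parse_wal(blob):
    """Return (header, frames). A frame is 'valid' only if its salts match the
    file header and its checksum continues the chain started by the header."""
    magic, version, page_size, ckpt, salt1, salt2, c1, c2 = WAL_HDR.unpack_from(blob)
    if (magic & 0xFFFFFFFE) != 0x377F0682:
        raise ValueError("not a WAL file (bad magic)")
    big_endian = bool(magic & 1)
    if wal_checksum(blob[:24], big_endian) != (c1, c2):
        raise ValueError("WAL header checksum mismatch")
    header = {"version": version, "page_size": page_size, "checkpoint_seq": ckpt,
              "salt1": salt1, "salt2": salt2}
    frames, s0, s1, off = [], c1, c2, WAL_HDR.size
    while off + FRAME_HDR.size + page_size <= len(blob):
        pgno, commit, fs1, fs2, fc1, fc2 = FRAME_HDR.unpack_from(blob, off)
        page = blob[off + FRAME_HDR.size: off + FRAME_HDR.size + page_size]
        # the chain covers the first 8 bytes of each frame header plus its page
        s0, s1 = wal_checksum(blob[off:off + 8], big_endian, s0, s1)
        s0, s1 = wal_checksum(page, big_endian, s0, s1)
        valid = (fs1, fs2) == (salt1, salt2) and (fc1, fc2) == (s0, s1)
        frames.append({"page_number": pgno, "commit_size": commit,
                       "valid": valid, "data": page})
        off += FRAME_HDR.size + page_size
    return header, frames

def build_sample_wal(page_size=512):
    """Constructed sample, not a real database: two frames from the current
    generation (salt-1 = 5) followed by one stale frame left over with salt-1 = 4."""
    head = struct.pack(">6I", 0x377F0683, 3007000, page_size, 1, 5, 7)
    s0, s1 = wal_checksum(head, True)
    blob = head + struct.pack(">II", s0, s1)
    for pgno, commit, salt1, fill in ((2, 0, 5, b"A"), (3, 3, 5, b"B"), (2, 2, 4, b"C")):
        page, first8 = fill * page_size, struct.pack(">II", pgno, commit)
        s0, s1 = wal_checksum(first8, True, s0, s1)
        s0, s1 = wal_checksum(page, True, s0, s1)
        blob += first8 + struct.pack(">4I", salt1, 7, s0, s1) + page
    return blob
```

Point `parse_wal` at the bytes of a real `*-wal` file to list every frame, live or stale; the `commit_size` field is non-zero only on the frame that ends a transaction.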
