5 SQLite Forensics

SQLite is a lightweight, self-contained, serverless relational database management system (RDBMS) that is widely used across applications and devices, which makes it essential knowledge for every forensic examiner. SQLite databases are queried with SQL, the standard and widely used language for storing, organizing, and accessing data in a structured format.

An SQLite database is typically stored as a single file on the device, with each application keeping its own database, which can be read and modified using SQL queries. Their lightweight nature, ease of use, and lack of additional infrastructure or setup requirements make SQLite databases well suited to many applications, including mobile apps, browsers, and much more.

Because of their extensive use in browsers and on mobile devices, SQLite databases are particularly interesting from a forensic perspective. Interacting with them is straightforward using tools like SQLite Browser, shown in Figure 5.1: open the database file in the software, then read from and write to the database using SQL queries.

  • SQLite Browser: A high-quality, open-source tool to create, design, and edit database files compatible with SQLite.
  • SQLite Miner: An open-source tool to identify and examine blob objects within SQLite databases, parse them, and export the files into a useful format.
  • sqlparse.py by Mari DeGrazia: An open-source Python script that helps recover deleted entries in ...
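As an added example (not from the book, and not the code of any tool listed above), the following Python script performs two basic checks an examiner runs against a database file: it parses the 100-byte SQLite file header, whose freelist-page count indicates whether freed pages that may still hold deleted records are present, and it walks every table for BLOB cells and classifies them by magic bytes, in the spirit of SQLite Miner. The sample database, its table contents, and the signature table are constructed for the demonstration.

```python
import os, sqlite3, struct, tempfile

# Constructed, partial table of magic bytes used to classify embedded files.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

def parse_header(path):
    """Parse the 100-byte SQLite file header (big-endian fields, per the SQLite file format)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    return {
        "page_size": 65536 if page_size == 1 else page_size,   # a stored value of 1 encodes 65536
        "db_pages": struct.unpack(">I", hdr[28:32])[0],
        "freelist_trunk": struct.unpack(">I", hdr[32:36])[0],  # 0 means the freelist is empty
        "freelist_pages": struct.unpack(">I", hdr[36:40])[0],  # >0: freed pages worth carving
    }

def find_blobs(path):
    """Return (table, column, rowid, file_type, size) for every BLOB cell in every rowid table."""
    found = []
    con = sqlite3.connect(path)
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
            q = f"""SELECT rowid, "{col}" FROM "{table}" WHERE typeof("{col}")='blob'"""
            for rowid, data in con.execute(q):
                kind = next((k for m, k in SIGNATURES.items() if data.startswith(m)), "unknown")
                found.append((table, col, rowid, kind, len(data)))
    con.close()
    return found

def demo():
    """Build a constructed sample database, delete a large row, and run both checks on it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE attachments(name TEXT, body BLOB)")
    con.execute("INSERT INTO attachments VALUES (?, ?)", ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64))
    con.execute("INSERT INTO attachments VALUES (?, ?)", ("report.pdf", b"%PDF-1.7\n" + b"A" * 20000))
    con.commit()
    con.execute("DELETE FROM attachments WHERE name = 'report.pdf'")  # its overflow pages join the freelist
    con.commit()
    con.close()
    return parse_header(path), find_blobs(path)
```

Calling `demo()` returns a header with `freelist_pages` greater than zero, showing that the deleted PDF's pages were freed rather than overwritten, alongside the single surviving PNG blob. Tables declared WITHOUT ROWID have no `rowid` column and would need their primary key selected instead.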
