Course Objectives

Learn to use various applications and utilities to successfully identify, process, understand and exploit numerous database structures found on iOS, Android, Windows and Apple systems.

This course includes 40hrs of instruction. both theroetical and hands on and students will be provided with a manual and access to the student data used in class to enable them to continue their learning after the course has completed. Upon completion students will recieve a certificate of attendance detailing the CPE hours gained.

The Spyder Forensics training team provides multiple delivery methods for this course to enable us to meet your organization’s needs.

Students will gain knowledge in how relational databases function in the storage of records and fields of information to support a front-end application. SQLite will be covered in great detail where the attendee will learn how to recover deleted information from Free Pages and unallocated space within the primary and journal files using scripting techniques. Additional databases will then be examined including ESE, MS Compound, UAV Data-files, and Binary Plists.

Students will examine data from a host of systems including: Mac, Windows, Android, iPhone.

Subjects covered in the course include, Relational Database Fundamentals, an examination of the SQLite Databases, SQLite B-tree Pages, Overflow Pages, Freelist Pages and Rollback Journals, Write-Ahead Logs (WAL) and Database Schemas, SQLite Query Language, ESE Database Analysis and Other Data Structures.

Finally, at the end of the course to ensure that the student gains an idea of how their knowledge has progessed in this field there will be the opportunity to perform self paced examinations of various databases.

Primary Learning Objectives

Day 1 of the Spyder Forensics Advanced Applied Database Forensics course begins with an overview of the course along with an introduction to the Instructor.

We will then move onto the fundamentals of relational databases and will create a simple SQLite Database, which will enable us to look at the different files associated with them and also understand the main database file header.

Day 2 of the course will see the student looking at and learning how to navgate B-trees. Alongside this we will look at B-tree Table Leaf pages and investigate the methods needed to recover deleted records from freeblocks and page unallocated space.

Recovering deleted records is part of the forensic examiners armoury and during Day 3 of the course we will learn what possibilities there are of recovering deleted records.

We will also look at the importance of Rollback Journals and the relevence of them during an investigation.

Finally we will look at SQLite Write-Ahead logs and how they are used alson with their forensic relevance.

Day 4 of the Spyder Forensics Advanced Applied Database Forensics course deals with the SQLite database schema along with the basics of SQLite Query Language. Participants will gain information on how to decode the database scheme and learn how to construct querries in order to interrogate the database.

We will also look at Chromium SNAA Files and the way in which they can be used to uncover users browser history.

The concluding day of the course sees us looking at LevelDB’s along with ESE database analysis and will conclude with an examination of Apple Plist Files.

By the end of Day 5 students will be familiar with all the formats.