Advanced Applied Database Forensics

5 Days – 40Hrs

Cost: $2,995

Participants will receive

5-Days of Instruction
Course Manual
Practical Files
Attendance Certificate

Damien Attoe

Lead Developer

Before joining Spyder Forensics, Damien was a Managing Consultant at AccessData, where he managed eDiscovery and digital forensics projects and provided services to companies in various industries including the Health Care, Energy, and Financial industries. Prior to that, Damien was a Computer Crime Specialist at the National White Collar Crime Center, where he conducted digital forensic research and performed software validation studies on digital forensic software.

Course Objectives

Learn to use various applications and utilities to successfully identify, process, understand and exploit numerous database structures found on iOS, Android, Windows and Apple systems.

This course includes 40 hours of instruction, both theoretical and hands-on. Students will be provided with a manual and access to the student data used in class so that they can continue their learning after the course has completed. Upon completion students will receive a certificate of attendance detailing the CPE hours gained.

The Spyder Forensics training team provides multiple delivery methods for this course to enable us to meet your organization’s needs.

Students will gain knowledge in how relational databases function in the storage of records and fields of information to support a front-end application. SQLite will be covered in great detail where the attendee will learn how to recover deleted information from Free Pages and unallocated space within the primary and journal files using scripting techniques. Additional databases will then be examined including ESE, MS Compound, UAV Data-files, and Binary Plists.

Students will examine data from a host of systems including: Mac, Windows, Android, iPhone.

Subjects covered in the course include Relational Database Fundamentals, an examination of SQLite Databases, SQLite B-tree Pages, Overflow Pages, Freelist Pages and Rollback Journals, Write-Ahead Logs (WAL) and Database Schemas, SQLite Query Language, ESE Database Analysis and Other Data Structures.

Finally, at the end of the course, to ensure that students gain an idea of how their knowledge has progressed in this field, there will be the opportunity to perform self-paced examinations of various databases.

Primary Learning Objectives

Advanced Applied Database Forensics - Day 1

Day 1 of the Spyder Forensics Advanced Applied Database Forensics course begins with an overview of the course along with an introduction to the Instructor.

We will then move on to the fundamentals of relational databases and will create a simple SQLite Database, which will enable us to look at the different files associated with them and also understand the main database file header.

During this module we will discuss the fundamentals of relational databases.

At the conclusion of this module, we will be familiar with what a relational database is, and the different terms used to describe components or actions taken on a database.

• Discuss relational database concepts
• Learn about relationships between different database tables
• Gain an understanding of Database Terminology
• Hands on Exercise – Creating and Populating an SQLite database

Instructor Led Lab

• Creating a simple SQLite Database
• Gain an understanding of table relationships

Instructor Led Lab

Examination of the SQLite Databases

• Examining the SQLite Main database file header

During this module we will introduce the SQLite Database format and discuss the main database file header.

At the conclusion of this module, you will be familiar with the different files associated with an SQLite Database, the different SQLite page types, and understand the structure of the main database file header.

• SQLite Overview
• Introduction to SQLite data files
• Main Database File
  • Discuss different SQLite page types
  • Explore the main database file header

Advanced Applied Database Forensics - Day 2

Day 2 of the course will see the student looking at and learning how to navigate B-trees. Alongside this we will look at B-tree Table Leaf pages and investigate the methods needed to recover deleted records from freeblocks and page unallocated space.

During this module we will discuss SQLite B-tree page structures and how to navigate the B-Trees.

At the conclusion of this module, you will understand the general structure of an SQLite B-Tree page and how to identify which pages belong to a particular B-Tree.

• Introduction to SQLite B-Trees
• Explore SQLite B-Tree Page Structures
  • Define Page Header
  • Learn How to Interpret the Cell Pointer Array
  • Understand Page Unallocated Space
• Navigating SQLite B-Trees
  • Table Interior Page Cell Structures
  • Introduction to Decoding Varints

Instructor Led Lab

Navigating SQLite B-trees

• Decoding SQLite B-trees

Instructor Led Lab

SQLite B-Tree Pages

• Decoding SQLite B-tree table leaf pages
• Recovering Deleted records from freeblocks and page unallocated space

During this module we will deep dive into SQLite B-tree Table Leaf pages.

At the conclusion of this module, you will be familiar with the structure of a B-Tree Table leaf page and how to decode it.

• Exploring the structure of SQLite B-Tree Table Leaf Pages
  • Define Page Header
  • Learn How to Interpret the Cell Pointer Array
  • Examine Page Unallocated Space
  • Map Cell Content Area
    • Introduction to Decoding Cells
  • Explore Freeblocks
• Understand the concept of Secure_Delete
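As an added illustration of the Day 1 and Day 2 material (this is example code written for this page, not part of the course or its student data), the following Python script builds a small SQLite database and then reads the file back byte by byte: it decodes the 100-byte main database file header, walks a table b-tree leaf page through its page header and cell pointer array, decodes each live cell (varints, record header, column values), and follows the freeblock chain to recover the residue of a deleted row. The table, its rows and the file name are constructed for the example; secure_delete is switched off deliberately so the deleted cell's bytes survive inside the freeblock, which is exactly what the Secure_Delete topic is about.

```python
import os
import sqlite3
import struct
import tempfile

FIXED_SIZES = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 7: 8}   # fixed-width serial types; 7 = float

def read_varint(buf, pos):
    """Decode a big-endian SQLite varint at buf[pos]; return (value, next_pos)."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9   # a 9th byte contributes all 8 bits

def parse_file_header(data):
    """Forensically useful fields of the 100-byte main database file header."""
    page_size = struct.unpack(">H", data[16:18])[0]
    return {"magic": data[0:16],                                  # b"SQLite format 3\x00"
            "page_size": 65536 if page_size == 1 else page_size,  # the value 1 means 65536
            "write_version": data[18],                            # 1 = rollback journal, 2 = WAL
            "freelist_trunk": struct.unpack(">I", data[32:36])[0],
            "freelist_count": struct.unpack(">I", data[36:40])[0],
            "schema_cookie": struct.unpack(">I", data[40:44])[0],
            "text_encoding": struct.unpack(">I", data[56:60])[0]}  # 1 = UTF-8

def decode_record(payload):
    """Decode a record: a header listing serial types, then the column bodies in order."""
    hdr_len, pos = read_varint(payload, 0)
    types = []
    while pos < hdr_len:
        t, pos = read_varint(payload, pos)
        types.append(t)
    values = []
    for t in types:
        if t == 0:
            values.append(None)        # NULL; also how an INTEGER PRIMARY KEY column is stored
        elif t in (8, 9):
            values.append(t - 8)       # the constants 0 and 1
        else:
            size = FIXED_SIZES[t] if t < 12 else (t - 12) // 2   # >= 12: even = BLOB, odd = TEXT
            raw = payload[pos:pos + size]
            pos += size
            if t == 7:
                values.append(struct.unpack(">d", raw)[0])
            elif t < 12:
                values.append(int.from_bytes(raw, "big", signed=True))
            else:
                values.append(raw if t % 2 == 0 else raw.decode("utf-8", "replace"))
    return values

def parse_table_leaf(data, page_size, page_no):
    """Walk one table b-tree leaf page: header, cell pointer array, live cells, freeblocks."""
    base = (page_no - 1) * page_size
    hdr = base + (100 if page_no == 1 else 0)            # page 1 starts after the file header
    assert data[hdr] == 0x0D, "not a table leaf page"
    first_freeblock, n_cells, content_start = struct.unpack(">HHH", data[hdr + 1:hdr + 7])
    live = []
    for i in range(n_cells):
        pos = base + struct.unpack(">H", data[hdr + 8 + 2 * i:hdr + 10 + 2 * i])[0]
        payload_len, pos = read_varint(data, pos)
        rowid, pos = read_varint(data, pos)
        # Records too big for the page spill onto overflow pages; only fully local records here.
        live.append({"rowid": rowid, "values": decode_record(data[pos:pos + payload_len])})
    freeblocks, off = [], first_freeblock
    while off:   # chain of freed cell space: 2-byte next pointer, 2-byte size, then old bytes
        nxt, size = struct.unpack(">HH", data[base + off:base + off + 4])
        freeblocks.append({"offset": off, "size": size, "residue": data[base + off + 4:base + off + size]})
        off = nxt
    return {"cells": n_cells, "content_start": content_start, "live": live, "freeblocks": freeblocks}

def build_sample_db(path):
    """Constructed sample: three rows, then the middle one deleted; returns the table's root page."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA page_size = 4096")
    conn.execute("PRAGMA secure_delete = OFF")    # keep the old cell bytes inside the freeblock
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?)",
                     [(1, "first message"), (2, "second message"), (3, "third message")])
    conn.execute("DELETE FROM messages WHERE id = 2")
    conn.commit()
    root = conn.execute("SELECT rootpage FROM sqlite_master WHERE name = 'messages'").fetchone()[0]
    conn.close()
    return root

def examine_sample():
    """Build the sample database and read it back with the raw parsers above."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        root = build_sample_db(path)
        with open(path, "rb") as f:
            data = f.read()
    header = parse_file_header(data)
    return header, parse_table_leaf(data, header["page_size"], root)

if __name__ == "__main__":
    header, page = examine_sample()
    print(header)
    print(page["live"], page["freeblocks"])
```

Running the script prints the header fields, the two surviving rows (rowids 1 and 3) and one freeblock. The freeblock's first four bytes are overwritten by its next-pointer and size, so the start of the deleted cell (payload length, rowid and the beginning of the record header) is gone and only the remainder, here the serial type byte and the body text, can be carved from the residue. With secure_delete on, the residue would be zeroed and only the freeblock header would remain.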

Advanced Applied Database Forensics - Day 3

Recovering deleted records is part of the forensic examiner's armoury, and during Day 3 of the course we will learn what possibilities there are for recovering deleted records.

We will also look at the importance of Rollback Journals and their relevance during an investigation.

Finally we will look at SQLite Write-Ahead Logs, how they are used, and their forensic relevance.

Instructor Led Lab

SQLite Overflow Pages & Freelist Pages

• Decoding SQLite Overflow Pages
• Identifying Freelist Pages in the database

This module will focus on Overflow Pages and Freelist Pages.

At the conclusion of this module students will understand how Overflow Pages and Freelist Pages are used in SQLite databases and the possibilities for recovering deleted records.

• Learn how Overflow Pages are used
  • Explore Overflow page structure
• Learn how to identify Freelist Pages in the database
• Explore the Freelist Trunk page structure
• Discuss the importance of Freelist Pages in an Investigation

During this module we will be learning about how SQLite Rollback Journals work.

At the conclusion of this module students will understand how Rollback Journals are used in SQLite databases and their forensic relevance during an investigation.

• Learn how SQLite Rollback Journals Work
• Examine the File Structure
• Understand the Forensic Relevance of Rollback Journals

Instructor Led Lab

SQLite Rollback Journals

• Examining Page Records in an SQLite Rollback Journal

Instructor Led Lab

SQLite Write-Ahead Logs

• Examining Frames in an SQLite Write-Ahead Log

During this module we will be learning about how SQLite Write-Ahead Logs work.

At the conclusion of this module students will understand how Write-Ahead Logs are used in SQLite databases and their forensic relevance during an investigation.

• Learn how SQLite Write-Ahead Logs Work
• Examine the File Structure
• Understand the Forensic Relevance of Write-Ahead Logs
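As an added example for the Write-Ahead Log module (written for this page, not course material), the script below parses a WAL file the way SQLite's own recovery does: the 32-byte WAL header, then each 24-byte frame header and its page image, checking the salt values and the running checksum that chains from the header through every earlier frame. Frames that fail the check are stale leftovers from an older WAL generation, and frames after the last valid commit frame belong to an uncommitted transaction; both are excluded when the script maps page numbers to the frames holding their successive versions. The database, table and rows are constructed for the example, and the WAL is read before the connection closes because closing checkpoints it and removes the file.

```python
import os
import sqlite3
import struct
import tempfile

WAL_MAGIC_LE, WAL_MAGIC_BE = 0x377F0682, 0x377F0683   # low bit selects the checksum byte order

def wal_checksum(chunk, endian, s0=0, s1=0):
    """SQLite WAL checksum: a pair of 32-bit sums over 8-byte words, continued from (s0, s1)."""
    for i in range(0, len(chunk), 8):
        x0, x1 = struct.unpack(endian + "II", chunk[i:i + 8])
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1

def parse_wal(wal):
    """Parse a WAL file into its 32-byte header and a list of frames, validating each frame."""
    magic, version, page_size, ckpt_seq, salt1, salt2, ck1, ck2 = struct.unpack(">8I", wal[:32])
    if magic not in (WAL_MAGIC_LE, WAL_MAGIC_BE):
        raise ValueError("not a WAL file")
    endian = "<" if magic == WAL_MAGIC_LE else ">"
    header = {"version": version, "page_size": page_size, "checkpoint_seq": ckpt_seq,
              "salt": (salt1, salt2),
              "checksum_ok": wal_checksum(wal[:24], endian) == (ck1, ck2)}
    frames, running, pos = [], (ck1, ck2), 32
    while pos + 24 + page_size <= len(wal):
        pgno, commit_size, fs1, fs2, fc1, fc2 = struct.unpack(">6I", wal[pos:pos + 24])
        page = wal[pos + 24:pos + 24 + page_size]
        # The checksum covers the first 8 header bytes plus the page image and chains from the
        # previous frame; a stale salt or a broken chain means an older, superseded WAL frame.
        running = wal_checksum(wal[pos:pos + 8] + page, endian, *running)
        valid = (fs1, fs2) == (salt1, salt2) and running == (fc1, fc2)
        frames.append({"index": len(frames), "page": pgno, "commit_size": commit_size,
                       "is_commit": commit_size != 0, "valid": valid, "data": page})
        if not valid:
            break   # SQLite ignores everything from the first invalid frame onwards
        pos += 24 + page_size
    return header, frames

def committed_versions(frames):
    """Map page number -> indexes of frames holding a version of it, up to the last valid commit."""
    commits = [f["index"] for f in frames if f["valid"] and f["is_commit"]]
    versions = {}
    for f in frames:
        if commits and f["index"] <= commits[-1]:
            versions.setdefault(f["page"], []).append(f["index"])
    return versions

def find_frame(frames, needle):
    """Index of the first frame whose page image contains the given bytes, or None."""
    for f in frames:
        if needle in f["data"]:
            return f["index"]
    return None

def build_sample_wal():
    """Constructed sample: a WAL-mode database with one row inserted and then updated."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA page_size = 4096")
        conn.execute("PRAGMA locking_mode = EXCLUSIVE")   # WAL without a shared-memory -shm file
        conn.execute("PRAGMA journal_mode = WAL")
        conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO notes VALUES (1, 'draft one')")
        conn.commit()
        conn.execute("UPDATE notes SET body = 'draft two' WHERE id = 1")
        conn.commit()
        with open(path + "-wal", "rb") as f:   # read before close: closing checkpoints the WAL away
            wal = f.read()
        conn.close()
    return wal

if __name__ == "__main__":
    header, frames = parse_wal(build_sample_wal())
    print(header)
    for f in frames:
        print("frame %d: page %d commit=%s valid=%s" % (f["index"], f["page"], f["is_commit"], f["valid"]))
    print(committed_versions(frames))
```

The output shows the table's root page appearing in more than one valid frame: the frame written by the INSERT still holds the row as 'draft one' after the UPDATE has written a newer image with 'draft two', which is why an un-checkpointed WAL can hand an examiner earlier versions of a page that the main database file no longer contains.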

Advanced Applied Database Forensics - Day 4

Day 4 of the Spyder Forensics Advanced Applied Database Forensics course deals with the SQLite database schema along with the basics of SQLite Query Language. Participants will learn how to decode the database schema and how to construct queries in order to interrogate the database.

We will also look at Chromium SNSS Files and the way in which they can be used to uncover users' browser history.

During this module we will explore the SQLite database schema and how it can be used to gain an understanding of the relationships between tables and what type of data can be stored in the database.

At the conclusion of this module students will gain the knowledge to decode the database schema to aid in the construction of queries to interrogate the database.

• Explore the Database Schema
  • Structure of Tables
  • Identify Constraints
  • SQLite Indexes
  • Database Triggers
  • SQLite Views

Instructor Led Lab

SQLite Database Schema

• Exploring the database schema

Instructor Led Lab

SQLite Query Language

• Interrogating the Mozilla Thunderbird Global-Message-db SQLite Database

During this module we will go over the basics of SQLite Query Language to extract relevant data from an SQLite database.

At the conclusion of this module students will gain the knowledge to decode the database schema to aid in the construction of queries to interrogate the database.

• Introduction to SQLite Query Language
• Construct queries to interrogate database tables
• Learn how to join tables to create more robust reports
• Converting DateTime Stamps
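As an added example for the SQLite Query Language module (written for this page; the schema is constructed and is not the Thunderbird database used in class), the script below builds a two-table database in memory and runs one reporting query that joins the tables and converts three timestamp encodings commonly met in application databases: Unix seconds, Chrome/WebKit microseconds since 1601, and Apple absolute time in seconds since 2001. Each sample row stores the same instant in all three forms, so the converted columns must agree. One message references a contact that does not exist; the LEFT JOIN keeps it, and a companion query shows that a plain JOIN would drop it from the report.

```python
import sqlite3

# Constructed sample schema and rows (not a real application's database).
SCHEMA = """
CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE messages(
    id INTEGER PRIMARY KEY,
    contact_id INTEGER,       -- no enforced foreign key: orphan references do occur in real artifacts
    sent_unix INTEGER,        -- seconds since 1970-01-01 (Unix epoch)
    sent_webkit INTEGER,      -- microseconds since 1601-01-01 (Chrome/WebKit)
    sent_mac REAL,            -- seconds since 2001-01-01 (Apple absolute / Cocoa time)
    body TEXT);
"""
CONTACTS = [(1, "alice"), (2, "bob")]
MESSAGES = [
    (1, 1, 1609459200, 13253932800000000, 631152000.0, "happy new year"),
    (2, 2, 1700000000, 13344473600000000, 721692800.0, "meeting moved"),
    (3, 9, 1678307200, 13322780800000000, 700000000.0, "sender unknown"),  # contact 9 does not exist
]

# 11644473600 = seconds from 1601-01-01 to 1970-01-01; 978307200 = seconds from 1970-01-01 to 2001-01-01.
REPORT_QUERY = """
SELECT m.id,
       c.name,
       datetime(m.sent_unix, 'unixepoch')                            AS unix_utc,
       datetime(m.sent_webkit / 1000000 - 11644473600, 'unixepoch')  AS webkit_utc,
       datetime(m.sent_mac + 978307200, 'unixepoch')                 AS mac_utc,
       m.body
FROM messages AS m
LEFT JOIN contacts AS c ON c.id = m.contact_id   -- LEFT JOIN keeps messages whose contact row is missing
ORDER BY m.sent_unix;
"""

def load_sample():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", CONTACTS)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?, ?)", MESSAGES)
    conn.commit()
    return conn

def run_report(conn=None):
    """Run the join-and-convert report; rows are (id, name, unix_utc, webkit_utc, mac_utc, body)."""
    conn = conn or load_sample()
    return conn.execute(REPORT_QUERY).fetchall()

def inner_join_count(conn=None):
    """Row count of the same join written as an INNER JOIN: the orphan message silently disappears."""
    conn = conn or load_sample()
    return conn.execute(
        "SELECT count(*) FROM messages AS m JOIN contacts AS c ON c.id = m.contact_id").fetchone()[0]

if __name__ == "__main__":
    for row in run_report():
        print(row)
    print("rows with INNER JOIN:", inner_join_count())
```

The WebKit conversion uses integer division, which truncates sub-second precision; divide by 1000000.0 instead when the fraction matters. All three outputs are UTC because 'unixepoch' does not apply a time zone; add the 'localtime' modifier only when the examination machine's zone is the one wanted.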

During this module we will cover Chromium SNSS Files as an artifact that can be used to uncover users' browsing history.

At the conclusion of this module students will understand the purpose of Chromium Session files and how to decode them.

• Introduction to Chromium Session Files
• Exploring the Structure of SNSS Files

Instructor Led Lab

Chromium SNSS Files

• Examining Chromium SNSS Files

Advanced Applied Database Forensics - Day 5

The concluding day of the course sees us looking at LevelDBs along with ESE database analysis, and will conclude with an examination of Apple Plist Files.

By the end of Day 5 students will be familiar with all the formats.

Instructor Led Lab

LevelDB Analysis

• Examining Bitpay App LevelDB
• Examining Trezor Suite LevelDB

During this module we will discuss analysis of LevelDBs.

At the conclusion of this module students will understand how LevelDBs work and how to analyze them.

• Introduction to LevelDBs
• How LevelDBs work
• Examining LevelDBs

During this module we will be reviewing the default mail application on a Windows 10 system and the challenges of forensic analysis.

At the conclusion of this module students will be familiar with ESE database formats and how to examine them.

• Discuss the Extensible Storage Engine Database structure
• Review typical implementation of the ESE data files
• Windows Mail
• Windows Search database

Instructor Led Lab

ESE Database analysis

• Exercises in the analysis of the Windows 11 Mail Unistore database
• Exercises in the analysis of the Windows Search database

Instructor Led Lab

Apple PList Files

• Examining Binary Plists

During this module we will examine Apple Plist Files.

At the conclusion of this module students will be familiar with Apple Plist files.

• Introduction to Plist Files
• Review of HTML/JSON Plist Files
• Decoding Binary Plists
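As an added example for the Binary Plist module (written for this page, not course material), the script below decodes a bplist00 file by hand rather than through a library: it reads the 32-byte trailer to find the offset table, resolves every object by its marker byte (null and booleans, sized integers and reals, dates as seconds since 2001, data, ASCII and UTF-16BE strings, UIDs, arrays and dictionaries of object references) and returns the top object as Python values. The sample property list is constructed for the example, and plistlib is used only to produce its bytes; the values were chosen so that the extended length form, a negative 8-byte integer and a non-ASCII string are all exercised.

```python
import plistlib
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # bplist dates count seconds from here

# Constructed sample property list; plistlib only supplies the bytes, the parsing below is manual.
SAMPLE = {
    "bundle_id": "com.example.longname.app",   # 24 chars: needs the extended length form
    "launch_count": 42,
    "delta": -7,                               # negative ints are written as 8-byte signed
    "last_opened": datetime(2021, 1, 1),
    "ratio": 0.5,
    "enabled": True,
    "token": b"\x00\x01\x02",
    "title": "caf\u00e9",                      # non-ASCII: stored as UTF-16BE (0x6X marker)
    "history": ["a", 2, False],
}
SAMPLE_BPLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

def parse_bplist(data):
    """Decode a binary plist from its trailer, offset table and object markers."""
    if data[:8] != b"bplist00":
        raise ValueError("not a bplist00 file")
    # 32-byte trailer: 6 unused bytes, offset int size, object ref size, object count,
    # index of the top object, and the file offset of the offset table.
    off_size, ref_size, n_objects, top, table_off = struct.unpack(">6xBBQQQ", data[-32:])
    offsets = [int.from_bytes(data[table_off + i * off_size:table_off + (i + 1) * off_size], "big")
               for i in range(n_objects)]

    def read_int(pos, size, signed=False):
        return int.from_bytes(data[pos:pos + size], "big", signed=signed)

    def read_count(pos, marker):
        # Low nibble is the count unless it is 0xF, in which case an int object follows.
        n, pos = marker & 0x0F, pos + 1
        if n == 0x0F:
            size = 1 << (data[pos] & 0x0F)
            n, pos = read_int(pos + 1, size), pos + 1 + size
        return n, pos

    def refs(pos, n):
        return [read_int(pos + i * ref_size, ref_size) for i in range(n)]

    def read_object(index):
        pos = offsets[index]
        marker, kind, low = data[pos], data[pos] >> 4, data[pos] & 0x0F
        if marker in (0x00, 0x08, 0x09):
            return {0x00: None, 0x08: False, 0x09: True}[marker]
        if kind == 0x1:                      # int of 2**low bytes; 8-byte ints are signed
            return read_int(pos + 1, 1 << low, signed=(low == 3))
        if kind == 0x2:                      # real: 4-byte float or 8-byte double
            return struct.unpack(">f" if low == 2 else ">d", data[pos + 1:pos + 1 + (1 << low)])[0]
        if marker == 0x33:                   # date: double seconds since 2001-01-01 UTC
            return MAC_EPOCH + timedelta(seconds=struct.unpack(">d", data[pos + 1:pos + 9])[0])
        if kind in (0x4, 0x5, 0x6):          # data, ASCII string, UTF-16BE string
            n, pos = read_count(pos, marker)
            if kind == 0x4:
                return data[pos:pos + n]
            if kind == 0x5:
                return data[pos:pos + n].decode("ascii")
            return data[pos:pos + 2 * n].decode("utf-16-be")   # count is in UTF-16 code units
        if kind == 0x8:                      # UID (NSKeyedArchiver reference), low + 1 bytes
            return ("UID", read_int(pos + 1, low + 1))
        if kind == 0xA:                      # array: n object refs
            n, pos = read_count(pos, marker)
            return [read_object(r) for r in refs(pos, n)]
        if kind == 0xD:                      # dict: n key refs followed by n value refs
            n, pos = read_count(pos, marker)
            keys, vals = refs(pos, n), refs(pos + n * ref_size, n)
            return {read_object(k): read_object(v) for k, v in zip(keys, vals)}
        raise ValueError("unsupported marker 0x%02x at offset %d" % (marker, pos))

    return read_object(top)

if __name__ == "__main__":
    print(parse_bplist(SAMPLE_BPLIST))
```

Running the script prints the dictionary back with the date as an aware UTC datetime. Real NSKeyedArchiver plists (the usual source of UID markers) nest a second object graph inside the $objects array, which this decoder surfaces as ("UID", n) tuples for the examiner to follow by hand; set markers (0xC) and 16-byte integers are not handled.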