Monthly Archives: October 2013

Belkasoft Evidence Center Reads Cleared Skype Logs and iPhone Messages, Analyzes Destroyed SQLite Records

As you may already know, we have recently updated our flagship forensic product, Belkasoft Evidence Center 2013. The new release added a bunch of new major features. In this article we’re about to speak about one feature in more detail: the newly added fully native SQLite processing.

Native SQLite processing was barely mentioned in the official press-release. I wrote a few lines about it in the “What’s New” section. But what does this feature really mean for an investigator?

Native SQLite processing adds quite a bit of power to any investigation. Native SQLite support allows investigators to analyze destroyed SQLite databases – such as those that were deleted by the suspect and then recovered with file carving. In addition, freelist support allows accessing records that were deleted from SQLite databases. This includes logs and history files produced by Skype, as well as many iOS applications such as call log, messages including iMessage, and so on. Multiple Windows, Mac OS X, iOS and Android applications are using SQLite format to keep their communication history logs. Therefore, the ability to recover deleted records from cleared SQLite databases becomes essential for any investigation involving the analysis of suspects’ online communications. Continue reading