Belkasoft Evidence Center Reads Cleared Skype Logs and iPhone Messages, Analyzes Destroyed SQLite Records

As you may already know, we have recently updated our flagship forensic product, Belkasoft Evidence Center 2013. The new release added a bunch of new major features. In this article we’re about to speak about one feature in more detail: the newly added fully native SQLite processing.

Native SQLite processing was barely mentioned in the official press-release. I wrote a few lines about it in the “What’s New” section. But what does this feature really mean for an investigator?

Native SQLite processing adds quite a bit of power to any investigation. Native SQLite support allows investigators to analyze destroyed SQLite databases – such as those that were deleted by the suspect and then recovered with file carving. In addition, freelist support allows accessing records that were deleted from SQLite databases. This includes logs and history files produced by Skype, as well as many iOS applications such as call log, messages including iMessage, and so on. Multiple Windows, Mac OS X, iOS and Android applications are using SQLite format to keep their communication history logs. Therefore, the ability to recover deleted records from cleared SQLite databases becomes essential for any investigation involving the analysis of suspects’ online communications.

Recovering Deleted Skype Logs

As you may already know, all versions of Skype going several years back keep their data in a database in SQLite format. Skype history logs contain everything about the user’s communications. Skype logs contain information on date and time of each conversation, record message content, as well as nicknames and IP addresses of remote parties. When investigating online crime, results of Skype log analysis may become important evidence.

Suspects routinely delete their conversation histories by clearing Skype logs. However, for performance reasons, SQLite does not wipe or erase records immediately. Deleted records end up in a special area, the so-called ‘freelist’. Freelists may contain records that were deleted a long time ago. Analyzing freelists gives investigators another chance to recover essential evidence.

With newly added native SQLite processing with freelist support, Belkasoft Evidence Center 2013 is able to retrieve deleted records from the freelist area, restoring evidence from cleared log files.

Restoring Destroyed iPhone Call Logs, Messages and Address Books

In Apple iOS architecture, many things are kept in SQLite databases. This includes call logs, address books, and message archives, which in turn contain all text messages (SMS) and iMessages sent and received with the device. If the suspect clears one or more of these logs, recovering evidence from these SQLite databases becomes extremely difficult. Only a few (expensive) tools can access deleted records stored in the ‘freelist’ area.

Belkasoft Evidence Center can successfully read freelist areas, extracting information about calls, messages, appointments, organizer items and contacts that was deleted by the suspect.

Accessing Deleted Database Records

Belkasoft Evidence Center 2013 now uses fully native code to parse the content of SQLite databases.

The components were developed from the scratch specifically for digital forensic purposes. Commonly available SQLite libraries are optimized for high performance under heavy load. In comparison, Belkasoft native components are optimized for in-depth comprehensive analysis of SQLite databases, specifically targeting databases that the suspect attempted to destroy. Targeting corrupted, badly damaged or incomplete SQLite databases, Belkasoft Evidence Center 2013 allows investigators extracting more valuable evidence out of log and history files produced by many popular applications.

Get Free Trial

Interested in trying the new feature? Get the free trial version of Belkasoft Evidence Center at http://belkasoft.com/trial

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: