CCL-Forensics has written and shared a comprehensive article about the forensic opportunities of a new feature of the popular SQLite database format.

Alex Caithness from the company's R&D team (who has been heavily involved in SQLite forensics and the creation of CCL-Forensics' SQLite analysis tool epilog) has blogged the implications – both pitfalls and opportunities – of the "Write Ahead Log".

The full blog can be read here, and it explores - in depth - the new opportunities surrounding SQLite which is used extensively on desktop and mobile operating systems. It is a standard storage format on both Android and iOS devices.

For more information on this – or any other aspect of CCL-Forensics' research and development function, please contact us at research@ccl-forensics.com or on +44 1789 261200

The monthly cell site blog is back – and this month, we’ll be looking at what makes for an high impact piece of cell site evidence in court, as well as how going that extra mile at the outset of a cell site investigation can, in the long run, save time, money and bring your case to a speedier, more positive conclusion.

A significant step forward has been made in improving the quality of computer and phone forensics, with the awarding of a Government-recommended standard to CCL-Forensics – the UK’s largest dedicated provider of digital forensic services.

The company, which also develops innovative forensic software products, has become the first of its kind to be awarded the coveted ISO17025 standard for both its computer and mobile phone forensic labs.

A new version of our popular SQLite forensics tool epilog has been released.  v1.1.1 includes a host of new features including a database rebuilder, WAL file parsing and new expot modes.

As anyone who has examined an iOS device (or an OSX device for that matter) will know, property list files are a major source of potential evidence. Being one of the main data storage formats they might contain anything from configuration details to browsing history to chat logs.

Absence of evidence is not necessarily evidence of absence... 

In what is probably the first published and peer-reviewed research paper of its kind, the title of this blog is, essentially, what I and my colleagues have argued.

Digital Investigation Journal has published our research in its December 2011 edition under the title: "Historic cell site analysis – Overview of principles and survey methodologies". In the paper, we make a number of scientifically-justified recommendations on how cell site analysis surveys should be carried out.

In a previous blog post we described a method to retrieve an Android pattern lock from the raw flash of a device. However, since version 2.2 (known as “Froyo”) Android has provided the option of a more traditional numeric PIN or alphanumeric password (both are required to be 4 to 16 digits or characters in length) as an alternative security measure.

What do you do if you have to examine an Android device which has a pattern lock enabled, but USB debugging is not initialised?

If a physical level acquisition can be performed, our technique can be used to retrieve the lock pattern from the device

The R&D team at CCL-Forensics are a busy bunch. Over the past couple of years, they’ve developed a number of forensic software tools to examine the evidence that standard tools can’t reach.

There are still a handful of places remaining on our popular "responding to computer misuse" training course in February.