Software Epilog (SQLite analysis tool)

epilog (SQLite forensic tool)

e without dropWelcome to epilog - a software tool which allows investigators to recover deleted data from the widely-used database format, SQLite.

Without epilog, you could be missing out on potentially valuable evidence.

epilog with word

Without epilog, you could be missing out on valuable evidence

Many devices (whether mobile phones, computers, sat navs or other devices) store data in the SQLite database format.

Data stored in this type of database can provide a huge evidential opportunity for investigators.

Many "off-the-shelf" tools can be used to view the live records in the database, but epilog from CCL-Forensics extracts deleted and de-referenced data from the database files or across a disc image or hex dump.

epilog’s three recovery algorithms can be used on any SQLite database, regardless of the type of data stored. However, epilog signatures can be used to tailor its behaviour towards a particular database. Built in to the initial release of epilog are signatures including:

    • Android (SMS, call logs, calendars, address book and others)
    • iPhone (SMS, emails, calendar, and others)
    • Smartphone third party applications (including Yahoo Messenger, eBuddy chat and others)
    • Safari (internet history and cache and others)
    • Mozilla (cookies, internet history, form data and others)
    • Chrome (internet history)

Why use epilog?

Put simply, it gives you access to more data which could prove crucial in an investigation. SQLite is so widely used that, without epilog, you could be missing out on crucial data. For example, in a recent case handled by CCL-Forensics, epilog recovered and presented nearly 5,000 entries from a smartphone’s web cache, where there were only 400 live (visible) entries.

Watch epilog videos

Watch our series of brief videos to find out more about specific features of epilog.  

Video 1: epilog overview  

                                  Video 2: epilog chat-log recovery

                                  Video 3: SMS from JTAG images

Or view our epilog YouTube playlist here.

Features

Current version: Epilog v1.1.1

  • epilog presents deleted data contained in SQLite databases
  • epilog uses three different algorithms in order to recover and rebuild deleted records
  • epilog analyses SQLite data recovered records and matches them to a table in the live database files
  • epilog works on live and deleted database files, the temporary “journal files” which are generated during a database operation and across a disc image or hex dump
  • epilog enables the user to save a single field to file, or batch export multiple “blob” (binary files) fields from the recovered records for further analysis
  • epilog allows the user to generate “insert statements” from recovered records in order to facilitate the restoration of deleted records into a live database
  • Once purchased, new signatures, updates and bug fixes are provided for the current version of epilog

What's new in v1.1.1?

Database Rebuilder: Epilog 1.1 brings an integrated solution for rebuilding recovered records into a copy of the live database so that deleted data can be parsed or processed with tools and scripts meant only to operate on live data! Allows the user to choose whether to include the current live records, options to disable triggers and remove constraints from the database schema to tailor the rebuilding.

WAL File Parsing: Version 3.7 of the SQLite library introduced a new journal format called "Write Ahead Log" or "WAL". WAL differs from the traditional journal mechanism as, rather than backing up data that is to be changed to a rollback journal as a back-up WAL instead writes new data into a separate file when specifically requested by the database engine. Throughout a database's lifetime SQLite continues to use the same file without ever truncating the file so it is quite possible to find deleted or previous versions of rows present in the WAL file.

Raw Data Search: The requirement for an "associated database" (which could often be difficult to track down) has been removed, instead the user can provide the database page size and text encoding manually. Extra options for improving results when reading from raw dumps from flash chips have been added.

Signature Search: The signature search algorithm has been improved to remove the need for "In the case of multiple concurrent deletion" signatures.

Truncated records: Epilog now marks records that have been recovered but which are truncated in grey allowing the user to make more informed decisions about the data.

New Export Modes: Epilog now allows you to output to a flat tab separated values (tsv) file. Additionally the "INSERT export" has been overhauled to make it more convenient to use.

Database and Table Details: What was formally the "Table Analysis" feature has been upgraded to "Database and Table Details" and now reports further information regarding the database structure and parameters.

System requirements

epilog requires the following minimum specifications:

  • Windows XP, Vista or Windows 7
  • .NET runtime 3.5
  • local admin priviliges

Signature files

The following signature files are available to use with epilog and are available for separate download.  Further signature files will be developed over time, and will be made available for free download. Current set of signatures updated: April 2nd 2012.download_signatures_button

  • Android (includes calls, contacts, SMS messages, HTC email messages)
  • iPhone - NEW! covering iOS5 (includes calls, contacts, SMS messages, email, third party chat history)
  • PC browsers (Artefacts from Chrome, Firefox, Safari)
  • and more
Please also feel free to contact us at epilog@ccl-forensics.com with a sample database and we'll endeavour to add support in a future release.

Training

Training is provided at CCL-Forensics' laboratory in Warwickshire, UK, at a cost of 250.00 GBP per delegate. On-site training can be provided depending on attendee numbers. Please contact epilog@ccl-forensics.com for more information. Duration of course: 1 day.

Download/buy

epilog is available for instant download and a licence key for epilog is available for purchase. Payment is made by credit card using PayPal. Please choose your option below.

Epilog (v1.1.1) Setup file:  (Updated 2nd April 2012)

Individual licence:
Provides unlimited use of EPILOG on one nominated computer.
250.00 GBP

Site licence:
Unlimited use of EPILOG for multiple users at a single location
1250.00 GBP

For pricing for a corporate-wide licence, please email epilog@ccl-forensics.com.