Forensic Operations for Recognizing SQLite Content (FORC): An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices

Abstract

Mobile forensics is crucial in reconstructing various everyday activities accomplished through mobile applications during an investigation. Manual analysis can be tedious, time-consuming, and error-prone. This study introduces an automated tool called Forensic Operations for Recognizing SQLite Content (FORC), specifically designed for Android, to extract Simple Query Language Table Database Lightweight (SQLite) evidence. SQLite is a library that serves as a container for mobile application data, employing a zero-configuration, serverless, self-contained, and transactional SQL database engine. While some SQLite files possess extensions such as .db, .db3, .sqlite, and .sqlit3, others have none. The lack of file extensions may result in missing evidence that could unveil the truth. The proposed tool utilizes both the file extensions and headers of the SQLite data to recognize and identify SQLite data generated or modified by a mobile application. The FORC tool’s capability was evaluated using the Chrome application as a case study, and a comparison between FORC and other tools was conducted. The results suggest that FORC significantly simplifies mobile forensic analysis.