Contact us if you need this. SQLite database file forensic tool: supports fragment recovery, loading a table schema from a database with the same structure, temporary files, extracting records from journal (log) files, recovering deleted records, recovering deleted tables, and more. The detailed description follows:
Without epilog, you could be missing out on valuable evidence.
Many devices (whether mobile phones, computers, sat navs or other devices) store data in the SQLite database format.
Data stored in this type of database can provide a huge evidential opportunity for investigators.
Many “off-the-shelf” tools can be used to view the live records in the database, but epilog from CCL extracts deleted and de-referenced data from the database files or across a disc image or hex dump.
epilog’s three recovery algorithms can be used on any SQLite database, regardless of the type of data stored. However, epilog signatures can be used to tailor its behaviour towards a particular database. Built into the initial release of epilog are signatures including:
- Android (SMS, call logs, calendars, address book and others)
- iPhone (SMS, emails, calendar, and others)
- Smartphone third party applications (including Yahoo Messenger, eBuddy chat and others)
- Safari (internet history and cache and others)
- Mozilla (cookies, internet history, form data and others)
- Chrome (internet history)
EPILOG
- Recovers deleted data contained in SQLite databases.
- Analyses SQLite data recovered records and matches them to a table in the live database files.
- Works on live and deleted database files, the temporary "journal files" generated during a database operation and across a disc image or hex dump.
- Enables the user to save a single field to file, or batch-export multiple "blob" (binary objects) fields from the recovered records for further analysis.
- Includes a database rebuilder, which is an integrated solution for rebuilding recovered records into a copy of the live database.
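The core claim in the list above, that rows a viewer no longer shows can still be recovered from the database file, can be demonstrated in a few lines of Python. The following is an added example written for this page, not code from CCL or epilog: it builds a small database (table `msgs`, with constructed marker strings), deletes one row, and then compares what `SELECT` returns with what a raw byte scan of the file finds. It also shows the two settings that close that gap, `PRAGMA secure_delete`, which makes SQLite overwrite freed cell content with zeros, and `VACUUM`, which rebuilds the file from live rows only. The table name, file name and marker strings are assumptions made for the demonstration.

```python
import os
import secrets
import shutil
import sqlite3
import tempfile


def build_and_delete(db_path, markers, secure_delete=False, vacuum=False):
    """Create a small message store, delete one row, and close the file.

    markers: (live_marker, deleted_marker), constructed strings for this demo.
    secure_delete: PRAGMA secure_delete makes SQLite zero freed cell content.
    vacuum: VACUUM rebuilds the file from the live rows only.
    """
    live_marker, deleted_marker = markers
    con = sqlite3.connect(db_path)
    # Set it explicitly: some distributions build SQLite with secure_delete ON by default.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany(
        "INSERT INTO msgs (id, body) VALUES (?, ?)",
        [(1, live_marker), (2, deleted_marker), (3, live_marker)],
    )
    con.commit()
    con.execute("DELETE FROM msgs WHERE id = 2")
    con.commit()
    if vacuum:
        con.execute("VACUUM")  # must run outside a transaction, hence after commit()
    con.close()


def live_ids(db_path):
    """What an ordinary SQLite viewer reports: only rows still referenced by the b-tree."""
    con = sqlite3.connect(db_path)
    try:
        return [row[0] for row in con.execute("SELECT id FROM msgs ORDER BY id")]
    finally:
        con.close()


def carve_marker(db_path, marker):
    """Offsets of `marker` in the raw file bytes, ignoring page structure entirely."""
    needle = marker.encode("utf-8")
    with open(db_path, "rb") as fh:
        raw = fh.read()
    hits, pos = [], raw.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(needle, pos + 1)
    return hits


def demo(secure_delete=False, vacuum=False):
    """Run one scenario in a temporary directory.

    Returns the ids a viewer sees and how often each marker occurs in the file bytes.
    A fresh random suffix per call matters: without secure_delete SQLite does not zero
    new page buffers, so heap residue from an earlier run could otherwise leak into
    unused page space and be mistaken for a recovered record.
    """
    suffix = secrets.token_hex(8)
    markers = ("CONSTRUCTED-LIVE-" + suffix, "CONSTRUCTED-DELETED-" + suffix)
    tmp = tempfile.mkdtemp()
    db_path = os.path.join(tmp, "msgs.db")
    try:
        build_and_delete(db_path, markers, secure_delete, vacuum)
        return {
            "live_ids": live_ids(db_path),
            "live_hits": len(carve_marker(db_path, markers[0])),
            "deleted_hits": len(carve_marker(db_path, markers[1])),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print("default       ", demo())
    print("secure_delete ", demo(secure_delete=True))
    print("vacuum        ", demo(vacuum=True))
```

With the default settings the deleted row is gone from `SELECT` but its text is still in the file, sitting in the freed cell space of the table's page (only the first few bytes of a freed cell are overwritten by the freeblock header), which is exactly the residue a signature search operates on. With `secure_delete` on, or after a `VACUUM`, the scan finds nothing. The same fact cuts both ways for a defender: a database that must be disposed of, or that holds data a user believes is deleted, should be vacuumed or run with `secure_delete` rather than merely having rows removed.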
EPILOG V1.3
- Save and load recovery settings – the extraction settings in Epilog can now be saved and reloaded. If you have databases which you process often, you no longer need to set up Epilog’s extraction settings manually every time; just save the settings which work best for that database and re-load them on your next encounter.
- Command line interface – two new command line utilities are provided with epilog: “epilog-recover” and “epilog-rebuild”, which allow command line recovery and rebuilding of databases respectively. Together, they allow multiple database forensic tasks to be batched together. For example, all of the recovery and rebuilding tasks for common databases found on a smart device extraction can be pre-composed and executed each time that platform is encountered. This “power-user” feature can significantly streamline recovery of multiple databases.
- Big improvements to how Epilog recognises a recovered record’s original table – the code which matches a recovered record to its original table has been completely overhauled. Epilog not only provides more accurate matches than ever, but it can now match records from tables whose schema has since changed (a common occurrence, especially on smart devices where App and OS versions have been updated).
- Further streamlining for database rebuilding – where records have been recovered from tables where the schema has since changed, Epilog will build INSERT statements which reflect this change so that these records can easily be rebuilt into a database.
- New output format: HTML – available from the “Export Results” menu item
- Additional information about recovered records – offset of a record on a page is displayed in addition to the page number
- A number of UI and “under the hood” improvements
- New Signature Search Tools – epilog 1.3 introduces a new signature format which allows greater control of which records are recovered. This is achieved using validation of numerical values, lengths of strings and blobs and regular expression matching. This facilitates a more targeted approach which can vastly reduce false hits, especially when working with unallocated space and hex dumps.
- Signature Builder – To aid in the creation of signatures, epilog now includes a graphical signature builder. Signatures can be written from scratch, auto-generated using live databases or imported from old signature files to be enhanced with the new format’s extra features.
- Write Ahead Log Time-lining – epilog can now use the Write Ahead Log (“-wal” files) to reconstruct the sequence of events that have recently taken place in the database, uncovering users' behaviour.
- Brute Force Live Record Recovery – epilog can recover live records from corrupt or incomplete databases (e.g. carved from unallocated space) which cannot otherwise be opened in traditional SQLite viewers.
- De-duplication – Where duplicate records are recovered epilog can now optionally remove identical duplicates from the results set.
- Signature Search ROWID Recovery – The signature search algorithm in all recovery modes can now optionally attempt to recover the ROWID of the record. This is especially useful when the ROWID is the field upon which table relationships are built.
- INSERT Statement Export Improvements – The INSERT statement export dialog can now auto-detect the most likely tables of the recovered records and auto-populate the table names, allowing the user to export multiple tables at once, streamlining the process.
- Database Rebuilder Additional Controls – Users can now select to copy live data from individual tables rather than all or none.
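The Write Ahead Log time-lining item above relies on the on-disk layout of the `-wal` file: a 32-byte header (magic number, format version, page size, checkpoint sequence, two salt values, two checksums) followed by frames, each of which is a 24-byte header (page number, database size in pages on the last frame of a transaction and zero otherwise, the two salts, two checksums) plus one full page image. Frames whose salts do not match the header belong to an earlier checkpoint cycle and are not part of the current log. The parser below is an added example for this page, not epilog's code: it builds a small WAL-mode database with constructed messages, reads the `-wal` file while the connection is still open (closing the last connection checkpoints the log into the main file and deletes it), and groups the frames into the committed transactions they record, which is the sequence of events the page describes reconstructing. The table and file names are assumptions.

```python
import os
import shutil
import sqlite3
import struct
import tempfile
from dataclasses import dataclass

WAL_HEADER_SIZE = 32
FRAME_HEADER_SIZE = 24
WAL_MAGIC = (0x377F0682, 0x377F0683)  # the low bit records the checksum byte order


@dataclass
class WalFrame:
    index: int
    page_number: int
    commit_db_size: int  # database size in pages; non-zero only on a transaction's last frame
    valid: bool  # salts match the WAL header; stale frames from an earlier cycle do not


def parse_wal(raw):
    """Split the raw bytes of a -wal file into header fields and a frame list."""
    if len(raw) < WAL_HEADER_SIZE:
        raise ValueError("too short to be a WAL file")
    magic, fmt, page_size, ckpt_seq, salt1, salt2, _ck1, _ck2 = struct.unpack(
        ">8I", raw[:WAL_HEADER_SIZE]
    )
    if magic not in WAL_MAGIC:
        raise ValueError("bad WAL magic 0x%08x" % magic)
    header = {
        "format": fmt,
        "page_size": page_size,
        "checkpoint_seq": ckpt_seq,
        "salt": (salt1, salt2),
    }
    frames, off = [], WAL_HEADER_SIZE
    while off + FRAME_HEADER_SIZE + page_size <= len(raw):
        pgno, commit, fs1, fs2, _fc1, _fc2 = struct.unpack(
            ">6I", raw[off:off + FRAME_HEADER_SIZE]
        )
        frames.append(WalFrame(len(frames), pgno, commit, (fs1, fs2) == (salt1, salt2)))
        off += FRAME_HEADER_SIZE + page_size
    return header, frames


def transactions(frames):
    """Group valid frames into committed transactions, oldest first.

    Each inner list holds the page numbers one transaction wrote. A trailing run
    of frames with no commit marker would be an uncommitted write and is dropped.
    """
    txns, current = [], []
    for f in frames:
        if not f.valid:
            continue
        current.append(f.page_number)
        if f.commit_db_size:
            txns.append(current)
            current = []
    return txns


def demo():
    """Constructed scenario: switch to WAL, create a table, commit three inserts, read the log."""
    tmp = tempfile.mkdtemp()
    db_path = os.path.join(tmp, "chat.db")
    try:
        con = sqlite3.connect(db_path)
        con.execute("PRAGMA journal_mode = WAL")  # the switch itself uses a rollback journal
        con.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, body TEXT)")
        for body in ("hello", "are you there?", "yes, sending now"):  # constructed messages
            con.execute("INSERT INTO msgs (body) VALUES (?)", (body,))
            con.commit()
        # Read while the connection is open: closing the last connection checkpoints the
        # log into the main file and deletes it, which is why the -wal file must be
        # preserved alongside the database when evidence is collected.
        with open(db_path + "-wal", "rb") as fh:
            raw = fh.read()
        con.close()
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    header, frames = parse_wal(raw)
    return header, frames, transactions(frames)


if __name__ == "__main__":
    header, frames, txns = demo()
    print("page size %d, %d frames, salt %08x/%08x"
          % (header["page_size"], len(frames), header["salt"][0], header["salt"][1]))
    for n, pages in enumerate(txns, 1):
        print("transaction %d wrote pages %s" % (n, pages))
```

The run shows four transactions: the `CREATE TABLE` (which touches page 1, the schema page, and page 2, the new table root) and then one per committed insert, each writing the table's single page. Every frame carries a complete page image, so a frame from an earlier transaction still holds the page as it was before later inserts or deletes, which is what makes the log a timeline rather than just a cache.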
Current version: Epilog v1.3