There’s no doubt that most of the forensically significant information on digital devices is stored inside databases. In the mobile world, the king of database formats is SQLite, but other contenders, like Realm, are already being used in popular mobile applications. In the standard workflow, Cellebrite Physical Analyzer decodes information out of these databases and transforms that data into the more readable form of “Analyzed Data.”

But what happens when an application is not yet supported by Cellebrite Physical Analyzer, or when there’s a need to validate or dig deeper into a specific piece of data?

For cases like this, Cellebrite Physical Analyzer features advanced data analysis tools like the File Format Viewer and the Database Viewer. In Cellebrite Physical Analyzer 7.25, Cellebrite released a completely new version of the Database Viewer, which includes performance improvements and advanced new features that provide forensic examiners with a much better look at data that’s stored inside SQLite and Realm databases. In this post, we’ll take a deep dive into the power features of Cellebrite’s new Database Viewer.

In-Depth Look Inside Cell Data

The first thing you might notice about the new viewer is the addition of a right pane that can show several representations of the data in the selected database cell. The new Database Viewer will automatically identify the type of data that’s stored in the selected cell and will suggest different views for it.

Most important for artifact verification and validation is the ability to view the original hex data of each cell. The hex view in the new viewer provides the most accurate information about the data contained in a cell, which is especially important for BLOB-type columns, for which other representations might be missing or misrepresenting data.

Figure 1. Hex data of an integer stored in an SQLite database

For number and string columns, the text view will show a textual representation of the data in the cell, whether it’s a string, integer, or a floating-point number. In addition, numbers that are identified as representing a timestamp will have a date and time view showing a string representation of the date. Strings that are identified as “Base64 encoded data” will have an automatically decoded hex view.

Figure 2. An automatically identified Base64 string is decoded in the right pane.

Figure 3. The date and time representation of a database cell is also automatically identified.

As in previous versions of the Database Viewer, the date and time format can also be set for an entire column using the column header context menu.

Figure 4. Selecting a timestamp format for an entire column is easy in the new Database Viewer.

But the real power of the new right pane is best seen when handling complex data types stored inside databases. For example, embedded images or HTML pages can now be viewed directly in the Database Viewer, and data serialization formats, like JSON, binary PLists, Protocol Buffers (Protobuf), and many more, are detected and decoded in a searchable, dynamic tree view.

Figure 5. A PNG image stored inside a database can now be viewed directly in the right pane.

Figure 6. An HTML page rendered in the right pane

Figure 7. A binary PList embedded inside a database cell can now be decoded in the right pane.

Recovering Records From Within The Database View

One of the strongest capabilities of Cellebrite Physical Analyzer is its ability to recover deleted records from SQLite databases. So far, this has been done behind the scenes by different database parsers or by advanced users using the integrated Python shell. With the new Database Viewer, record recovery is now just a click away when viewing any table in an SQLite file.

Figure 8. Deleted records are easily recovered from an SQLite table.

When toggling “Include recovered records” in the table header, the Database Viewer will try to carve records that match the current table’s signature and will include those records (marked in red) in the display. Note that recovered records may have been deleted by an application, but these could also be older versions of existing intact records, which may help to follow the history of how a certain record came to be.

Regarding table signatures, the new Database Viewer now enables users to examine the “sqlite_master” table, which contains the definitions of all tables, indices, triggers, and views defined by an SQLite database. This provides a deeper understanding of how a database is being used and may grant otherwise hidden insights into the logic of mobile applications.

Figure 9. The sqlite_master table, containing “CREATE TABLE” statements of all tables
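As an added illustration (not Cellebrite's code) of why carving by table signature can find rows the engine no longer returns, and of the caveat that SQLite's secure_delete setting defeats it, the following script builds a constructed SQLite file with a made-up messages table, deletes one row, reads the table's CREATE TABLE statement from sqlite_master, and compares what a query returns with what the raw file bytes still hold. The table, row contents and marker string are all constructed for this example.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows; the body of row 2 is a unique marker that we later
# search for in the raw file bytes after that row has been deleted.
SAMPLE_ROWS = [
    ("alice", "lunch at noon?", 1600000000),
    ("bob", "DELETED-MARKER-7f3a", 1600000060),
    ("alice", "see you there", 1600000120),
]

def build_sample_db(path, secure_delete):
    """Create a small messages table, then delete the middle row."""
    con = sqlite3.connect(path)
    # secure_delete=ON zeroes freed cell space; OFF leaves the old bytes in place.
    # Set it explicitly because the compile-time default differs between builds.
    con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages(sender, body, ts) VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()

def table_schema(path, table):
    """Return the CREATE TABLE statement recorded in sqlite_master for the table."""
    con = sqlite3.connect(path)
    row = con.execute("SELECT sql FROM sqlite_master WHERE type='table' AND name=?", (table,)).fetchone()
    con.close()
    return row[0] if row else None

def raw_hits(path, marker):
    """Count occurrences of marker in the raw file bytes, bypassing the SQLite engine."""
    with open(path, "rb") as f:
        return f.read().count(marker.encode("utf-8"))

def demo(secure_delete=False):
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        build_sample_db(path, secure_delete)
        con = sqlite3.connect(path)
        live_rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        con.close()
        return {
            "schema": table_schema(path, "messages"),  # the signature the viewer reads from sqlite_master
            "live_rows": live_rows,                     # what a normal query returns
            "raw_hits": raw_hits(path, SAMPLE_ROWS[1][1]),  # what carving can still find
        }
```

With secure_delete OFF, the query reports two live rows while the deleted row's body is still present in the file for carving; with secure_delete ON the freed bytes are zeroed and nothing is left to recover, which is why an absent recovered record is not proof that it never existed.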

Support For Advanced Realm Database Features

Realm is a database system that’s been gaining popularity in recent years. It is essentially an object store, with an internal structure that is very different from SQLite, but the data within it can still be represented in a table-like manner.

The new Database Viewer in Cellebrite Physical Analyzer does just that, with added support for advanced features unique to the Realm database, such as list properties, where a single database cell stores not one value but a list of values. This capability is another example of the flexibility of the right pane, which can decode these lists and display their values, supporting any data type.

Figure 10. An array column within a Realm database is decoded in the right pane.

Conclusion

The new Database Viewer in Cellebrite Physical Analyzer brings a new level of power to the hands of digital forensic practitioners, allowing them to have a better, deeper, and faster understanding of data stored within databases. This makes tasks like analyzing new applications and verifying decoded data quicker and more accessible than ever.
