Saturday, April 12, 2014

Daily Blog #294: Sunday Funday 4/13/14

Hello Reader,
It's Sunday and time for another challenge of your DFIR skills and knowledge. If you watched the Forensic Lunch on Friday you heard David Dym talk about his new tool SQLiteDiver. With all the challenges we've done over the last 294 posts we've never gone into depth into one of the most common forensic artifact locations both on mobile devices and standard systems. Good luck and give it your best shot, you never can tell when your answer could be the only submission!

The Prize:
A $200 Amazon Gift Card
The Rules:
  1. You must post your answer before Monday 4/14/14 8AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
SQLite is becoming one of the most common application databases used across multiple operating systems and devices. As DFIR analysts we love SQLite for its ability to preserve deleted data. For this challenge let's see how well you understand why this rich deleted data set exists. Answer the following questions.
1. Why are deleted records accessible in SQLite databases?
2. What is the write-ahead journal?
3. What will cause deleted records to be overwritten?
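To see the behaviour behind these three questions on a real file rather than on paper, here is an added example (not part of the original post and not SQLiteDiver's code). It builds a throwaway database in a temp directory with a single constructed marker row, deletes the row, and then does a raw byte scan of the main database file and its -wal file, which is what a carver does, to report where the deleted text still lives. The four runs at the bottom cover a plain rollback-journal database, the same with `PRAGMA secure_delete`, the same after `VACUUM`, and a database in WAL mode; the table name, marker string and file names are all assumptions made for the demo.

```python
"""Added example: show where a deleted SQLite row's bytes linger on disk.

Assumptions (not from the original post): a throwaway database is built in a
temp directory with one constructed marker row, and raw byte scans of the
files stand in for a forensic carver.
"""
import os
import sqlite3
import tempfile

MARKER = "SUNDAYFUNDAY-DELETED-ROW"   # constructed sample value


def _file_contains(path: str, needle: bytes) -> bool:
    """Raw byte scan of a file, ignoring SQLite's page structure entirely."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return needle in fh.read()


def trace_deleted_row(journal_mode: str = "DELETE",
                      secure_delete: bool = False,
                      vacuum: bool = False) -> dict:
    """Insert one row, delete it, and report whether its text survives.

    Returns {"wal_after_delete": bool, "main_db_at_end": bool}.
    """
    needle = MARKER.encode()
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "sample.db")      # hypothetical file name
    wal_path = db_path + "-wal"

    conn = sqlite3.connect(db_path)
    conn.execute(f"PRAGMA journal_mode={journal_mode}")
    # Set secure_delete explicitly: some distro builds of SQLite default it ON.
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER,))
    conn.commit()
    conn.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
    conn.commit()

    # In WAL mode the committed pages sit in sample.db-wal until a checkpoint,
    # and the WAL still holds the pre-delete image of the table's leaf page.
    wal_after_delete = _file_contains(wal_path, needle)
    if journal_mode.upper() == "WAL":
        # Copy the newest version of each page back into the main file
        # (SQLite also does this on its own when the last connection closes).
        conn.execute("PRAGMA wal_checkpoint(FULL)")
    if vacuum:
        conn.execute("VACUUM")   # rebuilds the file, dropping freed cell bytes
    conn.close()

    main_db_at_end = _file_contains(db_path, needle)
    for suffix in ("", "-wal", "-shm", "-journal"):
        try:
            os.remove(db_path + suffix)
        except FileNotFoundError:
            pass
    os.rmdir(workdir)
    return {"wal_after_delete": wal_after_delete, "main_db_at_end": main_db_at_end}


if __name__ == "__main__":
    for label, kw in [
        ("rollback journal, defaults", {}),
        ("rollback journal, secure_delete ON", {"secure_delete": True}),
        ("rollback journal, then VACUUM", {"vacuum": True}),
        ("WAL mode, defaults", {"journal_mode": "WAL"}),
    ]:
        print(f"{label:36} {trace_deleted_row(**kw)}")
```

With the defaults the deleted row's text is still sitting in `sample.db` because SQLite only marks the cell as free space inside the page. Turning `secure_delete` on zeroes that free space, and `VACUUM` rebuilds the file from live rows only, so in both of those runs the marker is gone from the main file. In WAL mode the marker is found in the -wal file before the checkpoint because the WAL keeps the earlier page images, which is why that file is worth collecting alongside the database.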