How to recover deleted SQLite records with Undark
Recovering deleted records from SQLite databases is now a common task in many forensic investigations.
Of course, there are a lot of commercial tools that can help an examiner with such recovery, for example Belkasoft Evidence Center, but it’s always good to have several alternatives for cross-checking the results, especially open source ones.
One such tool is called Undark. It’s an open source tool for recovering deleted and corrupted data from SQLite databases, developed by Paul L. Daniels, and it can be used both in computer forensics (for example, to recover deleted Chrome browser history) and in mobile forensics (for example, to recover deleted SMS messages).
So, what can it do?
- Retrieve most available records from a SQLite database (version 3);
- Dump actual records;
- Recover deleted records;
- Retrieve data from a corrupted SQLite database.
It’s important to note that deleted SQLite records can be recovered only if the database has not been fully vacuumed and defragmented; once that has happened, there is no chance of recovery. What is more, Undark does not differentiate between current and deleted data, so you’ll have to check this manually, for example with Sqliteman.
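The vacuum caveat above, shown with an added Python example that is not part of the original post or of Undark: it builds a throwaway database with constructed SMS rows, deletes one, and scans the raw file for the deleted row's text before and after VACUUM (the table and column names are assumptions made for the demo).

```python
import os
import sqlite3
import tempfile

# Constructed marker text: easy to spot in the raw file bytes, as a carving tool would.
MARKER = "deleted-sms-body-CONSTRUCTED-9f1c"

def marker_in_file(path: str, marker: str = MARKER) -> bool:
    """Scan the raw database file for the marker bytes, ignoring the SQLite structures."""
    with open(path, "rb") as fh:
        return marker.encode("utf-8") in fh.read()

def deleted_row_survival(path: str) -> dict:
    """Create a small table, delete one row, and report whether the row's text is
    still present in the raw file before and after VACUUM."""
    # Autocommit mode: every statement is its own transaction, so VACUUM is allowed.
    conn = sqlite3.connect(path, isolation_level=None)
    # Stock SQLite defaults to secure_delete=OFF (deleted cells are only marked free,
    # not overwritten); set it explicitly so the demo does not depend on the build.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.execute("INSERT INTO sms VALUES (1, '+15550001', 'first message')")
    conn.execute("INSERT INTO sms VALUES (2, '+15550002', ?)", (MARKER,))
    conn.execute("INSERT INTO sms VALUES (3, '+15550003', 'third message')")
    conn.execute("DELETE FROM sms WHERE id = 2")
    live_rows = conn.execute("SELECT COUNT(*) FROM sms").fetchone()[0]
    before_vacuum = marker_in_file(path)  # cell freed, bytes left in place: recoverable
    conn.execute("VACUUM")                # rebuilds the file with only the live cells
    after_vacuum = marker_in_file(path)   # nothing left for a tool like Undark to find
    conn.close()
    return {"live_rows": live_rows, "before_vacuum": before_vacuum, "after_vacuum": after_vacuum}

def run_demo() -> dict:
    """Run the demonstration in a temporary directory and clean up afterwards."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.db")
    try:
        return deleted_row_survival(path)
    finally:
        for name in os.listdir(tmpdir):  # also removes any leftover journal file
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)

if __name__ == "__main__":
    print(run_demo())
```

The same scan against a real evidence file is what separates a database that is worth running through Undark from one that has already been vacuumed.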
Using the tool is quite straightforward:
undark.exe -i source_database.db > output_file.csv
As a result, you’ll get a CSV file with all the records stored in the database.
The latest release of the tool is version 0.7, with a floating-point decoding issue fixed by Steven Lee. Both the win32 binary and the source code can be downloaded here.