SQLite was developed nearly twenty years ago. It has become the most widely deployed and used database engine in the world. Every instance uses Google Chrome and Firefox browser in existence. It is particularly important to mobile forensic analysts, and it is also installed on every Android and iOS device in existence today. It is the default database storage format for the millions of mobile device applications for both of these operating systems.
As of January 2020, Statista reports over 1,840,000 applications in the Apple App Store (iOS devices) and 2,570,000 applications in the Google Play Store (Android devices)2. That’s a combined total of over 4.3 million different applications that an examiner may encounter for any particular case.
Testing will focus on popular apps that are most likely to be forensically relevant, such as communications, including social media apps.
The SQLite data covered within this mobile specification addresses active data as contained within SQLite databases. Deleted SQLite data is quite complex in nature and, therefore, not covered within this document. This topic is covered in SQLite Deleted Data Recovery Specification, Test Assertions, and Test Cases.