epilog - a software tool which allows investigators to recover deleted data from the widely-used database format, SQLite. Without epilog, you could be missing out on potentially valuable evidence.
Many devices (whether mobile phones, computers, sat navs or other devices) store data in the SQLite database format.
Data stored in this type of database can provide a huge evidential opportunity for investigators.
Many "off-the-shelf" tools can be used to view the live records in the database, but epilog from CCL extracts deleted and de-referenced data from the database files or across a disc image or hex dump.
epilog’s three recovery algorithms can be used on any SQLite database, regardless of the type of data stored. However, epilog signatures can be used to tailor its behaviour towards a particular database. Built into the initial release of epilog are signatures including:
- Android (SMS, call logs, calendars, address book and others)
- iPhone (SMS, emails, calendar, and others)
- Smartphone third party applications (including Yahoo Messenger, eBuddy chat and others)
- Safari (internet history and cache and others)
- Mozilla (cookies, internet history, form data and others)
- Chrome (internet history)
Why use epilog?
Put simply, it gives you access to more data which could prove crucial in an investigation. SQLite is so widely used that, without epilog, you could be missing out on crucial data. For example, in a recent case handled by CCL, epilog recovered and presented nearly 5,000 entries from a smartphone’s web cache, where there were only 400 live (visible) entries.
Current version: Epilog v1.1.1
- epilog presents deleted data contained in SQLite databases
- epilog uses three different algorithms in order to recover and rebuild deleted records
- epilog analyses recovered records and matches each one to a table in the live database file
- epilog works on live and deleted database files, the temporary “journal files” which are generated during a database operation and across a disc image or hex dump
- epilog enables the user to save a single field to file, or batch export multiple “blob” (binary files) fields from the recovered records for further analysis
- epilog allows the user to generate “insert statements” from recovered records in order to facilitate the restoration of deleted records into a live database
- Once purchased, new signatures, updates and bug fixes are provided for the current version of epilog
What's new in v1.1.1?
Database Rebuilder: Epilog 1.1 brings an integrated solution for rebuilding recovered records into a copy of the live database, so that deleted data can be parsed or processed with tools and scripts that are designed to operate only on live data. The user can choose whether to include the current live records, and there are options to disable triggers and remove constraints from the database schema to tailor the rebuilding.
WAL File Parsing: Version 3.7 of the SQLite library introduced a new journal format called "Write Ahead Log" or "WAL". WAL differs from the traditional journal mechanism: rather than backing up the data that is about to be changed to a rollback journal, WAL writes the new data into a separate file, which is only merged into the database when specifically requested by the database engine. Throughout a database's lifetime SQLite continues to reuse the same WAL file without ever truncating it, so it is quite possible to find deleted or previous versions of rows present in the WAL file.
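As an added illustration of the WAL layout described above (example code written for this page, not part of epilog or CCL's software), the following Python parser walks the 32-byte WAL header and each 24-byte frame header, checks the salt and cumulative checksum chain that the SQLite engine uses to decide which frames are current, and lists the frames the engine ignores but which still carry page content: earlier versions of a page and frames left over from before a checkpoint reset. The WAL bytes are a constructed fixture with 32-byte pages; the field layout and checksum algorithm follow the published SQLite file format, and `build_wal` exists only to produce that fixture.

```python
import struct
WAL_MAGIC_LE, WAL_MAGIC_BE = 0x377F0682, 0x377F0683  # little/big-endian checksum variants

def wal_checksum(data, s0=0, s1=0, big_endian=False):
    """Cumulative SQLite WAL checksum; len(data) must be a multiple of 8."""
    words = struct.unpack((">" if big_endian else "<") + "%dI" % (len(data) // 4), data)
    for i in range(0, len(words), 2):
        s0 = (s0 + words[i] + s1) & 0xFFFFFFFF
        s1 = (s1 + words[i + 1] + s0) & 0xFFFFFFFF
    return s0, s1

def build_wal(page_size, salt, frames, big_endian=False):
    """Constructed fixture writer: frames = [(pgno, commit_size, frame_salt, page_bytes)]."""
    magic = WAL_MAGIC_BE if big_endian else WAL_MAGIC_LE
    hdr = struct.pack(">6I", magic, 3007000, page_size, 0, *salt)  # 24-byte header body
    s0, s1 = wal_checksum(hdr, big_endian=big_endian)
    out = hdr + struct.pack(">2I", s0, s1)
    for pgno, commit, fsalt, page in frames:
        head = struct.pack(">2I", pgno, commit)
        s0, s1 = wal_checksum(head + page, s0, s1, big_endian)
        out += head + struct.pack(">4I", *fsalt, s0, s1) + page
    return out

def parse_wal(blob):
    """Walk every frame; 'valid' means salts match the header and the checksum chain holds."""
    magic, _, page_size, _, salt1, salt2, c0, c1 = struct.unpack(">8I", blob[:32])
    big_endian = magic == WAL_MAGIC_BE
    s0, s1 = wal_checksum(blob[:24], big_endian=big_endian)
    chain_ok, frames, off = (s0, s1) == (c0, c1), [], 32
    while off + 24 + page_size <= len(blob):
        pgno, commit, fs1, fs2, fc0, fc1 = struct.unpack(">6I", blob[off:off + 24])
        page = blob[off + 24:off + 24 + page_size]
        ok = chain_ok and (fs1, fs2) == (salt1, salt2)
        if ok:
            s0, s1 = wal_checksum(blob[off:off + 8] + page, s0, s1, big_endian)
            ok = (s0, s1) == (fc0, fc1)
        chain_ok = ok  # once the chain breaks, every later frame is stale to the engine
        frames.append({"page": pgno, "commit": commit, "valid": ok, "data": page})
        off += 24 + page_size
    return frames

def superseded_versions(frames):
    """Indices of frames the engine ignores but which still hold recoverable page content."""
    last = {f["page"]: i for i, f in enumerate(frames) if f["valid"]}
    return [i for i, f in enumerate(frames) if not f["valid"] or last[f["page"]] != i]

# Constructed sample: page 2 committed twice (a row edited), then a frame left from before
# a checkpoint reset, recognisable by its old salt. 32-byte pages keep the fixture small.
SAMPLE = build_wal(32, (7, 8), [
    (2, 3, (7, 8), b"row:alice@example".ljust(32, b"\0")),
    (2, 3, (7, 8), b"row:alice@EXAMPLE".ljust(32, b"\0")),
    (3, 3, (1, 2), b"row:deleted-user".ljust(32, b"\0")),
])
```

Against `SAMPLE`, `superseded_versions(parse_wal(SAMPLE))` returns the first and third frames: the pre-edit copy of page 2 and the stale frame with the old salt, which is exactly the content a live SQLite reader never shows.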
Raw Data Search: The requirement for an "associated database" (which could often be difficult to track down) has been removed; instead the user can provide the database page size and text encoding manually. Extra options have been added for improving results when reading from raw dumps of flash chips.
Signature Search: The signature search algorithm has been improved to remove the need for "In the case of multiple concurrent deletion" signatures.
Truncated records: Epilog now marks records that have been recovered but are truncated in grey, allowing the user to make more informed decisions about the data.
New Export Modes: Epilog now allows you to output to a flat tab separated values (tsv) file. Additionally the "INSERT export" has been overhauled to make it more convenient to use.
Database and Table Details: What was formerly the "Table Analysis" feature has been upgraded to "Database and Table Details" and now reports further information regarding the database structure and parameters.
epilog requires the following minimum specifications:
- Windows XP, Vista or Windows 7
- .NET runtime 3.5
- local admin privileges
The following signature files are available to use with epilog and are available for separate download. Further signature files will be developed over time, and will be made available for free download. Current set of signatures updated: March 2013. This latest update includes a number of new Android signatures (including vendor-specific databases).
- Android (includes calls, contacts, SMS messages, HTC email messages) - NEW! files for Android 4.0 (Ice Cream Sandwich), Android 4.1 (Jelly Bean) and Android 3rd party applications
- iPhone - NEW! covering iOS6 and 3rd party applications (includes calls, contacts, SMS messages, email, third party chat history)
- Skype - NEW!
- PC browsers (artefacts from Chrome, Firefox, Safari) and more
Please also feel free to contact us at email@example.com or call 01789 261200 for more information.
Training: Training is provided at CCL-Forensics' laboratory in Warwickshire, UK. On-site training can be provided depending on attendee numbers. Please contact firstname.lastname@example.org for more information. Duration of course: 1 day.
The sale of epilog is only on application. If you would like more information please contact email@example.com or call 01789 261200.
The epilog set up file is available for download here, however this will only work with a valid licence.
Epilog (v1.1.1) Setup file: (Updated April 2012)
Download epilog signature files: (Updated March 2013)