A software tool which allows investigators to recover deleted data from the widely-used database format, SQLite. Without epilog, you could be missing out on potentially valuable evidence.
The sale of epilog is only on application. Please contact or call 01789 261200 to enquire about licence fees.
Without epilog, you could be missing out on valuable evidence.
Many devices (whether mobile phones, computers, sat navs or other devices) store data in the SQLite database format.
Data stored in this type of database can provide a huge evidential opportunity for investigators.
Many “off-the-shelf” tools can be used to view the live records in the database, but epilog from CCL extracts deleted and de-referenced data from the database files or across a disc image or hex dump.
epilog’s three recovery algorithms can be used on any SQLite database, regardless of the type of data stored. However, epilog signatures can be used to tailor its behaviour towards a particular database. Built in to the initial release of epilog are signatures including:
- Android (SMS, call logs, calendars, address book and others)
- iPhone (SMS, emails, calendar and others)
- Smartphone third party applications (including Yahoo Messenger, eBuddy chat and others)
- Safari (internet history and cache and others)
- Mozilla (cookies, internet history, form data and others)
- Chrome (internet history)
- System Requirements
- Windows XP, Vista or Windows 7
- .NET runtime 3.5
- Local admin privileges
|epilog (SQLite Analysis) Software, epilog Signature Files|
Why use Epilog
Why use Epilog
Put simply, it gives you access to more data which could prove crucial in an investigation. SQLite is so widely used that, without epilog, you could be missing out on crucial data. For example, in a recent case handled by CCL, epilog recovered and presented nearly 5,000 entries from a smartphone’s web cache, where there were only 400 live (visible) entries.
Current version: Epilog v1.3
- Recovers deleted data contained in SQLite databases.
- Analyses SQLite data recovered records and matches them to a table in the live database files.
- Works on live and deleted database files, the temporary “journal files” generated during a database operation and across a disc image or hex dump.
- Enables the user to save a single field to file, or batch-export multiple “blob” (binary objects) fields from the recovered records for further analysis.
- Includes a database rebuilder, which is an integrated solution for rebuilding recovered records into a copy of the live database.
- epilog v1.3
- Save and load recovery settings – the extraction settings in Epilog can now be saved and reloaded. If you have databases which you process often, you no longer need to set up Epilog’s extraction settings manually every time; just save the settings which work best for that database and re-load them on your next encounter.
- Command line interface – two new command line utilities are provided with epilog: “epilog-recover” and “epilog-rebuild” which allow command line recovery and rebuilding of databases respectively. Together, they allow multiple database forensic tasks to be batched together. For example: all of the recovery and rebuilding tasks from common databases found on a smart device extraction can be pre-composed and executed each time that platform is encountered. This “power-user” feature can significantly streamline recovery of multiple databases.
- Big improvements to how Epilog recognises a recovered record’s original table – the code which matches a recovered record to its original table has been completely overhauled. Epilog not only provides more accurate matches than ever, but it can now match records from tables whose schema has since changed (a common occurrence, especially on smart devices where App and OS versions have been updated).
- Further streamlining for database rebuilding – where records have been recovered from tables where the schema has since changed, Epilog will build INSERT statements which will reflect this change so that these records can easily be rebuilt into a database.
- New output format: HTML – available from the “Export Results” menu item
- Additional information about recovered records – offset of a record on a page is displayed in addition to the page number
- A number of UI and “under the hood” improvements
The following signature files are available to use with epilog and are available for separate download. Further signature files will be developed over time, and will be made available for free download. Current set of signatures updated: November 2014.
Please also feel free to contact us at or call 01789 261200 for more information.
Training is provided at CCL-Forensics’ laboratory in Warwickshire, UK. On-site training can be provided depending on attendee numbers. Please contact for more information. Duration of course: 1 day.
- New Signature Search Tools – epilog 1.3 introduces a new signature format which allows greater control of which records are recovered. This is achieved using validation of numerical values, lengths of strings and blobs and regular expression matching. This facilitates a more targeted approach which can vastly reduce false hits, especially when working with unallocated space and hex dumps.
- Signature Builder – To aid in the creation of signatures, epilog now includes a graphical signature builder. Signatures can be written from scratch, auto-generated using live databases or imported from old signature files to be enhanced with the new formats extra features.
- Write Ahead Log Time-lining – epilog can now use the Write Ahead Log (“-wal” files) to reconstruct the sequence of events that have recently taken place in the database, uncovering users’ behaviour.
- Brute Force Live Record Recovery – epilog can recover live records from corrupt or incomplete databases (eg. carved from unallocated space) which cannot otherwise be opened in traditional SQLite viewers.
- De-duplication – Where duplicate records are recovered epilog can now optionally remove identical duplicates from the results set.
- Signature Search ROWID Recovery – The signature search algorithm in all recovery modes can now optionally attempt to recover the ROWID of the record. This is especially useful when the ROWID is the field upon which table relationships are built.
- INSERT Statement Export Improvements – The INSERT statement export dialog can now auto-detect the most likely tables of the recovered records and auto-populate the table names, allowing the user to export multiple tables at once, streamlining the process.
- Database Rebuilder Additional Controls – Users can now select to copy live data from individual tables rather than all or none.