How to Decrypt Sqlite Database File?

Simon | October 5th, 2015 | Forensics

Sqlite files are used by many applications to store data. Many applications initially stored data in Sqlite files without implementing any security on them. Nowadays, however, many applications store this data in an encrypted Sqlite database. The encryption protects the files from undesirable external access, but during an investigation it can partially block investigators from viewing the database contents. In such a situation it is essential to decrypt the Sqlite database file. This is not as easy as it seems and requires a complete set of applications to perform the decryption on the encrypted databases. Let us see how this decryption is performed and what the pre-requisites are.

Pre-requisites:

Python Installation

  • It is recommended to install Python 2.7. Choose the 32-bit or 64-bit build according to the architecture of your Windows version. While installing, make sure to choose the “Just install for me” option instead of the “all users” option; otherwise the module packages may fail to detect the Python installation.
  • After installation, add the Python folder location to the PATH variable. This can be done by right-clicking Computer >> Properties >> Advanced System Settings >> Advanced >> Environment Variables >> System Variables, where the Python folder location can be appended.

pyCrypto Installation

  • A pre-built binary is available for Windows 7 (64-bit); download it and extract it into your main Python directory. pyCrypto will then be stored under Lib/site-packages.

pySqlite Installation

  • The pysqlite-2.6.3.win-amd64-py2.7.binary package can be downloaded for a Windows 7 (64-bit) system.

simplejson

  • The simplejson-2.6.2.win-amd64-py2.7.exe binary can be downloaded for a Windows 7 (64-bit) system.

Funf Scripts

  • To decrypt a Sqlite database file, download the funf scripts and extract them into a folder on the system. Also install Sqlite Studio.

Decryption of Sqlite Database

  • Once the Sqlite database has been copied from the mobile device to the system, the command below can be used to decrypt the data file.

python <funf scripts folder>\dbdecrypt.py <file name_mainPipeline.db>

  • This execution will prompt for a password; enter the same password that was provided to you.
  • Sqlite Studio can be used to verify whether the file has been successfully decrypted and whether the data is readable. For this, perform the following steps:
  1. Open Sqlite Studio and go to Databases >> Add Database.
  2. Enter the decrypted database file in the text box.
  3. The decrypted data can be found in the table data (Tables >> Data).
  4. Click the Data tab in the left tree once this table is opened. The right pane will display the collected sensor data, with the data in the column value and the time in the column timestamp.

Merging of Multiple Decrypted DB Files

  • The command below can be used to merge multiple decrypted databases into one database for easier analysis.

python <funf scripts folder>\dbmerge.py <file1> <file2> …

  • This will create a new database file containing the merged data from all the decrypted files. It will be named merged_*.db.
  • Sqlite Studio can be used to view the merged data as described in the previous section.
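The verification step (is the file really decrypted and readable?) and the merging step can also be scripted instead of clicking through Sqlite Studio. The following Python 3 example is added here and is not part of the original article or of the funf scripts: it checks that a file starts with the SQLite 3 header (a still-encrypted file does not), reads the data table's timestamp and value columns, and merges several decrypted databases into one file while recording which input file each row came from. The data table layout (columns timestamp and value), the file names and the sample rows are constructed for this example, and funf's own dbmerge.py may lay out its merged_*.db differently.

```python
"""Verify that a Funf-style SQLite file decrypted correctly and merge several
decrypted files into one database (Python 3, standard library only).
Added example; table layout and sample data are constructed assumptions."""
import os
import sqlite3
import tempfile

# Every SQLite 3 database file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite3_file(path):
    """True if the file carries the SQLite 3 header. A still-encrypted
    database fails this test, so it is a quick check that decryption worked."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def read_sensor_rows(path):
    """Return (timestamp, value) rows from the data table, oldest first.
    Table and column names follow the layout described in the article."""
    con = sqlite3.connect(path)
    try:
        return con.execute(
            "SELECT timestamp, value FROM data ORDER BY timestamp").fetchall()
    finally:
        con.close()


def merge_databases(paths, out_path):
    """Copy the data table of every decrypted file in `paths` into a single
    database at `out_path`, tagging each row with the file it came from.
    Returns the number of rows in the merged table."""
    for p in paths:
        if not is_sqlite3_file(p):
            raise ValueError("%s is not a decrypted SQLite database" % p)
    # Autocommit mode: ATTACH/DETACH are not allowed inside a transaction.
    out = sqlite3.connect(out_path, isolation_level=None)
    try:
        out.execute("CREATE TABLE IF NOT EXISTS data "
                    "(source TEXT, timestamp REAL, value TEXT)")
        for p in paths:
            out.execute("ATTACH DATABASE ? AS src", (p,))
            out.execute("INSERT INTO data (source, timestamp, value) "
                        "SELECT ?, timestamp, value FROM src.data",
                        (os.path.basename(p),))
            out.execute("DETACH DATABASE src")
        return out.execute("SELECT COUNT(*) FROM data").fetchone()[0]
    finally:
        out.close()


def build_sample_db(path, rows):
    """Write a constructed stand-in for a decrypted Funf database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE data (timestamp REAL, value TEXT)")
    con.executemany("INSERT INTO data VALUES (?, ?)", rows)
    con.commit()
    con.close()


def demo(workdir=None):
    """Build two constructed decrypted databases plus one fake still-encrypted
    file, then verify and merge them. Returns a summary dict for inspection."""
    workdir = workdir or tempfile.mkdtemp(prefix="funf_demo_")
    dev1 = os.path.join(workdir, "device1_mainPipeline.db")
    dev2 = os.path.join(workdir, "device2_mainPipeline.db")
    still_encrypted = os.path.join(workdir, "device3_mainPipeline.db")
    # Constructed sensor rows; values mimic the JSON funf stores per probe.
    build_sample_db(dev1, [(1443000000.0, '{"probe":"battery","level":87}'),
                           (1443000060.0, '{"probe":"battery","level":86}')])
    build_sample_db(dev2, [(1443000030.0, '{"probe":"wifi","count":3}'),
                           (1443000090.0, '{"probe":"wifi","count":5}')])
    with open(still_encrypted, "wb") as f:
        f.write(b"\x8f\x1c\x00\xa9" * 4)  # constructed ciphertext-like bytes
    merged = os.path.join(workdir, "merged_demo.db")
    return {
        "dev1_ok": is_sqlite3_file(dev1),
        "dev2_ok": is_sqlite3_file(dev2),
        "encrypted_ok": is_sqlite3_file(still_encrypted),
        "merged_rows": merge_databases([dev1, dev2], merged),
        "merged_timestamps": [r[0] for r in read_sensor_rows(merged)],
    }


if __name__ == "__main__":
    print(demo())
```

The header check is deliberately done before any SQL is run: opening a still-encrypted file with sqlite3 only fails later with an unhelpful "file is not a database" error, whereas the 16-byte comparison tells you immediately which of several copied files did not decrypt. Recording the source file in the merged table preserves provenance, which matters when rows from several devices are later compared.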

Encryption has undoubtedly secured Sqlite databases. However, when these databases must be accessed for investigation purposes, the encryption becomes a roadblock to further processing. The section above describes a method to decrypt the Sqlite databases, and also a method to merge multiple decrypted Sqlite databases. By acquiring the applications needed for decryption and applying these methods, users can easily follow the decryption process.