Introducing Anti-Forensics to SQLite Corpora and Tool Testing

2018 
As one of the most widespread database systems in the world, SQLite is used on an immense number of computer systems. This is especially true for mobile devices, such as smartphones. As a consequence, data stored by SQLite gains significant relevance in many forensic investigations. Different tools are available for the (forensic) analysis of the underlying database files. However, appropriate collections of databases that can be leveraged by the forensic community for purposes like testing, validating, comparing and improving such tools are still missing. A first collection specific to SQLite has been made available with the SQLite Forensic Corpus in 2018. In this work, we extend this corpus with anti-forensic aspects and present a collection of specifically crafted databases that do not necessarily conform to the SQLite file format specification. We use these databases to evaluate a selection of tools available for the analysis of SQLite, and thereby challenge their (forensic) extraction and recovery routines. Finally, we present the results of our analyses and derive some claims regarding the functionality of forensic tools in general.