This is a module used by both the chromehistory and firefoxhistory groups of plugins I wrote for the 2014 Volatility Plugin Contest. It provides a number of functions for locating and converting data found in SQLite databases. The functions provided are described below.
The following links are very helpful for understanding the structure of SQLite databases:
- http://www.evolane.com/support/manuals/shared/manuals/tcltk/sqlite/fileformat.html
- http://forensicsfromthesausagefactory.blogspot.com/2011/04/carving-sqlite-databases-from.html
- http://forensicsfromthesausagefactory.blogspot.in/2011/05/analysis-of-record-structure-within.html
The section on the Variable Length Integer Format in the first link above is especially relevant for many of the functions below. SQLite databases store integers in a variable-length integer format that uses anywhere from 1 to 9 bytes. This allows small integer values to use only 1 or 2 bytes. It also means all negative numbers are 9 bytes.
unix_time(dt)
Converts a Python datetime object to a Unix epoch based timestamp.
get_wintime_from_msec(msec)
Takes as input the number of microseconds since 1601/01/01 and outputs a Python datetime object.
get_nixtime_from_sec(sec)
Takes as input the number of seconds since 1970/01/01 and outputs a Python datetime object.
get_nixtime_from_msec(msec)
Takes as input the number of microseconds since 1970/01/01 and outputs a Python datetime object.
varint_type_to_length(varint)
The lengths in the header section for integers aren’t actual lengths, but map to different values, as described in the Database Record Format in the first link above. This function maps these values to the actual lengths of the data fields.
ones_comp(bin_str)
Takes a binary number represented as a string of 0s and 1s, and returns the one’s complement in string format. This is used for varints that hold a negative number.
find_varint(buff, start, direct)
This function locates the next variable length integer in the buffer buff, starting from index start and moving either forward or backward as specified by direct. The last byte of a varint is always less than 128, which marks where a varint ends when moving forward, or where the previous varint ends when moving backward.
varint_to_int(buff)
Converts a varint to an integer value.
varint_to_blob_length(l)
Converts the header length field to the actual data length, which is (length-12)/2.
varint_to_text_length(l)
Converts the header length field to the actual data length, which is (length-13)/2.
sql_unpack(buff)
Converts a 1, 2, 3, 4, 6, or 8 byte value into an integer. Integers are stored in the data portion of the SQLite record, while varints are used in the header portion.
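As an added example (not this module's own code), the following Python puts the pieces described above together: a varint decoder that handles the 9-byte and negative cases, the serial-type-to-length mapping with the (length-12)/2 and (length-13)/2 rules, the fixed-width integer unpack, and a record parser that uses all three. The function names are hypothetical, and the record bytes used to exercise it are constructed.

```python
import struct

def decode_varint(buff, start=0):
    """Decode the SQLite varint at buff[start]; return (value, bytes consumed)."""
    value = 0
    for i in range(9):
        b = buff[start + i]
        # bytes 1 to 8 contribute their low 7 bits; a 9th byte contributes all 8
        value = (value << 8) | b if i == 8 else (value << 7) | (b & 0x7F)
        if i == 8 or b < 0x80:           # high bit clear: last byte of the varint
            break
    if value & (1 << 63):                # varints are 64-bit two's complement
        value -= 1 << 64
    return value, i + 1

def serial_type_to_length(st):
    """Map a record-header serial type to the byte length of its data field."""
    if st in (10, 11):
        raise ValueError("serial types 10 and 11 are reserved")
    if st < 10:                          # NULL, 1/2/3/4/6/8-byte ints, float, 0, 1
        return (0, 1, 2, 3, 4, 6, 8, 8, 0, 0)[st]
    return (st - 12) // 2 if st % 2 == 0 else (st - 13) // 2   # even BLOB, odd TEXT

def sql_unpack(buff):
    """Convert a 1, 2, 3, 4, 6 or 8 byte big-endian signed integer field."""
    assert len(buff) in (1, 2, 3, 4, 6, 8), "unsupported integer width"
    return int.from_bytes(buff, "big", signed=True)

def parse_record(buff):
    """Parse one record (header of varints, then the body) into a list of values."""
    header_len, pos = decode_varint(buff, 0)
    types, values = [], []
    while pos < header_len:              # the rest of the header is serial types
        st, n = decode_varint(buff, pos)
        types.append(st)
        pos += n
    for st in types:
        length = serial_type_to_length(st)
        raw = bytes(buff[pos:pos + length])
        if st in (0, 8, 9):              # NULL, 0 and 1 live in the header only
            values.append({0: None, 8: 0, 9: 1}[st])
        elif st == 7:
            values.append(struct.unpack(">d", raw)[0])
        elif st <= 6:
            values.append(sql_unpack(raw))
        else:                            # BLOB stays bytes, TEXT is decoded
            values.append(raw if st % 2 == 0 else raw.decode("utf-8", "replace"))
        pos += length
    return values
```

A carved record such as bytes([5, 1, 19, 3, 0, 1]) + b"abc" + b"\x01\x23\x45" (header length 5, then serial types 1, 19, 3, 0) parses to [1, 'abc', 74565, None].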