creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 14:44:58 +03:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit - 611 cybersecurity skills across all subdomains

Browse Source
This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/performing-sqlite-database-forensics/SKILL.md
+267
View File
@@ -0,0 +1,267 @@
---
name: performing-sqlite-database-forensics
description: Perform forensic analysis of SQLite databases to recover deleted records from freelists and WAL files, decode encoded timestamps, and extract evidence from browser history, messaging apps, and mobile device databases.
domain: cybersecurity
subdomain: digital-forensics
tags: [sqlite, database-forensics, freelist, wal, write-ahead-log, browser-history, mobile-forensics, deleted-records, b-tree, unallocated-space]
version: "1.0"
author: mahipal
license: MIT
---
# Performing SQLite Database Forensics
## Overview
SQLite is the most widely deployed database engine in the world, used by virtually every mobile application, web browser, and many desktop applications to store user data. In digital forensics, SQLite databases are critical evidence sources containing browser history, messaging records, call logs, GPS locations, application preferences, and cached content. Forensic analysis goes beyond simple SQL queries to examine the internal B-tree page structures, freelist pages containing deleted records, Write-Ahead Log (WAL) files preserving transaction history, and unallocated space within database pages where recoverable data may persist after deletion.
## Prerequisites
- DB Browser for SQLite (sqlitebrowser)
- SQLite command-line tools (sqlite3)
- Python 3.8+ with sqlite3 module
- Belkasoft Evidence Center or Axiom (commercial)
- Hex editor (HxD, 010 Editor) for manual page inspection
- Understanding of B-tree data structures
## SQLite Internal Structure
### Database Header (First 100 Bytes)
| Offset | Size | Description |
|--------|------|-------------|
| 0 | 16 | Magic string: "SQLite format 3\000" |
| 16 | 2 | Page size (512-65536 bytes) |
| 18 | 1 | File format write version |
| 19 | 1 | File format read version |
| 24 | 4 | File change counter |
| 28 | 4 | Database size in pages |
| 32 | 4 | First freelist trunk page number |
| 36 | 4 | Total freelist pages |
| 52 | 4 | Text encoding (1=UTF-8, 2=UTF-16le, 3=UTF-16be) |
| 96 | 4 | Version-valid-for number |
### Page Types
| Type | ID | Description |
|------|----|-------------|
| B-tree Interior | 0x05 | Internal table node |
| B-tree Leaf | 0x0D | Table leaf page containing actual records |
| Index Interior | 0x02 | Internal index node |
| Index Leaf | 0x0A | Index leaf page |
| Freelist Trunk | - | Tracks freed pages |
| Freelist Leaf | - | Freed page with recoverable data |
| Overflow | - | Continuation of large records |
## Deleted Record Recovery
### Method 1: Freelist Page Analysis
When records are deleted, SQLite may place their pages on the freelist rather than overwriting them immediately.
```python
import struct
import sqlite3
import os
def analyze_freelist(db_path: str) -> dict:
"""Analyze SQLite freelist to identify pages containing deleted data."""
with open(db_path, "rb") as f:
# Read header
header = f.read(100)
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
first_freelist_page = struct.unpack(">I", header[32:36])[0]
total_freelist_pages = struct.unpack(">I", header[36:40])[0]
freelist_info = {
"page_size": page_size,
"first_freelist_page": first_freelist_page,
"total_freelist_pages": total_freelist_pages,
"trunk_pages": [],
"leaf_pages": []
}
if first_freelist_page == 0:
return freelist_info
# Walk the freelist trunk chain
trunk_page = first_freelist_page
while trunk_page != 0:
offset = (trunk_page - 1) * page_size
f.seek(offset)
page_data = f.read(page_size)
next_trunk = struct.unpack(">I", page_data[0:4])[0]
leaf_count = struct.unpack(">I", page_data[4:8])[0]
leaves = []
for i in range(leaf_count):
leaf_page = struct.unpack(">I", page_data[8 + i * 4:12 + i * 4])[0]
leaves.append(leaf_page)
freelist_info["trunk_pages"].append({
"page_number": trunk_page,
"next_trunk": next_trunk,
"leaf_count": leaf_count,
"leaf_pages": leaves
})
freelist_info["leaf_pages"].extend(leaves)
trunk_page = next_trunk
return freelist_info
def extract_freelist_content(db_path: str, output_dir: str):
"""Extract raw content from freelist pages for analysis."""
info = analyze_freelist(db_path)
os.makedirs(output_dir, exist_ok=True)
with open(db_path, "rb") as f:
page_size = info["page_size"]
for page_num in info["leaf_pages"]:
offset = (page_num - 1) * page_size
f.seek(offset)
page_data = f.read(page_size)
output_file = os.path.join(output_dir, f"freelist_page_{page_num}.bin")
with open(output_file, "wb") as out:
out.write(page_data)
return len(info["leaf_pages"])
```
### Method 2: WAL (Write-Ahead Log) Analysis
The WAL file contains pending transactions that have not yet been checkpointed back to the main database.
```python
def parse_wal_header(wal_path: str) -> dict:
"""Parse SQLite WAL file header and frame inventory."""
with open(wal_path, "rb") as f:
header = f.read(32)
magic = struct.unpack(">I", header[0:4])[0]
file_format = struct.unpack(">I", header[4:8])[0]
page_size = struct.unpack(">I", header[8:12])[0]
checkpoint_seq = struct.unpack(">I", header[12:16])[0]
salt1 = struct.unpack(">I", header[16:20])[0]
salt2 = struct.unpack(">I", header[20:24])[0]
wal_info = {
"magic": hex(magic),
"format": file_format,
"page_size": page_size,
"checkpoint_sequence": checkpoint_seq,
"frames": []
}
# Parse frames (24-byte header + page_size data each)
frame_offset = 32
frame_num = 0
file_size = os.path.getsize(wal_path)
while frame_offset + 24 + page_size <= file_size:
f.seek(frame_offset)
frame_header = f.read(24)
page_number = struct.unpack(">I", frame_header[0:4])[0]
db_size_after = struct.unpack(">I", frame_header[4:8])[0]
wal_info["frames"].append({
"frame_number": frame_num,
"page_number": page_number,
"db_size_pages": db_size_after,
"offset": frame_offset
})
frame_offset += 24 + page_size
frame_num += 1
return wal_info
```
### Method 3: Unallocated Space Within Pages
Deleted cells within active B-tree pages leave data in the unallocated region between the cell pointer array and the cell content area.
```python
def analyze_unallocated_space(db_path: str, page_number: int) -> dict:
"""Analyze unallocated space within a specific B-tree page."""
with open(db_path, "rb") as f:
header = f.read(100)
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
offset = (page_number - 1) * page_size
f.seek(offset)
page_data = f.read(page_size)
# Parse page header (8 or 12 bytes depending on type)
page_type = page_data[0]
first_freeblock = struct.unpack(">H", page_data[1:3])[0]
cell_count = struct.unpack(">H", page_data[3:5])[0]
cell_content_offset = struct.unpack(">H", page_data[5:7])[0]
if cell_content_offset == 0:
cell_content_offset = 65536
header_size = 12 if page_type in (0x02, 0x05) else 8
cell_pointer_end = header_size + cell_count * 2
unallocated_start = cell_pointer_end
unallocated_end = cell_content_offset
unallocated_size = unallocated_end - unallocated_start
return {
"page_number": page_number,
"page_type": hex(page_type),
"cell_count": cell_count,
"unallocated_start": unallocated_start,
"unallocated_end": unallocated_end,
"unallocated_size": unallocated_size,
"unallocated_data": page_data[unallocated_start:unallocated_end].hex()
}
```
## Common Forensic Databases
| Application | Database File | Key Tables |
|------------|--------------|------------|
| Chrome | History | urls, visits, downloads, keyword_search_terms |
| Firefox | places.sqlite | moz_places, moz_historyvisits |
| Safari | History.db | history_items, history_visits |
| WhatsApp | msgstore.db | messages, chat_list |
| Signal | signal.sqlite | sms, mms |
| iMessage | sms.db | message, handle, chat |
| Android SMS | mmssms.db | sms, mms, threads |
| Skype | main.db | Messages, Conversations |
## Timestamp Decoding
```python
from datetime import datetime, timedelta
def decode_chrome_timestamp(chrome_ts: int) -> datetime:
"""Convert Chrome/WebKit timestamp to datetime (microseconds since 1601-01-01)."""
epoch_delta = 11644473600
return datetime.utcfromtimestamp((chrome_ts / 1000000) - epoch_delta)
def decode_unix_timestamp(unix_ts: int) -> datetime:
"""Convert Unix timestamp to datetime."""
return datetime.utcfromtimestamp(unix_ts)
def decode_mac_absolute_time(mac_ts: float) -> datetime:
"""Convert Mac Absolute Time (seconds since 2001-01-01)."""
mac_epoch = datetime(2001, 1, 1)
return mac_epoch + timedelta(seconds=mac_ts)
def decode_mozilla_timestamp(moz_ts: int) -> datetime:
"""Convert Mozilla PRTime (microseconds since Unix epoch)."""
return datetime.utcfromtimestamp(moz_ts / 1000000)
```
## References
- SQLite File Format: https://www.sqlite.org/fileformat2.html
- Belkasoft SQLite Analysis: https://belkasoft.com/sqlite-analysis
- Spyder Forensics SQLite Training: https://www.spyderforensics.com/sqlite-forensic-fundamentals-2025/
- Forensic Analysis of Damaged SQLite Databases: https://www.forensicfocus.com/articles/forensic-analysis-of-damaged-sqlite-databases/
skills/performing-sqlite-database-forensics/assets/template.md
+31
View File
@@ -0,0 +1,31 @@
# SQLite Database Forensic Analysis Report
## Case Information
| Field | Value |
|-------|-------|
| Case Number | |
| Database File | |
| File Hash (SHA-256) | |
| Examiner | |
## Database Summary
| Property | Value |
|----------|-------|
| Page Size | |
| Total Pages | |
| Freelist Pages | |
| Text Encoding | |
| WAL Present | |
## Tables and Record Counts
| Table Name | Row Count | Columns |
|-----------|-----------|---------|
| | | |
## Recovered Deleted Records
| Source | Record Data | Recovery Method |
|--------|------------|----------------|
| | | |
## Findings
_(Summary of forensic analysis)_
skills/performing-sqlite-database-forensics/references/standards.md
+20
View File
@@ -0,0 +1,20 @@
# Standards and References - SQLite Database Forensics
## Standards
- NIST SP 800-86: Guide to Integrating Forensic Techniques
- SQLite File Format Specification: https://www.sqlite.org/fileformat2.html
- SWGDE Best Practices for Mobile Device Forensics
## Tools
- DB Browser for SQLite: Open-source GUI editor
- sqlcipher: Encrypted SQLite database handling
- Belkasoft Evidence Center: Commercial SQLite forensic analysis
- Exponent SQLite Explorer: Forensic SQLite viewer with timestamp auto-detection
- FORC (Forensic Operations for Recognizing SQLite Content): Automated Android extraction
## Key Database Locations
- Chrome History: %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
- Firefox places.sqlite: %APPDATA%\Mozilla\Firefox\Profiles\*.default\places.sqlite
- Android SMS: /data/data/com.android.providers.telephony/databases/mmssms.db
- iOS SMS: /private/var/mobile/Library/SMS/sms.db
- WhatsApp: /data/data/com.whatsapp/databases/msgstore.db
skills/performing-sqlite-database-forensics/references/workflows.md
+39
View File
@@ -0,0 +1,39 @@
# Workflows - SQLite Database Forensics
## Workflow 1: Complete Database Analysis
```
Identify SQLite databases in evidence
|
Create forensic copies (preserve WAL and journal files)
|
Analyze database header (page size, encoding, freelist)
|
Query active tables for evidence
|
Analyze freelist pages for deleted records
|
Parse WAL file for transaction history
|
Examine unallocated space within pages
|
Decode timestamps (Chrome, Unix, Mac Absolute, Mozilla)
|
Document and export findings
```
## Workflow 2: Deleted Record Recovery
```
Open database in hex editor
|
Identify freelist trunk/leaf pages from header
|
Extract raw page data from freelist
|
Parse B-tree cell format to decode records
|
Check WAL for pre-deletion snapshots
|
Examine unallocated space between cell pointers and content area
|
Carve recoverable records
```
skills/performing-sqlite-database-forensics/scripts/process.py
+192
View File
@@ -0,0 +1,192 @@
#!/usr/bin/env python3
"""
SQLite Database Forensic Analyzer
Performs forensic analysis of SQLite databases including freelist analysis,
WAL parsing, deleted record recovery, and timestamp decoding.
"""
import sqlite3
import struct
import os
import sys
import json
from datetime import datetime, timedelta
from pathlib import Path
class SQLiteForensicAnalyzer:
"""Comprehensive SQLite database forensic analysis."""
def __init__(self, db_path: str, output_dir: str):
self.db_path = db_path
self.output_dir = output_dir
os.makedirs(output_dir, exist_ok=True)
def parse_header(self) -> dict:
"""Parse the 100-byte SQLite database header."""
with open(self.db_path, "rb") as f:
header = f.read(100)
if header[:16] != b"SQLite format 3\x00":
return {"error": "Not a valid SQLite database"}
page_size = struct.unpack(">H", header[16:18])[0]
if page_size == 1:
page_size = 65536
return {
"magic": header[:16].decode("ascii", errors="replace").strip("\x00"),
"page_size": page_size,
"write_version": header[18],
"read_version": header[19],
"reserved_space": header[20],
"file_change_counter": struct.unpack(">I", header[24:28])[0],
"database_size_pages": struct.unpack(">I", header[28:32])[0],
"first_freelist_page": struct.unpack(">I", header[32:36])[0],
"total_freelist_pages": struct.unpack(">I", header[36:40])[0],
"schema_cookie": struct.unpack(">I", header[40:44])[0],
"schema_format": struct.unpack(">I", header[44:48])[0],
"text_encoding": {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}.get(
struct.unpack(">I", header[52:56])[0], "Unknown"
),
"user_version": struct.unpack(">I", header[60:64])[0],
"application_id": struct.unpack(">I", header[68:72])[0],
}
def get_schema(self) -> list:
"""Extract complete database schema."""
conn = sqlite3.connect(f"file:{self.db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("SELECT type, name, tbl_name, sql FROM sqlite_master ORDER BY type, name")
schema = [
{"type": row[0], "name": row[1], "table_name": row[2], "sql": row[3]}
for row in cursor.fetchall()
]
conn.close()
return schema
def get_table_stats(self) -> dict:
"""Get row counts and basic stats for all tables."""
conn = sqlite3.connect(f"file:{self.db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("SELECT name FROM sqlite_master WHERE type='table'")
tables = [row[0] for row in cursor.fetchall()]
stats = {}
for table in tables:
try:
cursor.execute(f'SELECT COUNT(*) FROM "{table}"')
count = cursor.fetchone()[0]
cursor.execute(f'PRAGMA table_info("{table}")')
columns = [
{"name": col[1], "type": col[2], "notnull": bool(col[3]), "pk": bool(col[5])}
for col in cursor.fetchall()
]
stats[table] = {"row_count": count, "columns": columns}
except sqlite3.OperationalError:
stats[table] = {"error": "Could not read table"}
conn.close()
return stats
def analyze_freelist(self) -> dict:
"""Analyze freelist for deleted data."""
header = self.parse_header()
page_size = header.get("page_size", 4096)
first_freelist = header.get("first_freelist_page", 0)
total_freelist = header.get("total_freelist_pages", 0)
if first_freelist == 0:
return {"freelist_pages": 0, "recoverable": False}
freelist_pages = []
with open(self.db_path, "rb") as f:
trunk = first_freelist
while trunk != 0:
offset = (trunk - 1) * page_size
f.seek(offset)
data = f.read(page_size)
next_trunk = struct.unpack(">I", data[0:4])[0]
leaf_count = struct.unpack(">I", data[4:8])[0]
leaves = []
for i in range(min(leaf_count, (page_size - 8) // 4)):
leaf = struct.unpack(">I", data[8 + i * 4:12 + i * 4])[0]
leaves.append(leaf)
freelist_pages.append({
"trunk_page": trunk,
"leaf_count": leaf_count,
"leaves": leaves
})
trunk = next_trunk
return {
"total_freelist_pages": total_freelist,
"trunk_pages": len(freelist_pages),
"details": freelist_pages,
"recoverable": total_freelist > 0
}
def check_wal(self) -> dict:
"""Check for WAL file and analyze its contents."""
wal_path = self.db_path + "-wal"
if not os.path.exists(wal_path):
return {"exists": False}
wal_size = os.path.getsize(wal_path)
with open(wal_path, "rb") as f:
header = f.read(32)
if len(header) < 32:
return {"exists": True, "valid": False}
magic = struct.unpack(">I", header[0:4])[0]
page_size = struct.unpack(">I", header[8:12])[0]
checkpoint = struct.unpack(">I", header[12:16])[0]
frame_count = (wal_size - 32) // (24 + page_size) if page_size > 0 else 0
return {
"exists": True,
"valid": magic in (0x377f0682, 0x377f0683),
"size_bytes": wal_size,
"page_size": page_size,
"checkpoint_sequence": checkpoint,
"estimated_frames": frame_count
}
def generate_report(self) -> str:
"""Generate comprehensive forensic analysis report."""
report = {
"analysis_timestamp": datetime.now().isoformat(),
"database_path": self.db_path,
"file_size": os.path.getsize(self.db_path),
"header": self.parse_header(),
"schema": self.get_schema(),
"table_stats": self.get_table_stats(),
"freelist": self.analyze_freelist(),
"wal": self.check_wal(),
}
report_path = os.path.join(self.output_dir, "sqlite_forensic_report.json")
with open(report_path, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[*] Database: {self.db_path}")
print(f"[*] Page size: {report['header'].get('page_size', 'N/A')}")
print(f"[*] Tables: {len(report['table_stats'])}")
print(f"[*] Freelist pages: {report['freelist'].get('total_freelist_pages', 0)}")
print(f"[*] WAL present: {report['wal'].get('exists', False)}")
print(f"[*] Report: {report_path}")
return report_path
def main():
if len(sys.argv) < 3:
print("Usage: python process.py <sqlite_db_path> <output_dir>")
sys.exit(1)
analyzer = SQLiteForensicAnalyzer(sys.argv[1], sys.argv[2])
analyzer.generate_report()
if __name__ == "__main__":
main()