SQLite Artifact Recovery Framework (SLARF)

I got this idea a while back when I wrote a tool called BARFF (Browser Artifact Recovery Forensic Framework). It was more or less a glorified SQLite parser, which again is more or less what SLARF is, but SLARF uses a plugin-based architecture similar to the code I wrote for python-regparse (written in Python).

Why SLARF?

It is extensible. If you come across a new SQLite database artifact, all you need to do is copy a bit of plugin code and in 10 - 15 minutes you have a new plugin to pull the data out.

Cell phone analysis more or less equates to running various queries against a range of SQLite databases. The same goes for modern browsers and a whole bunch of other programs, from Garmin GPS backups to everyday applications like Evernote; they all use SQLite databases to store information relevant to an investigation.

So rather than writing a tool for each application, or keeping a bunch of SQL queries pasted in a notebook for later use, it is much easier to have a set of ready-to-use plugins.

So let's take a look and see how it works.

Help

python slarf.py -h

usage: slarf.py [-h] [--plugin PLUGIN] [--listplugins] [--plugindetails]
                [--database DATABASE] [--format format]
                [--format_file format_file]
Parses SQLite Databases.
optional arguments:
  -h, --help            show this help message and exit
  --plugin PLUGIN       Specify plugin to run.
  --listplugins         Lists all of the available plugins.
  --plugindetails       Lists details available plugins.
  --database DATABASE   SQLite Database.
  --format format       Custom output.
  --format_file format_file
                        Custom output template.

Plugins

Right now I do not have a lot of plugins written for SLARF, but I will be adding to them over time. If there is one you want now, let me know and I can write it for you, or you can simply pass me the SQL query and I can build the Python plugin for you.

The following plugins are some sample ones that I wrote to test out the tool's effectiveness.

  • dbinfo - prints information about the database
  • nuvi2757lm_rs - parses the recent searches database from a Garmin Nuvi 2757LM GPS (see image below)
  • safari_history_db - parses the Safari history database
  • unallocated - recovers data from unallocated space within the SQLite database

python slarf.py --listplugins

dbinfo
nuvi2757lm_rs
safari_history_db
unallocated

python slarf.py --plugindetails

NUVI2757LM_RS
	Plugin: 	NUVI2757LM_RS
	Author: 	Patrick Olsen
	Version: 	0.1
	Reference: 	http://sysforensics.org
	Print Fields: 	"{{ rank }}|{{ string }}"
	Description: 	Parses the searches table from the recent_searches.db on the Garmin Nuvi 2757LM GPS.

Templates

The HTML output uses predefined templates. You can see an example of one here on my GitHub.

The output when using templates looks like this:

python slarf.py --plugin nuvi2757lm_rs --database recent_searches.db --format_file templates/nuvi2757lm_rs.html

[image: HTML template output of the nuvi2757lm_rs plugin run against recent_searches.db]

User Defined Output

python slarf.py --plugin nuvi2757lm_rs --database recent_searches.db --format '{{rank}}|{{string}}'
0|Nordstrom
1|Washington DC, DC
2|Starbucks
3|Kroger
4|Radisson Hotel-Nashville International
5|St Louis, MO
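To make the plugin details and the user-defined output concrete, here is an added example (mine, not SLARF's own code) of a SLARF-style plugin: metadata fields matching the --plugindetails listing, one SQL query, and a renderer that fills a '{{ field }}' format string per row. The plugin interface (a class with a run method), the searches table layout (rank, string) and the sample rows are assumptions; the database is constructed in memory.

```python
import re
import sqlite3

# Constructed sample rows standing in for the searches table of
# recent_searches.db; the column names are assumed from the plugin's
# print fields "{{ rank }}|{{ string }}".
SAMPLE_ROWS = [(0, "Nordstrom"), (1, "Washington DC, DC"), (2, "Starbucks")]

def make_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE searches (rank INTEGER, string TEXT)")
    con.executemany("INSERT INTO searches VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con

def open_evidence(path):
    """Open a real database read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

class Nuvi2757lmRs:
    """Hypothetical SLARF-style plugin: metadata plus a single query."""
    plugin = "NUVI2757LM_RS"
    author = "Patrick Olsen"
    version = "0.1"
    reference = "http://sysforensics.org"
    print_fields = "{{ rank }}|{{ string }}"
    description = "Parses the searches table from recent_searches.db."
    query = "SELECT rank, string FROM searches ORDER BY rank"

    def run(self, con):
        con.row_factory = sqlite3.Row
        return [dict(r) for r in con.execute(self.query)]

# Registry keyed the way --listplugins prints names (lowercase).
PLUGINS = {cls.plugin.lower(): cls for cls in (Nuvi2757lmRs,)}

FIELD = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(rows, fmt):
    """Fill every '{{ field }}' in fmt for each row; unknown fields render empty."""
    return [FIELD.sub(lambda m: str(row.get(m.group(1), "")), fmt) for row in rows]

def run_plugin(plugin, con, fmt=None):
    """Run the plugin's query and format rows with --format or the plugin default."""
    return render(plugin.run(con), fmt or plugin.print_fields)

if __name__ == "__main__":
    for line in run_plugin(PLUGINS["nuvi2757lm_rs"](), make_sample_db(), "{{rank}}|{{string}}"):
        print(line)
```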

Summary

So yeah, there it is. I have to write a bunch more plugins, and to be quite honest I don't do much analysis of SQLite DBs, so if you have some ideas, common queries, etc., by all means let me know and I'll see what I can do to create some for you.

I find myself short on time these days.

One more point. It really doesn't have to be just SQLite DBs... You could write your plugins to process any kind of database, really. You will just need to add the respective imports.

You can download SLARF on my GitHub.

If you find these posts useful and educational you can donate via PayPal.Me here: $1, $2, $3, $4, $5 or Custom.

Enjoy!