SQLite Database Recovery
SQLite is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine. It is the most widely deployed SQL database engine in the world and SQLite databases can be found on almost every digital device we may wish to examine. Our SQLite database recovery profile utilises Intelli-Carve® technology to find and extract SQLite databases. The recovery engine understands the structure of SQLite databases and can verify the integrity of the database during the recovery process.
As each database is recovered, it is checked for integrity. Any database which fails the integrity check is copied to a separate folder so that it may be manually checked at a later date. Any databases which are not fully recovered are also copied to a separate folder so they may be manually checked at a later date. All databases which pass integrity verification are copied to the main folder so that they may be examined first.
The data validation log keeps track of which databases failed the integrity check and also logs the reasons for their failure.
Jump List Recovery
Jump Lists are an interesting and common forensic artefact found when examining Microsoft Windows 7 or 8. They are a Taskbar feature that allow the user to quickly access recently accessed files and actions associated with a particular application.
Automatic Jump Lists (.automaticDestinations-ms files) are created by the operating system. These files are OLE Compound Files which contain in each stream a Windows Link File structure. There is also one special DestList stream which holds Most Recently Used (MRU) or Most Frequently Used (MFU) information for each of the Link File streams.
Our Jump List recovery profile deconstructs Automatic Jump Lists and for each Link File stream it writes out the recovered information to either CSV or Excel Specific CSV. The corresponding DestList information is prepended to each CSV Link File record. The user can also decide whether each Link File structure from the original source is also written out.
Other New Features
We have changed the way Blade® searches for artefacts and have implemented parallel processing which allows us to use more CPU processor cores. This should considerably increase the searching performance when multiple data recovery profiles are selected. We have now added support for installing Blade® on Microsoft Windows 8. In relation to supported image types, we have now added native support for EnCase® 7 ex01 image files.
Another important change in this version is a major upgrade to the recovery engine. Previously, Blade® would struggle to deal with the recovery of millions of files; this is no longer the case.
The full change log can be found here: Change Log v1.10