New forensic development brings deleted data back to life

Digital forensic tool allows investigators to restore deleted database evidence from a wide variety of media.

Criminal investigators will have access to a wealth of, hitherto unavailable, evidence thanks to a new development in deleted data extraction.

Researchers at CCL-Forensics Limited have taken a significant step forward in their analysis of SQLite databases, which are extensively used by many computers, web browsers, mobile phones and SatNavs.

The latest development allows investigators to reinstate these databases to a point where the deleted data becomes live once again, and therefore available for forensic analysis. It essentially restores the deleted content back into the database.

This development builds on the "Epilog" forensic tool, which was developed by CCL-Forensics last year as an internal project to add value to investigations undertaken for Law Enforcement Agencies.

Now, following this latest development, the tool - with this additional functionality - is being made available to the Law Enforcement and digital forensic communities.

Amongst other uses, it can recover deleted data from Safari and Chrome browsers, iPhones and iPads (including SMS, email and calendar) and Android (SMS, call logs, calendars, address book and others).

Many 'off-the-shelf' tools can be used to view the live records in the SQLite database, but it is the deleted data which Epilog extracts that could prove pivotal in an investigation.

For example, in a recent case handled by CCL-Forensics, Epilog recovered and presented nearly 5000 entries from a smartphone's web cache, where there were only 400 live (visible) entries.

Alex Caithness, lead programmer for Epilog says: "SQLite databases are everywhere, and we've committed a significant resource over the last year to analysing how they treat deleted data and, in particular, where evidence may be located.

We developed Epilog to do recover this evidence, but it's not until recently that our further research has enabled us to add the functionality where databases can be resurrected in their historic form.

In addition to this, Epilog can now be used over an entire piece of media (e.g. a disc image) without being directed to a particular database."

Investigators can download a trial version of Epilog for a free evaluation at www.ccl-forensics.com/epilog, where further information about the tool can also be found.

Epilog is one of a number of digital forensic developments created by the Research and Development team at CCL-Forensics' ISO17025 accredited laboratory in Warwickshire, UK.

For more information, please contact Mark Larson, Forensics Manager on:

+1789 261200 or

by emailing:
epilog@ccl-forensics.com

Return to Products menu