sqlite-forensic¶

Carve deleted rows out of a SQLite database without trusting it, without writing to it, and without re-surfacing a live row.

use sqlite_core::Database;
use sqlite_forensic::{audit, carve_all_deleted_records};

let db = Database::open(std::fs::read("History")?)?;
for anomaly in audit(&db) { /* graded findings */ }
for rec in carve_all_deleted_records(&db) { /* recovered deleted rows */ }

GitHub Repository →

What it does¶

sqlite-forensic reads the raw SQLite file format — header, b-tree, freelist + overflow chains, and a read-only WAL overlay — and does two things the live sqlite3/rusqlite path cannot:

Grades anomalies (sqlite-forensic::audit) into severity-ranked, confidence-scored forensicnomicon::report::Findings: non-empty freelist, uncheckpointed WAL state, page-count mismatch, non-standard reserved space.
Carves deleted records (carve_all_deleted_records) from freelist pages, in-page free blocks, and dropped-table pages — column count inferred per record — while structurally refusing to re-surface a live row.

The two crates¶

Crate	Role
`sqlite-core`	Raw, read-only, panic-free file-format reader. No findings.
`sqlite-forensic`	Anomaly auditor + deleted-record carver, built on `sqlite-core`.

Anomaly codes¶

Code	Severity	Observes
`SQLITE-DELETED-RECORD-RECOVERED`	Medium	A record-shaped cell recovered from unallocated space.
`SQLITE-FREELIST-NONEMPTY`	Low	Free pages present — consistent with prior deletions.
`SQLITE-WAL-UNCHECKPOINTED`	Medium	`-wal` overlay the main file does not reflect.
`SQLITE-PAGECOUNT-MISMATCH`	High	Header page count disagrees with file length.
`SQLITE-RESERVED-SPACE-NONZERO`	Low	Non-standard per-page reserved bytes (e.g. SQLCipher).

Validation¶

The deleted-record carver is reconciled against two independent reference tools, undark (C) and fqlite (Java):

RapidTriage ecosystem¶

sqlite-forensic is the SQLite parser in the RapidTriage DFIR toolkit alongside browser-forensic, winevt-forensic, srum-forensic, memory-forensic, and forensicnomicon.