Pieces of Eight: iPods, iPads, iPhones, and SQLite

Even if you think the iPhone is an overpriced and buggy paperweight and the iPad just a larger version of the iPod, there is no denying the incredible popularity of both devices. Consumers have gone mad over both, with Apple selling 1.7 million new iPhone 4.0 units in the first three weeks of its release and the iPad selling three million in just eighty days.

That’s a heck of a lot of potential evidence containers circulating about. Now more than ever, forensic examiners need to understand and be able to acquire, exploit, and report on these devices.

Commercial applications for acquisition, analysis, and reporting on the iPhone, iPad, and iPod have come far, but as with any methodology or tool used for gathering and reporting evidence in a court of law, they should be tested and validated.

This is why it is so important not only to understand the underpinnings of the device data structure, but also to use alternate means to examine what can be gleaned from it. The commercial tools can thus be vetted for use.

This article is concerned with understanding one of the structures used to store data on the iPhone and its siblings: the SQLite database.

Database Basics
Before we go much further, it would behoove us to step back from the iPhone and SQLite for a moment and define what is meant by the term “database.” Simply put, a database is a container, composed of a file or set of files, used to store organized data. Databases themselves comprise several elements.

Databases contain tables, which are structured lists that contain one specific type of data. A table cannot mix two different types of data, e.g. inventory and addresses. A table would need to be created for each different data type to be stored.

A table has a set of characteristics and properties that define the type of data that can be stored, how it is divided, etc. These property sets are known as the table’s schema. A schema can also describe a whole database and the relationships between the tables inside it.
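The tables and schema described above can be read directly out of a SQLite file, which is one alternate means of checking what a commercial tool reports. The following is an added example, not code from the original article: it builds a small constructed database (the table and column names are hypothetical), opens it read-only, lists each table's schema, columns and row count from sqlite_master, and confirms by SHA-256 that the file was not altered.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash the file so any change made during examination is detectable."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_sample_db(path):
    """Constructed sample data; table and column names are hypothetical."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY,
            contact_id INTEGER REFERENCES contacts(id), body TEXT, sent_at INTEGER);
        INSERT INTO contacts VALUES (1, 'Alice Example', '555-0100');
        INSERT INTO messages VALUES (1, 1, 'constructed message', 1280000000);
        INSERT INTO messages VALUES (2, 1, 'another constructed message', 1280000060);
    """)
    con.close()


def examine(path):
    """Return {table: schema, columns, row count} read through a read-only handle."""
    before = sha256_of(path)
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    report = {}
    try:
        query = "SELECT name, sql FROM sqlite_master WHERE type='table' ORDER BY name"
        for name, sql in con.execute(query).fetchall():
            quoted = '"' + name.replace('"', '""') + '"'
            cols = [(c[1], c[2]) for c in con.execute(f"PRAGMA table_info({quoted})")]
            rows = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            report[name] = {"schema": sql, "columns": cols, "rows": rows}
    finally:
        con.close()
    if sha256_of(path) != before:
        raise RuntimeError("file changed during examination")
    return report


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "sample.sqlitedb"
        build_sample_db(db)
        return examine(db)
```

Calling demo() returns the report for the constructed database; in practice examine() would be pointed at a working copy of an extracted database file, never the original evidence.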
