
Forensic Operations for Recognizing SQLite Content (FORC): An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices

1 Computer Science Department, Palestine Technical University Kadoorie, Tulkarem P305, Palestine
2 Department of Cybercrimes and Digital Evidence Analysis, Palestine Technical University Kadoorie, Tulkarem P305, Palestine
3 Department of Information Technology, College of Computer and Information Sciences, Princess Nourah Bint Abdulrahman University, P.O. Box 84428, Riyadh 11671, Saudi Arabia
4 Higher Institute of Computer Science of Mahdia, University of Monastir, Mahdia 5111, Tunisia
* Author to whom correspondence should be addressed.
Appl. Sci. 2023, 13(19), 10736; https://doi.org/10.3390/app131910736
Submission received: 2 July 2023 / Revised: 15 September 2023 / Accepted: 25 September 2023 / Published: 27 September 2023
(This article belongs to the Special Issue Intelligent Digital Forensics and Cyber Security)

Abstract

Mobile forensics is crucial in reconstructing the everyday activities carried out through mobile applications during an investigation. Manual analysis can be tedious, time-consuming, and error-prone. This study introduces an automated tool called Forensic Operations for Recognizing SQLite Content (FORC), designed for Android, to extract SQLite evidence. SQLite is a library that serves as a container for mobile application data, providing a zero-configuration, serverless, self-contained, and transactional SQL database engine. While some SQLite files carry extensions such as .db, .db3, .sqlite, and .sqlite3, others have none. The lack of a file extension can cause evidence to be missed. The proposed tool uses both the file extension and the header of the SQLite file to recognize SQLite databases generated or modified by a mobile application. FORC’s capability was evaluated using the Chrome application as a case study, and FORC was compared with other tools. The results suggest that FORC significantly simplifies mobile forensic analysis.

1. Introduction

The mobile phone industry has undergone significant growth in recent times [1], with people using their phones for much more than calls and messages. Web browsing, media sharing, online shopping, gaming, and social-media networking account for most of the time spent on mobile phones [2]. With the increasing use of smartphones and tablets, these devices have become prime targets for cybercrimes such as hacking, data theft, and malware attacks. As a result, demand has grown for mobile forensics to help investigators gather and analyze digital evidence from these devices in support of criminal investigations. Mobile forensics is a branch of digital forensics concerned with the recovery and investigation of digital evidence [3]. It covers the recovery and analysis of data from mobile devices, including call logs, text messages, emails, photos, videos, social-media activity, and location data, and it requires specialized techniques and tools to acquire, analyze, and interpret that data. The ultimate goal of mobile forensics is to provide reliable and admissible evidence for use in legal proceedings.
According to the National Institute of Standards and Technology (NIST), mobile forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile-device forensics is a rapidly evolving specialty in digital forensics that involves collecting and analyzing data from smartphones and tablets while maintaining the integrity of that data. Because these data may be used as evidence in legal proceedings, law enforcement agencies and private organizations involved in forensic investigations rely on specialized tools and techniques to extract and analyze digital evidence from mobile devices. NIST has issued a comprehensive guideline, Special Publication 800-101 (Guidelines on Mobile Device Forensics), covering the mobile device forensic process, data acquisition and analysis, evidence preservation, legal considerations, and best practices. The process described in NIST SP 800-101 is organized around preservation, acquisition, examination and analysis, and reporting.
SQLite databases are regarded as critical sources of digital evidence in forensic investigations when found on mobile devices. This is because SQLite is a database management system commonly used on mobile devices which stores various types of data, such as call logs, text messages, and internet history. Extraction and analysis of SQLite databases from mobile devices play significant roles in mobile forensics investigations, as they provide investigators with valuable information, such as the communication history of a suspect, web searches, and other digital artifacts relevant to an investigation. Investigators commonly use tools such as Belkasoft, Magnet AXIOM, and FINALMobileForensics to extract and analyze digital evidence, including SQLite databases, from mobile devices. These tools have features and capabilities such as data recovery, file carving, and timeline analysis to aid investigators in identifying and analyzing relevant digital artifacts from mobile devices. Research on SQLite evidence extraction in mobile devices is a rapidly developing field. A range of studies in digital forensics address key challenges and advancements in the domain. One study [4] underscores the evolving landscape of mobile devices, one which necessitates adaptive forensic methods due to changing security features and levels of encryption adoption. Another research effort [5] adopts agile methodology to develop forensic modules for Android social media and messaging apps, detailing implementation and challenges. Additionally, another study [6] enhances iOS data extraction through timeline analysis and plugin development. A literature review [7] forms the basis for a unified digital business forensic investigation (DBFI) process, promoting systematic forensic practices. Furthermore, another research effort [8] explores encryption’s impact on forensic data extraction, proposing a new acquisition model with a legal framework. 
Several studies [1,9,10,11] investigate social networking and messaging-app forensics, contributing insights and methods for evidence retrieval.
In sum, these studies collectively highlight the need for adaptive forensic techniques, standardized processes, and innovative approaches to address evolving technologies and data challenges in digital forensics. There are still some gaps and areas that require further investigation [12]:
  • Standardization: To promote consistency and comparability in the extraction of SQLite evidence from mobile devices, there is a need for standardization. Current methods and tools used by researchers and practitioners can lead to inconsistencies and may compromise the reliability of findings. A unified framework is necessary to ensure an efficient and comprehensive approach to digital forensic investigations on various mobile phone platforms, accommodating different architectural models, storage paths, and device settings, as well as users’ security preferences. This framework will provide investigators with a reliable and consistent method of acquiring and analyzing digital evidence from mobile devices, regardless of the specific characteristics of the devices. The adoption of a standardized approach will mitigate the risk of errors or omissions in the investigation process, ensuring that all relevant evidence is collected and analyzed thoroughly and reliably [13].
  • Performance: The performance of SQLite evidence extraction techniques needs to be evaluated further. Specifically, there is a need to investigate the effectiveness of different methods in extracting data from SQLite databases of different sizes and complexities.
  • Privacy and Security: There is a need for research on the privacy and security implications of SQLite evidence extraction. Mobile devices may contain sensitive information that needs to be protected, and extracting data from SQLite databases may raise privacy concerns.
  • Automation: Automating the SQLite evidence extraction process can save time and reduce human errors. There is a need for research on the development of automated tools and techniques for SQLite evidence extraction in mobile devices.
  • Applicability: The applicability of SQLite evidence extraction in different types of mobile devices and operating systems needs to be investigated further. Some devices or operating systems may have different SQLite database structures or security measures that can affect evidence extraction.
  • Big Data: The growing volume of data and the emergence of big data pose significant challenges in digital forensics [12]. Investigating the generated data, data encoding process, and storage location of data to systematically follow the evidence and reconstruct user activities is complex and challenging. This process often requires controlled experiments, which can be challenging given the increasing number of mobile apps and their frequent updates [14,15,16,17].
Therefore, this research proposes an automated tool, Forensic Operations for Recognizing SQLite Content (FORC), for mobile forensic data acquisition, analysis, and reporting. With the increasing use of mobile devices and the volume of data that needs to be analyzed, automating parts of the forensic investigation process can improve both efficiency and accuracy. Several mobile operating systems exist, including Android, iOS, KaiOS, Windows Phone, and BlackBerry. Android is the dominant mobile operating system worldwide, with a market share of 71.93% [18]. Consequently, this research conducted its experiment using the Chrome application on Android. FORC extracts SQLite evidence by checking both the file extension and the header of each file, which allows the relevant files to be extracted automatically. Every SQLite 3 database begins with the 16-byte “magic” header “53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00” (the ASCII string “SQLite format 3” followed by a NUL byte); by matching this header, FORC identifies and extracts all SQLite files created or modified by the application, regardless of their extension. Comparative evaluations against popular forensic tools such as Belkasoft, Magnet AXIOM, and FINALMobile indicate that FORC identifies and extracts more SQLite files from Android devices than these tools. This suggests that FORC has the potential to significantly enhance the efficiency and accuracy of mobile forensic investigations.
This research not only introduces a practical and efficient solution for SQLite evidence extraction in Android devices but also lays the groundwork for standardization and future advancements in mobile forensic techniques. It addresses the pressing need for automation and reliability in digital forensics, both of which ultimately benefit law enforcement agencies and organizations involved in forensic investigations.
The research significantly contributes to the field of digital forensics by addressing critical challenges and advancements related to the extraction of SQLite evidence from mobile devices, with a particular focus on Android smartphones. The contributions of this research can be summarized as follows:
  • Automated Tool Development: The research introduces a novel automated tool called FORC which is designed to streamline the process of mobile forensic data acquisition, analysis, and reporting. FORC employs a header-based and file-extension-based approach for the automatic extraction of SQLite files, enhancing the efficiency and accuracy of digital forensic investigations.
  • Enhanced Efficiency: By utilizing FORC, investigators can automate certain aspects of the forensic investigation process, reducing manual effort and the potential for human errors. This automation is crucial in coping with the increasing use of mobile devices and the growing volume of data that requires analysis.
  • Improved Extraction Accuracy: Comparative evaluations of FORC against popular forensic tools like Belkasoft, Magnet AXIOM, and FINALMobile demonstrate its superior performance in identifying and extracting SQLite files from Android devices. This enhancement in extraction accuracy contributes to more reliable and comprehensive forensic investigations.
  • Addressing Standardization: The research highlights the need for standardization in the extraction of SQLite evidence from mobile devices. While this paper focuses on Android devices, the proposed framework and automated tool can serve as a foundation for standardized approaches that can be applied across various mobile platforms, ensuring consistent and reliable results in digital forensic investigations.
  • Future Research Directions: The research identifies several areas that require further investigation, including performance evaluation, privacy and security implications, automation, applicability to different devices and operating systems, and the handling of challenges posed by big data in digital forensics. These areas provide opportunities for future research and innovation in the field.

2. Related Work

Numerous studies have contributed to the ever-evolving field of digital forensics [7,11,13,19,20,21,22,23,24], shedding light on various aspects of data retrieval and investigative techniques. This section highlights key findings from recent studies. The article [4] proposes a novel approach to mobile forensic acquisition. Forensic investigators face a significant hurdle in the ever-changing landscape of mobile devices and their software: manufacturers frequently introduce new models with different security features and operating systems, which forces constant adaptation of forensic methods. The growing adoption of encryption by consumers adds a further challenge, making it increasingly difficult for forensic experts to access device data. It therefore remains crucial for investigators to keep up with the latest developments in mobile technology and to devise data-extraction techniques that keep pace with them. In [5], the authors define and implement a procedure rooted in an agile methodology for building forensic investigation modules. They describe the implementation of modules for nine widely used Android social-media and instant-messaging applications, covering aspects such as wireless communication and system information, and summarize the challenges encountered during the study.
The research in [6] introduces a technique for extending Log2Timeline so that it extracts temporal data from iOS devices more completely. The authors develop a parser plugin for Log2Timeline that handles artifacts the tool otherwise misses, such as property lists (“plists”) and SQLite databases. Their method proceeds as follows: first, a forensic timeline is generated with the Plaso tool from a previously acquired iOS image; the timeline is then examined for gaps and missing artifacts; a Plaso plugin is written to parse the absent artifacts; finally, Plaso is re-run with the new plugins to build a more exhaustive timeline. Experimental results show that the additional plugins significantly improve the comprehensiveness of the timeline extracted from iOS devices.
The paper [25] undertakes a comprehensive review of the existing literature and uses it as the foundation for a unified digital business forensic investigation (DBFI) process, developed with a design science research methodology. The unified DBFI process is structured around three categories: planning, preparation, and pre-response; acquisition and preservation; and analysis and reconstruction. The authors designed the framework to remove ambiguity and to give practitioners a systematic approach to conducting DBFI with a higher level of assurance.
The paper [8] examines the stronger encryption and security safeguards present in contemporary mobile devices and their effect on the conventional forensic data extraction approaches used by law enforcement. The authors show that overcoming encryption requires new mobile forensic methodologies centered on bypassing security features and exploiting system vulnerabilities, and they introduce a forensic acquisition model underpinned by a legal framework that addresses the usability of digital evidence obtained through vulnerability exploitation.
In a study focused on Android smartphones, the authors in [9] conducted a forensic analysis of several social networking apps: Whisper, Wickr, Instagram, WeChat, and LINE. Their primary objective was to determine whether data from these apps are stored in the device’s internal storage. Using forensic tools such as Autopsy, XRY, and Magnet AXIOM, they extracted a substantial amount of data relevant to criminal investigations. In [10], the authors examined real case records obtained from the Dubai Police department to address the main problems faced by digital forensics, namely the huge volume of data and the complexity of cases. The research used a mixed-methods approach combining quantitative and qualitative analyses with a phenomenology model (interview confirmation) to assess the strategies used for case allocation and participant selection. The study identified the main factors behind delays in investigations and the need for collaborative data processing and training among investigators.
Zamroni and Riadi [26] conducted a forensic examination of WhatsApp on Samsung C9 Pro handsets, emphasizing forensic techniques for analyzing WhatsApp-related artifacts such as contact lists, chat messages, files, and logs. The study concluded that the combination of Magnet AXIOM and WA Key/DB Extractor yielded the best results for WhatsApp artifact recovery. Focusing on digital evidence from Facebook Messenger, the study in [27] followed the NIST methodology and used the Oxygen Forensics Suite and Magnet AXIOM. The researchers recovered various pieces of digital evidence, including images, accounts, and conversation transcripts, with Magnet AXIOM outperforming Oxygen Forensics Suite. Researchers in [28] addressed a knowledge gap by exploring the recovery of Facebook data after the app is uninstalled from a smartphone. Categorizing the retrieved data objects allowed a clearer description of the user information and app data that remain recoverable. The paper’s contribution lies in identifying what Facebook data can be recovered and where it resides, offering a foundation for future studies. Mahmoud [19] proposed a two-stage model for data acquisition from Android smartphones, combining manual techniques for initial data collection with logical techniques for processing using a purpose-built tool. The research showed promising results in retrieving data from social networking apps such as WhatsApp and Facebook Messenger and highlighted the potential for future improvements. In [29], a similar conclusion was drawn after examining both logical and physical acquisition methods; the study recommended using more than one mobile forensic tool for evidence extraction.
In their work presented in [30], the investigators focused on WhatsApp, WeChat, Viber, and Telegram, all renowned as some of the most extensively employed encrypted instant-messaging applications. The research delved into the forensic implications surrounding encrypted instant-messaging systems. To scrutinize the artifacts generated by these applications, the researchers harnessed the Android Debugging Bridge (ADB) tool, complemented by several other open-source utilities. The study shed light on the challenges encountered by researchers when collecting forensically relevant artifacts. Furthermore, it provided investigators with valuable insights into where to locate crucial data within any of the applications under scrutiny during their investigative processes.
In a study carried out by Anglano et al. in 2017 [14], a methodology was employed for the forensic analysis of Android applications, with a particular focus on investigating Telegram Messenger. The primary approach involved meticulously planned experiments conducted on virtual smartphones, as opposed to real devices. This approach aimed to ensure the generality and repeatability of research results, which were subsequently rigorously validated for their applicability to Telegram. The accuracy and reliability of this methodology were further verified through a comparative analysis of results obtained from a subset of experiments conducted on actual smartphones.
The work by Jones and Winster in 2017 [31] represents a groundbreaking approach to acquiring digital evidence from compromised devices. This innovative method holds significant promise for digital investigators and legal proceedings. It offers a unique opportunity to gain deeper insights into the actions of cybercriminals who have exploited mobile devices. Their research primarily focused on the application of forensic tools to reconstruct past events on these mobile devices, providing valuable investigative support.
Azfar and colleagues conducted a study in 2016 [32], focusing on the analysis of five social applications: Twitter, Snapchat, Pinterest, POF Dating, and Fling. Their findings indicated that it is indeed feasible to retrieve various data types, including contact lists, sent and received photos, user information, timestamps of tweets, and notification logs from these applications.
Additionally, another study in 2016 [33] involved a comprehensive evaluation of both open-source and commercial forensic tools for mobile devices. In the evaluation, predefined software parameters were taken into account, and a cross-device and test-driven methodology was adapted. The outcome of this research resulted in the development of a comparison matrix which serves as a valuable resource for identifying the most suitable forensic solution tailored to the specific needs of investigative processes.
The study in [34] explores the impact of wearable and IoT devices on forensic science. These devices can serve as crucial sources of evidence in both civil and criminal cases. Data obtained from wearables can corroborate witness testimony by documenting various activities of individuals. The widespread use of smart home devices further enhances investigative capabilities. By aggregating data from wearables and smart home gadgets, investigators gain a comprehensive view of events within an environment, enabling a deeper understanding of cases. The study addresses challenges related to data extraction and analysis, offering techniques to automatically detect anomalies and correlations within the vast volume of time-series data collected from these devices.
In summary, the field of digital forensics faces challenges such as a lack of standards and training among investigators and the growing volume of data that must be examined. NIST issued its digital forensics guidelines (SP 800-101 for mobile devices) to address the need for standardization, and certification programs are being offered to address the need for training. Law enforcement agents must be trained to acquire digital evidence and to keep up with rapidly changing technologies. The variety of devices, platforms, operating systems, manufacturers, and forms of cybercrime is a further major challenge for the field. Table 1 provides an overview of the key findings and focus areas in recent related work in digital forensics.

3. FORC Tool: Design and Analysis

3.1. FORC Overview

The FORC (Forensic Operations for Recognizing SQLite Content) tool has been meticulously developed to facilitate mobile forensic investigations, with a specific focus on SQLite data. The reasons behind customizing FORC to support extracting SQLite include:
  • Ubiquity of SQLite: SQLite databases are ubiquitous in mobile devices, especially on Android and iOS platforms. Many critical pieces of information, such as call logs, text messages, and application data, are stored in SQLite databases. Given the prevalence of SQLite, SQL-based forensic tools like FORC are indispensable for comprehensive data extraction.
  • Data Structure and Relationships: SQL databases, including SQLite, are known for their structured data format and support for complex relationships between data elements. Mobile devices often store data in structured tables with well-defined schemas, making SQL databases suitable for forensic investigations in which preserving data integrity and relationships is paramount.
  • Standardization and Consistency: The use of SQL databases adheres to well-established data-management and querying standards. This standardization ensures consistency and reliability in data extraction, which is critical when dealing with digital evidence that may be subject to legal scrutiny.
  • Data Recovery and Analysis: SQL-based tools offer advanced capabilities for data recovery and analysis. They can handle complex SQL queries, data joins, and filtering, enabling forensic experts to extract and interpret a wide range of digital artifacts effectively.
  • Legacy Data: Many older mobile devices and applications rely heavily on SQL databases. Legacy data stored in these databases can provide crucial insights in forensic investigations. SQL-based tools are essential for extracting and analyzing data from older devices.
To ensure that the extraction process is lawful and that its results are admissible in court, FORC follows the methodology published by the National Institute of Standards and Technology (NIST), which is well known to forensic investigators. NIST is a U.S. government agency responsible for developing and promoting measurement standards, including standards related to digital forensics. The NIST methodology is a comprehensive framework for practitioners conducting mobile device examinations. Because digital evidence collected from mobile devices must be credible, reliable, and admissible in a legal context such as court proceedings, the methodology focuses on maintaining the integrity and reliability of the data. Its procedures for mobile forensics include:
  • Evidence Handling: Proper procedures for collecting, preserving, and documenting digital evidence from mobile devices to maintain its integrity and chain of custody.
  • Data Acquisition: Guidelines for acquiring data from mobile devices, whether through logical, physical, or file-system-extraction methods, while minimizing potential data alteration.
  • Data Analysis: Techniques for analyzing the acquired data, which may involve decoding and interpreting various file formats, databases, and system artifacts on mobile devices.
  • Reporting: Recommendations for documenting findings, preparing reports, and presenting evidence in a clear and understandable manner for legal purposes.
  • Validation: Ensuring that forensic tools and techniques used in the examination of mobile devices are scientifically validated and meet established standards.
  • Legal Compliance: Adherence to legal and ethical standards, as well as compliance with relevant laws and regulations governing digital evidence collection and presentation.
The FORC tool, developed in accordance with the NIST methodology, is built from a combination of key technologies. The graphical user interface (GUI) is written with PyQt5, the free Python binding for the Qt framework. The core functionality is implemented in Python 3.9.4. The Sleuth Kit, a library and set of digital forensic tools, is used to handle forensic images, integrated through the pytsk3 Python bindings. The Sleuth Kit, created by Brian Carrier, is a collection of open-source command-line tools frequently used in digital forensic investigations; it provides file recovery, metadata extraction, and keyword searching, and supports file systems such as NTFS, FAT, and Ext2/3/4.
FORC’s primary objective is to automatically identify the SQLite files relevant to a forensic examination. It uses a twofold approach. First, it considers the file extensions of the target files so that all likely candidates are included. Second, FORC checks for the 16-byte “magic” header “53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00”, which decodes to the ASCII string “SQLite format 3” followed by a NUL byte. This header is present in every valid SQLite 3 database file and is therefore a reliable marker for identifying and extracting SQLite evidence, including databases that have no extension at all. FORC supports both physical-image and ADB-backup acquisitions, broadening its range of data-acquisition scenarios. The sequential steps of FORC’s automated data acquisition, analysis, and reporting are depicted in Figure 1, which illustrates the tool’s complete workflow.
As illustrated in the flowchart, investigators can start a new project in FORC or load an existing one through a two-step wizard: entering case information (case number, investigator’s name, case date, and case description) and connecting the device to the workstation via USB cable, at which point the smartphone specifications and installed packages are detected automatically. The primary window of the FORC tool is shown in Figure 2, and Figure 3 shows the New Case window that appears when a new case is created.
To initiate a new acquisition, a USB cable is required to establish a connection between the mobile device and the workstation. Upon successful connection, FORC automatically retrieves essential smartphone specifications and the list of installed packages, as depicted in Appendix A Figure A1. Following a successful connection with the workstation, investigators are guided to select their preferred acquisition method, choosing between ADB backup or Raw image, as demonstrated in Appendix A Figure A2.
Once a method is selected, FORC starts BusyBox on the (rooted) device, listening on port 8888, and streams the raw image from it to the workstation to perform the physical acquisition, as highlighted in Appendix A Figure A3. On completion, details such as image size, acquisition time, and data transfer speed are displayed, and the resulting forensic image is saved with a .dd extension. A subsequent screen (Appendix A Figure A4) presents the partition table of the image, its MD5 hash value, and the acquisition date. The MD5 digest is sufficient to detect accidental alteration of the image; because MD5 is no longer collision resistant, examiners commonly record a SHA-256 digest alongside it. FORC can also load existing ADB backups with .ab or .tar extensions, or physical images with the .dd extension, for subsequent analysis; in this case the user supplies the image location. In addition, FORC incorporates a report function that lets investigators generate case reports keyed to the assigned case number.

3.2. Acquisition Requirements

Acquisition is the crucial first step in the process of extracting data from smartphones. The extracted data is then processed forensically to obtain digital evidence. The FORC tool provides investigators with two options for acquisition: ADB backup and physical acquisition. Before starting the acquisition, investigators must consider the following points:
  • Ensuring the smartphone is turned on.
  • Ensuring the smartphone is unlocked.
  • Enabling USB debugging.
  • Connecting the smartphone to the computer or workstation using the original USB cable.
  • Selecting the appropriate option on the smartphone screen to establish a communication between the mobile phone and the workstation.
  • For ADB backup, rooting is not required, but physical acquisition cannot be performed without rooting. The appropriate tool, such as BusyBox, must be used for rooting the device, depending on the mobile device and the installed Android version.

3.2.1. Handling Forensic Images

  • ADB backup:
After executing the ADB backup command, a file with an .ab extension will be generated. To ensure compatibility with the FORC tool, a vital procedure entails converting the .ab file into a .tar file, as illustrated in Figure 4.
  • Physical acquisition:
For physical acquisition, as previously noted, rooting is imperative, resulting in a .dd file extension. To process forensic images with the .dd extension, the FORC tool seamlessly integrates the Sleuth Kit library through the pytsk3 module. The extracted data can be handled like any other folder on the computer, akin to data extracted in the case of ADB backup.
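The .ab-to-.tar conversion described above, as an added example written for this article (not FORC's own code): it parses the four-line ADB backup header, inflates the zlib-compressed payload of an unencrypted backup, and refuses encrypted backups, which require the user's backup password. The sample backup is constructed inline.

```python
"""Convert an unencrypted ADB backup (.ab) into a plain .tar archive.

Added example written for this article; not FORC's own code. An .ab file is
a four-line text header ("ANDROID BACKUP", format version, compression flag,
encryption type) followed by the backup's tar stream, zlib-compressed when
the flag is 1. The sample backup below is constructed inline.
"""
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Split off the header; return (version, compressed, encryption, payload)."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode("ascii")
    return version, compressed, encryption, parts[4]


def ab_to_tar(ab_bytes):
    """Return the tar bytes inside an unencrypted backup.

    An encrypted backup (encryption type "AES-256") carries extra header
    lines and a master key wrapped with the user's backup password; this
    function refuses it instead of emitting garbage for the examiner.
    """
    _, compressed, encryption, payload = parse_ab_header(ab_bytes)
    if encryption != "none":
        raise ValueError("encrypted backup (%s): password required" % encryption)
    return zlib.decompress(payload) if compressed else payload


def tar_member_names(tar_bytes):
    """List the entries of the recovered archive (what would then be browsed)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.getnames()


def build_sample_ab(encryption=b"none"):
    """Constructed .ab: one placeholder app file in a tar, zlib-compressed.

    The encryption argument only swaps the header's fourth line so the
    refusal path can be exercised; a real AES-256 backup has more header lines.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        body = b"placeholder contents, not a real database\n"
        info = tarfile.TarInfo("apps/com.android.chrome/db/History")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    header = AB_MAGIC + b"\n1\n1\n" + encryption + b"\n"
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = build_sample_ab()
    print(tar_member_names(ab_to_tar(sample)))
```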

3.3. FORC Data Processing: Recognizing SQLite Files

Within mobile devices, databases function as containers housing data from various mobile applications, each maintained within its SQLite database. The FORC tool streamlines the automatic extraction of SQLite evidence, employing both file extensions and file headers for identification and extraction, as elucidated in Appendix A Figure A5. SQLite files exhibit various extensions (e.g., .db, .db3, .sqlite, and .sqlit3) or may even be devoid of an extension altogether. However, each valid SQLite database file unmistakably includes a “magic” header string, fundamental for the identification and recognition of SQLite files.
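As an added illustration of the extension-plus-header recognition described above (example code written for this article, not FORC's own source), the following Python scans an extracted application folder, flags files either by the 16-byte "SQLite format 3\0" magic header or by extension, and lists the tables of each recognized database read-only. The folder layout and Chrome-like file names are constructed inline and are assumptions for illustration.

```python
"""Recognize SQLite databases by extension or by the 16-byte file header.

Added example written for this article; it is not FORC's own source code.
The extracted-application folder it scans is constructed inline, so it
runs offline; the Chrome-like file names are assumed for illustration.
"""
import os
import pathlib
import sqlite3
import tempfile

# Every SQLite 3 database starts with this 16-byte magic string:
# the text "SQLite format 3" followed by a NUL byte.
SQLITE_MAGIC = b"SQLite format 3\x00"
# Extensions the paper lists for SQLite files (plus the full ".sqlite3").
SQLITE_EXTENSIONS = {".db", ".db3", ".sqlite", ".sqlit3", ".sqlite3"}


def has_sqlite_header(path):
    """True if the file begins with the SQLite 3 magic header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def classify(path):
    """Return 'header', 'extension-only', or None for a file.

    'extension-only' marks a file that carries a SQLite extension but lacks
    the magic header (empty, truncated, or misnamed); an examiner should
    inspect it by hand rather than treat it as a database.
    """
    if has_sqlite_header(path):
        return "header"
    if os.path.splitext(path)[1].lower() in SQLITE_EXTENSIONS:
        return "extension-only"
    return None


def scan_tree(root):
    """Walk an extracted app folder; map 'relative/path' -> recognition tag."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            tag = classify(full)
            if tag is not None:
                found[os.path.relpath(full, root).replace(os.sep, "/")] = tag
    return found


def list_tables(path):
    """List user tables of a recognized database, opened read-only."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name"
        ).fetchall()
    finally:
        con.close()
    return [row[0] for row in rows]


def build_sample_tree():
    """Constructed sample folder mimicking an extracted app (not real data)."""
    root = tempfile.mkdtemp(prefix="forc_example_")
    sub = os.path.join(root, "app_chrome", "Default")
    os.makedirs(sub)
    # A real database saved without any extension, the case the paper warns about.
    con = sqlite3.connect(os.path.join(sub, "History"))
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT)")
    con.execute("INSERT INTO urls (url) VALUES ('https://example.com/')")
    con.commit()
    con.close()
    # A real database with a conventional extension.
    con = sqlite3.connect(os.path.join(sub, "Cookies.db"))
    con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT)")
    con.commit()
    con.close()
    # A file that is SQLite by name only.
    with open(os.path.join(sub, "notes.sqlite"), "wb") as fh:
        fh.write(b"plain text, not a database\n")
    # An unrelated file that must not be reported.
    with open(os.path.join(sub, "config.json"), "wb") as fh:
        fh.write(b"{}")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, tag in sorted(scan_tree(sample_root).items()):
        tables = list_tables(os.path.join(sample_root, rel_path)) if tag == "header" else []
        print("%-32s %-15s tables=%s" % (rel_path, tag, tables))
```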
With FORC, SQLite files are seamlessly extracted, granting investigators direct access to explore and examine them, without necessitating additional software. Moreover, FORC empowers investigators to select sets of evidence directly from these databases, associating them with specific case numbers for subsequent report generation. The generated report encompasses four primary sections:
  • Case Information: This section includes critical case details, such as the case date, case description, investigator’s name, case number, and image hash value.
  • Workstation Information: Automatically generated by the FORC tool, this section provides insights into the workstation used for forensic analysis, including the operating system, node name, and username.
  • Mobile Device Details: This section presents information related to the mobile device in question, including the serial number, device name, and manufacturer.
  • Evidence Details: Investigators can comprehensively document the selected set of pieces of evidence, including evidence specifics, the table and column where the evidence resides, and the path to the SQLite database file.

4. Experiment, Results and Discussion

The following section presents the outcomes and analysis of the test carried out to showcase the efficiency of the FORC tool in retrieving SQLite data.

4.1. Experiment Setup

To ensure the successful execution of the experiment, an appropriate environment, including all necessary equipment and tools, was prepared. Table 2 shows the devices and tools that were utilized in the experiment.

Rooting the Smartphone

Before proceeding with data retrieval, it was imperative to root the Android smartphone. Rooting grants the investigator “superuser” privileges, enabling physical acquisition. The rooting process was carried out as follows:
  • Installing Odin 3.13.1 software on the workstation.
  • Enabling “Developer Mode” by tapping the build number seven times, activating USB debugging mode, and unlocking the Original Equipment Manufacturer (OEM) controls on the smartphone, as demonstrated in Appendix A Figure A6.
  • Powering off the smartphone, followed by simultaneously pressing and holding the Power, Volume Down, and Home buttons until a warning message appeared. Then, pressing the volume up button allowed the smartphone to enter “Download Mode,” facilitating communication with Odin3.
  • Connecting the smartphone to the workstation via a USB cable.
  • Running Odin3 software as an “Administrator.” The program verified the connection between the smartphone and the workstation when the message “Added” appeared, as depicted in Appendix A Figure A7.
  • Selecting the root file by clicking on “AP,” as illustrated in Appendix A Figure A7. This file typically carries an extension of .tar.md5 and must be compatible with the smartphone’s make and Android version.
  • Initiating the rooting process by clicking the Start button.
Upon successful completion of the rooting process, the BusyBox tool, which is a set of Linux commands, was installed to allow the performance of actions on Android with “superuser” privileges. The tool can only be installed on rooted devices and can be downloaded from the Play Store.

4.2. Forensics Analysis: Chrome Application as a Case

In this study, we selected the Chrome application and extracted digital evidence sets. We conducted a comparison of the proposed tool with other tools, including Belkasoft, Magnet AXIOM, and FINALMobile, by following the methodology proposed by NIST. The NIST methodology comprises evidence collection, examination, analysis, and reporting.

4.2.1. Evidence Collection

To ensure robust evidence collection, we followed these steps:
  • Enabling Airplane Mode: We enabled Airplane Mode on the smartphone to isolate the processes of receiving and transmitting signals.
  • Enabling Developer Mode and USB Debugging: Developer mode, USB debugging, and OEM unlocking were enabled on the smartphone.
  • Connecting to Workstation: The smartphone was connected to the workstation via a USB cable.
  • Obtaining Physical Images: Utilizing the FORC tool, we obtained physical images of the device.

4.2.2. Evidence Examination

In this subsection, we provide detailed insights into how each of the tested forensic tools handles evidence examination:
  • Belkasoft: Belkasoft necessitates filling out case data and importing the forensic image. It requires manually searching for SQLite files within the partition table of the image (see Figure 5, Figure 6 and Figure 7). Figure 6 provides a comprehensive overview of the data extraction process from the forensic transcript, specifically, when conducting searches and pinpointing SQLite files. This particular approach demands a higher level of expertise and proficiency. In such instances, it becomes imperative to explore the file system and employ the partition table of the image, as depicted in Figure 7. During this phase, the investigator must delve into the intricacies of the file system, using techniques such as examining the “hex dump” for each file. The objective here is to identify these files based on their distinctive file headers, a point that was previously discussed. This meticulous process allows the investigator to distinguish SQLite files effectively, further enhancing the forensic analysis.
  • Magnet AXIOM: Similar to Belkasoft, Magnet AXIOM demands the entry of case data and the uploading of the forensic image. It also involves a manual process of selecting the necessary folder (e.g., com.android.chrome) containing user data for the Chrome application (Figure 8, Figure 9 and Figure 10). Similar to the procedure in the Belkasoft tool, the initial step involves entering the case’s particulars, as illustrated in Figure 8. Subsequently, the forensic image is uploaded to the tool for processing. Once the tool completes the processing of the forensic image, it presents a summary screen displaying the acquired artifacts, as depicted in Figure 9. Notably, the tool offers the capability of directly visualizing these artifacts, as demonstrated in Figure 10. Handling the file system is executed in a manner akin to the approach employed by Belkasoft, as illustrated in Figure 10. This process, however, is manual in nature. The investigator is responsible for selecting the relevant folder, in this case, “com.android.chrome,” which contains user data pertinent to the Chrome application. Following this, the investigator navigates through all subfolders nested within the “com.android.chrome” directory, actively seeking out SQLite files. It is important to note that this task necessitates a profound level of expertise and skill, since not all SQLite files possess identifiable extensions, rendering the recognition of SQLite files a challenging endeavor.
  • FINALMobileForensics: In contrast to the previous tools (Belkasoft and Magnet AXIOM), the FINALMobileForensics tool does not necessitate the entry of case details. Instead, it offers the option to commence directly by uploading the forensic image into the tool. However, it distinguishes itself by requiring the use of an MD5 hash as a crucial component of the forensic image analysis process, as demonstrated in Figure 11. Similar to the preceding tools, the extraction of SQLite files entails interacting with the file system and leveraging the partition table of the forensic image, as depicted in Figure 12. These files are accessible through a file explorer. As highlighted earlier, this task places a premium on the investigator’s expertise and skill, demanding the ability to effectively locate these files within the system.
  • FORC Tool: The FORC tool simplifies the process by automatically calculating the hash code, displaying the partition table, and directly extracting data from the selected application. Additionally, it automatically extracts all SQLite files under the main folder of the selected application. Within the FORC tool’s workflow, the initial step involves filling in the case data, a process detailed previously. Subsequently, the forensic image is uploaded, as illustrated in Figure 13. At this point, the tool undertakes several key operations. Initially, it computes a hash code based on the MD5 hash and the timestamp corresponding to the time when the forensic image was generated. Following this, the tool retrieves the partition table, which provides essential information such as descriptions, start addresses, and lengths of partitions. As previously emphasized, adeptly navigating and interpreting the partition table demands the investigator’s experience and skill. Once the target application has been selected, the tool efficiently extracts data, saving it to the workstation’s disk within a folder named after the chosen application. Notably, the FORC tool streamlines the subsequent steps for the digital forensic investigator. There is no need for manual navigation through subfolders or searching based on file extensions or SQLite file headers. Instead, the FORC tool automates these tasks, conducting a comprehensive extraction of all SQLite files located under the main folder of the selected application, as exemplified in Figure 14.

4.2.3. Evidence Analysis

In this phase, we elaborate on the analysis of artifacts from forensic images:
  • Belkasoft: This tool (Figure 15) requires the selection of artifacts from each table individually, potentially leading to the loss of previously selected artifacts when switching between tables. Following the manual identification of SQLite database files, as illustrated in Figure 15, the next step involves selecting the “SQLite” tab to access and display all the tables within the file. Subsequently, artifacts pertinent to the case are chosen from each table, as demonstrated in Figure 15. It is worth noting that when transitioning to another table, any previously selected artifacts from the previous table will be lost unless a distinct report is generated for each artifact individually, based on the respective tables.
  • Magnet AXIOM: After selecting the SQLite Viewer tab, Magnet AXIOM allows the user to browse artifacts associated with the case by choosing a specified table (Figure 16). The procedure follows a similar approach to that of the Belkasoft tool, for which the manual recognition of SQLite files is illustrated in Figure 16. Afterward, the “SQLite VIEWER” tab is activated, followed by the selection of the table, as demonstrated in Figure 16. Subsequently, the artifacts relevant to the case are examined. It is important to note that this tool lacks the capability to select artifacts for later inclusion in the case report; therefore, artifacts must be documented in real time during the examination process.
  • FINALMobileForensics: This tool permits the viewing of SQLite file contents, but lacks support for selecting and adding artifacts to the case report later (Figure 17 and Figure 18). Similarly, in this tool, as in the preceding ones, the process of searching for SQLite files is performed manually, as depicted in Figure 17. To access the contents of a SQLite database file, users must select the desired file and then right-click. However, it is worth noting that the SQLite DB Viewer in FINALMobile, as shown in Figure 18, does not display many of the search terms. Furthermore, this tool does not provide the option to select artifacts for later inclusion in the case report.
  • FORC Tool: The FORC tool (Figure 19) streamlines evidence retrieval and enables the viewing of contents with a single click. Investigators can conveniently select artifacts and save evidence for later inclusion in the report. The FORC tool automatically acquires all SQLite files without manual intervention. To access the contents of any file, users simply need to click on the file to open its contents, and then select the desired table to view the information stored within it. One notable feature of this tool is that it enables investigators to choose artifacts for potential inclusion in the report at a later stage, as illustrated in Figure 19.

4.2.4. Reporting

The final stage of digital forensics involves preparing a court-acceptable report that presents the evidence collected by the digital forensic investigator. This report is crucial, as it can either substantiate or refute a case. Below, we examine the reports generated by the tools used in the experiment:
  • Belkasoft: Belkasoft generates reports by directly selecting artifacts from SQLite files, creating separate reports for each table in each SQLite file (Figure 20). The report comprises four sections: The first section includes the report’s creation date and the name of the workstation user. The second section details the case, including its name, description, creation date, investigator’s name, and time zone. The third section provides report customization options, such as artifact arrangement and grouping. The final section presents a table of artifacts. Importantly, a distinct report is created for each table in every SQLite file.
  • Magnet AXIOM: The use of Magnet AXIOM requires the inclusion of evidence screenshots from SQLite files in the report (Figure 21). It does not permit the direct selection of artifacts from SQLite files, but suggests capturing screenshots of evidence found in SQLite databases, as depicted in Figure 21. Each set of evidence referenced in the forensic report can be represented as a screenshot.
  • FINALMobileForensics: FINALMobileForensics captures evidence group screenshots and exports them as an Excel file. However, it notably lacks support for Arabic searches (Figure 22). In this tool, selecting evidence directly from SQLite files for report inclusion is not feasible. Instead, each group of evidence mentioned in the forensic report can be captured as a screenshot, as seen in Figure 22. Evidence can also be exported to an Excel file, with each table’s evidence in a separate Excel file. Notably, Arabic search terms may not display.
  • FORC Tool: The FORC tool adds selected evidence sets directly to the report, associating them with the case’s name. This simplifies the creation of a unified report containing evidence from various tables and SQLite database files (Figure 23). In FORC, each SQLite file is opened, the table contents are reviewed, and evidence from each table is selected. The chosen evidence is then directly incorporated into the report and linked to the case’s name. This approach enables the generation of a single report incorporating all the investigator-selected evidence from diverse tables and SQLite database files. The report is segmented into four sections: The first section contains case data (e.g., case name, description, date, and investigator’s name), the second section encompasses workstation data (e.g., operating system, workstation name, and username), the third section includes phone data (e.g., device serial number, manufacturer, and device name), and the fourth section presents the pieces of evidence, complete with their paths, table names, and column names.

5. Results and Discussion

We conducted a thorough experimental analysis of the capabilities of four prominent mobile forensics tools: Belkasoft, Magnet AXIOM, FINALMobile, and FORC. The primary focus was on their effectiveness in retrieving various types of artifacts from mobile devices. Our experiment underscored a critical disparity in the current landscape of these digital forensics tools.
Belkasoft, Magnet AXIOM, and FINALMobileForensics, while undoubtedly powerful, necessitate a high degree of investigator expertise and substantial manual labor for evidence extraction. These tools rely on manual methods, which, though time-consuming and labor-intensive, have been the norm in the field. However, this conventional approach has its limitations. It is prone to human error, often leading to files being overlooked or left unrecognized, particularly when file extensions are absent. Such shortcomings can have profound implications for investigations and potentially hinder the pursuit of justice. In response to these challenges, we introduced the FORC tool. This tool represents a paradigm shift in digital forensics, designed to address the shortcomings of manual extraction methods. The core innovation of FORC lies in its ability to autonomously identify and recognize SQLite files, irrespective of file extensions. This is achieved through file header recognition, making it a powerful addition to the digital forensics toolkit.
The first aim of this experiment was to evaluate the efficacy of the FORC tool in retrieving artifacts from a mobile device. The results of our investigation are summarized in Table 3, which provides a comprehensive breakdown of the artifacts retrieved by these tools. As shown, all four tools retrieved a similar set of artifacts from Chrome. However, FORC also retrieved WebRTC logs and an HSTS preload list, which the other tools did not retrieve. WebRTC logs can be used to track the websites that a user has visited using voice or video chat. The HSTS preload list is a list of websites that are configured to use HTTPS only. This information can be used to identify websites that a user has visited that are not secure.
Figure 24 shows that FORC is the only tool that can automatically identify and extract all 24 SQLite files. FORC does not require manual searching, which saves time and effort for the investigator and prevents files from being forgotten or overlooked. Figure 24 also shows the time saved in hours. The time saving is calculated based on the following assumptions:
  • The investigator spends 1 h manually searching for SQLite files;
  • FORC can automatically identify and extract all 24 SQLite files in 0.5 h;
  • The other three tools require the investigator to manually search for the SQLite files, and they may not be able to find all of the files.
As shown, FORC can save the investigator 4 h by automatically identifying and extracting all 24 SQLite files. The other three tools, FINALMobile, Magnet AXIOM, and Belkasoft, can save the investigator 2, 1, and 0 h, respectively.
The second aim of the experiment is to evaluate the efficacy of the FORC tool in extracting SQLite data. The results we obtained were revelatory. The FORC tool successfully extracted a total of twenty-four SQLite files, each containing invaluable evidence tables, as outlined in Table 4.
Notably, FORC uncovered files No. 1 and No. 18, which had eluded even commonly used forensic tools like Belkasoft, FINALMobile, and Magnet AXIOM. While FINALMobile merely discerned the files’ locations, both Magnet AXIOM and Belkasoft were unable to locate either the files or their paths.
The FORC tool’s capabilities extend beyond mere file recovery. It autonomously unearthed (see Figure 25 and Figure 26) a trove of additional data previously inaccessible to the Belkasoft, Magnet AXIOM, and FINALMobileForensics tools. These data were stored within the SQLite database file named “Reporting and NEL”, specifically, within the “nel_policies” table. This newfound information, including details such as origin_host, origin_port, and received_ip_address, can be instrumental in comprehending the sequence of events under investigation. It not only bolsters the evidential strength but also aids investigators in constructing a more comprehensive and compelling narrative for presentation in a court of law. These revelations illuminate the transformative potential of the FORC tool in the realm of digital forensics. It offers a streamlined, efficient, and error-resilient alternative to traditional manual extraction methods, significantly reducing the risk of crucial evidence slipping through the cracks. By enabling investigators to uncover hidden data with ease and precision, the FORC tool empowers them to make more informed decisions, advance investigations, and ultimately contribute to a more just and equitable legal system.
A comparison between Belkasoft, Magnet AXIOM, FINALMobile, and FORC is shown in Table 5, which evaluates the four tools against criteria important for SQLite data forensics.
FORC stands out as a comprehensive solution, offering a range of essential features. It includes a SQLite viewer, enabling examiners to interactively explore SQLite databases. Moreover, FORC automates the retrieval of all SQLite files, streamlining the data collection process. Its functionality extends to the selection of evidence from SQLite databases, making it convenient for investigators to pinpoint relevant data. FORC also excels in generating reports by adding all selected evidence to a single, cohesive report, simplifying the presentation of findings. In contrast, Belkasoft, Magnet AXIOM, and FINALMobile exhibit some limitations. While they all provide a SQLite viewer for examination purposes, none of these tools offer automatic retrieval of all SQLite files, potentially requiring manual intervention to collect data comprehensively. Additionally, when it comes to selectively choosing evidence from SQLite databases, only Belkasoft and FORC offer this feature. However, unlike FORC, the other tools do not consolidate all selected evidence into one report, potentially making the analysis and presentation of findings less efficient.
Regarding physical acquisition methods, all four tools support ADB (Android Debug Bridge) for obtaining data from Android devices. This demonstrates their versatility in acquiring digital evidence from various sources.
As a conclusion from these results, the FORC tool emerges as a robust choice for SQLite data forensics, offering a combination of features that streamlines the entire investigative process, from data retrieval to evidence presentation. It stands out as a comprehensive solution in the field of digital forensics.

Limitations of FORC

This section discusses the constraints and potential challenges associated with using FORC for mobile forensic data acquisition and SQLite evidence extraction. Key limitations include:
  • Device and Platform Dependencies: FORC’s effectiveness may vary depending on the specific mobile device and operating system versions. It is essential to acknowledge that different devices and platforms may have unique SQLite database structures and security measures, potentially affecting evidence extraction.
  • Encrypted Data: While FORC is designed to streamline evidence extraction, it may encounter difficulties when dealing with strongly encrypted data. Advanced encryption methods can pose challenges in retrieving certain types of data from mobile devices.
  • Performance Variability: The performance of FORC in extracting SQLite evidence may depend on factors such as the size and complexity of databases. Extremely large or highly fragmented databases could impact the tool’s efficiency.
  • Privacy and Legal Considerations: When using FORC, investigators must adhere to legal and privacy regulations governing digital evidence acquisition. The tool’s usage should be consistent with applicable laws and regulations, and proper authorization should be obtained.
  • Automation Limitations: While FORC offers automation benefits, it may not fully replace the expertise of forensic analysts. Human oversight and interpretation remain crucial to ensuring the accuracy and relevance of extracted evidence.

6. Conclusions and Future Work

In the current era, a variety of proprietary and commercial mobile forensic tools are readily available for the purposes of data acquisition and forensic analysis. This study explores the use of Belkasoft, Magnet AXIOM, and FINALMobile tools to extract SQLite files from the Chrome App running on Android smartphones. However, a limitation of these tools is the need for manual searches for SQLite files, which can be further compounded by the storage of some files without extensions. Such omissions could result in the neglect of crucial evidence. To address this issue, this research proposes the development of a digital forensic tool, FORC, which facilitates the automatic extraction of SQLite files. The tool employs a file-extension-based approach in addition to examining the file header for extraction. Moreover, FORC enables automated report generation.
Future work will focus on expanding the tool’s functionality to include other operating systems such as iOS and Windows Phone. Acknowledging the significance of extending this technique to iOS devices, this avenue holds great potential for advancing digital forensics capabilities. It could revolutionize the way investigators extract and analyze data from a broader range of mobile platforms, offering enhanced insights and efficiency in forensic investigations. Additionally, the tool may incorporate advanced features, such as visual reporting that leverages graphics, evidence classification, tabulation, and a timeline, further contributing to the field of digital forensics.

Author Contributions

Conceptualization, Z.Q.; Methodology, E.D.; Software, Z.Q.; Writing—original draft, Z.Q.; Writing—review & editing, E.D., M.H. and O.C.; Supervision, E.D. All authors have read and agreed to the published version of the manuscript.

Funding

This research is funded by Princess Nourah bint Abdulrahman University Researchers Supporting Project number (PNURSP2023R125), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data supporting this study are available within the article.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Figure A1. The device’s specifications and the installed package.
Figure A2. Acquisition method selection.
Figure A3. Physical acquisition.
Figure A4. Partition table of the image.
Figure A5. Recognizing SQLite files based on the file headers.
Figure A6. OEM unlock.
Figure A7. Odin3 tool.

  23. Grover, J. Android Forensics: Automated Data Collection and Reporting from a Mobile Device. Digit. Investig. 2013, 10, S12–S20. [Google Scholar] [CrossRef]
  24. Lessad, J.; Kessler, G.C. Android Forensics: Simplifying Cell Phone Examinations. Small Scale Digit. Device Forensics J. 2013, 4, 1–12. [Google Scholar]
  25. Al-Dhaqm, A.; Razak, S.A.; Dampier, D.A.; Choo, K.K.R.; Siddique, K.; Ikuesan, R.A.; Alqarni, A.; Kebande, V.R. Categorization and Organization of Database Forensic Investigation Processes. IEEE Access 2020, 8, 112846–112858. [Google Scholar] [CrossRef]
  26. Zamroni, G.M.; Riadi, I. Instant Messaging Forensic Tools Comparison on Android Operating System. KINETIK 2019, 4, 137–148. [Google Scholar] [CrossRef]
  27. Riadi, I.; Anshori, I. Identification of Digital Evidence Facebook Messenger on Mobile Phone with National Institute of Standards Technology (NIST) Method. J. Ilm. Kursor 2019, 9, 3. [Google Scholar] [CrossRef]
  28. Mishra, S. Forensic Analysis of Third-Party Mobile Application Forensic Analysis of Third-Party Mobile Application. Helix-Sci. Explor. 2020, 10, 32–38. [Google Scholar]
  29. Palli, P. A Comprehensive Analysis of Smartphone Forensics & Data Acquisitions. Int. J. Adv. Res. Comput. Sci. Softw. Eng. 2016, 6, 270–276. [Google Scholar]
  30. Rathi, K.; Karabiyik, U. Forensic Analysis of Encrypted Instant Messaging Applications on Android. In Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), Antalya, Turkey, 22–25 March 2018. [Google Scholar]
  31. Jones, G.M.; Winster, S.G. Forensics Analysis on Smart Phones Using Mobile Forensics Tools. Int. J. Comput. Intell. Res. 2017, 13, 1859–1869. [Google Scholar]
  32. Azfar, A.; Choo, K.K.R.; Liu, L. An Android Social App Forensics Adversary Model. In Proceedings of the 2016 49th Hawaii International Conference on System Sciences (HICSS), Koloa, HI, USA, 5–8 January 2016; pp. 5597–5606. [Google Scholar] [CrossRef]
  33. Technology, I.; Padmanabhan, R.; Lobo, K.; Ghelani, M.; Sujan, D.; Shirole, M. Comparative Analysis of Commercial and Open Source Mobile Device Forensic Tools. In Proceedings of the 2016 Ninth International Conference on Contemporary Computing (IC3), Noida, India, 11–13 August 2016. [Google Scholar]
  34. Dorai, G.; Houshmand, S.; Aggarwal, S. Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices. In Proceedings of the Hawaii International Conference on System Sciences 2020 (HICSS), Maui, HI, USA, 7–10 January 2020. [Google Scholar]
Figure 1. Flowchart of the FORC tool.
Figure 2. Main window of the FORC tool.
Figure 3. FORC tool: New Case window.
Figure 4. Converting the .ab file to a .tar file.
Figure 5. Main interface of the Belkasoft tool.
Figure 6. Belkasoft: Artifacts.
Figure 7. Belkasoft: File system.
Figure 8. Magnet AXIOM: Interface.
Figure 9. Magnet AXIOM: Evidence overview.
Figure 10. Magnet AXIOM: File system.
Figure 11. FINALMobile Forensics tool.
Figure 12. Steps followed by the FINALMobile Forensics tool to find SQLite files.
Figure 13. FORC tool: Processing the forensic image.
Figure 14. Extracting SQLite files with the FORC tool.
Figure 15. Belkasoft: Artifact selection.
Figure 16. Magnet AXIOM: Artifacts.
Figure 17. Viewing SQLite files with the FINALMobile Forensics tool.
Figure 18. FINALMobile Forensics tool: Table contents.
Figure 19. FORC tool: Viewing the table contents.
Figure 20. Belkasoft report.
Figure 21. Magnet AXIOM report.
Figure 22. FINALMobile Forensics report.
Figure 23. Report generated by the FORC tool.
Figure 24. Comparison of artifacts retrieved by the mobile forensics tools.
Figure 25. Reporting and NEL SQLite database file: nel_policies table.
Figure 26. FORC tool: Autofill data.
Table 1. Summary of key findings in related work.

Ref. | Focus area | Key findings
[4] | Mobile forensic acquisition; changing mobile device landscape; encryption adoption | Challenges in adapting forensic methods to evolving devices; emphasis on staying current with technological advances
[5] | Agile methodology for forensic modules; social media and messaging apps; wireless communication and system information | Implemented modules for Android apps, addressing the identified challenges; detailed implementation specifics
[6] | Temporal data extraction from iOS; parser plugin development; forensic timeline construction | Development of a parser plugin for comprehensive timeline extraction; enhanced completeness of timelines
[25] | Database forensic investigation (DBFI); DBFI process structure; planning, preparation, acquisition and analysis | Introduction of a unified DBFI process; systematic approach to DBFI; reduced confusion for practitioners
[8] | Impact of encryption on forensic data extraction; vulnerability exploitation; legal framework adoption | Need for novel forensic methods because of encryption; introduction of a legal framework; emphasis on the usability of digital evidence
[9] | Forensic analysis of social networking apps on Android smartphones; data storage within internal storage; forensic tool utilization | Investigation of data stored in internal storage; successful extraction of critical data
[10] | Impact of encrypted messaging systems on digital forensics; artifact analysis; forensic tools used | Exploration of the forensic implications of encrypted messaging systems; identification of challenges in gathering significant artifacts
[11] | Forensic analysis of Android apps; investigation methodology; rigorous validation | Use of virtual devices for generality and repeatability of results; validation of the methodology on real devices
[26] | Forensic examination of WhatsApp; WhatsApp-related artifacts; contact lists, chat messages, files and logs | Emphasis on forensic techniques for analyzing WhatsApp artifacts; successful artifact recovery using Magnet AXIOM and WA Key/DB Extractor
[27] | Digital evidence from Facebook Messenger; forensic tool comparison; images, accounts and conversation transcripts | Successful extraction of digital evidence with Magnet AXIOM; Magnet AXIOM outperforms Oxygen Forensics Suite
[28] | Recovery of Facebook data after uninstall; data object categorization; user information and recoverable app data | Identification of a recovery path for Facebook data
[19] | Two-stage data acquisition from Android smartphones; manual and logical techniques | Promising results in data retrieval from social-networking apps; potential for future improvements
[30] | Forensic implications of encrypted instant-messaging apps; use of Android Debug Bridge (ADB); artifact analysis | Exploration of the forensic implications of encrypted instant-messaging systems; identification of difficulties in gathering forensically significant data
[14] | Forensic analysis of Android apps; investigation of Telegram Messenger; planned experiments and validation | Use of virtual smartphones for generality of results; rigorous validation on real smartphones
[31] | Acquiring digital evidence from compromised devices; application of forensic tools; reconstruction of past events | Groundbreaking approach to acquiring digital evidence from compromised devices; valuable investigative support
[32] | Analysis of social applications; data types retrieved; contact lists, photos, user information, etc. | Feasibility of retrieving various data types from social applications
[33] | Evaluation of mobile device forensic tools; cross-device and test-driven methodology | Development of a comparison matrix for identifying suitable forensic solutions
[34] | Impact of wearable and IoT devices on forensic science; data extraction and analysis challenges | Wearables and IoT devices as sources of crucial evidence in civil and criminal cases; techniques for detecting anomalies and correlations in time-series data
Table 2. Experimental tools.

No. | Tool/Device | Description
1 | Samsung Galaxy A7 (2016), model no. SM-A710FD; Android 7.0; kernel 3.10.61-14301096K; build no. NRD90M.A710FXXU2CRL1 | Smartphone used in the experiment
2 | FINALMobile Forensics, file version 2020.04.22, CDF version 2020.04.22 | Forensic tool used for extraction and analysis
3 | Original USB cable | Medium used to connect the smartphone to the workstation
4 | HP ZBook, Windows 10 64-bit, 8 GB RAM, Intel Core i7-7700HQ CPU @ 2.80 GHz | Workstation
5 | Belkasoft | Forensic tool
6 | Magnet AXIOM | Forensic tool
7 | Odin3 v3.10 | Software utility used to root the smartphone
Table 3. Comparison of artifacts retrieved by mobile forensics tools.

Tool | Artifacts
Belkasoft | Bookmarks, history, cookies, cache, passwords, extensions, apps
Magnet AXIOM | Bookmarks, history, cookies, cache, passwords, extensions, apps, autofill data, form history, download history, geolocation history
FINALMobile Forensics | Bookmarks, history, cookies, cache, passwords, extensions, apps, autofill data, form history, download history, geolocation history
FORC | Bookmarks, history, cookies, cache, passwords, extensions, apps, autofill data, form history, download history, geolocation history, WebRTC logs, HSTS preload list
Table 4. SQLite files of the Chrome application.

No. | SQLite file | Path | No. of tables
1 | 480855723014605.null.4.-1.131521619_491657472117246_2610685952396923789_n.mp4.117813.1624790215353.v2.exo | \app_chrome\AutofillRegex\2021.8.17.1300\_metadata\1632163092534.NONE | 2
2 | 480855723014605.null.2.-1.2018237097_4239776882741420_3881221114952873430_n.688823.1624790219145.v2.exo | \app_chrome\default\databases\000005.ldb \oat\arm | 4
3 | 70670139-0adf-431c-82f6-8d8a954bc677 | \app_chrome\default\Download Services\Files | 10
4 | Heavy_ad_intervention_opt_out.db | \app_chrome\default | 2
5 | Lite_video_opt_out.db | \app_chrome\default | 2
6 | Databases.db | \app\app_chrome\default\databases | 3
7 | OfflinePages.db | \app_chrome\default\offline Pages\metadata | 3
8 | RequestQueue.db | \app_chrome\default\offline Pages\request_queue | 1
9 | 000007.dbtmp | \app_chrome\Default\databases | 4
10 | 1635830744675.NONE | \app_chrome\optimizationHints\318_metadata | 3
11 | Account Web Data | \app_chrome\default | 23
12 | Cookies | \app\app_chrome\default | 2
13 | Favicons | \app_chrome\default | 4
14 | History | \app_chrome\default | 14
15 | Login Data | \app_chrome\default | 7
16 | Network Action Predictor | \app_chrome\default | 4
17 | QuotaManager | \app_chrome\default | 4
18 | Reporting and NEL | \app_chrome\default | 4
19 | Shortcuts | \app_chrome\default | 2
20 | Top Sites | \app_chrome\default | 2
21 | Trust Tokens | \app_chrome\default | 3
22 | Web Data | \app_chrome\default | 24
23 | https_mail.google.com_0/1 | \app_chrome\default\databases | 10
24 | https_mail.google.com_0/1 | \app_chrome\default\databases | 10
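Most of the Chrome databases in Table 4 (History, Cookies, Web Data, Login Data, the .NONE and .exo files) carry no .db or .sqlite extension, so a scanner that matches on extension alone misses them. The following added example, written for this page and not FORC's own code, shows the alternative: recognise SQLite files by the 16-byte "SQLite format 3\0" header that every SQLite 3 database begins with, then count the tables through sqlite_master, which are the two facts Table 4 records per file. The directory layout it scans is constructed sample data built in a temporary directory (the file names are borrowed from Table 4, the table counts are invented), not an image from the paper. Evidence files are opened through a URI with mode=ro and immutable=1 so SQLite neither takes locks nor writes -journal/-wal/-shm side files next to them.

```python
# Added example (not FORC's own code): recognise SQLite files by their
# 16-byte header rather than by file extension, then count the tables in
# each one, which are the two facts recorded per row in Table 4.
import os
import sqlite3
import tempfile
from pathlib import Path

# Every SQLite 3 database begins with this string (SQLite file-format spec).
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """True if the file's first 16 bytes are the SQLite 3 header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def count_tables(path):
    """Number of tables listed in sqlite_master.

    Opened via a URI with mode=ro and immutable=1 so SQLite neither takes
    locks nor creates -journal/-wal/-shm side files next to the evidence.
    """
    uri = Path(os.path.abspath(path)).as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        (n,) = con.execute(
            "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
        ).fetchone()
        return n
    finally:
        con.close()


def scan_for_sqlite(root):
    """Walk root; return sorted (path relative to root, table count) for
    every file whose header says SQLite, whatever its name or extension."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sqlite_file(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found.append((rel, count_tables(full)))
    return sorted(found)


def _make_db(path, n_tables):
    """Create a throwaway database holding n_tables empty tables."""
    con = sqlite3.connect(path)
    for i in range(n_tables):
        con.execute("CREATE TABLE t%d (id INTEGER PRIMARY KEY, v TEXT)" % i)
    con.commit()
    con.close()


def build_sample_tree(root):
    """Constructed sample data (not an image from the paper): a Chrome-like
    layout with two extensionless SQLite files, one '.db' SQLite file and
    one decoy '.db' that is not SQLite. Table counts are invented."""
    d = os.path.join(root, "app_chrome", "default")
    os.makedirs(d, exist_ok=True)
    _make_db(os.path.join(d, "History"), 14)
    _make_db(os.path.join(d, "Cookies"), 2)
    _make_db(os.path.join(d, "Lite_video_opt_out.db"), 2)
    with open(os.path.join(d, "decoy.db"), "wb") as fh:
        fh.write(b"not a database\n")      # right extension, wrong header
    with open(os.path.join(d, "README.txt"), "w") as fh:
        fh.write("plain text\n")           # neither name nor header matches


def demo():
    """Build the sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="sqlite_scan_demo_")
    build_sample_tree(root)
    return scan_for_sqlite(root)


if __name__ == "__main__":
    for rel, n in demo():
        print("%-40s %d tables" % (rel, n))
```

Run against a real extraction, point scan_for_sqlite at the root of the unpacked .tar from the ADB backup; the decoy.db case shows why the header, not the extension, has to be the deciding test, and the immutable=1 open is what keeps the hash of the evidence file unchanged after the scan.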
Table 5. Comparison between mobile forensics tools.

Tool | Includes SQLite viewer | Automatic retrieval of all SQLite files | Select evidence from SQLite | Add all selected evidence to one report | Physical acquisition | ADB backup
Belkasoft | Yes | No | Yes | No | Yes | Yes
Magnet AXIOM | Yes | No | No | No | Yes | Yes
FINALMobile Forensics | Yes | No | No | No | Yes | Yes
FORC | Yes | Yes | Yes | Yes | Yes | Yes
Share and Cite

Daraghmi, E.; Qaroush, Z.; Hamdi, M.; Cheikhrouhou, O. Forensic Operations for Recognizing SQLite Content (FORC): An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices. Appl. Sci. 2023, 13, 10736. https://doi.org/10.3390/app131910736
