The state the phone is in after it is powered up and a password has been entered to unlock it, allowing for encryption keys to be loaded into memory and allowing for data to be extracted.
What is AFU?
A tool used for viewing PList files from iPhones.
What is PList Editor Pro?
In a database, these contain records and are often named according to the type of records they contain.
What are tables?
These are areas on a database page, left behind when records are deleted, that tell the database they are available to be reused when needed.
What are freeblocks?
It's the number of entries required in the WAL to trigger a "commit" of data to the actual database.
What is 1000?
An advanced extraction method in which, instead of using test access points to write data to devices, data is read from memory chips.
What is JTAG?
A tool used to convert timestamps to something a human can understand.
What is Tempus or DCode?
A record field that stores binary data such as pictures and video.
What is a BLOB or Binary Large Object?
It's the file signature for a SQLite database.
What is SQLITE FORMAT 3?
What are lists?
An extraction technique that requires the use of heat, such as IR or a heat gun, to melt solder for removing memory chips from mobile phones.
What is Chip Off?
A tool used for viewing databases, don't take it too personal.
What is SQLite Expert Personal?
What is MAC Absolute time?
This file acts as an index identifying the most recent pages in the WAL that will end up in the final database.
What is the SHM file?
These allow for the expansion of Python capability, bringing additional functions in to use with your scripts.
What are modules?
A method of extracting data from memory chips where wires are soldered to small pads on the phone's circuit board and data is read directly from the memory chip without having to remove it.
What is ISP?
The tool one would use to view the raw contents of any file including databases.
What is HxD or a hex viewer/editor?
This value represents an empty field for a database record. It contains absolutely nothing.
What is Null?
These are created when large amounts of records are deleted at once, providing a great source of potential evidence.
A type of loop used to iterate through collections of data such as lists when parsing data from databases and PLists.
The state a phone is in when powered on but the password has not yet been entered, making it difficult to extract data due to encryption keys not being loaded into the device memory.
What is BFU?
A tool used to decode Base64-encoded data.
What is CyberChef?
The length of a VarInt (Variable Length Integer) can be identified by looking at the most significant bit of each byte, which is called this.
What is the marker bit?
In some cases, new records that are created or modified are stored in this file first before eventually making their way into the actual database. It can serve as historical snapshots of the database over time.
What is the WAL file?
These are removed when a record is deleted so that the database no longer "sees" the record as being live.
What are pointers?