[sqlite] Database layout in memory

2016-03-27 Thread René Czerny
Sorry for the late reply?
So from the connection object you can find the PCache? Do you have any hints as 
to how I could find the db connection object in memory? Is there some typical 
pattern that I could find?

Best,
René

> On 28 Feb 2016, at 17:09, Keith Medcalf  wrote:
> 
> You would have to find the db (connection) object in memory, and trace that 
> through to the PCache to find all the database pages in memory -- 
> equivalently to what the backup api does when sequentially accessing pages.  
> The PCache must have an in-memory structure pointing to where each page is in 
> memory.  The database data pages themselves will not have that information.
> 
> On Sunday, 28 February, 2016 08:46, René Czerny said:
> 
>> Thank you for the quick response, Keith!
>> As I understand it, the SQLite Backup API's only work with an SQLite
>> object. E.g.: sqlite3_backup_init() needs a pointer to the database to
>> copy from. However, I do not have access to such a pointer, as the only
>> thing I get is a raw binary dump of the main memory containing the
>> database somewhere inside (think forensic dump).
>> I believe the Backup API's won't be applicable. :-/
> 
>>> On 28 Feb 2016, at 16:32, Keith Medcalf  wrote:
>>> 
>>> 
>>> Is there something wrong with using the backup api's?


[sqlite] Database layout in memory

2016-02-28 Thread René Czerny
Thank you for the quick response, Keith!
As I understand it, the SQLite Backup API's only work with an SQLite object. 
E.g.: sqlite3_backup_init() needs a pointer to the database to copy from. 
However, I do not have access to such a pointer, as the only thing I get is a 
raw binary dump of the main memory containing the database somewhere inside 
(think forensic dump).
I believe the Backup API's won't be applicable. :-/

> On 28 Feb 2016, at 16:32, Keith Medcalf  wrote:
> 
> 
> Is there something wrong with using the backup api's?
> 
>> -Original Message-
>> From: sqlite-users-bounces at mailinglists.sqlite.org [mailto:sqlite-users-
>> bounces at mailinglists.sqlite.org] On Behalf Of René Czerny
>> Sent: Sunday, 28 February, 2016 08:22
>> To: SQLite mailing list
>> Subject: [sqlite] Database layout in memory
>> 
>> Dear SQLite mailing list,
>> 
>> after not finding anything on Google, I want to ask my question here:
>> 
>> I am currently doing research on how to extract an SQLite in-memory
>> database from the image of a computer's main memory and store it as a
>> database file on disc. My previous attempts however failed, as the
>> database is not in one place in memory, but seems to be fragmented. I only
>> managed to extract the database file containing the sqlite_master table.
>> Here is what I tried:
>> 
>> 1. Dump the main memory using LiME [0] on a Debian Wheezy system.
>> 2. Opened the dump in a hex-editor and searched for patterns that indicate
>> an SQLite database. (according to [1])
>> 3. Extracted the database file starting at the database header and
>> retrieving (page-size * page-amount) bytes.
>> 
>> The result did not include the tables' content, but only the schema. The
>> content is at a totally different offset in the memory dump.
>> 
>> So my questions are: Can you point me to a resource where SQLite in-memory
>> database layout is documented or described in a detailed way? Any other
>> resources I should check out? Did I miss something? Is there another way?
>> 
>> Please note, that in my scenario I only have the memory dump and in theory
>> can't make use of the live system.
>> I am very glad for every input you could give me.
>> 
>> Best regards,
>> René Czerny
>> 
>> [0] https://github.com/504ensicsLabs/LiME
>> [1] https://www.sqlite.org/fileformat2.html



[sqlite] Database layout in memory

2016-02-28 Thread René Czerny
Dear SQLite mailing list,

after not finding anything on Google, I want to ask my question here:

I am currently doing research on how to extract an SQLite in-memory database 
from the image of a computer's main memory and store it as a database file on 
disc. My previous attempts however failed, as the database is not in one place 
in memory, but seems to be fragmented. I only managed to extract the database 
file containing the sqlite_master table.
Here is what I tried:

1. Dump the main memory using LiME [0] on a Debian Wheezy system.
2. Opened the dump in a hex-editor and searched for patterns that indicate an 
SQLite database. (according to [1])
3. Extracted the database file starting at the database header and retrieving 
(page-size * page-amount) bytes.

The result did not include the tables' content, but only the schema. The 
content is at a totally different offset in the memory dump.

So my questions are: Can you point me to a resource where SQLite in-memory 
database layout is documented or described in a detailed way? Any other 
resources I should check out? Did I miss something? Is there another way?

Please note, that in my scenario I only have the memory dump and in theory 
can't make use of the live system.
I am very glad for every input you could give me.

Best regards,
René Czerny

[0] https://github.com/504ensicsLabs/LiME
[1] https://www.sqlite.org/fileformat2.html
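
Added example, not part of the original posts and not SQLite project code: a Python sketch of the carving problem discussed in this thread. It reads the page size and page count from the file header described in [1], then scans the rest of the dump for blocks that pass a structural check of the b-tree page header, which shows why copying (page-size * page-amount) bytes from the header misses pages held elsewhere in memory. The 8-byte scan step, the single-page-size assumption and the sample dump are constructed for illustration; this is a heuristic and does not follow the PCache structures mentioned in the reply.

```python
import struct

MAGIC = b"SQLite format 3\x00"
BTREE_HDR = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}  # page type -> b-tree header size

def parse_db_header(dump, off):
    """(page_size, page_count) from the 100-byte file header at off, else None."""
    if dump[off:off + 16] != MAGIC or off + 100 > len(dump):
        return None
    raw, = struct.unpack_from(">H", dump, off + 16)
    size = 65536 if raw == 1 else raw
    if size < 512 or size & (size - 1):      # power of two, 512..65536
        return None
    return size, struct.unpack_from(">I", dump, off + 28)[0]

def is_btree_page(page):
    """Structural check of a b-tree page header and its cell pointer array."""
    if len(page) < 12 or page[0] not in BTREE_HDR:
        return False
    _free, ncells, content, frag = struct.unpack_from(">HHHB", page, 1)
    content = content or 65536               # 0 encodes 65536
    ptr_end = BTREE_HDR[page[0]] + 2 * ncells
    if ncells == 0 or frag > 60 or not ptr_end <= content <= len(page):
        return False                         # empty pages skipped: too many false hits
    ptrs = struct.unpack_from(">%dH" % ncells, page, ptr_end - 2 * ncells)
    return all(content <= p < len(page) for p in ptrs)

def carve(dump, step=8):
    """Return (file headers found, offsets of candidate b-tree pages)."""
    headers, pos = [], dump.find(MAGIC)
    while pos != -1:
        info = parse_db_header(dump, pos)
        if info:
            headers.append((pos, *info))
        pos = dump.find(MAGIC, pos + 1)
    if not headers:
        return [], []
    size = headers[0][1]                     # assumption: one database, one page size
    return headers, [o for o in range(0, len(dump) - size + 1, step)
                     if is_btree_page(dump[o:o + size])]

def sample_dump():
    """Constructed 8 KiB image: page 1 at 0x400, a leaf table page far away at 0x1800."""
    dump = bytearray(8192)
    dump[0x400:0x410] = MAGIC
    struct.pack_into(">H", dump, 0x410, 512)     # page size
    struct.pack_into(">I", dump, 0x41C, 2)       # page count
    struct.pack_into(">BHHHBH", dump, 0x1800, 0x0D, 0, 1, 500, 0, 500)  # leaf, 1 cell
    return bytes(dump)
```

Page 1 itself is not reported by `is_btree_page` because its b-tree header follows the 100-byte file header; it is located through the magic string instead.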