On Sunday, 28 February, 2016 08:46, René Czerny <rene at czerny.pro> said:

> Thank you for the quick response, Keith!
>
> As I understand it, the SQLite Backup API's only work with an SQLite
> object. E.g.: sqlite3_backup_init() needs a pointer to the database to
> copy from. However, I do not have access to such a pointer, as the only
> thing I get is a raw binary dump of the main memory containing the
> database somewhere inside (think forensic dump).
>
> I believe the Backup API's won't be applicable. :-/

You would have to find the db (connection) object in memory, and trace that through to the PCache to find all the database pages in memory -- equivalently to what the backup api does when sequentially accessing pages. The PCache must have an in-memory structure pointing to where each page is in memory. The database data pages themselves will not have that information.

> > On 28 Feb 2016, at 16:32, Keith Medcalf <kmedcalf at dessus.com> wrote:
> >
> > Is there something wrong with using the backup api's?
> >
> >> -----Original Message-----
> >> From: sqlite-users-bounces at mailinglists.sqlite.org [mailto:sqlite-users-bounces at mailinglists.sqlite.org] On Behalf Of René Czerny
> >> Sent: Sunday, 28 February, 2016 08:22
> >> To: SQLite mailing list
> >> Subject: [sqlite] Database layout in memory
> >>
> >> Dear SQLite mailing list,
> >>
> >> after not finding anything on Google, I want to ask my question here:
> >>
> >> I am currently doing research on how to extract an SQLite in-memory
> >> database from the image of a computer's main memory and store it as a
> >> database file on disc. My previous attempts however failed, as the
> >> database is not in one place in memory, but seems to be fragmented. I only
> >> managed to extract the database file containing the sqlite_master table.
> >> Here is what I tried:
> >>
> >> 1. Dump the main memory using LiME [0] on a Debian Wheezy system.
> >> 2. Opened the dump in a hex-editor and searched for patterns that indicate
> >>    an SQLite database. (according to [1])
> >> 3. Extracted the database file starting at the database header and
> >>    retrieving (page-size * page-amount) bytes.
> >>
> >> The result did not include the tables' content, but only the schema. The
> >> content is at a totally different offset in the memory dump.
> >>
> >> So my questions are: Can you point me to a resource where SQLite in-memory
> >> database layout is documented or described in a detailed way? Any other
> >> resources I should check out? Did I miss something? Is there another way?
> >>
> >> Please note, that in my scenario I only have the memory dump and in theory
> >> can't make use of the live system.
> >> I am very glad for every input you could give me.
> >>
> >> Best regards,
> >> René Czerny
> >>
> >> [0] https://github.com/504ensicsLabs/LiME
> >> [1] https://www.sqlite.org/fileformat2.html
> >> _______________________________________________
> >> sqlite-users mailing list
> >> sqlite-users at mailinglists.sqlite.org
> >> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
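
Added example, not part of the thread and not SQLite's own code: a heuristic scan of a raw memory image using the header and b-tree page layouts from the file format document [1]. It shows why carving (page-size * page-amount) bytes from the database header returns only the schema when the remaining pages sit elsewhere in the dump. The function names, the 8-byte scan alignment and the sample image are assumptions constructed for illustration.

```python
import struct

MAGIC = b"SQLite format 3\x00"
BTREE_HDR_LEN = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}  # page type -> header length

def find_headers(image):
    """Yield (offset, page_size, page_count) for each plausible database header."""
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + 100 <= len(image):
            size, count = struct.unpack_from(">H10xI", image, pos + 16)
            size = 65536 if size == 1 else size          # stored 1 means 65536
            if 512 <= size <= 65536 and size & (size - 1) == 0:
                yield pos, size, count
        pos = image.find(MAGIC, pos + 1)

def looks_like_btree_page(image, off, page_size, hdr=0):
    """Heuristic check; hdr=100 for page 1, whose b-tree header follows the file header."""
    if off + page_size > len(image):
        return False
    base = off + hdr
    hlen = BTREE_HDR_LEN.get(image[base])
    if hlen is None:
        return False
    _free, ncells, content, frag = struct.unpack_from(">HHHB", image, base + 1)
    content = content or 65536                           # stored 0 means 65536
    ptrs_end = hdr + hlen + 2 * ncells                   # end of the cell pointer array
    # Empty pages (ncells == 0) are rejected to limit false positives.
    if ncells == 0 or frag > 60 or not ptrs_end <= content <= page_size:
        return False
    ptrs = struct.unpack_from(">%dH" % ncells, image, base + hlen)
    return all(content <= p < page_size for p in ptrs)

def scan_pages(image, page_size, step=8):
    """Offsets anywhere in the image that pass the check (step=8 is an assumed alignment)."""
    return [o for o in range(0, len(image) - page_size + 1, step)
            if looks_like_btree_page(image, o, page_size)]

def leaf_page(page_size, payload, hdr=0):
    """Constructed sample page: table leaf with one dummy cell (not a real record)."""
    page = bytearray(page_size)
    cell = page_size - len(payload)
    struct.pack_into(">BHHHBH", page, hdr, 0x0D, 0, 1, cell, 0, cell)
    page[cell:] = payload
    return page

def build_sample(page_size=1024):
    """Constructed image: page 1, three pages of unrelated bytes, then page 2."""
    page1 = leaf_page(page_size, b"\x10\x01schema-cell", hdr=100)
    struct.pack_into(">16sH10xI", page1, 0, MAGIC, page_size, 2)  # header claims 2 pages
    page2 = leaf_page(page_size, b"\x0c\x01row-content")
    return bytes(page1) + b"\xAA" * (3 * page_size) + bytes(page2)
```

A hit from `scan_pages` is only page-shaped data: the page number and ordering are not stored in the page itself, which is why the reply above points to the PCache structures.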