Enhanced SQLite Viewer Introduced in AXIOM 3.1

In many types of investigations, examiners are forced to analyze and dig into SQLite databases on a regular basis. Whether to validate findings from a forensic tool, or to examine artifacts from an application that may not yet be supported, it is crucial for an examiner to have easy access to the data found within these databases. With Magnet AXIOM 3.1, we are excited to implement our enhanced SQLite Viewer to give examiners more flexibility and capability when performing these investigations.

What’s New?

In previous versions of AXIOM, we allowed you to see the data within the SQLite databases within your case, but interacting with the data was limited.

Now, we’ve added the ability for examiners to truly be able to dig deep and present their findings in a useful manner. This includes the ability to hide and filter on columns, search tables, and perform custom SQL queries. You can even export directly from these tables into both .csv and Excel formats.

Using the Viewer

To utilize the new features in AXIOM Examine, first select any SQLite database file in the File System view, regardless of file extension. The SQLite Viewer will open on the right side of the user interface.

As you can see in the screen above, many options are now available for you to utilize when reviewing the database file. Using the dropdown, you can browse different tables within the database. The number of lines that are found in each table will be in parenthesis next to the table name in the dropdown menu.

The Show/Hide button will give the ability to toggle columns on and off, so you can choose narrow down the fields to be shown. Just by unchecking the unwanted columns, they will disappear from your view, helping to avoid too much clutter. You can easily recheck the columns at any time if you wish to see them again.

Using the Find button, you can perform a string search within the table that is open. The string will be highlighted where it is found within the table. Simply hit Clear next to the string search text box to remove the search hit view and return to all rows being displayed.

Each column in the table has filtering functionality. When the funnel icon is clicked in the header of the column, a menu will appear allowing the examiner to choose to display certain rows based on the criteria entered by the user.

In this enhanced SQLite Viewer, examiners even have the ability to run SQL queries on the open database using the Build Query function right within the AXIOM interface. The queries are run just like you would normally see in any SQLite browsing environment. For example, you can run a simple SELECT statement such as “SELECT column FROM table”. Or even join information from multiple tables in a query such as “SELECT column2, column3 FROM table1 INNER JOIN table2 ON table1. column1 = table2. column1” (example seen below).

Finally, creating a report from the displayed table is exceptionally easy in this version of AXIOM. Just select the Export function in the SQLite Viewer, and the current table you have displayed can be exported into Excel or .csv formats. This can be especially useful after applying string searches, filters, or SQLite queries and you need a quick way to report on the information shown.

Additional functionally that is included in the new SQLite Viewer includes freezing columns and opening images directly from cells with supporting data types.

Additional Updates in Magnet AXIOM 3.2

New in AXIOM 3.2 are even more features integrated into the SQLite Viewer! Now when examining SQLite databases in your case, we’ve added the ability to decode data within the table. As seen below, right clicking the column header gives the examiner options to convert the data in the column to ASCII, hex, Unicode, etc. You can also choose to display the data as Boolean values, various date/time formats, or as a picture inside the SQLite Viewer. Notice in the image below that after choosing the correct date/time format, all the data in that column was converted to the selection.

Examiners can now also open embedded plists, in addition to pictures, with our own internal viewer within AXIOM Examine. Just right click the cell in which you want to view, and a new window will open with your selection.

Finally, in cells that contain BLOB data, the ability to open and view that data with an external program is now available. BLOB, short for Binary Large Object, is a datatype found in databases to store binary objects such as image, music, or video files. As seen in the sample below, when right clicking the cell containing BLOB data, the examiner can make the “Open with” selection and view the object in an external program outside of AXIOM Examine.

Examiners can now also open embedded plists, in addition to pictures, with our own internal viewer within AXIOM Examine. Just right click the cell in which you want to view, and a new window will open with your selection.

Want to try the new SQLite Viewer for yourself? The latest version of Magnet AXIOM is now available for customers to download—either upgrade within AXIOM or head over to the Customer Portal.

If you’re not already using AXIOM, you can request a free 30-day trial today.

Please don’t hesitate to reach out to me at tarah.melton@magnetforensics.com with any questions or feedback!