SQLite is one of the most commonly used database engine. Its source code is available in public domain which can be used for commercial or private purpose. Common data types used in SQLite are NULL, INTEGER, REAL, TEXT and BLOB. Unlike Blob, all other data types stores a particular type of data. Whereas BLOB data type stores binary data, which are typically images, videos, audio or even binary executable codes. This datatype is not only deals with SQLite, but also supported by most of other databases.

Why BLOB is so Important?

As talked above, BLOB data type contains binary data, which is not in readable form. Any type of data which is in binary form appears similar for human eyes. Even database managers, do not have idea what the blob data contains and how to deal with. From a forensic investigators point of view, these BLOB data contains crucial evidence regarding digital crime. The reason behind this is that most of the web browsers, Android devices, etc. uses SQLite files to store data.

Structure of BLOB Data

Each BLOB data contains two fields namely Type and Data.
create table table_name (..., Blob_type, Blob_data)
Each column in a Blob type are meant for different data. Below describes each column name and the type of data it holds.

• Text: Holds plain text of data. This excludes NULL values from the database.
• Data: Specially designed to hold encoded binary data contents. Here,it is used to represent NULL values, whereas %25 is to present a percent symbol.
• File: This file contains the filename that points to a particular file on disk.
• BLOB: This is a reference to a separate BLOB table in the database.

How to View Data from BLOB?

Since BLOB contains binary data, the viewing and analyzing of BLOB data is very difficult for human to understand. Simple SQL queries can be used to view and analyze BLOB data contents. Let’s see how it is possible.
Using Command line interface of SQLite:
Creating a table of BLOB type:
sqlite> create table blob_test (b_id blob);
sqlite> insert into blob_test values (x'01234234566789abcjghsjddef0123456789abcdef');
Viewing BLOB contents using SELECT query:
sqlite> select * from blob_test;

?#Egë½-n?#Egë½-n

sqlite> select ''||b_id from blob_test;

?#Egë½-n?#Egë½-n

Here, you can see that the contents are not in human readable format. SQLite provide another Query ‘quote’ to view the contents in Hex format. Lets see how this query works.
select quote(b_id) from blob_test;
This will give you result as follows:
x'01234234566789abcjghsjddef0123456789abcdef'
This is not a reliable method to view and analyze data from BLOB as it is not in a human readable format. Moreover, the investigator should be an expert in database management. To overcome this limitation investigator can use a smart tool to view and analyze SQLite BLOB data contents.

Suggested Solution- SQLite Forensics

Explore & Extract SQLite Database files using SQLite Forensic Tool.

Prominent Features of SQLite Forensics tool

Support for BLOB Data Type:
SQLite Forensic tool allows users to preview and analyze tables, structures, byte code, and the multimedia contents from BLOB data type.
Recovers Deleted Records:
The tool is capable to recover the deleted contents from the SQLite files. these deleted items are listed in separate tab so that investigator can analyze these contents easily.
Multiple Views of DB Contents:
User can view and analyze contents form the SQLite database in tabular form or in hexadecimal form. This helps the investigator in deeply analyzing the database file.
Recover Associated Journal Files:
The tool is capable to recover the associated journal files related to SQLite file. This is the backup file for the original data file so these can be the major residence of digital evidences.
Export contents to multiple formats:
The recovered artifacts can be exported and saved in different file formats. Various exporting formats supported by the tool are CSV, PDF and HTML. This enables user to access the collected artifacts in various platforms.