sqlite-records

Parses a SQLite database file and retrieves records from the specified table. Use this command during forensic analysis to directly query data from SQLite-based artifacts such as Chrome browser history or Firefox databases.

Command properties

Syntax

Options

table=STR

Name of the table to retrieve

Target

FILE_PATH

Path to the SQLite database file to query

Output fields

Output fields are determined dynamically based on the schema of the specified table. Each column defined in the table is assigned as an output field. The id column is placed first, followed by the remaining columns in schema definition order.

Column values are converted based on SQLite serial types as follows:

Error codes

Parse errors

N/A

Runtime errors

Description

The sqlite-records command directly parses the specified SQLite database file at the binary level to retrieve table records. Because it does not rely on the SQLite library, it can query locked database files as well.

Specify the table name using the table option. To check the column names and types of a table in advance, use the sqlite-tables command.

Examples

1. Retrieve table records from a SQLite database

   sqlite-records table=urls /opt/logpresso/evidence/History
   

   Retrieves all records from the urls table in Chrome's History file.

2. Filter records by a specific condition

   sqlite-records table=visits /opt/logpresso/evidence/History
   | search visit_duration > 0
   

   Filters records from the visits table where visit_duration is greater than 0.

3. Limit the number of records

   sqlite-records table=moz_places /opt/logpresso/evidence/places.sqlite
   | limit 100
   

   Retrieves up to 100 records from the moz_places table in Firefox's places.sqlite file.