Searching SQLite databases using GRR and osquery
Introduction

There are billions of billions of SQLite instances in the world (ref: https://www.sqlite.org/mostdeployed.html ), and many of them can be found on virtually every active phone, laptop or workstation. In this blog post we discuss a method by which investigators can search SQLite database files using GRR Rapid Response (GRR), osquery and dfTimewolf. We assume the reader is familiar with these tools.

What is GRR?

GRR is an incident response framework focused on remote live digital forensic analysis. GRR was built to run at scale, so that analysts can effectively collect and process data from large numbers of machines concurrently. It achieves this through flows (asynchronous calls that execute client code and retrieve results from a single machine) and hunts (flows scheduled to run on many machines).

What is Osquery?

Osquery is an open source tool that exposes an operating system as a query-able interface like SQL for a relational d