Every meaningful investigation involves a database in one way or another. Databases hold everything from basic user preferences to detailed financial information. Their importance to forensic investigations cannot be overstated: if something is important enough to be stored in a database, it is valuable information.
DB investigation in a perfect world
Ideally, forensics applications extract the data directly from the database and present it in a way that makes things simple for the investigator. When that happens, all is good; the investigator doesn’t even need to know a DB was involved. But when that doesn’t happen, which is often, given the number of applications that utilize DBs, the investigator needs another method for interacting with the DB. This is where Quin-C shines.
Quin-C DB capabilities unbound
When Quin-C introduced DB forensics as an offering a year ago, it was limited in scope and functionality. Today those limitations have been stripped away. With the 20190218 release, Quin-C supports advanced Database analysis that rivals or exceeds the capabilities of competitive products.
Central to Quin-C’s new DB parsing capability are three key features:
The first is DB ingestion: This is the processing of the target database so that it is accessible to the investigator.
To achieve this, Quin-C converts Postgres, Oracle, SQL, MS Access, and SQLite files into active SQLite databases. What this means is that Quin-C can effectively take the contents of a Postgres database (as an example) and put that content into a SQLite database. That database can then be easily accessed and manipulated by the investigator using simple or even complex SQL queries.
No SQL skills. No problem.
Quin-C doesn’t just enable you to run SQL queries. Even that can be too complex for some investigators. To make this functionality usable by all skill levels, Quin-C provides the ability to navigate the database in the viewer. This allows an investigator to explore the contents of a DB by simply clicking around the tables stored in it. The figure below shows a user navigating the Safari history database.
As you can see, all tables are displayed on the left, and the contents of each table can be seen on the right by simply clicking on the target table.
Of course, if the user does know SQL, they are fully able to take advantage of those skills. As the figure below illustrates, a user with knowledge of SQL and the target database can execute a fairly complex query that outputs all the critical information associated with the user’s web viewing history.
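The kind of query the figure refers to, written out as an added example (it is not the query in the figure and not Quin-C code): it builds a trimmed-down copy of Safari's History.db schema (the history_items and history_visits tables) in an in-memory SQLite database, fills it with constructed sample rows, and joins the two tables into one row per visit. The detail that most often trips up hand-written history queries is that Safari stores visit_time as seconds since 2001-01-01 UTC rather than since the Unix epoch, so the query adds the 978307200-second offset before asking SQLite for a readable timestamp. The column subset and the sample rows are assumptions made for this example.

```python
import sqlite3
from datetime import datetime, timezone

# Safari's History.db stores visit_time as seconds since 2001-01-01 UTC
# (Apple's absolute/"Cocoa" time), not since the Unix epoch of 1970-01-01.
COCOA_EPOCH_OFFSET = 978307200

# Trimmed-down copy of the two Safari tables the query touches. Assumption:
# only the columns used here are reproduced; the real schema has more.
SCHEMA = """
CREATE TABLE history_items (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    url TEXT NOT NULL UNIQUE,
    domain_expansion TEXT,
    visit_count INTEGER NOT NULL
);
CREATE TABLE history_visits (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    history_item INTEGER NOT NULL REFERENCES history_items(id),
    visit_time REAL NOT NULL,
    title TEXT,
    load_successful BOOLEAN NOT NULL DEFAULT 1,
    redirect_source INTEGER,
    redirect_destination INTEGER
);
"""

# One row per visit, newest first, with the timestamp rendered in UTC.
HISTORY_QUERY = """
SELECT
    datetime(v.visit_time + ?, 'unixepoch') AS visited_utc,
    i.url,
    v.title,
    i.visit_count,
    v.load_successful,
    v.redirect_source IS NOT NULL AS arrived_via_redirect
FROM history_visits AS v
JOIN history_items AS i ON i.id = v.history_item
ORDER BY v.visit_time DESC;
"""


def to_cocoa(dt):
    """Convert an aware datetime into Safari's visit_time representation."""
    return dt.timestamp() - COCOA_EPOCH_OFFSET


def build_sample_history():
    """Constructed sample rows standing in for a seized History.db."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO history_items (id, url, domain_expansion, visit_count) VALUES (?, ?, ?, ?)",
        [(1, "https://example.com/login", "example", 2),
         (2, "https://example.com/account", "example", 1)])
    t0 = to_cocoa(datetime(2019, 2, 18, 9, 0, tzinfo=timezone.utc))
    con.executemany(
        "INSERT INTO history_visits (history_item, visit_time, title, load_successful, redirect_source) "
        "VALUES (?, ?, ?, ?, ?)",
        [(1, t0, "Sign in", 1, None),
         (2, t0 + 42, "Account", 1, 1),       # landed here via a redirect from visit 1
         (1, t0 + 600, "Sign in", 0, None)])  # a later load that failed
    con.commit()
    return con


def browsing_history(con):
    """Run the investigator's query and return the rows as dicts keyed by column name."""
    cur = con.execute(HISTORY_QUERY, (COCOA_EPOCH_OFFSET,))
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    for row in browsing_history(build_sample_history()):
        flag = "via redirect" if row["arrived_via_redirect"] else ""
        print(row["visited_utc"], row["url"], row["title"], flag)
```

Against a converted copy of a real History.db the same HISTORY_QUERY applies unchanged; only build_sample_history is replaced by opening the file. Reporting the timestamp in UTC and converting to local time separately avoids the classic mistake of silently mixing the examiner's time zone into the timeline.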
That leads us to the second key capability of Quin-C’s DB parsing feature:
The ability to parse the contents of a target Database into Quin-C’s analysis database so that it can be analyzed with all other evidence in the case.
Possibly the most exciting new piece of functionality, this capability allows a user with knowledge of SQL to build custom DB parsers that expose the contents of any database to analysis. Once created, the DB parser can be saved and used over and over, and even shared with other users.
In the figure, a query has been run and the results of the query have been mapped directly to columns in the Quin-C DB. When there is no logically equivalent column, Quin-C maps the data to custom columns that are created on the fly, ensuring that all relevant data can be ingested and analyzed.
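A sketch of how a saved parser of this kind can be executed, as an added example that is not Quin-C's implementation: the parser is a small definition (a query plus a mapping from result columns to standard analysis columns), the analysis table and its standard column set are hypothetical stand-ins, and the source database is constructed. Result columns that the mapping does not cover become custom_<name> columns added on the fly. Because a parser is user-written SQL that may be shared between users, the result column names are checked against a plain-identifier pattern before they are spliced into DDL.

```python
import re
import sqlite3

# Hypothetical analysis-side table with a fixed set of standard columns.
# Assumption: the real Quin-C analysis schema is not public; this stands in for it.
STANDARD_COLUMNS = {
    "artifact_type": "TEXT",
    "source_table": "TEXT",
    "timestamp_utc": "TEXT",
    "url": "TEXT",
    "account": "TEXT",
}
RESERVED = ("artifact_type", "source_table")  # filled in from the parser definition itself
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_ident(name):
    """Result column names come from a user-written (and shareable) query, so they
    are only used in DDL after being restricted to plain identifiers."""
    if not IDENT_RE.match(name):
        raise ValueError(f"unsafe column name in parser output: {name!r}")
    return name


def create_analysis_db():
    con = sqlite3.connect(":memory:")
    cols = ", ".join(f"{n} {t}" for n, t in STANDARD_COLUMNS.items())
    con.execute(f"CREATE TABLE artifacts (id INTEGER PRIMARY KEY, {cols})")
    return con


def table_columns(con, table):
    return [row[1] for row in con.execute(f"PRAGMA table_info({table})")]


def run_parser(source, analysis, parser):
    """Run the parser's query on `source` and load the rows into analysis.artifacts.
    parser['mapping'] names the standard column for each result column; any result
    column without a mapping gets a custom_<name> column created on the fly."""
    cur = source.execute(parser["query"])
    result_cols = [d[0] for d in cur.description]
    if len(set(result_cols)) != len(result_cols):
        raise ValueError("alias duplicate column names in the query (e.g. a.id, b.id)")
    targets = []
    for col in result_cols:
        target = parser["mapping"].get(col)
        if target is None:
            target = check_ident("custom_" + col)
            if target not in table_columns(analysis, "artifacts"):
                analysis.execute(f"ALTER TABLE artifacts ADD COLUMN {target} TEXT")
        elif target in RESERVED or target not in STANDARD_COLUMNS:
            raise ValueError(f"mapping for {col!r} targets unusable column {target!r}")
        targets.append(target)
    if len(set(targets)) != len(targets):
        raise ValueError("two result columns are mapped to the same analysis column")
    columns = list(RESERVED) + targets
    placeholders = ", ".join("?" * len(columns))
    rows = [(parser["artifact_type"], parser["source_table"], *r) for r in cur.fetchall()]
    analysis.executemany(
        f"INSERT INTO artifacts ({', '.join(columns)}) VALUES ({placeholders})", rows)
    analysis.commit()
    return len(rows)


def build_sample_source():
    """Constructed stand-in for a chat-app database already converted to SQLite."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sent_at TEXT, "
                "handle TEXT, body TEXT, attachment_count INTEGER)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", [
        (1, "2019-02-18 09:00:00", "alice@example.com", "invoice attached", 1),
        (2, "2019-02-18 09:05:00", "bob@example.com", "thanks", 0),
    ])
    con.commit()
    return con


# A saved parser definition (hypothetical format): sent_at and handle map onto
# standard columns, body and attachment_count have no equivalent and become custom columns.
CHAT_PARSER = {
    "artifact_type": "chat_message",
    "source_table": "messages",
    "query": "SELECT sent_at, handle, body, attachment_count FROM messages ORDER BY id",
    "mapping": {"sent_at": "timestamp_utc", "handle": "account"},
}

if __name__ == "__main__":
    analysis = create_analysis_db()
    print(run_parser(build_sample_source(), analysis, CHAT_PARSER), "rows ingested")
    print(table_columns(analysis, "artifacts"))
```

Running the same parser a second time (for a second device's copy of the app) reuses the custom columns already present instead of creating duplicates, which is what makes a saved parser reusable across cases.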
The final key Quin-C capability: the ability to compare two DBs.
This is a bit of specialized functionality, but for anyone who deals in the world of financial crime, like tax evasion, this is manna from heaven. When a user has two versions of a given database, one real and one used to generate false tax information, Quin-C allows the user to quickly determine the difference between them with a simple click of a button.
As the figure below shows, Quin-C was able to determine precisely where (which rows) and how the two databases differed. With this capability, it is very easy to quickly see what the suspect is up to, and how much they have defrauded the government.
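An added example of a row-level comparison along the same lines, not Quin-C's own implementation: two versions of a constructed ledger table live in one SQLite connection (the genuine one in the main schema, the doctored copy ATTACHed as suspect), and compare_table reports which rows were removed, which were added, and which share a primary key but differ in some field, field by field. The ledger schema, the sample entries and the attached schema name are assumptions for this example.

```python
import sqlite3

# Constructed ledger schema; the same DDL is used for both versions.
LEDGER_DDL = ("CREATE TABLE {schema}.ledger ("
              "entry_id INTEGER PRIMARY KEY, posted TEXT, account TEXT, amount_cents INTEGER)")


def build_two_versions():
    """Constructed sample: the genuine ledger in 'main', a doctored copy attached as
    'suspect'. On real evidence the ATTACH would name a file path (a working copy,
    never the original) instead of ':memory:'."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS suspect")
    for schema in ("main", "suspect"):
        con.execute(LEDGER_DDL.format(schema=schema))
    genuine = [(1, "2019-01-05", "sales", 1250000),
               (2, "2019-01-09", "sales", 98000),
               (3, "2019-01-12", "consulting", 420000)]
    doctored = [(1, "2019-01-05", "sales", 250000),       # amount reduced
                (2, "2019-01-09", "sales", 98000),
                (4, "2019-01-14", "expenses", -300000)]   # entry 3 dropped, entry 4 invented
    con.executemany("INSERT INTO main.ledger VALUES (?, ?, ?, ?)", genuine)
    con.executemany("INSERT INTO suspect.ledger VALUES (?, ?, ?, ?)", doctored)
    con.commit()
    return con


def compare_table(con, left, right, table):
    """Report rows removed from, added to, and changed between left.table and right.table.
    Schema and table names are trusted here (they come from sqlite_master, not from user input)."""
    q = lambda name: '"' + name.replace('"', '""') + '"'
    info = con.execute(f"PRAGMA {left}.table_info({table})").fetchall()
    cols = [r[1] for r in info]
    pk = [r[1] for r in info if r[5] > 0]       # pk position > 0 marks key columns
    ltab, rtab = f"{left}.{q(table)}", f"{right}.{q(table)}"

    if not pk:
        # Nothing to pair rows on: fall back to a whole-row set difference.
        removed = con.execute(f"SELECT * FROM {ltab} EXCEPT SELECT * FROM {rtab}").fetchall()
        added = con.execute(f"SELECT * FROM {rtab} EXCEPT SELECT * FROM {ltab}").fetchall()
        return {"removed": removed, "added": added, "changed": []}

    on = " AND ".join(f"l.{q(c)} = r.{q(c)}" for c in pk)
    order = ", ".join(f"l.{q(c)}" for c in pk)
    # Rows whose key exists on one side only; the second query is the first with sides swapped.
    removed = con.execute(
        f"SELECT l.* FROM {ltab} l LEFT JOIN {rtab} r ON {on} WHERE r.{q(pk[0])} IS NULL ORDER BY {order}"
    ).fetchall()
    added = con.execute(
        f"SELECT l.* FROM {rtab} l LEFT JOIN {ltab} r ON {on} WHERE r.{q(pk[0])} IS NULL ORDER BY {order}"
    ).fetchall()

    changed = []
    non_key = [c for c in cols if c not in pk]
    if non_key:
        # IS NOT treats NULL as a comparable value, so NULL -> 0 counts as a change.
        where = " OR ".join(f"l.{q(c)} IS NOT r.{q(c)}" for c in non_key)
        select = ", ".join([f"l.{q(c)}" for c in cols] + [f"r.{q(c)}" for c in cols])
        sql = f"SELECT {select} FROM {ltab} l JOIN {rtab} r ON {on} WHERE {where} ORDER BY {order}"
        for row in con.execute(sql):
            lrow, rrow = row[:len(cols)], row[len(cols):]
            changed.append({
                "key": tuple(lrow[cols.index(c)] for c in pk),
                "fields": {c: (lrow[i], rrow[i]) for i, c in enumerate(cols) if lrow[i] != rrow[i]},
            })
    return {"removed": removed, "added": added, "changed": changed}


if __name__ == "__main__":
    con = build_two_versions()
    report = compare_table(con, "main", "suspect", "ledger")
    for kind in ("removed", "added", "changed"):
        print(kind, report[kind])
```

To cover a whole database, iterate over the table names in sqlite_master of the genuine copy and call compare_table for each; tables that exist on only one side are themselves a finding worth recording. Keying the diff on the primary key is what turns "these two rows are different" into "entry 1's amount was changed from 1250000 to 250000", which is the form an examiner can put in a report.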
And that’s only the beginning.
We are by no means done working on DB analysis. It is such a broad topic and so much can be done. We expect to keep working full steam for the foreseeable future. That said, the current capabilities offered by Quin-C are more than enough to do serious DB analysis and get tremendous value from the data found.