
General Discussion: Unexpected SQLite field data in WhatsApp databases

Remember that SQLite declared types are more of a suggestion than a rule, if the underlying code is forcibly putting an "int" into a "blob" field, there's nothing in SQLite to stop that from happening. Also it might depend on where in the API (and which layer on top) you're coming from, bear in mind that many (most?) APIs won't just be hard coding statements, there'll be parameterised queries to think about so there'll be some mapping of that language's types into SQLite types.

I have Python to hand so let's try:

Code::

    import sqlite3

    # Run each test against a fresh test.sqlite: CREATE TABLE fails if t1 already exists.
    conn = sqlite3.connect("test.sqlite")
    cur = conn.cursor()
    cur.execute("CREATE TABLE t1 (c1 TEXT, c2, INTEGER, c3 BLOB, c4 FLOAT);")
    cur.execute("INSERT INTO t1 VALUES(?, ?, ?, ?, ?)", (1, 2, 3, 4, 5))  # all "ints" in Python
    conn.commit()
    conn.close()

This code creates a record where all of the columns save for the first contain an actual integer type; the first contains a string. The record looks like this:

Code::

    0B 01 06 0F 01 01 01 01 31 02 03 04 05

No errors or warnings from doing this. The text column has coerced the integer to a string (as it should) with serial type 15 (1 byte string), but the blob column is quite happy to receive and store an integer actually as an integer.

Let's try putting Python's "bytes" objects in:

Code::

    import sqlite3

    conn = sqlite3.connect("test.sqlite")
    cur = conn.cursor()
    cur.execute("CREATE TABLE t1 (c1 TEXT, c2, INTEGER, c3 BLOB, c4 FLOAT);")
    cur.execute("INSERT INTO t1 VALUES(?, ?, ?, ?, ?)", (b"\x00", b"\x00", b"\x00", b"\x00", b"\x00"))  # bytes objects
    conn.commit()
    conn.close()

I'd expect SQLite to store blob fields here, and looking at the record:

Code::

    0B 01 06 0E 0E 0E 0E 0E 00 00 00 00 00

All five columns have the serial type 14 (1 byte blob) - again, despite any declared types.

Let's try strings:

Code::

    import sqlite3

    conn = sqlite3.connect("test.sqlite")
    cur = conn.cursor()
    cur.execute("CREATE TABLE t1 (c1 TEXT, c2, INTEGER, c3 BLOB, c4 FLOAT);")
    cur.execute("INSERT INTO t1 VALUES(?, ?, ?, ?, ?)", ("1", "2", "3", "4", "5"))  # strings
    conn.commit()
    conn.close()

The record looks like this:

Code::

    0B 01 06 0F 0F 0F 0F 01 31 32 33 34 05

Which is weird, because only the FLOAT declared column actually coerced the data, and even then it was coerced to an integer (that's normal behavior for SQLite though, it'll choose a more compact numeric encoding if it can).

I'm not sure if this helps, but I think it's interesting at least, and I suspect that if you came in from a different level, or with a different API you might not find that everything still goes this way.
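To read the stored type of each column straight from hex dumps like the ones in the post, here is a small table-leaf cell decoder, added as an example and not part of the original post. The function names are my own, and it assumes UTF-8 text and a record that fits in the page (no overflow pages).

```python
import struct
INT_SIZES = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}  # serial type -> byte width

def read_varint(buf, pos):
    # SQLite varint: big-endian, 7 bits per byte; a 9th byte carries 8 bits.
    value = 0
    for i in range(8):
        value = (value << 7) | (buf[pos + i] & 0x7F)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9

def decode_value(st, buf, pos):
    # Returns (storage class, value, bytes consumed) for one serial type.
    if st == 0:
        return "NULL", None, 0
    if st in INT_SIZES:
        n = INT_SIZES[st]
        return "INTEGER", int.from_bytes(buf[pos:pos + n], "big", signed=True), n
    if st == 7:
        return "REAL", struct.unpack(">d", buf[pos:pos + 8])[0], 8
    if st in (8, 9):
        return "INTEGER", st - 8, 0  # constants 0 and 1, no body bytes
    if st in (10, 11):
        raise ValueError("reserved serial type %d" % st)
    n = (st - 12) // 2  # even types are BLOB, odd types are TEXT
    data = buf[pos:pos + n]
    return ("TEXT", data.decode("utf-8", "replace"), n) if st % 2 else ("BLOB", data, n)

def decode_cell(hex_dump):
    # Table-leaf cell: payload length, rowid, then record header and body.
    buf = bytes.fromhex(hex_dump)
    payload_len, pos = read_varint(buf, 0)
    rowid, start = read_varint(buf, pos)
    header_len, pos = read_varint(buf, start)
    body, columns = start + header_len, []
    while pos < start + header_len:
        st, pos = read_varint(buf, pos)
        cls, value, n = decode_value(st, buf, body)
        columns.append((st, cls, value))
        body += n
    if body - start != payload_len:
        raise ValueError("payload length mismatch (overflow not handled)")
    return rowid, columns

# The three records quoted in the post (ints, bytes, strings inserted).
POST_RECORDS = ("0B 01 06 0F 01 01 01 01 31 02 03 04 05",
                "0B 01 06 0E 0E 0E 0E 0E 00 00 00 00 00",
                "0B 01 06 0F 0F 0F 0F 01 31 32 33 34 05")
for rec in POST_RECORDS:
    print(decode_cell(rec))
```

As written, `c2, INTEGER` in the post's CREATE TABLE declares two columns with no declared type (one named `c2`, one named `INTEGER`), so the table has five columns and only c1, c3 and c4 carry a declared type.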
