How deleted data recovery works
There are three files associated with a database which may contain deleted records.
- The database file - <database name> (https://www.sqlite.org/fileformat2.html#section_1)
- The rollback journal - <database name>-journal (https://www.sqlite.org/fileformat2.html#section_3)
- The write-ahead log - <database name>-wal (https://www.sqlite.org/fileformat2.html#section_4)
How the recovery works
Basic recovery method
The basic approach is described in many documents. The SQLite B-tree is parsed, and freeblocks and unallocated blocks are detected. We know which table the blocks belong to, so we know the data types of the item columns that should be recovered. Data in each block (freeblocks and unallocated blocks) is read sequentially.
Each potential item found in the database has a header that holds the data types and lengths of the data that follows, so we read the whole block of data as if it could be a header. If it fits the table's data types, it is probably a deleted item.
Example of getting deleted record
Source database: orca2.db
- Find the number of the first freelist trunk page and the number of freelist pages in the header (https://www.sqlite.org/fileformat2.html#section_1_2)
- Get the address of the freelist trunk page ((pageNumber - 1) * pageSize) and parse the header (https://www.sqlite.org/fileformat2.html#section_1_4)
- Process all freelist pages (get addresses and parse headers) (https://www.sqlite.org/fileformat2.html#section_1_5)
- Parse the record header to get values (https://www.sqlite.org/fileformat2.html#section_2_1)
All values are in Varint (Variable-Length Integer) format (https://sqlite.org/src4/doc/trunk/www/varint.wiki)
- 87h 3Ch - Record size (956)
- 81h 03h - Row ID (131)
- 06h - Header size
- 55h - Text, size = (85 - 13) / 2 = 36
- 2Bh - Text, size = (43 - 13) / 2 = 15
- 05h - BigInt (48-bit)
- 8Eh 06h - Blob, size = (1798 - 12) / 2 = 893
This method can be used on any SQLite database.
Recovered records may be corrupted, incomplete, or duplicates of existing records.
We try to filter out all duplicate and incomplete records. The filtering does not currently have a success rate of 100%, but we are always looking at ways to improve features, so expect an increased success rate in future updates.
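The header walkthrough above, as an added example that is not the product's own code: it decodes the ten header bytes quoted in the list and applies the "fits the table data types" check, plus a size consistency check. The function names and the schema list are assumptions made for illustration, and the varint decoder follows the SQLite 3 file format encoding, which is what the listed byte values decode with.

```python
# Added example: decode a candidate table cell header as in the walkthrough.
SAMPLE = bytes.fromhex("873c8103" "06552b058e06")  # header bytes quoted on the page

def read_varint(buf, pos):
    """SQLite 3 varint: big-endian, 7 bits per byte, the 9th byte carries 8 bits."""
    value = 0
    for i in range(9):
        if pos + i >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos + i]
        if i == 8:
            return (value << 8) | byte, pos + 9
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:
            return value, pos + i + 1

FIXED = {0: ("null", 0), 1: ("int", 1), 2: ("int", 2), 3: ("int", 3), 4: ("int", 4),
         5: ("int", 6), 6: ("int", 8), 7: ("float", 8), 8: ("int", 0), 9: ("int", 0)}

def serial_type(code):
    """Map a serial type code to (kind, body length in bytes)."""
    if code in FIXED:
        return FIXED[code]
    if code in (10, 11):
        raise ValueError("reserved serial type")
    return ("blob", (code - 12) // 2) if code % 2 == 0 else ("text", (code - 13) // 2)

def parse_cell(buf, pos=0):
    """Return (payload size, row ID, header size, [(kind, length), ...])."""
    payload_size, pos = read_varint(buf, pos)
    rowid, pos = read_varint(buf, pos)
    header_start = pos
    header_size, pos = read_varint(buf, pos)  # size includes this varint itself
    columns = []
    while pos < header_start + header_size:
        code, pos = read_varint(buf, pos)
        columns.append(serial_type(code))
    if pos != header_start + header_size:
        raise ValueError("serial types overrun the declared header size")
    return payload_size, rowid, header_size, columns

def is_plausible(buf, schema, pos=0):
    """Carving check: column kinds fit the table and the sizes add up."""
    try:
        payload_size, _, header_size, columns = parse_cell(buf, pos)
    except ValueError:
        return False
    # Assumption: a NULL is accepted in any column of the expected schema.
    fits = len(columns) == len(schema) and all(
        kind in (want, "null") for (kind, _), want in zip(columns, schema))
    return fits and header_size + sum(n for _, n in columns) == payload_size
```

For the sample bytes the header size plus the four column lengths (6 + 36 + 15 + 6 + 893) equals the declared record size of 956, which is the kind of consistency a carved candidate has to show before it is treated as a deleted record.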
How it works
- A set of columns is defined for each processed table in the database.
- Each recovered record is compared (according to that set of columns) with all valid records and all previously recovered records.
- Depending on the result of the comparison, the record is processed (duplicates are thrown away).
Deleted files can be extracted from a physical dump (Android only).