Understanding Write Ahead Logging in SQLite

Write Ahead Logging (WAL) is a mechanism used by SQLite databases to manage pending changes to their contents; such pending changes are stored initially in files with the suffix -wal. WAL files are a potential source of key evidence because they can contain app data (e.g. messages, browser history) that is not live within the main database file and may therefore be missed by some forensic software tools. Understanding WAL files and how to recover evidence from them is a key part of investigating pre-installed and third-party apps.
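
An added example, not part of the original page: a minimal Python parser for the -wal file layout, run against a constructed database in which a row has been committed but not yet checkpointed into the main file. The table name, marker string and helper names are assumptions made for the illustration, and frame checksums are not verified.

```python
import os, sqlite3, struct, tempfile

WAL_MAGIC = (0x377F0682, 0x377F0683)  # the two checksum byte-order variants

def parse_wal(data):
    """Parse raw -wal bytes into (header, frames). Checksums are not verified."""
    magic, version, page_size, ckpt_seq, salt1, salt2 = struct.unpack(">6I", data[:24])
    if magic not in WAL_MAGIC:
        raise ValueError("not a SQLite WAL file")
    header = {"version": version, "page_size": page_size,
              "checkpoint_seq": ckpt_seq, "salts": (salt1, salt2)}
    frames, off = [], 32                      # the WAL header is 32 bytes
    while off + 24 + page_size <= len(data):  # 24-byte frame header + one page
        pgno, db_size, fs1, fs2 = struct.unpack(">4I", data[off:off + 16])
        frames.append({
            "offset": off,
            "page_no": pgno,
            "commit": db_size != 0,           # non-zero only on a commit frame
            "salt_match": (fs1, fs2) == (salt1, salt2),  # False: frame predates the last WAL reset
            "page": data[off + 24:off + 24 + page_size],
        })
        off += 24 + page_size
    return header, frames

def wal_only_hits(db, wal, needle):
    """Frames whose page holds `needle` while the main database file does not."""
    if needle in db:
        return []
    return [f for f in parse_wal(wal)[1] if needle in f["page"]]

def build_sample(marker=b"constructed-message-001"):
    """Constructed sample: commit one row in WAL mode, read both files before any checkpoint."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA journal_mode=WAL").fetchone()
        conn.execute("PRAGMA wal_autocheckpoint=0").fetchone()  # keep changes in the -wal
        conn.execute("CREATE TABLE messages (body TEXT)")
        conn.execute("INSERT INTO messages VALUES (?)", (marker.decode(),))
        conn.commit()
        with open(path, "rb") as f: db = f.read()
        with open(path + "-wal", "rb") as f: wal = f.read()
        conn.close()                          # closing checkpoints and removes the -wal
    return db, wal

if __name__ == "__main__":
    db, wal = build_sample()
    for f in wal_only_hits(db, wal, b"constructed-message-001"):
        print("marker found only in WAL: frame offset", f["offset"], "page", f["page_no"])
```

The sample is read while the connection is still open because closing the last connection checkpoints the log and deletes the -wal file, which is why the -wal file needs to be preserved alongside the main database.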

In our 4½-day Smartphone App Forensics course we teach delegates techniques for preserving the contents of WAL files and ensuring that those contents can be viewed, interpreted and presented in evidence. Get in touch to check availability on our next course.