I got this idea awhile back when I wrote a tool called, BARFF - Browser Artifact Recovery Forensic Framework. It was more or less a glorified SQLite parser, which is again, more or less what SLARF is, but it uses a plugin based architecture similar to RegRipper, or my take on RegRipper, python-regparse (written in Python). BARFF was "complex" and not easy to add additional plugins too. It didn't scale well either so I found myself not using it much.
Why SLARF?
Why not? When I wrote python-regparse I wrote it in such a way that it can be extended and more or less copy/pasted to apply to multiple artifacts, not just the registry. Because of this SLARF took me about 1.5 hours to modify and now I have a completely different set of artifacts that are able to be parsed more or less the same way as my registry parser. It uses the same user generated output as well so I can have consistency among artifacts as well, which isn't easy to find with other tools.
On top of that, if you have looked at a cell phone these days it is pretty much just a device full of SQLite databases. Likewise with modern browsers and a whole bunch of other programs from Garmin GPS backups to everyday applications like Evernote. They all use SQLite DBs to store data in some form or fashion. So rather than writing a tool for each application I decided to just leverage what I already had with python-regparse and build SLARF.
So let's take a look and see how it works.
Help
python slarf.py -h
usage: slarf.py [-h] [--plugin PLUGIN] [--listplugins] [--plugindetails]
[--database DATABASE] [--format format]
[--format_file format_file]
Parses SQLite Databases.
optional arguments:
-h, --help show this help message and exit
--plugin PLUGIN Specify plugin to run.
--listplugins Lists all of the available plugins.
--plugindetails Lists details available plugins.
--database DATABASE SQLite Database.
--format format Custom output.
--format_file format_file
Custom output template.
Plugins Right now I do not have a lot of plugins written for SLARF, but I will be adding to them over the coming weeks. If there is one you want now let me know and I can write it for you, or you can simply pass me the query and I can build the Python shell for you to test out.
python slarf.py --listplugins
nuvi2757lm_rs (This was a test plugin. I'll write more soon.)
python slarf.py --plugindetails
NUVI2757LM_RS
Plugin: NUVI2757LM_RS
Author: Patrick Olsen
Version: 0.1
Reference: http://sysforensics.org
Print Fields: "{{ rank }}|{{ string }}"
Description: Parses the searches table from the recent_searches.db on the Garmin Nuvi 2757LM GPS.
Templates
The HTML output uses predefined templates. You can see an example of one here on my GitHub.
The output when using templates look like this:
python slarf.py --plugin nuvi2757lmrs --database recentsearches.db --formatfile templates/nuvi2757lmrs.html
User Defined Output
python slarf.py --plugin nuvi2757lmrs --database recentsearches.db --format '{{rank}}|{{string}}'
0|Nordstrom
1|Washington DC, DC
2|Starbucks
3|Kroger
4|Radisson Hotel-Nashville International
5|St Louis, MO
Summary
So yeah, there it is. I have to write a bunch more plugins, and to be quite honest I don't do much analysis of SQLite DBs so if you have some ideas, or common queries, etc. by all means let me know and I'll see what I can do to create some for you. I'll have some browser ones written hopefully in the next couple weeks. I find myself short on time these days.
One more point. It really doesn't have to be just SQLite DBs... You could write your plugins to process any kind of database really. You will just need to add the respective imports.
You can download SLARF on my GitHub.