I got this idea a while back when I wrote a tool called BARFF - Browser Artifact Recovery Forensic Framework. It was more or less a glorified SQLite parser, which is again, more or less, what SLARF is, but it uses a plugin based architecture similar to the code I wrote for python-regparse (written in Python).
Why SLARF?
It is extensible. If you come across a new SQLite database artifact all you need to do is copy a bit of plugin code and in 10 - 15 mins you have a new plugin to pull the data out.
Analyzing cell phones more or less equates to running various queries against a range of SQLite databases. Likewise with modern browsers and a whole bunch of other programs, from Garmin GPS backups to everyday applications like Evernote: they all use SQLite databases to store information relevant to an investigation.
So rather than writing a tool for each application, or keeping a bunch of SQL queries pasted in a notebook for later use, it is much easier to have a set of ready to use plugins.
So let's take a look and see how it works.
Help
python slarf.py -h
usage: slarf.py [-h] [--plugin PLUGIN] [--listplugins] [--plugindetails]
[--database DATABASE] [--format format]
[--format_file format_file]
Parses SQLite Databases.
optional arguments:
-h, --help show this help message and exit
--plugin PLUGIN Specify plugin to run.
--listplugins Lists all of the available plugins.
--plugindetails Lists details available plugins.
--database DATABASE SQLite Database.
--format format Custom output.
--format_file format_file
Custom output template.
Plugins
Right now I do not have a lot of plugins written for SLARF, but I will be adding to them over time. If there is one you want now let me know and I can write it for you, or you can simply pass me the SQL query and I can build the Python plugin for you.
The following plugins were some sample ones that I did to test out the tool's effectiveness.
- dbinfo - prints information about the database
- nuvi2757lm_rs - parses the recent searches from a Garmin Nuvi 2757LM GPS (see image below)
- safari_history_db - parses the Safari history database
- unallocated - recovers data from unallocated space within the SQLite database
python slarf.py --listplugins
dbinfo
nuvi2757lm_rs
safari_history_db
unallocated
python slarf.py --plugindetails
NUVI2757LM_RS
Plugin: NUVI2757LM_RS
Author: Patrick Olsen
Version: 0.1
Reference: http://sysforensics.org
Print Fields: "{{ rank }}|{{ string }}"
Description: Parses the searches table from the recent_searches.db on the Garmin Nuvi 2757LM GPS.
Templates
The HTML output uses predefined templates. You can see an example of one here on my GitHub.
The output when using templates looks like this:
python slarf.py --plugin nuvi2757lm_rs --database recent_searches.db --format_file templates/nuvi2757lm_rs.html
User Defined Output
python slarf.py --plugin nuvi2757lm_rs --database recent_searches.db --format '{{rank}}|{{string}}'
0|Nordstrom
1|Washington DC, DC
2|Starbucks
3|Kroger
4|Radisson Hotel-Nashville International
5|St Louis, MO
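To show how the plugin metadata from --plugindetails and the {{ field }} output format fit together, here is a small SLARF-style plugin runner. This is an added example, not code from SLARF itself: the column names of the searches table, the plugin class layout and the plain-regex template substitution are all assumptions for the sake of the demo, and the sample database is constructed in memory from the rows in the output above.

```python
import re
import sqlite3


class Plugin:
    """Hypothetical SLARF-style plugin: metadata, one query and a default print format."""
    name = "nuvi2757lm_rs"
    author = "Patrick Olsen"
    version = "0.1"
    reference = "http://sysforensics.org"
    print_fields = "{{ rank }}|{{ string }}"
    description = "Parses the searches table from the recent_searches.db on the Garmin Nuvi 2757LM GPS."
    # Column names are an assumption for this example; confirm the real schema with the dbinfo plugin.
    query = "SELECT rank, string FROM searches ORDER BY rank"

    def run(self, conn):
        conn.row_factory = sqlite3.Row
        return [dict(row) for row in conn.execute(self.query)]


_TOKEN = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(fmt, row):
    # Replace every {{ field }} token; an unknown field renders empty instead of aborting the whole run.
    return _TOKEN.sub(lambda m: str(row.get(m.group(1), "")), fmt)


def open_readonly(path):
    # Evidence should never be written to: mode=ro makes SQLite refuse any modification of the file.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def run_plugin(conn, plugin, fmt=None):
    """Run one plugin and render each row with the --format string (default: the plugin's print fields)."""
    return [render(fmt or plugin.print_fields, row) for row in plugin.run(conn)]


def sample_db():
    """Constructed in-memory stand-in for recent_searches.db, inserted out of order on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE searches (rank INTEGER, string TEXT)")
    conn.executemany("INSERT INTO searches VALUES (?, ?)",
                     [(2, "Starbucks"), (0, "Nordstrom"), (1, "Washington DC, DC")])
    conn.commit()
    return conn


if __name__ == "__main__":
    for line in run_plugin(sample_db(), Plugin(), "{{rank}}|{{string}}"):
        print(line)
```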
Summary
So yeah, there it is. I have to write a bunch more plugins, and to be quite honest I don't do much analysis of SQLite DBs so if you have some ideas, or common queries, etc. by all means let me know and I'll see what I can do to create some for you.
I find myself short on time these days.
One more point. It really doesn't have to be just SQLite DBs... You could write your plugins to process any kind of database really. You will just need to add the respective imports.
You can download SLARF on my GitHub.