
Database Parsing in Quin-C

Databases are everywhere. Every meaningful investigation involves a database in one way or another. Databases are used to hold just about everything, ranging from simple user preferences to detailed financial information, and their importance to forensic investigations cannot be overstated. Generally, if something is important enough to be stored in a database, it is valuable information in one way or another. Often a forensics application extracts the data directly from the database and presents it in a way that makes things simple for the investigator. When that happens all is good, and the investigator doesn’t even need to know a DB was involved. But when that doesn’t happen, which is often, given the number of applications that use DBs, the investigator needs another method for interacting with the DB, and this is an area in which Quin-C shines. Quin-C introduced DB forensics as an offering about twelve months ago, but that initial offering was limited in scope and capability. Those limitations have been stripped away in the 20190218 release of Quin-C. This release of Quin-C supports advanced database analysis that in our opinion rivals or exceeds the capabilities of competing products.

At the core of Quin-C’s new DB parsing capability are three central features. The first is DB ingestion: the processing of the target database so that it is accessible to the investigator. To achieve this, Quin-C has the ability to convert PostgreSQL, Oracle, SQL, MS Access, and SQLite files into active SQLite databases. What this means is that Quin-C can effectively take the contents of a PostgreSQL database (as an example) and put that content into a SQLite database that can be accessed and manipulated by the investigator using simple or even complex SQL queries. But Quin-C doesn’t just allow you to run SQL queries; even that is too complex for some investigators. To make this functionality usable by all skill levels, Quin-C provides the ability to navigate the database in the viewer. With this capability an investigator can completely explore the contents of a DB by simply clicking around the tables stored in it. The figure below shows a user navigating the Safari history database. As you can see, all tables are displayed on the left, and the contents of each table can be seen on the right by simply clicking on the target table.


Of course, if the user does know SQL then they are fully able to take advantage of that. As the figure below shows, a user with knowledge of SQL and of the target database is able to execute a fairly complex query that outputs all the critical information associated with the user’s web viewing history.

That leads us directly to the second key capability of Quin-C’s DB parsing feature: the ability to parse the contents of a target database into Quin-C’s analysis database so that it can be analyzed alongside all other evidence in the case. This is possibly the most exciting new piece of functionality we have delivered. With this capability a user with knowledge of SQL can build their own custom DB parsers that expose the contents of any database to analysis. Once created, the DB parser can be saved and used over and over again, and even shared with other users. In the figure shown to the right a query has been run and the results of the query have been mapped directly to columns in the Quin-C DB. When there are no logically equivalent columns, Quin-C maps the data to custom columns that are created on the fly, ensuring that all relevant data can be ingested and analyzed.
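The two steps just described, a SQL query over a browser history database and the mapping of its result columns onto an analysis schema (with custom columns created for anything that has no standard equivalent), as an added example that is not Quin-C’s own code. The `history_items`/`history_visits` tables are a constructed simplification of Safari’s `History.db` schema, the `ANALYSIS_COLUMNS` set and `COLUMN_MAP` are hypothetical stand-ins for the analysis database’s columns, and the conversion of `visit_time` from seconds since 2001-01-01 (the Core Data epoch) is an assumption about how Safari stores it:

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01) and the Core Data / CFAbsoluteTime
# epoch (2001-01-01). Assumption: Safari's history_visits.visit_time uses the latter.
CFABSOLUTE_EPOCH_OFFSET = 978307200

# Hypothetical standard columns of the analysis database.
ANALYSIS_COLUMNS = {"url", "title", "timestamp"}

# A reusable "parser": the query plus how each result column maps onto the
# analysis schema (target column, converter). Unmapped result columns become
# custom columns created on the fly.
SAFARI_HISTORY_QUERY = """
SELECT i.url         AS url,
       v.title       AS title,
       v.visit_time  AS visit_time,
       i.visit_count AS visit_count
FROM history_visits v
JOIN history_items  i ON i.id = v.history_item
ORDER BY v.visit_time
"""


def cf_to_iso(seconds):
    """Convert a Core Data timestamp to an ISO-8601 UTC string."""
    return datetime.fromtimestamp(seconds + CFABSOLUTE_EPOCH_OFFSET,
                                  tz=timezone.utc).isoformat()


COLUMN_MAP = {
    "url": ("url", str),
    "title": ("title", str),
    "visit_time": ("timestamp", cf_to_iso),
}


def build_sample_history_db():
    """Constructed sample: in-memory database shaped like Safari's History.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (
            id INTEGER PRIMARY KEY, url TEXT NOT NULL, visit_count INTEGER NOT NULL);
        CREATE TABLE history_visits (
            id INTEGER PRIMARY KEY, history_item INTEGER NOT NULL,
            visit_time REAL NOT NULL, title TEXT);
        INSERT INTO history_items VALUES
            (1, 'https://example.org/login', 2),
            (2, 'https://example.net/report.pdf', 1);
        INSERT INTO history_visits VALUES
            (1, 1, 568000000.0, 'Sign in'),
            (2, 2, 568003600.0, 'Quarterly report'),
            (3, 1, 568007200.0, 'Sign in');
    """)
    return conn


def list_tables(conn):
    """What the viewer's left-hand pane shows: every user table in the file."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def run_parser(conn, query, column_map=COLUMN_MAP):
    """Run the parser query and map each row onto the analysis schema.

    Returns (mapped_rows, custom_columns). Result columns not present in
    column_map are stored under a 'custom:' prefix so nothing is dropped.
    """
    cur = conn.execute(query)
    result_cols = [d[0] for d in cur.description]
    custom_cols = [c for c in result_cols if c not in column_map]
    mapped = []
    for row in cur:
        record = dict(zip(result_cols, row))
        out = {}
        for src, (target, convert) in column_map.items():
            if src in record:
                out[target] = convert(record[src])
        for c in custom_cols:
            out["custom:" + c] = record[c]
        mapped.append(out)
    return mapped, custom_cols


if __name__ == "__main__":
    db = build_sample_history_db()
    print("tables:", list_tables(db))
    rows, custom = run_parser(db, SAFARI_HISTORY_QUERY)
    print("custom columns created:", custom)
    for r in rows:
        print(r)
```

Because the query and `COLUMN_MAP` are plain data, the pair can be saved and reused against any database with the same shape, which is the "save and share the parser" idea above; a column that later appears in the query but not in the map simply shows up as a `custom:` column rather than breaking the import.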


The last key capability offered by Quin-C is the ability to compare two DBs. This is a bit of specialized functionality, but for anyone who deals in the world of financial crime, such as tax evasion, it is manna from heaven. When a user has two versions of a given database, one real and one used to generate false tax information, Quin-C allows the user to quickly determine the difference between them with a simple click of a button. As the figure below shows, Quin-C was able to determine which rows in the two databases differed and in what way they differed. With this capability it is very easy to quickly see what the suspect is up to and how much they have defrauded the government.
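The row-level comparison described above, as an added example rather than Quin-C’s own implementation. It loads the same table from two SQLite databases keyed by a primary key, reports rows present in only one side, and for rows present in both lists exactly which columns differ and how. The `ledger` table, its rows and the `understatement` figure (the amount by which the altered copy is lower than the real one) are constructed for the example:

```python
import sqlite3


def build_ledger(rows):
    """Constructed sample: an in-memory 'ledger' table keyed by invoice_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ledger (invoice_id INTEGER PRIMARY KEY, client TEXT, amount REAL)")
    conn.executemany("INSERT INTO ledger VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def load_keyed(conn, table, key):
    """Read every row of `table` into {key_value: {column: value}}.

    The table name is an identifier, so it is double-quoted rather than bound
    as a parameter (SQLite cannot parameterise identifiers).
    """
    cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
    cols = [d[0] for d in cur.description]
    key_index = cols.index(key)
    return cols, {row[key_index]: dict(zip(cols, row)) for row in cur}


def compare_tables(left, right, table, key):
    """Diff one table across two databases.

    Returns a dict with:
      only_left  - keys present only in the left database
      only_right - keys present only in the right database
      changed    - {key: {column: (left_value, right_value)}} for rows whose
                   non-key columns differ
    """
    left_cols, lrows = load_keyed(left, table, key)
    right_cols, rrows = load_keyed(right, table, key)
    if left_cols != right_cols:
        raise ValueError("column layout differs: %r vs %r" % (left_cols, right_cols))
    shared = set(lrows) & set(rrows)
    changed = {}
    for k in sorted(shared):
        diff = {c: (lrows[k][c], rrows[k][c])
                for c in left_cols if lrows[k][c] != rrows[k][c]}
        if diff:
            changed[k] = diff
    return {
        "only_left": sorted(set(lrows) - set(rrows)),
        "only_right": sorted(set(rrows) - set(lrows)),
        "changed": changed,
    }


def understatement(left, right, table, key, column, result=None):
    """Illustrative 'how much' figure: total by which `column` in the right
    (altered) copy falls below the left (real) copy, counting rows that were
    removed from the right copy at their full left value."""
    result = result or compare_tables(left, right, table, key)
    _, lrows = load_keyed(left, table, key)
    total = 0.0
    for k, diff in result["changed"].items():
        if column in diff:
            total += diff[column][0] - diff[column][1]
    for k in result["only_left"]:
        total += lrows[k][column]
    return total


if __name__ == "__main__":
    real = build_ledger([(1, "Acme", 1200.0), (2, "Globex", 5400.0), (3, "Initech", 800.0)])
    fake = build_ledger([(1, "Acme", 1200.0), (2, "Globex", 2400.0)])
    report = compare_tables(real, fake, "ledger", "invoice_id")
    print(report)
    print("understated by:", understatement(real, fake, "ledger", "invoice_id", "amount", report))
```

Keying on the primary key rather than comparing whole rows positionally is what lets the output say "row 2 changed in column amount" instead of just "one row differs"; tables without a stable key would need a composite key or a full-row hash instead.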

By no means would I say we are done working on DB analysis. It is such a broad topic and so much can be done, so I expect to keep working full steam for the foreseeable future. That said, the current capabilities offered by Quin-C are more than enough to do serious DB analysis and get tremendous value from the data found.

tleehealey Tuesday 16 April 2019 - 2:44 pm | | Default
