Dear SQLite mailing list, after not finding anything on Google, I want to ask my question here:
I am currently doing research on how to extract an SQLite inmemory-database from the image of a computer?s main memory and store it as a database file on disc. My previous attempts however failed, as the database is not in one place in memory, but seems to be fragmented. I only managed to extract the database file containing the sqlite_master table. Here is what I tried: 1. Dump the main memory using LiME [0] on a Debian Wheezy system. 2. Opened the dump in a hex-editor and searched for patterns that indicate an SQLite database. (according to [1]) 3. Extracted the database file starting at the database header and retrieving (page-size * page-amount) bytes. The result did not include the tables? content, but only the schema. The content is at a total different offset in the memory dump. So my questions are: Can you point me to a resource where SQLite in-memory database layout is documented or described in a detailed way? Any other resources I should check out? Did I miss something? Is there another way? Please note, that in my scenario I only have the memory dump and in theory can?t make use of the live system. I am very glad for every input you could give me. Best regards, Ren? Czerny [0] https://github.com/504ensicsLabs/LiME [1] https://www.sqlite.org/fileformat2.html
