Thank you for the quick response, Keith! As I understand it, the SQLite Backup API?s only work with an SQLite object. E.g.: sqlite3_backup_init() needs a pointer to the database to copy from. However, I do not have access to such a pointer, as the only thing I get is a raw binary dump of the main memory containing the database somewhere inside (think forensic dump). I believe the Backup API?s won?t be applicable. :-/
> On 28 Feb 2016, at 16:32, Keith Medcalf <kmedcalf at dessus.com> wrote: > > > Is there something wrong with using the backup api's? > >> -----Original Message----- >> From: sqlite-users-bounces at mailinglists.sqlite.org [mailto:sqlite-users- >> bounces at mailinglists.sqlite.org] On Behalf Of Ren? Czerny >> Sent: Sunday, 28 February, 2016 08:22 >> To: SQLite mailing list >> Subject: [sqlite] Database layout in memory >> >> Dear SQLite mailing list, >> >> after not finding anything on Google, I want to ask my question here: >> >> I am currently doing research on how to extract an SQLite inmemory- >> database from the image of a computer?s main memory and store it as a >> database file on disc. My previous attempts however failed, as the >> database is not in one place in memory, but seems to be fragmented. I only >> managed to extract the database file containing the sqlite_master table. >> Here is what I tried: >> >> 1. Dump the main memory using LiME [0] on a Debian Wheezy system. >> 2. Opened the dump in a hex-editor and searched for patterns that indicate >> an SQLite database. (according to [1]) >> 3. Extracted the database file starting at the database header and >> retrieving (page-size * page-amount) bytes. >> >> The result did not include the tables? content, but only the schema. The >> content is at a total different offset in the memory dump. >> >> So my questions are: Can you point me to a resource where SQLite in-memory >> database layout is documented or described in a detailed way? Any other >> resources I should check out? Did I miss something? Is there another way? >> >> Please note, that in my scenario I only have the memory dump and in theory >> can?t make use of the live system. >> I am very glad for every input you could give me. >> >> Best regards, >> Ren? Czerny >> >> [0] https://github.com/504ensicsLabs/LiME >> [1] https://www.sqlite.org/fileformat2.html >> _______________________________________________ >> sqlite-users mailing list >> sqlite-users at mailinglists.sqlite.org >> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > _______________________________________________ > sqlite-users mailing list > sqlite-users at mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
