Now that we’ve shown you how to complete a simple SQLite query on a database, why is this so important to examiners?
2) Smartphones use SQLite databases almost exclusively to store data.
3) New features are added to applications constantly: An update may fix an existing bug or security flaw, or it may change or add to the functionality of an application.
3) Database schemas can change: If even a small change is made to the database schema, like a change in a COLUMN or TABLE name, this will break a query. An overall change to the file path will also break the query if the tool no longer knows where to look to find the data.
4) All data is not always parsed: As noted earlier, the applications that have the most users, or that may garner the biggest payloads, are often the apps that are built into commercial tools. If only a handful of the population is using an application, it may not make sense to invest engineering dollars in parsing out its contents.
5) Not every bit of information is always extracted: You may notice that there is often only a subset of the data presented to you when a commercial tool parses an application. This may help prevent information overload for the examiner, but what other data is stored in those applications that may be of interest to your analysis?
6) These are the same methods that the commercial tools use to dissect and parse these databases: Commercial vendors realize that they don’t have time to parse out every single application available in the app stores these days, so some have even offered easy point-and-click alternatives for creating SQLite queries that are easier than the method you just learned.
These tips will make it possible to parse even those applications that your tool cannot handle.
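Points 3 and 5 above can be checked before a query is trusted. The following is an added example, not code from the original article: it compares a database's live schema with the columns a query depends on, refuses to run the query when a column has been renamed or removed, and lists the columns the query never reads. The `messages` table, its column names and the sample rows are constructed for illustration.

```python
import sqlite3

# Hypothetical table/columns the examiner's query depends on (assumed names).
EXPECTED = {"messages": {"sender", "body", "sent_ts"}}
QUERY = ("SELECT sender, body, datetime(sent_ts, 'unixepoch') "
         "FROM messages ORDER BY sent_ts")

def schema_drift(conn, expected=EXPECTED):
    """Compare the live schema to what the query expects.
    Returns {table: {"missing": [...], "unparsed": [...]}} for tables that differ."""
    drift = {}
    for table, want in expected.items():
        # pragma_table_info returns no rows when the table itself is gone.
        have = {row[0] for row in conn.execute(
            "SELECT name FROM pragma_table_info(?)", (table,))}
        missing, unparsed = sorted(want - have), sorted(have - want)
        if missing or unparsed:
            drift[table] = {"missing": missing, "unparsed": unparsed}
    return drift

def run_query(conn):
    """Run QUERY only if every column it needs still exists."""
    missing = {t: d["missing"] for t, d in schema_drift(conn).items() if d["missing"]}
    if missing:
        raise LookupError(f"schema changed, query needs updating: {missing}")
    return conn.execute(QUERY).fetchall()

def build_db(ddl, insert, row):
    """Constructed sample database, held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    conn.execute(insert, row)
    return conn

# Constructed data: the app before and after an update that renamed a column.
old_db = build_db(
    "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, sent_ts INTEGER)",
    "INSERT INTO messages (sender, body, sent_ts) VALUES (?, ?, ?)",
    ("alice", "hello", 1700000000))
new_db = build_db(
    "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, text TEXT, sent_ts INTEGER, is_deleted INTEGER)",
    "INSERT INTO messages (sender, text, sent_ts, is_deleted) VALUES (?, ?, ?, ?)",
    ("alice", "hello", 1700000000, 1))

if __name__ == "__main__":
    print(run_query(old_db))     # query still matches the old schema
    print(schema_drift(new_db))  # renamed column and unparsed additions
```

The `unparsed` list is where to look for data a tool never presented, such as the constructed `is_deleted` flag here.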