Abstract:This study focuses on digital forensic investigations of the databases used in an instant messenger application. Instant messengers store and manage user data in databases, which can be encrypted for privacy protection. We proposed a method to identify and decrypt an SQLite version 3.40.0 database encrypted using wxSQLite3 version 4.9.1, and then we examined the LINE instant messenger application to validate the proposed method. As a result, we successfully acquired the wxSQLite3 passphrase, which was used to decrypt the database of the LINE messenger application. We also performed artifact analysis to enumerate the data from a digital forensics perspective. To the best of our knowledge, this study is the first to propose a method to identify and decrypt of wxSQLite3-encrypted database and its applications.

Forensic Analysis of wxSQLite3-Encrypted Databases and Its Application