pythonsqlitehexdata-recovery

How can I determine the end of a SQLite db file from a hex view of the hard disk?

I have a HDD that may have deleted SQLite db files on it. I am reading the bytes of the disk and looking for the hex signature of SQLite files: 53514c69746520666f726d6174203300

My code tells me the offsets of these files on disk but I don't know what size they are.

e.g. offsets

Is it possible to determine the size of the dbs from the hex view? As far as I can tell, there is no common end characters for these files.

My code

from pathlib import Path
import logging

file_sig = '53514c69746520666f726d6174203300'
disk = Path('/dev/sde1')  # sde is old HDD
try:
    with disk.open(mode="rb") as drive:
        for block_no in range(0, 488281250):
            byte = drive.read(512)
            hexx = byte.hex()

            try:
                idx = hexx.index(file_sig)
                byte_nos.append(idx + block_no * 512)
            except ValueError as e:
                logging.debug(e)
                pass
except KeyboardInterrupt:
    pass

with Path('./results.csv').open(mode='w') as f:
    for item in byte_nos:
        f.write("%s\n" % item)
Solution

  • The file size can be determined by looking at the header in hex.

    I will use a section of the header from the incorrect answer that forgetso provided to demonstrate. We only need to examine the first 32 bytes, so this is the section we'll look at:

    53 51 4C 69 74 65 20 66
    6F 72 6D 61 74 20 33 00
    10 00 01 01 00 40 20 20
    00 00 CC 9B 00 00 03 2B

    The first 16 bytes are the file type identifier, so we really only are concerned with this section to determine file size:

    10 00 01 01 00 40 20 20
    00 00 CC 9B 00 00 03 2B

    The two byte section (offset 16 and 17) in bold above will tell us the size of each page contained in the database. In order to get that number we must convert the big endian hex representation into decimal form. This can be done quickly using a hex to decimal conversion tool.

    10 00

    becomes 4096, which means each page is 4096 bytes.

    The other part we need is the number of pages contained in the database.

    10 00 01 01 00 40 20 20
    00 00 CC 9B 00 00 03 2B

    Looking at the above hex again, the four byte section (offset 28-32) that is now bold is what we need to determine the total number of pages. Again, we simply need to convert into decimal form.

    00 00 03 2B

    becomes 811, which means there are 811 pages.

    Simply multiply these values to calculate the database file size.

    4096(bytes/page) * 811(pages) = 3321856

    So, the file size is 3,321,856 bytes.
    The end of the file would be found by adding this number to the offset where the header begins.