Best of


7 Best Database Forensics Software Tools [Recover Deleted]

Many of our data records are stored in database management systems (DBMS). In the event of a mishap, data breach or theft incident, there is both a legal and a technical need to adopt a database forensics investigation process, using specialized tools to carefully uncover what happened.

Some of the most common DBMS are:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server
  • MongoDB

Before we look at database forensics, we have to understand what digital forensics is. It is the scientific analysis of digital evidence, mainly used in a court of law, and it has several sub-disciplines such as cloud forensics, mobile phone forensics, etc.

Digital forensics is not to be confused with the concept of data recovery, although both are similar in many ways. Forensics, as a whole, is used for investigation purposes.

What is Database Forensics?

Database forensics is a sub-field of the digital forensics discipline that deals with the preservation, extraction, analysis and presentation of digital evidence and findings.

With scientific forensics in mind, it is often used for litigation, criminal investigation and organisational inquiry purposes. However, it can also be used as a specialized database extraction skill to query the database and find out what happened.

Examiners using database forensics tools can expect to be looking more in-depth, such as analysing file metadata, record timestamps, database artefacts and system artefacts.

Which are the Best Database Forensics Software?

Here are the seven (7) BEST Database Forensics software tools that you can use to analyse and recover deleted database entries.

1. DB Browser for SQLite


Popular among users and developers who want to create, search and edit databases compatible with SQLite, DB Browser for SQLite is a free, lightweight open-source tool with a clean interface.

The database software supports Windows, macOS and Linux operating systems. One prominent feature of this tool is the ability to export multiple tables to CSV, all in a single group, to analyse together.

Suitable for database forensics, the program comes with a Windows portable app version that does not require installation. You can run this program from an external USB flash drive when examining computer systems.

Some of the useful features are:

  • Create and compact database files
  • Create, define, modify and delete tables
  • Import and export tables from/to CSV files
  • Import and export databases from/to SQL dump files
  • Examine a log of all SQL commands issued by the application
  • Plot simple graphs based on table or query data

2. Database Forensic Analysis System


Database Forensic Analysis System is commercial software that supports multiple relational and non-relational databases such as Oracle, SQLite, MySQL, MongoDB, Redis and Cassandra.

The database forensic software assists in resolving problems with deleted, corrupted or fragmented database files, false file systems, restricted access to the application system, etc.

Some of the main features include:

  • Unrestricted Accessibility to the database files – no need for password or account info from the application system
  • Extraction and Recovery for the normal/deleted/damaged database files – e.g. tables, views, triggers
  • Multiple Analysis Functions – e.g. keyword searching, SQL statement query, visual connection analysis
  • Patented File Carving Technology – extract, analyze and reorganize the fragmented database files

3. Forensic Toolkit for SQLite


This commercial forensic software suite is a must-have for any forensic investigator, as it simplifies the task of recovering SQLite records from disks, images and databases.

The Forensic Toolkit for SQLite is a suite of three (3) comprehensive software tools, namely:

  • The Forensic Browser for SQLite
  • Forensic Recovery for SQLite
  • SQLite Forensic Explorer

It is an investigative tool designed to show every single byte of an SQLite database, journal or WAL file along with its decoded data. It is also a forensic tool to aid in the recovery of databases, tables and records.

Some of the features include:

  • Examining unused spaces in tables and indexes
  • Viewing how each record is encoded and stored in a table or index
  • Exploring the free list and every page within it
  • Overview of the type and content of the database, which can be SMS, passwords or any other valuable evidence

4. Log Analyzer for SQL


This commercial forensic tool was designed specifically for database administrators to analyze the log file transactions of MySQL Server databases and recover deleted transaction logs.

Log Analyzer for SQL scans the forensic details of Redo, General, and Binary logs to identify abnormalities in the MySQL database.

The forensic tool helps you preview the type of transaction (insert, delete, and update), the time of the transaction, the name of the transaction, and the table name involved in the query.

Some of the features include:

  • Saving of logs in multiple formats, such as MySQL, CSV, HTML and XLS
  • Date filters on log transactions and log transaction data to analyze the data for a particular time period
  • Option to save a log report of the MySQL log file analysis process

5. SQLite Forensics Explorer


SQLite Forensics Explorer is designed for investigators and administrators to restore lost and deleted databases and export these entries in different formats.

The forensic tool reveals the intention of the user who deleted the database records by not only recovering the deleted data but also highlighting the data that was deleted or secure deleted.

Some of the main features are:

  • Sort data with colour schema – different colours for normal data, deleted data, unallocated data, etc
  • Manage multiple custodians
  • Recover associated journal files
  • Indexing of SQLite databases for further investigation or judicial proceeding
  • Multiple options for export, e.g. CSV/PDF

6. SQLite Viewer


Foxton Forensics has a free tool called SQLite Viewer that is used for inspecting the contents of SQLite databases.

The forensic software has a database searcher that automatically loads all SQLite databases from a folder and its subfolders. Images stored in the database are also automatically extracted and viewable by examiners in the built-in gallery interface.

SQLite Viewer has a hex viewer to examine BLOBs and export them to a file for further analysis.

7. dbResponder


dbResponder is a free SQL Server forensics tool that is capable of automated preservation and advanced analysis of database artefacts.

The forensic tool is useful for data breach preparation and response and is developed by Kevvie Fowler, who is a partner and National Cyber Response leader for KPMG.

The software can acquire database artefacts from a single SQL Server or from multiple SQL Servers. All artefacts collected are forensically preserved with timestamps, metadata and hashes.



5 BEST Cloud Forensics & Social Media Extraction Tools

Data in the cloud (e.g. Google Drive, iTunes, webpages, social media sites) is constantly prone to change or deletion. Therefore, cloud forensics is often referred to as taking a snapshot of the data at that moment in time.

It is therefore important to use proper cloud forensic software to collect and preserve this digital evidence.

Cloud forensics tools are especially important if you use them for law enforcement cases (criminal offences) or corporate crime investigations, e.g. checks into employee misconduct, data leaks, etc.

Cloud data can be very useful where evidence no longer resides on local storage, e.g. computers & mobile phones, due to deletion or overwriting.

Sub-disciplines of digital forensics include mobile forensics, memory forensics and many more.

What do I need to perform cloud forensics and social media extraction?

You will still need the following:

  • The correct login credentials and authentication token for the software to gain access to the account and begin cloud extraction.
  • A clean computer, preferably with a wired connection (stable connection) and enough storage space (for the extracted cloud data)

What are the Best Cloud Forensics and Social Media Extraction Tools?

These are the five (5) cloud forensics and social media extraction tools that collect cloud data in a forensically sound manner so that it can be used in a court of law as digital evidence.

1. Oxygen Forensic® Cloud Extractor


Founded in 2000, Oxygen Forensics is a Russian company headquartered in Alexandria, Virginia and provides mobile forensics capabilities to law enforcement, federal agencies and enterprises.

The digital forensic tool has had a built-in feature called Cloud Extractor since 2014, which acquires data from popular cloud storage and cloud email providers, including Gmail, Google Drive, OneDrive, iTunes, Facebook, Instagram, Twitter and many more.

With the extracted cloud data, Cloud Extractor provides additional analytic features, e.g. Timeline (data in a chronological manner), Social Links (frequently communicated parties) and Image Categorization (sorting of images using built-in AI).

Cloud Support & Features

  • Supports 100+ cloud services
  • Acquisition from Google, iCloud, Microsoft cloud services, popular SaaS offerings like Dropbox & Box and social media sites like Facebook, Instagram, etc
  • Cloud access via various authorization methods, with support for 2FA and data decryption
  • Allows users to configure proxy settings for each cloud service

2. X1 Social Discovery


X1 Social Discovery is a case-centric workflow platform that enables users to correctly capture web content while maintaining data preservation and retaining metadata values.

The social media extraction tool collects and searches data from social networks and online web pages.

Unlike the traditional method of manually exporting webpages and taking screenshots, X1 Social Discovery collects the web data, allows users to search and analyse it, and aggregates all of this data into a single user interface.

Cloud Support & Features

  • Supports data types from Facebook, Instagram, Twitter, YouTube, Tumblr, LinkedIn, webpages, Gmail and many more
  • Reporting feature based on filter and data extraction
  • Data remains forensically sound throughout the cloud extraction process
  • Patented web page authentication

3. Magnet AXIOM: Cloud Forensics

Magnet AXIOM offers a comprehensive solution for lawfully recovering and analyzing cloud-based evidence in various ways from suspects, victims, witnesses, and publicly available cloud sources, e.g. social media and webpages.

The social media and cloud extraction tool allows users to extract, recover, analyze and report on their cloud evidence and open-source intelligence (OSINT) data in one single case interface.

Cloud Support & Features

  • Supports cloud extraction from 50+ cloud services
  • Ability to import Warrant Returns formats from Internet Service Providers (ISPs)
  • Supports ingestion of user-generated archive files from Facebook and Google (e.g. Google Takeout)
  • Gains access to cloud accounts via login credentials and 3rd party tokens and keychains

4. Cellebrite UFED Cloud


Since entering the mobile forensics industry in 2007, Cellebrite UFED has been the major player in this field for many years.

Cellebrite is an Israeli digital intelligence company focusing mainly on extracting data from mobile devices. The company has several offices across the world, including Washington, D.C., Germany and Singapore.

One of Cellebrite’s products, the UFED Cloud, allows users to collect, preserve and analyze data from popular cloud services, social media, instant messaging apps, web pages and many more.

Cloud Support & Features

  • Supports 50+ popular cloud services and social media sites
  • Lawful access to time-sensitive online evidence using cloud forensics methodology
  • Ability to import extracted cloud data into the UFED Digital Intelligence platform for further review and analysis
  • Ability to visualise data in a unified format, e.g. timeline format and maps format

5. MSAB XRY Cloud


MSAB is a Swedish company that specialises in using forensic technology for mobile device examination and analysis. The company’s main product is the XRY, their flagship mobile forensics software for extracting mobile data.

The company has a separate component product called the XRY Cloud, which is used to perform cloud forensics. XRY Cloud can be used as a standalone tool or as part of the complete MSAB ecosystem suite of tools.

XRY Cloud offers two (2) modes of cloud extraction. First is the automatic mode, which requires the device to have online access to extract the app token, e.g. Facebook token. The second mode uses the usual login credentials (ID/password) and does not require the device’s presence.

Cloud Support & Features

  • Supports 50+ cloud services
  • Cloud extraction from WhatsApp, Snapchat, iCloud, Facebook, Google services, etc
  • Use of cloud tokens to gain access if login credentials cannot be obtained



5 BEST Mobile Phone Forensics Tools [Evidence Extraction]

Digital forensics is the application of science to collecting, preserving, analysing and presenting digital data. Mobile forensics is a sub-branch of digital forensics that specializes solely in the forensic extraction of mobile devices (smartphones).

There are other sub-disciplines as well, such as cloud forensics, memory forensics and many more.

To examine a mobile device, one needs to understand and overcome the various types of chipsets used (e.g. MTK, Exynos, Snapdragon), the operating system (Android, iOS), the connectivity ports (e.g. USB Type-C), the software security version, the encryption used, etc.

Commercial tools dominate the mobile forensics software used in this industry. The companies behind them have invested heavily in research & development (R&D) to gain access to modern-day phones, develop support for thousands of mobile apps and parse the results in an intuitive interface for their users.

What are the Best Mobile Forensics Tools?

Here are the five (5) best mobile forensics software tools used by law enforcement and private organisations worldwide.

1. Cellebrite UFED


Since entering the mobile forensics industry in 2007, Cellebrite UFED has been the market leader in this space for many years.

Cellebrite is an Israeli digital intelligence company focusing mainly on extracting data from mobile devices. The company has several offices across the world, including Washington, D.C., Germany and Singapore.

The UFED capability is available on desktop computers (UFED4PC) and a standalone handheld console (UFED Touch2).

Cellebrite UFED – Key Features

  • Unlocking of mobile devices via pattern bypass and PIN locks
  • Perform logical, file system and physical extractions
  • Use of bootloaders, automatic EDL capability, smart ADB connection and more
  • Wide range of supported mobile devices across many different brands
  • Extract evidence from mobile phones, SIM cards, drones, SD cards, GPS devices and more

2. Oxygen Forensics


Oxygen Forensics is a Russian company headquartered in Alexandria, Virginia that, like Cellebrite UFED, provides mobile forensics capabilities to law enforcement, federal agencies and enterprises.

The forensic software is an all-in-one platform that can extract mobile forensic images, decode them and parse them in its interface for investigators to analyse quickly. Furthermore, multiple extractions can be investigated in a single Oxygen Forensic interface to have a complete picture of all the acquired data.

Oxygen Forensics – Key Features

  • File system level extraction on most mobile devices
  • Drone forensics possible
  • Bypass screen lock on popular Android devices
  • Cloud extraction – Acquire data from cloud services and storage
  • Support import of call data records



3. MSAB XRY


MSAB is a Swedish company that specialises in using forensic technology for mobile device examination and analysis. It offers frontline extraction support (i.e. a rugged forensic kit model) and a forensic lab solution (i.e. software, kiosk or tablet form).

The company’s product line is designed to recover and analyze the contents of a digital device in a forensically secure manner and consists of three (3) different products, namely:

MSAB Product | Function
XRY | The extraction of the mobile device and the decoding & indexing of the mobile data
XAMN | The analysis, reporting and filtering of the extracted data
XEC | The digital forensics management solution for seamless data distribution between users, locations, departments and other agencies

MSAB XRY – Key Features

  • Logical and physical examinations of 40,000+ mobile devices and app profiles
  • GPS & Memory card examination
  • File Signature Analysis
  • Support for Chinese chipsets

4. Hancom MD-NEXT


Hancom is a Korean company that has specialised in forensic mobile device extraction since 2005. It offers an integrated digital and mobile forensic solution that supports 15,000+ mobile phones, particularly Korean-made brands such as Samsung and LG.

The company offers three (3) mobile forensics software products, namely:

MD-NEXT | The data extraction software for mobile devices, wearables, drones, IoT devices, etc
MD-RED | The analysis software for data recovery, examination and reporting of the extracted data
MD-LIVE | The first responder software for live data extraction and analysis from mobile devices

Hancom MD-NEXT – Key Features

  • Supports data acquisition for models from various global smartphone manufacturers (Samsung/Apple/LG/HTC/ZTE etc.)
  • ADB Pro extraction: supports data acquisition from Android-based devices using vulnerability attacks
  • Supports Android Live, MTP, iOS full filesystem backup, vendor backup protocol, local backup, USIM
  • Supports Bootloader, Fastboot, MTK, QEDL, etc

5. MOBILedit Forensic


MOBILedit is an all-in-one solution for data extraction from mobile devices, smartwatches and cloud services. It has a built-in security bypass feature that allows users to acquire supported phone models without needing a pattern or pattern unlock.

Another valuable and unique feature is their open database of supported mobile apps. Users can quickly check against this database to see if MOBILedit currently supports a particular app. If it doesn’t, there is a request button to ask the company to research that new app.

MOBILedit – Key Features

  • Physical and Logical data acquisition
  • Automated deleted data recovery
  • Cloud forensics acquisition, e.g. Google Drive, OneDrive, Instagram and many others
  • Integrates with camera ballistics technology to scientifically analyze photo origins
  • Concurrent extractions with the new 64-bit engine
