Forensic Analysis of wxSQLite3-Encrypted Databases and Its Application
Abstract
1. Introduction
Contributions
- We propose a method to identify wxSQLite3 databases. We present a method for determining whether an encrypted database is encrypted with wxSQLite3 from both a structural and code perspective. First, we present a framework for determining if a target database is encrypted using wxSQLite3 by analyzing the structure of the encrypted database. Furthermore, we propose an efficient method to find wxSQLite3’s encryption process in decompiled code while reverse engineering an instant messenger application. Based on the two perspectives we proposed, the time needed to analyze the encrypted database of any instant messenger can be reduced to constant time.
- We propose a detailed decryption method for the LINE instant messenger application. Here, the LINE messenger application is analyzed using the proposed method. Based on this analysis, we discovered that the LINE messenger encrypts its database, including user chat histories, using wxSQLite3. From the results of our analysis, we found that the encryption key generation element used for database encryption is received through communication with the LINE messenger’s server. Thus, we also propose a method to obtain an encryption key generation element from memory. Once the encryption key generation element is obtained, we demonstrate that the encrypted database of the LINE messenger can be decrypted using the proposed wxSQLite3 database decryption method.
2. Related Work
2.1. SQLite Database Research
2.2. Instant Messenger Research
2.3. LINE Instant Messenger Research
3. Methodology
3.1. Application Operation Process Analysis
3.2. Reverse Engineering
3.3. Verification
4. Analysis of wxSQLite3
4.1. Structure of wxSQLite3 Database
4.2. wxSQLite3 Database Encryption and Decryption Process
4.2.1. Page IV Generation Process
Algorithm 1: MODMULT (listing not included in this extract)
Algorithm 2: Page IV generation process (listing not included in this extract)
4.2.2. Base Key Generation Process
Algorithm 3: Base key generation process (listing not included in this extract)
4.2.3. Database Encryption Process
Algorithm 4: Page key generation process (listing not included in this extract)
4.2.4. Database Decryption Process
4.3. wxSQLite3 Database Identification Method
4.3.1. Confirming wxSQLite3 Based on Encrypted Data
- (Case 1) Database encryption with the same passphrase: the first 8 bytes of the recreated database have the same ciphertext.
- (Case 2) Database encryption with a new passphrase: the first 8 bytes of the recreated database have a different ciphertext.
4.3.2. Confirming wxSQLite3 Based on Reverse Engineering
5. Analysis of LINE Messenger
5.1. Data Structure and Main Data
5.2. Identification of wxSQLite3 Database in LINE Messenger
5.3. Memory Analysis and Data Decryption
5.3.1. Passphrase Acquisition through Memory Analysis
5.3.2. Database Decryption
5.4. User Artifact Analysis
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Data Availability Statement
Conflicts of Interest
References
| Offset | Size | Data | Note |
|---|---|---|---|
| 0–15 | 16 | Encrypted SQLite 3.x database header | |
| 16–17 | 2 | Database page size | |
| 18 | 1 | File format write version | 1: Legacy, 2: WAL |
| 19 | 1 | File format read version | 1: Legacy, 2: WAL |
| 20 | 1 | Amount of unused "reserved" space at the end of each page | usually 0 |
| 21 | 1 | Maximum embedded payload fraction | fixed at 64 |
| 22 | 1 | Minimum embedded payload fraction | fixed at 32 |
| 23 | 1 | Leaf payload fraction | fixed at 32 |
| 24– | N | Database encrypted except for headers | |
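The header layout above gives a cheap structural triage step: bytes 0–15 are ciphertext, but bytes 16–23 remain plaintext with fixed values at offsets 21–23. The following Python example (added here, not code from the paper or from wxSQLite3) classifies the first 24 bytes of a candidate file as plaintext SQLite, a wxSQLite3-style candidate, or unknown; the sample headers are constructed, and a positive result is only a candidate because any scheme that leaves these bytes in the clear would also match, which is why the paper pairs this check with re-encryption and reverse engineering.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"

# Plaintext fields wxSQLite3 leaves at offsets 21-23 (values from the header table).
FIXED_FIELDS = {21: 64, 22: 32, 23: 32}


def page_size_is_valid(raw: int) -> bool:
    """SQLite stores the page size big-endian at offset 16: a power of two
    between 512 and 32768, or the value 1, which denotes 65536."""
    if raw == 1:
        return True
    return 512 <= raw <= 32768 and raw & (raw - 1) == 0


def classify_header(header: bytes) -> str:
    """Return 'plaintext', 'wxsqlite3-candidate' or 'unknown' for the first
    24 bytes of a file. Only the plaintext window at 16-23 is inspected."""
    if len(header) < 24:
        return "unknown"
    if header[:16] == SQLITE_MAGIC:
        return "plaintext"  # ordinary unencrypted database
    page_size = struct.unpack(">H", header[16:18])[0]
    versions_ok = header[18] in (1, 2) and header[19] in (1, 2)  # legacy / WAL
    fixed_ok = all(header[off] == val for off, val in FIXED_FIELDS.items())
    if page_size_is_valid(page_size) and versions_ok and fixed_ok:
        return "wxsqlite3-candidate"
    return "unknown"


def classify_file(path: str) -> str:
    """Convenience wrapper: read only the 24-byte header from disk."""
    with open(path, "rb") as f:
        return classify_header(f.read(24))


# Constructed sample headers (not taken from any real database).
PLAINTEXT_FIELDS = bytes([0x10, 0x00, 1, 1, 0, 64, 32, 32])  # 4096-byte pages
PLAIN_HEADER = SQLITE_MAGIC + PLAINTEXT_FIELDS
# 16 arbitrary ciphertext bytes followed by the plaintext field window.
WX_HEADER = bytes.fromhex("8f3a17c4e2b90d6655aa11ff0023c7de") + PLAINTEXT_FIELDS
# A header with nothing recognisable at 16-23 (e.g. a fully encrypted first page).
OPAQUE_HEADER = bytes.fromhex("0c9b44e1a73d2f58c06e91b4d2a7f3e61b8c4e27d9a0f53c")

if __name__ == "__main__":
    for name, hdr in [("plain", PLAIN_HEADER), ("wx", WX_HEADER), ("opaque", OPAQUE_HEADER)]:
        print(name, classify_header(hdr))
```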
| Table Name | Column Name | Data | Remarks |
|---|---|---|---|
| _chats | _id | Chat room unique value | 33 random alphanumeric characters |
| _chats | _lastMessage | Conversations and information about them at the end of a chat room | JSON format |
| _chats | _lastUpdatedTime | When the last chat room conversation was sent | 13-digit Unix time |
| _groupchat | _chatMid | Group chat room unique values | 33 random alphanumeric characters |
| _groupchat | _createdTime | Group chat room creation time | 13-digit Unix time |
| _groupchat | _chatName | Group chat room title | |
| _contact | _mid | User unique values | 33 random alphanumeric characters |
| _contact | _createdTime | Add friend time | 13-digit Unix time |
| _contact | _displayName | User name | |
| _contact | _statusMessage | User profile status message | |
| _contact | _favoriteTime | Favorite add time | 13-digit Unix time |
| _profile | _mid | User unique values | 33 random alphanumeric characters |
| _message | _from | Message sending user unique values | Same as _mid in the _contact and _profile tables |
| _message | _to | Message receiving user unique values | Same as _mid in the _contact and _profile tables |
| _message | _createdTime | Message sent time | 13-digit Unix time |
| _message | _text | Message content | For attachments, the filename |
| _message | _chatId | Chat room unique values | Same as _id in the _chats table |
| _message | _contentInfo | Image thumbnail information | JSON format |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Kang, S.; Kim, G.; Hur, U.; Kim, J. Forensic Analysis of wxSQLite3-Encrypted Databases and Its Application. Electronics 2024, 13, 1325. https://doi.org/10.3390/electronics13071325