Introducing SQUID: Don’t miss evidence because the app updated! (an OSDFCon presentation)



This week we continue our blog series covering the speakers and topics we’re offering at OSDFCon in Herndon this coming October. Ryan Benson, a digital forensic examiner at Stroz Friedberg’s San Francisco office, took the time to talk with us a little bit about his open source utility SQLite Unknown Identifier (or SQUID), which he’ll be presenting Oct. 28:

BT: Your talk topic this year is “Introducing SQUID: A tool to ‘fuzzy match’ SQLite databases.” What drove you to develop this tool?

RB: I’ve done a lot of work in Chrome forensics and Chrome uses SQLite heavily. I needed to develop a good way to determine what version of Chrome I was looking at based on just the database files. After I had a working solution, I realized I could build on the method and make a standalone tool to compare unknown SQLite databases against a wide range of applications, not just Chrome. I also had started experimenting in mobile forensics, and the large number of SQLite databases I ran into made me think that a tool for identifying SQLite files based on content, not name or other metadata, would be a good tool to have in the arsenal.

BT: What is the 2-line reason why a practitioner should attend your talk — what will they learn?

RB: SQLite databases are growing in popularity and are increasingly valuable in investigations. This talk introduces SQUID, a tool to find exact and near matches of SQLite databases based on database structure. Practitioners will learn how to triage a large number of SQLite databases and quickly identify the ones that may be relevant to their case.
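One way to implement the structure-based "fuzzy match" described in this answer, added here as an illustration (it is not SQUID's own code). The catalog entries, application labels and the sample database are constructed for the example; the signature compares only table and column names read from the file, never its name or other metadata:

```python
import sqlite3

# Constructed catalog of known schemas (hypothetical, not SQUID's real catalog).
# Each entry maps an application label to a set of "table.column" signatures.
KNOWN_SCHEMAS = {
    "exampleapp v1 (constructed)": {
        "messages.id", "messages.sender", "messages.body", "messages.ts",
        "contacts.id", "contacts.name",
    },
    "exampleapp v2 (constructed)": {
        "messages.id", "messages.sender", "messages.body", "messages.ts",
        "messages.attachment_id", "contacts.id", "contacts.name", "contacts.phone",
    },
    "otherapp (constructed)": {"cookies.host", "cookies.name", "cookies.value"},
}

def schema_signature(conn):
    """Return the set of 'table.column' names from an open SQLite connection,
    so that only structure is compared (file name and metadata are ignored)."""
    sig = set()
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            sig.add(f"{table}.{row[1]}")
    return sig

def jaccard(a, b):
    """Similarity of two signature sets: |A and B| / |A or B| (1.0 = exact match)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def rank_matches(conn, catalog=KNOWN_SCHEMAS):
    """Score the unknown database against every catalog entry, best match first."""
    sig = schema_signature(conn)
    scored = [(label, jaccard(sig, known)) for label, known in catalog.items()]
    return sorted(scored, key=lambda x: x[1], reverse=True)

def build_sample_db():
    """Constructed 'unknown' database: a v2-style file with one extra column."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT,
                              ts INTEGER, attachment_id INTEGER);
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT, phone TEXT, email TEXT);
    """)
    return conn

if __name__ == "__main__":
    for label, score in rank_matches(build_sample_db()):
        print(f"{score:.2f}  {label}")
```

The near match (v2 scores higher than v1, both above zero) is the triage signal: a renamed or slightly altered database still surfaces against its closest known application version.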

BT: What brought you into the digital forensics domain?

RB: I studied computer engineering in college, not knowing exactly what career I wanted afterward. During school, I interviewed for an internship with a small computer forensic company and was intrigued by the work they did. I ended up taking the internship and getting hooked on forensics. I’ve been working in the field ever since.

BT: What is your favorite aspect of digital forensics?

RB: I love that in many cases I work on it’s me against another person. Whether the case involves an attacker that has compromised a system or a user that took corporate data and then tried to cover his or her tracks, I enjoy that I’m trying to figure out what that person did and how he or she did it. It makes the work more interesting to me.

BT: How do open source digital forensics tools make your research and/or your investigative work easier?

RB: I love open source tools because I can see what’s going on behind the scenes. I get disappointed when I find a tool that does something really interesting, but I can’t take a look at how it works and possibly leverage it myself in a different way.

On the other side of that, if I get a result from a tool that I didn’t expect or don’t quite fully understand, if the tool is open source I can look into how it got that result until I’m satisfied. If the tool is closed source, my validation of the tool’s findings can be a lot more complicated and time consuming.

BT: Besides presenting, what are you looking forward to most about OSDFCon 2015?

RB: Attending the other talks. The agenda looks amazing and I’m really looking forward to several of the presentations. I’m excited that most of the talks are on new approaches to better solve the problems we often face in the DFIR field. I expect that I will be able to leverage some of the things I learn in the presentations immediately after returning to work after the conference.

BT: What’s next for SQUID?

RB: I would love to be able to incorporate support for other databases beyond SQLite, especially the ESE databases used in many Microsoft products. I also want to keep adding new applications (and new versions) to SQUID’s catalog of known databases.

Learn more about SQUID and the wealth of other research being presented at OSDFCon — register to attend here. We look forward to seeing you October 28!