Recovering SQLite data from fragmented flash pages

Abstract

As a small-sized database engine, SQLite is widely used in embedded devices, such as mobile phones and PDAs. Large amounts of sensitive personal data are stored in SQLite. Any unintentional data deletion or unexpected device damage can cause considerable loss to the owners of the data. Therefore, in these cases, it is necessary to be able to recover and extract SQLite data records from the flash memory of portable devices. However, most existing SQLite recovery studies take the database file as the research subject, while it is not possible to acquire an intact database file when the flash memory controller is damaged. This paper presents a new method to recover SQLite data records from fragmented flash pages. Instead of investigating the whole *.db file or the journal file, the suggested method focuses on the analysis of B-Tree leaf page structure, which is the basic storage unit, to locate and extract existing and deleted data records based on the structures of the page header and cells in the leaf page, and then uses the SQLite_master structure to translate hex data records into meaningful SQLite tables. The experimental results show that this new method is effective regardless of which file system is used.
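An added example, not code from the paper: a minimal carver for the leaf-page step the abstract describes, written against the public SQLite file format rather than the authors' algorithm. It decodes only live cells (deleted records in freeblocks are out of scope), assumes UTF-8 text and no reserved bytes per page, and all function names are hypothetical; the recovered `sqlite_master` row supplies the schema needed to label the columns of the other rows.

```python
import contextlib, pathlib, sqlite3, struct, tempfile

def varint(buf, pos):
    """Decode a SQLite varint (1-9 bytes, big-endian); return (value, next_pos)."""
    value = 0
    for i in range(8):
        value = (value << 7) | (buf[pos + i] & 0x7F)
        if buf[pos + i] < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9    # ninth byte carries 8 bits

def decode_record(buf, pos):
    """Decode one record: a header of serial types, then the column values."""
    hdr_len, p = varint(buf, pos)
    body, row = pos + hdr_len, []
    while p < pos + hdr_len:
        t, p = varint(buf, p)                      # reserved types 10/11 raise IndexError
        size = (t - 12) // 2 if t >= 12 else (0, 1, 2, 3, 4, 6, 8, 8, 0, 0)[t]
        raw = bytes(buf[body:body + size])
        if t >= 12:                                # odd = TEXT, even = BLOB
            row.append(raw.decode("utf-8", "replace") if t % 2 else raw)
        elif t == 7:                               # IEEE 754 double
            row.append(struct.unpack(">d", raw)[0])
        else:                                      # 0 = NULL, 9 = constant 1, 8 = constant 0
            row.append({0: None, 9: 1}.get(t, int.from_bytes(raw, "big", signed=True)))
        body += size
    return row

def carve_leaf(page):
    """Yield (rowid, row) for each live cell if page is a table B-tree leaf."""
    hdr = 100 if page[:16] == b"SQLite format 3\x00" else 0   # file header on page 1
    if page[hdr] != 0x0D:                          # 0x0D = table leaf page flag
        return
    for i in range(struct.unpack_from(">H", page, hdr + 3)[0]):   # cell count
        with contextlib.suppress(IndexError, struct.error):       # skip corrupt cells
            # i-th cell pointer -> payload size varint, then rowid varint
            size, p = varint(page, struct.unpack_from(">H", page, hdr + 8 + 2 * i)[0])
            rowid, p = varint(page, p)
            if size <= len(page) - 35:             # larger payloads spill to overflow pages
                yield rowid, decode_record(page, p)

def sample_fragments():
    """Constructed input: a tiny database cut into 4096-byte pages, order reversed."""
    path = pathlib.Path(tempfile.mkdtemp()) / "sample.db"
    con = sqlite3.connect(path)
    con.executescript("PRAGMA page_size=4096; CREATE TABLE sms(id INTEGER PRIMARY KEY, body TEXT);"
                      "INSERT INTO sms(body) VALUES ('hello'), ('meet at 9');")
    con.close()
    data = path.read_bytes()
    return [data[i:i + 4096] for i in range(0, len(data), 4096)][::-1]
```

Calling `carve_leaf` on each page from `sample_fragments()` returns the two `sms` rows and the `sqlite_master` row regardless of page order; the `id` column decodes as NULL because an `INTEGER PRIMARY KEY` is stored as the rowid.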




Funding

This work is supported by the National Natural Science Foundation of China (No. 61802210), the Young Scholar Program of He’nan Education Department of China (No. 2014GGJS-111), and the key scientific research Program of He’nan Education Department of China (No. 17A520048).

Author information

Corresponding author

Correspondence to Quanxin Zhang.


About this article


Cite this article

Zhang, L., Hao, S. & Zhang, Q. Recovering SQLite data from fragmented flash pages. Ann. Telecommun. 74, 451–460 (2019). https://doi.org/10.1007/s12243-019-00707-9


Keywords

  • Data recovery
  • SQLite database
  • Fragmented flash pages
  • B-Tree leaf page
  • SQLite_master