A WAL file is a collection of frames with embedded B-tree pages that correspond to pages in the actual database. We aren't going to get into the nitty-gritty of how B-trees work. Instead, let's focus on some of the important byte offsets of various structures of interest, so that we can have a better understanding of the code and, in doing so, we'll further exemplify the forensic relevance of WAL files.
The main components of a WAL file include the following:
- WAL header (32 bytes)
- WAL frames (page size)
- Frame header (24 bytes)
- Page header (8 bytes)
- WAL cells (variable length)
Note that the WAL frame size is dictated by the page size, which can be extracted from the WAL header.
The following diagram shows the structure of a WAL file at a high level:
Let's take a look at each of the high-level categories of the WAL file. Some of these structures are described at https://www.sqlite.org/fileformat2.html.