When analyzing SQLite databases, the examiner might come across additional temporary files. There are nine types of temporary SQLite files:
- Rollback journals
- Master journals
- Statement journals
- WAL
- Shared-memory files
- TEMP databases
- Views and subqueries materializations
- Transient indices
- Transient databases
The SQLite documentation at https://www.sqlite.org/tempfiles.html describes each of these files in greater detail. The WAL is one of these temporary files and is involved in atomic commit and rollback. Only databases whose journaling mode has been set to WAL use the write-ahead log; the following SQLite command configures a database to do so:
```sql
PRAGMA journal_mode=WAL;
```
The WAL file is created in the same directory as the SQLite database, with -wal appended to the original database filename. When a connection is made to the SQLite database, a WAL file is temporarily created. This WAL file holds any changes made to the database while the original SQLite database file is left untouched until those changes are checkpointed. Advantages of using WAL include concurrent readers and writers and faster read/write operations. Specifics on the WAL file can be read at https://www.sqlite.org/wal.html:
![](assets/17d1071f-ec60-467d-9b87-c01cba6889b8.png)
By default, the pages recorded in the WAL file are written back (checkpointed) to the original database file when either the WAL file reaches 1,000 pages or the last connection to the database closes.
WAL files are forensically relevant for two reasons:
- Reviewing database activity over time
- Recovering deleted or altered records
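As an added example (not code from the original text), the following Python script builds a throwaway database, switches it to WAL mode, inserts and deletes a row with the connection still open, and shows that the deleted record survives in the -wal file while the main database file has not yet received the data; it then closes the last connection so the checkpoint runs and the -wal file disappears. It also walks the WAL's 32-byte file header and 24-byte frame headers to count committed transactions, which is the basis for reviewing activity over time. The file name and record contents are constructed for the demonstration.

```python
import os
import sqlite3
import struct
import tempfile

WAL_HEADER = 32    # WAL file header size in bytes (layout per sqlite.org/wal.html)
FRAME_HEADER = 24  # each frame = 24-byte header followed by one database page


def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()


def wal_summary(wal_path):
    """Parse a -wal file into header fields plus (page number, is_commit) per frame."""
    data = read_bytes(wal_path)
    magic, version, page_size, ckpt_seq = struct.unpack(">IIII", data[:16])
    if magic not in (0x377F0682, 0x377F0683) or version != 3007000:
        raise ValueError("not a SQLite WAL file")
    frames, off = [], WAL_HEADER
    while off + FRAME_HEADER + page_size <= len(data):
        pgno, commit_size = struct.unpack(">II", data[off:off + 8])
        frames.append((pgno, commit_size != 0))  # nonzero size marks a commit frame
        off += FRAME_HEADER + page_size
    return {"page_size": page_size, "checkpoint_seq": ckpt_seq, "frames": frames,
            "commits": sum(1 for _, is_commit in frames if is_commit)}


def demo(workdir=None):
    """Constructed scenario: insert, delete, then close the last connection."""
    db = os.path.join(workdir or tempfile.mkdtemp(), "notes.db")  # hypothetical file
    wal = db + "-wal"
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.commit()
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    conn.execute("INSERT INTO notes(body) VALUES ('alice-secret-note')")
    conn.execute("INSERT INTO notes(body) VALUES ('bob-public-note')")
    conn.commit()
    conn.execute("DELETE FROM notes WHERE id = 1")  # the 'alice' row is gone from SQL
    conn.commit()
    # Still open and far below 1,000 WAL pages: no checkpoint yet, so the main file
    # lacks the rows while the WAL keeps the pre-delete page image with the record.
    result = {"mode": mode, "wal_exists_open": os.path.exists(wal),
              "deleted_in_wal": b"alice-secret-note" in read_bytes(wal),
              "deleted_in_main": b"alice-secret-note" in read_bytes(db),
              "summary": wal_summary(wal)}
    conn.close()  # last connection closes -> checkpoint runs and -wal is removed
    result["wal_exists_closed"] = os.path.exists(wal)
    result["live_in_main_after"] = b"bob-public-note" in read_bytes(db)
    return result
```

Note that after the checkpoint the deleted cell may still linger as unallocated space inside the main file's page, but the WAL frame is the copy that reliably preserves the full pre-delete page.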
The creators of Epilog, an advanced SQLite carving tool, have a well-written article detailing the specific forensic implications of WAL files at https://digitalinvestigation.wordpress.com/2012/05/04/the-forensic-implications-of-sqlites-write-ahead-log/. With an understanding of what makes WAL files important, why they are used, and their forensic relevance, let's examine their underlying structure.