In this chapter, we will revisit SQLite databases and examine a type of journaling file called a Write Ahead Log (WAL). Due to the complexity of the underlying structure, parsing a WAL file is a more difficult task than our previous work with SQLite databases. There are no existing modules that we can leverage to directly interact with the WAL file in the same way we used sqlite3 or peewee with SQLite databases. Instead, we'll rely on the struct library and our ability to understand binary files.
Once we've successfully parsed the WAL file, we will leverage Python's regular expression library, re, to identify potentially relevant forensic artifacts. Lastly, we briefly introduce another method of creating progress bars using the third-party tqdm library. With a few lines of code, we'll have a functioning progress bar that provides the user with feedback on program execution.
The WAL file can contain data that is no longer present in, or has not yet been added to, the SQLite database. It can also contain previous copies of altered records, giving a forensic investigator an idea of how the database changed over time.
We will explore the following topics in this chapter:
- Parsing complex binary files
- Learning about and utilizing regular expressions to locate specified patterns of data
- Creating a simple progress bar in a few lines of code
- Using the built-in Python debugger, pdb, to troubleshoot code quickly
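As an added example (not code from the book), the following is the kind of struct-based parser this chapter builds toward: it unpacks the 32-byte WAL file header and each 24-byte frame header, recomputes SQLite's cumulative checksum, and flags frames whose salt or checksum no longer match, i.e. the stale frames from earlier checkpoints that can still hold records absent from the main database. The layout and checksum algorithm follow the SQLite file-format documentation; build_wal only constructs test input.

```python
import struct

WAL_HDR = struct.Struct(">8I")    # magic, version, page size, ckpt seq, salt1, salt2, cksum1, cksum2
FRAME_HDR = struct.Struct(">6I")  # page no, db size in pages if commit frame (else 0), salt1, salt2, cksum1, cksum2
MAGIC_LE, MAGIC_BE = 0x377F0682, 0x377F0683  # low bit selects the checksum word byte order


def wal_checksum(data, s0=0, s1=0, big_endian=False):
    """SQLite's WAL checksum: a running sum over pairs of 32-bit words."""
    n = len(data) // 8 * 2
    words = struct.unpack((">" if big_endian else "<") + "%dI" % n, data[:n * 4])
    for i in range(0, n, 2):
        s0 = (s0 + words[i] + s1) & 0xFFFFFFFF
        s1 = (s1 + words[i + 1] + s0) & 0xFFFFFFFF
    return s0, s1


def parse_wal(blob):
    """Return (header dict, list of frame dicts). A frame is 'valid' only while the salts match
    the header and the checksum chain holds; SQLite ignores everything from the first bad frame on."""
    magic, version, page_size, ckpt, salt1, salt2, c1, c2 = WAL_HDR.unpack_from(blob, 0)
    if magic not in (MAGIC_LE, MAGIC_BE):
        raise ValueError("not a WAL file: bad magic 0x%08x" % magic)
    be = magic == MAGIC_BE
    s0, s1 = wal_checksum(blob[:24], big_endian=be)  # header checksum covers its first 24 bytes
    header = dict(version=version, page_size=page_size, checkpoint=ckpt,
                  salt=(salt1, salt2), header_ok=(s0, s1) == (c1, c2))
    frames, off, chain_ok = [], WAL_HDR.size, header["header_ok"]
    while off + FRAME_HDR.size + page_size <= len(blob):
        pgno, commit, fs1, fs2, fc1, fc2 = FRAME_HDR.unpack_from(blob, off)
        page = blob[off + FRAME_HDR.size:off + FRAME_HDR.size + page_size]
        s0, s1 = wal_checksum(blob[off:off + 8], s0, s1, be)  # first 8 bytes of the frame header...
        s0, s1 = wal_checksum(page, s0, s1, be)               # ...then the page content
        chain_ok = chain_ok and (fs1, fs2) == (salt1, salt2) and (s0, s1) == (fc1, fc2)
        frames.append(dict(page_number=pgno, commit_size=commit, valid=chain_ok, data=page))
        off += FRAME_HDR.size + page_size
    return header, frames


def build_wal(page_size, salt, frames, big_endian=False):
    """Construct a WAL file with correct checksums (constructed test input, not real evidence)."""
    hdr = struct.pack(">6I", MAGIC_BE if big_endian else MAGIC_LE, 3007000, page_size, 1, *salt)
    s0, s1 = wal_checksum(hdr, big_endian=big_endian)
    out = [hdr + struct.pack(">2I", s0, s1)]
    for pgno, commit, page in frames:  # each frame: (page number, commit size, page bytes)
        head = struct.pack(">2I", pgno, commit)
        s0, s1 = wal_checksum(head, s0, s1, big_endian)
        s0, s1 = wal_checksum(page, s0, s1, big_endian)
        out.append(head + struct.pack(">4I", *salt, s0, s1) + page)
    return b"".join(out)
```

Frames reported with valid=False are the ones worth carving for old record versions, since SQLite itself will never replay them into the database.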