SQLite Forensics Micro-course: Data Structures
advanced level | 5 HouRS | 5 cpe credits | updated 2025
Struggling to find deleted data that your forensic tools miss? This hands-on micro-course shows you how to go deeper by understanding how SQLite stores and removes data. In just a few hours, you’ll learn how to recover deleted records, interpret raw structures, and confidently analyze app databases, even when tools give you nothing.
SQLite Forensics: Data Structures (Micro-course)
This focused 5-hour course helps digital forensic professionals understand how SQLite stores, deletes, and spreads data across its internal structure. Ideal when tool output is incomplete, or deeper answers are needed for reports or court.
Instead of theory, you’ll work hands-on with real app data and learn practical methods to examine freelist pages, overflow records, and fragmented content — with no need for scripting or SQL expertise.
Overview of what you will learn
- This course shows you how SQLite files are structured — from file headers to page types and record formats
- You’ll learn how to find and recover deleted records from freelist pages and unallocated space
- We walk you through how to follow overflow chains and rebuild fragmented records across multiple pages
- You’ll get comfortable decoding variable-length integers (VarInts) to manually interpret database records
- Throughout the course, you’ll apply reliable, tool-independent techniques that work in real cases
Is this course for you?
This course is designed for forensic examiners, analysts, lab specialists, and investigators who:
- Work with iOS/Android app data in mobile investigations
- Need to validate or explain SQLite evidence beyond tool output
- Are tasked with presenting solid findings in reports or court
- Want practical skills — fast — with zero filler
Why investigators choose this course
- Deep-dive training — distilled from our full SQLite Forensics course
- Full course credit included — if you later enroll in the complete SQLite Forensics course, we’ll deduct the full price of this micro-course — just contact us before enrolling
- Hands-on, realistic data — real-world scenarios using specially engineered samples
- No scripting needed — clear, visual, and practical methods
- 5 hours total — focused and efficient
- Flexible delivery — take it on-demand or join a live session
- Certificate included — for court, audits, or internal tracking
Inside the Course (Video)
Course Format & Pricing
On-Demand: paced at your convenience
Live Online: $349
What you'll learn
In this course, you’ll learn to:
- Understand how SQLite stores data Discover how app data is saved, deleted, and structured inside actual databases.
- Read raw database files with confidence Build the skills to explore SQLite files directly — without relying on tool output.
- Find deleted and inactive data Learn how to locate freelist pages, overflow records, and fragmented entries that tools often miss.
- Follow a forensic method Use a repeatable, proven process to examine app databases, even when tools offer no support.
- Communicate findings clearly Be able to explain what you found and how — in reports, audits, or court.
- Practice on real mobile data Work hands-on with actual database files and realistic investigative scenarios.
Included in your training
- Built for forensic needs A course tailored specifically for investigators working with mobile app data.
- Works with real-world SQLite files Practice on live, deleted, and fragmented data — exactly what you'll encounter in real cases.
- Visual, no-code instruction Learn through clear, visual explanations — no SQL or scripting required.
- Clear focus on SQLite internals Understand pages, freelists, overflow areas, and how data is structured across the file.
- Flexible format Learn at your own pace on-demand, or join a live session with an instructor.
- Completion certificate Download a certificate upon completing the course to verify your training.
Course Content
Expand All Sections- Learn what SQLite headers reveal about structure and data format
- Extract and interpret key values manually
- Understand how pages are organized in SQLite
- Identify and interpret key page-level structures
- Decode SQLite’s compact number system
- Apply VarInt logic to manually parse database records
- Reconstruct complete rows manually
- Understand serial types and payload structures
- Locate deleted records in freeblocks
- Understand fragmentation and record remnants
- Recover data from freelist structures
- Track page reuse and deleted record flow
- Rebuild large records stored across multiple pages
- Recover images, files, or messages missed by tools
Who is this course for?
This micro-course is designed for investigators, analysts, and technical professionals who need to go beyond what forensic tools show, and understand what SQLite databases actually contain. It's ideal for forensic analysts, incident responders, and investigators who need fast, tool-independent insight into SQLite internals — and want techniques they can apply immediately in live cases.
It’s especially useful if you:
- Work with mobile app data from iOS or Android devices
- Encounter SQLite databases that your tools don’t fully parse
- Need to validate or challenge automated tool output
- Want to learn how to manually examine freelist pages, overflow records, and deleted data
- Are responsible for reporting or presenting findings in a legal, regulatory, or incident response context
- Prefer hands-on learning with real-world data over slide decks and theory
If you’re working with data and want a deeper understanding of how it’s stored and recovered, this course is for you.
Who This Course Helps
Mobile App Investigators
Analyze SQLite databases from Android/iOS apps and recover hidden or deleted data manually.
Tool Validators
Evaluate the accuracy of automated forensic tools by comparing with raw SQLite structures.
Technical Analysts
Gain deep understanding of freelist pages, overflow records, and how data fragments are stored.
Report Writers
Strengthen your ability to explain how deleted or fragmented records were located and recovered.
Hands-on Learners
Prefer real-world data and labs over theory? This course is built for direct, immersive practice.
Legal & Compliance Teams
Need reliable, court-defensible analysis? Learn techniques that stand up to scrutiny.
Your Instructor
This course is taught by James Eichbaum, a leading expert in digital forensics and one of the most experienced instructors in mobile and database analysis. With over 15 years of experience teaching SQLite forensics, James has trained professionals across 30+ countries.
He previously served as Global Training Manager at MSAB and has led advanced training for hundreds of organizations worldwide including national police agencies, governments, and private DFIR labs. His instruction combines deep technical skill with extensive field experience from real investigations.
In this micro-course, James guides you through the internal workings of SQLite databases, including deleted records, freelist pages, and overflow structures, using a practical, tool-independent approach designed to give you skills you can apply right away.
Connect with James on LinkedIn- 15+ years teaching digital and mobile forensics
- Former Global Training Manager at MSAB
- Former California P.O.S.T. Instructor
- Detective with Sacramento Valley High Tech Crimes Task Force
- Special Deputy U.S. Marshal on FBI Cyber Crimes Task Force
- HTCIA Case of the Year award recipient (2011)
Choose Your Training Format
OnDemand
Learn at your own pace with 5 hours of expert-led content. Flexible, self-guided learning.
- Start anytime
- 90 days of full access
- Work at your own pace
- Certification included
- Email support & resource library
Live Online
Join instructor-led sessions remotely. Choose a scheduled class or request a private team session.
- Scheduled virtual sessions
- Live instruction & Q&A
- Interactive labs
- Certification included
- Email support & resource library
Contact us for group pricing ⟶
Certification & CPE Credits
This Micro-course and the Full SQLite Forensics Track
This focused micro-course is a standalone module designed for fast, targeted learning. It's built to help digital investigators understand how SQLite stores, organizes, and deletes data — especially when forensic tools fall short. In just a few hours, you’ll gain a clear, structured understanding of SQLite internals, including freelist pages, overflow records, and variable-length integers (VarInts).
This micro-course is part of our broader training strategy and has been carefully selected from the full Advanced SQLite Forensics Course. That larger course spans three full days (or on-demand equivalent) and offers advanced labs, certification, and up to 24 CPE credits.
In the full version of the course, you’ll also learn:
- Manual parsing and interpretation of WAL and SHM files
- How to investigate and recover from unallocated space
- Custom app parsing and B-Tree navigation
- Use of Elusive Data’s exclusive SQLite forensic tools
- Scenario-based CTF challenges to test and reinforce skills
FAQ
Expand AllOn-Demand: Access all 5 hours of content at your own pace. Ideal for working professionals who want flexibility to train between active cases.
Live Online: Instructor-led sessions conducted remotely. Timing can be customized for your team.
Yes — this course has been completely redesigned and updated for 2025. It reflects the latest findings, updated SQLite behavior, and modern forensic challenges based on real-world casework.
Yes! We offer flexible group training options — including discounted rates for teams of 5 or more. Agencies, labs, and organizations can request custom scheduling and onboarding support tailored to their needs.
Absolutely. We provide instructor email support so you can keep progressing confidently at your own pace.
Perfect. This course complements those skills by going deeper into database structures. You’ll learn what automated tools often overlook — like deleted records, freelist pages, and raw data reconstruction.
The course is led by Elusive Data’s senior instructor, James Eichbaum, a forensic specialist who has trained professionals from national police forces, federal, state and local law enforcement, government and military agencies, and global DFIR teams. You’ll learn from someone with deep, practical experience in real investigations. James has been teaching database forensics for over 15 years.
Yes. Every module includes interactive labs using real SQLite data. You’ll apply your learning immediately through guided exercises and downloadable datasets.
This microcourse was designed to fill a crucial gap in forensic training: understanding how SQLite databases actually store, structure, and retain data.
In just a few focused hours, you'll learn how records are laid out across fixed-size pages, how deleted data can persist in freelists, and how large entries are spread across overflow chains.
Through realistic examples and unsupported apps, you’ll work hands-on to decode headers, interpret VarInts, and trace records with precision.
Continuously updated and built for working professionals, this course delivers fast, focused, and practical training without cutting corners.
You should be comfortable navigating forensic tools and working with mobile artifacts, but you don’t need to be a developer. We’ll guide you through low-level concepts like freeblock parsing, varints, and freelist recovery with clear explanations and hands-on labs.
Yes. The course is certificate-based and designed by a former law enforcement examiner with real testimony experience. The workflows taught are courtroom-ready and built to hold up under review.
Yes. The course is built around real-world app data, not generic examples. You’ll learn practical workflows you can apply immediately — even when your tools fall short.
Great — this course is designed to work alongside them. You'll learn how to verify tool output, investigate unsupported apps, and recover evidence those tools often overlook.
No — if you later decide to enroll in the complete SQLite Forensics course, we’ll deduct the full cost of this microcourse from your total. Just reach out to us before enrolling in the full course.
Trusted by investigators worldwide
SQLITE forensics
SQLite remains the backbone of mobile app storage in 2025, powering everything from chat histories and location logs to app settings and cached media. While forensic tools handle basic extraction well, they often stop short of revealing what’s stored deeper in database internals: write-ahead logs, overflow chains, or custom schemas unique to each app.
As mobile software evolves rapidly, examiners increasingly face situations where data is only partially decoded or missed altogether. Understanding the inner workings of SQLite has become essential for reliable mobile analysis.
This microcourse was built with that reality in mind. You’ll learn how to break down SQLite at the structural level, recovering data manually, interpreting how records are organized, and spotting patterns or anomalies that tools alone may not explain. It’s the kind of practical expertise that gives you more control in complex or time-critical cases.
Articles you might like
This practical walkthrough gives investigators the tools and methods to extract encrypted Apple Notes from iOS 16.x devices. You’ll learn step-by-step techniques that go beyond standard tools and help you tackle real-world cases with clarity and control.
Decoding VarInts manually can slow down forensic workflows—especially when working with unfamiliar or messy databases. This tool helps you interpret those values quickly, so you can stay focused on analysis. Free to use and built for investigators who work directly with SQLite internals.
Overflow pages are where large data, like images or media, get stored when a single SQLite page isn’t enough. This article shows how fragmented records can be recovered manually, helping you extract evidence that most automated carving methods miss.
stay updated
Stay in the loop. Sign up for our monthly newsletter.
Be the first to hear about new training opportunities, free tools, case-based blog posts, and practical insights. Our monthly newsletter is built to help you learn faster, solve cases smarter, and keep up in a field that never stands still.
Fill in your email to sign up.
It was a small group, and James made everything easy to follow. He explained things in a way that just clicked, especially freelist pages. Solid five hours.