This targeted micro-course reveals the untapped forensic value of SQLite’s Write-Ahead Log (WAL) and Shared Memory (SHM) files, internal mechanisms that preserve the timeline of database activity. While the main SQLite file only shows what’s current, WAL and SHM files tell you what changed, when, and how, often surfacing deleted records that forensic tools miss.
Go beyond static snapshots. This course teaches you how to examine WAL frames as a time machine, uncovering everything from erased messages and overwritten records to precise transaction timing. Using real-world case data and hands-on labs, you’ll learn to extract critical evidence from these often-ignored files before they’re flushed away forever.
The course is approximately 2 hours long and available on demand for self-paced learning or live online in scheduled sessions.
Course author: James Eichbaum
In this 2-hour micro-course, you’ll learn how to examine SQLite’s Write-Ahead Log (WAL) and Shared Memory (SHM) files to uncover deleted, modified, or overwritten data, often invisible to standard forensic tools. Topics include WAL frame structure, SHM indexing, uncommitted transactions, and timeline reconstruction, using real-world forensic scenarios and datasets.
This course is ideal for digital forensic professionals who need to extract evidence from SQLite’s volatile change-tracking system and understand what happened before the current state of the database.
After the course, you’ll know how to:
Interpret the structure of WAL files and what each frame represents
Use SHM index pages to efficiently navigate WAL contents
Recover deleted records from uncheckpointed WAL segments
Analyze overwritten values and transaction history
Reconstruct timelines of database modifications
Detect tampering by correlating changes across WAL and SHM
Validate forensic tools by verifying changes at the frame level
By the end of this microcourse, participants will have:
Gained a clear understanding of how WAL and SHM files track database changes over time
Developed the ability to interpret individual WAL frames and identify uncommitted or deleted data
Learned how to navigate and leverage SHM index structures to locate and reconstruct specific page versions
Practiced extracting evidence from real-world WAL and SHM files, including deleted messages and overwritten records
Strengthened their ability to correlate changes with timestamps and reconstruct database modification timelines
Gained confidence in validating or challenging tool output by analyzing volatile change logs directly
Built hands-on skills for identifying and recovering critical evidence that may be absent from the main SQLite database file
This micro-course is designed for forensic analysts, investigators, and technical professionals who need to look beyond the static contents of SQLite databases and understand how changes unfold over time.
It’s especially valuable if you:
Work with mobile app data where critical changes may not be visible in the main database
Need to recover deleted or modified content from volatile SQLite journal files
Are tasked with timeline reconstruction or verifying evidence tampering in legal or internal cases
Frequently validate or challenge automated tool results in court or reporting contexts
Want to master WAL and SHM analysis to uncover what happened before data was committed or removed
You don’t need to be a developer or SQL expert — this course is made for digital forensic professionals who prefer learning by doing, and who want clear, practical techniques for uncovering what tools might miss.
By the end of this course, participants will be able to:
Explain the role of Write-Ahead Logs (WAL) and Shared Memory (SHM) files in SQLite’s change-tracking mechanism
Decode and interpret individual WAL frames to identify database modifications over time
Navigate SHM index structures to locate specific frames and track data version history
Recover deleted or modified content from WAL files — even when missing from the main database
Reconstruct chronological timelines of database activity for investigative or legal reporting
Identify signs of tampering or incomplete deletions by comparing frame data with final database states
Validate tool output by examining raw WAL and SHM contents manually
Document findings clearly, with technical explanations and visual evidence suitable for court or incident reports
Sign up for our newsletter to get notified about new course formats, exclusive SQLite content, advanced training tips, and case-based blog posts. Plus access to free forensic tools and early updates from Elusive Data.
I took this course after hitting a wall in a mobile case. The tool showed a deleted chat had existed. But no content, no timestamps, nothing I could actually report. I needed to know where that data went. This course broke it down well: how freelist pages work, how deleted records can still live inside page structures, and how to find them manually. After that, I carved out three full messages the tool had missed!
This course is created by James Eichbaum, a former law enforcement digital forensic examiner and one of the most experienced instructors in mobile forensics.
With over a decade of global training experience, including Global Training Manager at MSAB, he has trained thousands of professionals across 30+ countries, from local police units to national labs.
James has led real investigations and testified in court. His training reflects that experience: practical, structured, and focused on what actually works. Every lesson is designed to help you recover mobile app data manually, understand it, and explain it clearly, whether you’re writing a report, answering a QA review, or testifying on the stand.
Learn at your own pace with 5 hours of expert-led content. Flexible, self-guided learning.
Join instructor-led sessions remotely. Choose one of our scheduled classes or customize for your team.
We’ve trained thousands of professionals, and these are the most common questions we hear before they enroll, from what’s in the course to how it fits into busy caseloads.
On-Demand (coming in June): Access all 5 hours of content at your own pace. Ideal for working professionals who want flexibility to train between active cases.
Live Online: Instructor-led sessions conducted remotely. Timing can be customized for your team.
You should be comfortable navigating forensic tools and working with mobile artifacts, but you don’t need to be a developer. We’ll guide you through low-level concepts like freeblock parsing, varints, and freelist recovery with clear explanations and hands-on labs.
Yes. The course is certificate-based and designed by a former law enforcement examiner with real testimony experience. The workflows taught are courtroom-ready and built to hold up under review.
Yes. The course is built around real-world app data, not generic examples. You’ll learn practical workflows you can apply immediately — even when your tools fall short.
Great — this course is designed to work alongside them. You'll learn how to verify tool output, investigate unsupported apps, and recover evidence those tools often overlook. It's about going beyond what’s visible and understanding what’s really happening in the database.
This microcourse was designed to fill a crucial gap in forensic training: understanding how SQLite databases actually store, structure, and retain data.
In just a few focused hours, you'll learn how records are laid out across fixed-size pages, how deleted data can persist in freelists, and how large entries are spread across overflow chains. You’ll develop the ability to read what’s beneath the surface—adding depth to what your forensic tools already show you.
Through realistic examples and unsupported apps, you’ll work hands-on to decode headers, interpret VarInts, and trace records with precision. Whether you’re validating findings or uncovering what others overlook, this course gives you the structural insight to take your SQLite investigations further.
Continuously updated and built for working professionals, this course delivers fast, focused, and practical training without cutting corners.
SQLite remains the backbone of mobile app storage in 2025, powering everything from chat histories and location logs to app settings and cached media. While forensic tools handle basic extraction well, they often stop short of revealing what’s stored deeper in database internals: write-ahead logs, overflow chains, or custom schemas unique to each app.
As mobile software evolves rapidly, examiners increasingly face situations where data is only partially decoded or missed altogether. Understanding the inner workings of SQLite has become essential for reliable mobile analysis.
This microcourse was built with that reality in mind. You’ll learn how to break down SQLite at the structural level, recovering data manually, interpreting how records are organized, and spotting patterns or anomalies that tools alone may not explain. It’s the kind of practical expertise that gives you more control in complex or time-critical cases.
This practical walkthrough gives investigators the tools and methods to extract encrypted Apple Notes from iOS 16.x devices. You’ll learn step-by-step techniques that go beyond standard tools and help you tackle real-world cases with clarity and control.
Decoding VarInts manually can slow down forensic workflows—especially when working with unfamiliar or messy databases. This tool helps you interpret those values quickly, so you can stay focused on analysis. Free to use and built for investigators who work directly with SQLite internals.
Overflow pages are where large data, like images or media, get stored when a single SQLite page isn’t enough. This article shows how fragmented records can be recovered manually, helping you extract evidence that most automated carving methods miss.
Being able to look at raw pages and say ‘yes, this was deleted data’ without guessing. That’s what this gave me.