Menu
SQLite Data Structures is a focused microcourse derived from our most popular training, the SQLite Forensics Course. It’s designed for professionals who need fast, targeted access to one of the most critical areas: understanding how SQLite organizes, manages, and retrieves data at a structural level.
The course is approximately 5 hours long and available on demand for self-paced learning or live online in scheduled sessions.
Course author: James Eichbaum
In this 5 hour micro-course, you’ll learn how SQLite databases are structured at the page level, and how to manually extract artifacts that commercial tools often overlook. Topics include page headers, freelist management, overflow chains, variable-length integers, and deleted record recovery, using real-world case data and unsupported apps.
This course is ideal for digital forensic professionals who need to quickly gain practical, tool-independent skills for interpreting SQLite internals and recovering hard-to-access evidence.
After the course, you’ll know how to:
Read how a SQLite file is structured, from header to page layout
Recognize different page types and what role each one plays
Find deleted records hiding in freeblocks and freelist pages
Decode SQLite’s compact number system (VarInts)
Rebuild records that span across multiple pages
Spot things tools might miss — and understand why they’re missed
By the end of this microcourse, participants will have:
Gained a foundational understanding of how SQLite databases are structured and stored at a low level
Developed confidence in navigating raw database files without relying on automated interpretation
Practiced identifying and interpreting database elements that are often overlooked, including freelist space and overflow chains
Learned a methodical approach to examining app databases, especially when no parsing tool is available
Strengthened their ability to explain and document database findings clearly, including how and where deleted data was recovered
Built practical skills through hands-on work with real SQLite datasets, including files containing deleted and fragmented records
This microcourse is designed for investigators, analysts, and technical professionals who need to go beyond what forensic tools show, and understand what SQLite databases actually contain.
It’s especially useful if you:
Work with mobile app data from iOS or Android devices
Encounter SQLite databases that your tools don’t fully parse
Need to validate or challenge automated tool output
Want to learn how to manually examine freelist pages, overflow records, and deleted data
Are responsible for reporting or presenting findings in a legal, regulatory, or incident response context
Prefer hands-on learning with real-world data over slide decks and theory
You don’t need to know SQL or be a developer. If you’re working with data and want a deeper understanding of how it’s stored and recovered, this course is for you.
Focus on SQLite internals
Learn how data is actually stored and organized across pages, blocks, and records.
Hands-on with real data
Work directly with SQLite files containing deleted, fragmented, and live records — not just theory or screenshots.
Forensics-first approach
Designed for investigators and analysts who need to understand what tools miss and why.
Covers freelists, freeblocks, and overflow pages
Learn where deleted records go, how to find them, and how large records are split across pages.
No coding required
Everything is explained clearly and visually. You don’t need SQL or scripting experience.
Flexible learning
Take the course on-demand at your own pace, or join a live session with instructor guidance.
Certificate of Completion
Downloadable proof of training when you finish the course.
By the end of this course, participants will be able to:
Describe the structure of a SQLite database file, including headers, page types, and page layout
Identify and differentiate between interior pages, leaf pages, overflow pages, and freelist pages
Decode and interpret VarInts used to store record sizes and offsets
Locate and recover deleted records from freeblocks and freelist pages through manual examination
Reconstruct records that span multiple pages, including BLOBs and text fragments
Analyze and interpret raw SQLite content from unsupported or custom mobile applications
Validate or challenge forensic tool output by referencing page-level data directly
Document and explain recovery steps clearly in reports or presentations
This course is created by James Eichbaum, a former law enforcement digital forensic examiner and one of the most experienced instructors in mobile forensics.
With over a decade of global training experience, including Global Training Manager at MSAB, he has trained thousands of professionals across 30+ countries, from local police units to national labs.
James has led real investigations and testified in court. His training reflects that experience: practical, structured, and focused on what actually works. Every lesson is designed to help you recover mobile app data manually, understand it, and explain it clearly. No matter if you’re writing a report, answering a QA review, or testifying on the stand.
Learn at your own pace with 5 hours of expert-led content. Flexible, self-guided learning.
Price per participant
Join instructor-led sessions remotely. Choose one of our scheduled classes or customize for your team.
Price per participant
We’ve trained thousands of professionals, and these are the most common questions we hear before they enroll, from what’s in the course to how it fits into busy caseloads.
On-Demand (coming in June): Access all 5 hours of content at your own pace. Ideal for working professionals who want flexibility to train between active cases.
Live Online: Instructor-led sessions conducted remotely. Timing can be customized for your team.
You should be comfortable navigating forensic tools and working with mobile artifacts, but you don’t need to be a developer. We’ll guide you through low-level concepts like freeblock parsing, varints, and freelist recovery with clear explanations and hands-on labs.
Yes. The course is certificate-based and designed by a former law enforcement examiner with real testimony experience. The workflows taught are courtroom-ready and built to hold up under review.
Yes. The course is built around real-world app data, not generic examples. You’ll learn practical workflows you can apply immediately — even when your tools fall short.
Great — this course is designed to work alongside them. You'll learn how to verify tool output, investigate unsupported apps, and recover evidence those tools often overlook. It's about going beyond what’s visible and understanding what’s really happening in the database.
This microcourse was designed to fill a crucial gap in forensic training: understanding how SQLite databases actually store, structure, and retain data.
In just a few focused hours, you'll learn how records are laid out across fixed-size pages, how deleted data can persist in freelists, and how large entries are spread across overflow chains. You’ll develop the ability to read what’s beneath the surface—adding depth to what your forensic tools already show you.
Through realistic examples and unsupported apps, you’ll work hands-on to decode headers, interpret VarInts, and trace records with precision. Whether you’re validating findings or uncovering what others overlook, this course gives you the structural insight to take your SQLite investigations further.
Continuously updated and built for working professionals, this course delivers fast, focused, and practical training without cutting corners.
SQLite remains the backbone of mobile app storage in 2025, powering everything from chat histories and location logs to app settings and cached media. While forensic tools handle basic extraction well, they often stop short of revealing what’s stored deeper in database internals: write-ahead logs, overflow chains, or custom schemas unique to each app.
As mobile software evolves rapidly, examiners increasingly face situations where data is only partially decoded or missed altogether. Understanding the inner workings of SQLite has become essential for reliable mobile analysis.
This microcourse was built with that reality in mind. You’ll learn how to break down SQLite at the structural level, recovering data manually, interpreting how records are organized, and spotting patterns or anomalies that tools alone may not explain. It’s the kind of practical expertise that gives you more control in complex or time-critical cases.
This practical walkthrough gives investigators the tools and methods to extract encrypted Apple Notes from iOS 16.x devices. You’ll learn step-by-step techniques that go beyond standard tools and help you tackle real-world cases with clarity and control.
Decoding VarInts manually can slow down forensic workflows—especially when working with unfamiliar or messy databases. This tool helps you interpret those values quickly, so you can stay focused on analysis. Free to use and built for investigators who work directly with SQLite internals.
Overflow pages are where large data, like images or media, get stored when a single SQLite page isn’t enough. This article shows how fragmented records can be recovered manually, helping you extract evidence that most automated carving methods miss.
Be the first to hear about new training opportunities, free tools, case-based blog posts, and practical insights. Our monthly newsletter is built to help you learn faster, solve cases smarter, and keep up in a field that never stands still.
Fill in your email to sign up.
Being able to look at raw pages and say ‘yes, this was deleted data’ without guessing. That’s what this gave me.