Certified SQLite forensics training, full program
Everything you need to analyze mobile and app data on your own
advanced level | 24 cpe's | updated 2025
Learn SQLite Forensics through a certified, hands-on training course built for professionals investigating mobile app data. Updated for 2025, this course teaches you how to manually analyze and recover data that standard tools often miss, including deleted records, WAL files, and unallocated space.
Designed around real-world scenarios and new CTF challenges, the training focuses on deep forensic interpretation, page-level decoding, and practical skills for advanced digital investigations.
Certified SQLite Forensics Training
This advanced, 3-day course teaches professionals how to recover, decode, and interpret SQLite data from mobile apps and other digital sources. You'll learn to identify and analyze key forensic artifacts such as deleted records, WAL/SHM files, and page-level structures — even when standard tools fail.
Training is updated for 2025 and built around real cases, interactive CTF challenges, and unsupported apps. You'll use custom tools and datasets to develop deep forensic insight and practical recovery techniques.
Overview of what you will learn
- Understand the internal structure and behavior of SQLite databases
- Manually parse headers, freelists, overflow pages, and record structures
- Analyze WAL/SHM files and their role in forensic timelines
- Recover deleted data and rebuild full records from fragments
- Use Elusive Data's custom SQLite Visualizer to accelerate your workflow
Is this course for you?
This course is for forensic examiners, investigators, incident responders, and analysts who:
- Need to go beyond what tools show and uncover hidden or deleted SQLite evidence
- Work with app data from iOS, Android, or other platforms
- Regularly validate tool output or support legal reporting and court testimony
- Want a repeatable, hands-on approach to SQLite forensics
Why professionals choose this course
- Certified training — includes certificate and 24 CPE credits
- Real-world relevance — built for modern mobile investigations
- Custom tooling — exclusive access to the ED SQLite Visualizer
- Scenario-driven labs — work with complex cases and unsupported apps
- Flexible delivery — take it live or on-demand
Course Format & Pricing
Live Online: $2,290
What you'll learn
In this course, you'll learn to:
- Understand how SQLite stores data Get a clear picture of how mobile apps write, delete, and structure their data inside databases.
- Read raw database files with confidence Develop skills to explore SQLite files manually — no need to rely on black-box tools.
- Recover deleted or hidden data Learn how to extract freelist content, overflow records, and fragments others often miss.
- Use a proven forensic workflow Apply repeatable techniques to navigate unsupported databases and uncover answers.
- Explain findings that hold up Present what you found and how — clearly and defensibly, in reports or court.
- Train on real-world mobile data Work hands-on with realistic datasets from actual forensic scenarios.
Included in your training
- Forensics-first design Built specifically for professionals working with mobile app evidence.
- Authentic SQLite challenges Analyze databases with live, deleted, and fragmented content.
- Visual, no-code instruction Everything is explained step by step — no SQL or scripts required.
- Deep insight into SQLite internals Get comfortable with headers, pages, freelists, and overflow chains.
- Flexible delivery Train at your own pace on-demand, or join a guided live session.
- Certificate of completion Earn a downloadable certificate to show your training is verified.
Course Content
Expand All Sections- Understanding PLists and XML files
- Working with base64-encoded data
- Intro to SQLite databases
- Overview of Protocol Buffers
- Exploring the B-Tree format
- Quiz + Practical included
- The Database Header
- Page Headers
- Variable-Length Integers (VarInts)
- Manually Parsing Records
- Freeblocks and fragmentation
- Freelist Pages and deleted data
- Overflow Pages and large record chains
- Quiz + Practical included
- Creating Tables and Schema
- Inserting and Adding Records
- Running and Analyzing SQL Statements
- Deleting Records: Forensic Implications
- Quiz + Practical included
- Case Study Introduction
- Structural Analysis of SQLite Files
- Freeblock Recovery Techniques
- Rebuilding Freelist Trunk Pages
- Recreating Interior Table Leaf Pages
- Finalizing Reconstruction
- Quiz + Practical included
- Why SQLite uses WAL and SHM
- Dissecting the WAL File
- Understanding SHM and Page Frame Mapping
- Visualizing WAL Growth Over Time
- Forensic Application of WAL/SHM in Cases
- Quiz + Practical included
What Else Is Included
- Interactive CTF Challenges: Work through real-world forensic puzzles with mobile app data.
- Elusive Data Toolkit: Includes the ED SQLite Visualizer built for manual record tracing.
- Downloadable Labs: Explore databases with deleted, fragmented, and overflowed content.
- Instructor Access: Reach out with questions and get expert input.
- Lifetime Access: Return to the material as needed — anytime.
- Completion Certificate: Useful for internal records, audits, and court submission.
Who is this course for?
This course is designed for digital forensic professionals who need to go beyond what standard tools provide and interpret SQLite data with confidence and precision. Whether you're in law enforcement, incident response, or forensic consulting, this course gives you deep, hands-on skills with immediate impact.
It's especially valuable if you:
- Work with mobile app data from iOS or Android in real investigations
- Need to validate tool output or investigate unsupported apps
- Want to extract deleted records, overflow data, or unallocated content
- Handle forensic reporting, expert opinions, or testimony involving database artifacts
- Are transitioning into mobile or database forensics and want expert-led, structured training
- Are responsible for uncovering hidden evidence in cases where tools fall short
The course is designed for investigators — not developers. All techniques are visual, hands-on, and tool-agnostic.
What makes this course different?
This course is designed to build practical expertise, not just deliver content. You'll work hands-on with real data, solve realistic forensic challenges, and develop deep understanding of how SQLite works in actual investigations.
- CTF-style challenges – solve forensic puzzles, decode structures, and uncover data hidden inside real mobile apps
- Access to the ED SQLite Visualizer – examine raw database pages and headers visually, without scripting
- Step-by-step recovery labs – practice extracting deleted data from freelist pages, overflow chains, and WAL frames
- Realistic datasets – instructor-created examples based on modern mobile apps and typical investigative scenarios
- Works across all platforms – use your own tools (Magnet, Cellebrite, Oxygen, etc.) or follow along with provided tools
- Built around SQLite internals – master B-Tree layouts, VarInts, serial types, WAL/SHM parsing and page recovery
Every part of the course — including the OnDemand version — is immersive and practical. You'll gain techniques you can apply directly in your current and future cases.
Your Instructor
The course is taught by James Eichbaum — a seasoned digital forensics instructor and practitioner with deep expertise in mobile and database analysis. Over the past 15+ years, James has trained thousands of professionals in over 30 countries, with a consistent focus on practical skills and investigative accuracy.
He has led advanced forensic training programs for law enforcement, defense, and private sector teams worldwide, including national police agencies and forensic labs. With a background as both an instructor and an investigator, James brings a dual perspective that makes complex topics understandable and directly relevant to real-world casework.
In this full-length certified course, James guides you step-by-step through the forensic internals of SQLite — from page structures and WAL files to manual recovery methods — using structured labs, real app data, and realistic CTF-style challenges.
Connect with James on LinkedIn- 15+ years teaching digital and mobile forensics
- Global Training Manager at MSAB (former)
- California P.O.S.T. Certified Instructor
- Detective, Sacramento Valley High Tech Crimes Task Force
- Special Deputy U.S. Marshal, FBI Cyber Crimes Task Force
- Recipient of HTCIA "Case of the Year" award
Certification & CPE Credits
What You'll Gain from the Full SQLite Forensics Course
This is a deep, technical training designed for professionals who regularly work with mobile extractions, forensic tools, and complex databases. Over three packed days — or via our self-paced format — you'll learn how to read, interpret, and recover data directly from raw SQLite structures with precision and clarity.
The course includes extensive hands-on practice and walks you through live examples of deleted records, freelist page recovery, overflow handling, WAL/SHM interpretation, and much more. You'll not only understand the theory, but you'll also apply it in guided labs and real-world CTF-style scenarios built specifically for forensic use.
Whether you're analyzing encrypted apps, validating tool output, or supporting case work in law enforcement or private sector investigations — this course builds the confidence and skill set needed to handle SQLite-based data in depth.
The full course includes:
- Manual decoding of WAL and SHM files
- Recovery from freelist chains and unallocated pages
- Case-based exercises using realistic datasets
- Access to proprietary SQLite forensic tools
- CTF-style challenges designed by experienced instructors
- 24 CPE credits and a verifiable certificate
FAQ
Expand AllLive: Delivered over 3 full days with instructor-led sessions, labs, and interactive case studies.
On-Demand: Same content, but self-paced. You get 90 days access to all videos, labs, and datasets.
Yes — all content reflects the latest SQLite structures, current forensic tools, and challenges drawn from modern mobile apps and databases.
Yes. We provide group pricing and custom delivery for teams of 5 or more, including onboarding and support for labs and access management.
No prior database expertise is required. The course starts from the ground up, guiding you through SQLite internals using visual walkthroughs, labs, and practical exercises — all with forensic application in mind.
Every section includes hands-on exercises: parsing deleted records, rebuilding overflow chains, exploring WAL/SHM files, and solving scenario-based challenges based on real-world datasets.
The course is taught by James Eichbaum, a veteran digital forensics instructor with over 15 years of experience and global recognition in mobile and database forensics. He has trained law enforcement, DFIR consultants, and forensic examiners in over 30 countries.
Perfect — this course complements those tools. You'll learn how to validate their output, investigate unsupported apps, and recover records that often go unnoticed by automated parsing.
Yes. You'll receive a verifiable certificate with unique ID and instructor signature. It qualifies for 24 CPE credits and meets documentation needs for legal, audit, or regulatory review.
Yes. Live participants can ask questions in-session. On-Demand participants get instructor email support and access to a curated resource library throughout their access period.
Yes. The course is built around real app data and typical case scenarios — not theory or synthetic examples. Everything you learn is applicable to your current and future cases.
Yes. You'll work through realistic CTF-style investigations designed to reinforce technical concepts with real-world data. These challenges are based on actual mobile app behavior and common investigation scenarios.
Yes — you'll receive access to the Elusive Data SQLite Visualizer, a custom-built forensic tool for visual inspection of database structures like freelist pages, B-Trees, WAL records, and overflow chains.
Yes. All live sessions are recorded, and participants receive on-demand access to rewatch the material for up to 90 days — including walkthroughs and lab demos.
This is a deep dive — but it's built to be accessible. You'll go into low-level SQLite internals (WAL, B-Tree, VarInts, freelist) but everything is broken down visually and reinforced with labs and casework examples.
The labs are based on real-world app databases including messaging apps, location platforms, and social media. These are curated to simulate live case conditions, with edge cases and recoverable deleted records.
Yes. Many experienced examiners, tool developers, and agency trainers take this course to sharpen their knowledge of SQLite internals. While beginner-friendly, the material scales well for seasoned professionals looking to go deeper.
Absolutely. You'll learn to manually parse WAL and SHM files to identify hidden or deleted data not found in the main DB — and you'll see how rollback works across multiple scenarios.
Yes. The course is tool-agnostic and focuses on methods that work regardless of what forensic platform you use. You'll learn to validate tool output and go deeper when tools don't support a specific app or artifact.
You should have some experience in digital forensics, mobile analysis, or DFIR — but you don't need to know how to code or have prior database training. This course teaches what you need, as you go.
Yes. SQLite is used in desktop apps, IoT devices, browsers, and cloud sync platforms. The skills you learn here apply anywhere SQLite appears, including non-mobile cases.
What professionals say about this course
Akira H.
Renata S.
Jeroen V.
ED SQLite Visualizer.
Visualize, Decode, Explore. All in One SQLite Analysis Suite.
ED SQLite Visualizer was developed to enhance the way forensic professionals interact with SQLite data, both during training and in real investigations. This forensic suite was designed specifically for this course to complement the techniques you’ll learn and make advanced database analysis more accessible and efficient.
The suite brings together decoding, visualization, and interpretation in one interface. It simplifies the process of working with WAL files, varints, overflow pages, and structured records, helping you gain clearer insights into complex mobile app data.
In the SQLite Forensics course, you’ll use the tool throughout the course in labs and real-world scenarios, and you’ll keep it afterwards. It’s a resource you can rely on when examining app data, recovering deleted records, or validating findings with precision.
ED SQLite Visualizer reflects our belief that effective training should leave you with practical skills, and the tools and methods to apply them right away.
SQLITE forensics
SQLite remains the backbone of mobile app storage in 2025, powering everything from chat histories and location logs to app settings and cached media. While forensic tools handle basic extraction well, they often stop short of revealing what’s stored deeper in database internals: write-ahead logs, overflow chains, or custom schemas unique to each app.
As mobile software evolves rapidly, examiners increasingly face situations where data is only partially decoded or missed altogether. Understanding the inner workings of SQLite has become essential for reliable mobile analysis.
This microcourse was built with that reality in mind. You’ll learn how to break down SQLite at the structural level, recovering data manually, interpreting how records are organized, and spotting patterns or anomalies that tools alone may not explain. It’s the kind of practical expertise that gives you more control in complex or time-critical cases.
Articles you might like
This focused walkthrough equips investigators with clear, hands-on techniques for extracting encrypted Apple Notes from iOS 16.x devices. You’ll follow a practical, step-by-step process designed to go beyond default tool output, giving you the insight and confidence to handle complex cases effectively.
Manually decoding VarInts can bottleneck your forensic process, especially when navigating inconsistent or unfamiliar databases. This tool speeds up interpretation, helping you stay focused on deeper analysis. It’s free to use and purpose-built for investigators working hands-on with SQLite internals.
When a single SQLite page can’t hold large content like images or media, that data spills into overflow pages. This guide walks you through how to manually recover fragmented records, revealing evidence that typical carving tools often overlook.
stay updated
Stay in the loop. Sign up for our monthly newsletter.
Be the first to hear about new training opportunities, free tools, case-based blog posts, and practical insights. Our monthly newsletter is built to help you learn faster, solve cases smarter, and keep up in a field that never stands still.
Fill in your email to sign up.
Request Live Session
This request is completely non-binding. Let us know what dates might work for you and how many participants you’d like to include. We’ll get back to you promptly to discuss the best options together.