or
Request a Live Session
This advanced micro-course teaches you how to extract evidence from WAL and SHM files, volatile layers where critical changes often reside. Learn to verify data integrity, track modifications, and uncover what traditional tools miss.
Start On-Demand Course
Book Live Session
This advanced micro-course teaches you how to extract evidence from WAL and SHM files, volatile layers where critical changes often reside. Learn to verify data integrity, track modifications, and uncover what traditional tools miss.
● Understand how WAL and SHM files track SQLite database changes over time
● Decode WAL frames and SHM index structures to locate deleted or overwritten data
● Recover evidence that’s missed by common forensic tools
● Reconstruct timelines of app activity
● Validate tool output and spot tampering or anomalies
This course is ideal for forensic professionals who:
● Need to trace the sequence of events from mobile app activity
● Want to analyze deleted or uncommitted SQLite records manually
● Are working on high-stakes or time-critical investigations
● Prefer focused, practical training with immediate takeaways
● Page-level change tracking — follow the flow of data between versions and edits
● Real-world WAL and SHM data — work with live forensic samples
● No scripting needed — clear, step-by-step instruction
● 2 hours total — concise and focused
● Flexible delivery — on-demand or live online
● Certificate included — proof of training and skills
⏱️
Duration
Live Online: approx. 2 hours
On-Demand: paced at your convenience
🎓
Certificate
Issued upon successful completion
💲
Pricing
On-Demand: €299
Live Online: €349
Final price shown at checkout in your currency, depending on your country.
Start OnDemand
Book Live Session
🌐
Language
English
📬
Contact
contact@elusivedata.io
Need group pricing?
Contact us for a quote
Expand All Sections
01 – WAL and SHM Basics
02 – WAL Frame Structure
03 – SHM Indexing
04 – Recovering Deleted Records
05 – Timeline Reconstruction
06 – Tool Validation and Tamper Detection
This course is for digital forensic professionals, incident responders, and analysts who need to extract evidence from the often-overlooked WAL and SHM files in SQLite databases. It’s ideal when deleted or modified content isn’t available in the main database file — and your tools don’t go far enough.
It’s especially useful if you:
No SQL or programming required.
Whether you’re working in law enforcement, corporate investigations, or digital forensics labs — this course gives you the skills to uncover critical evidence in WAL and SHM files.
Start Learning Now
or
Request a Live Session
📱
Dig beyond the database file to extract deleted or overwritten content from WAL and SHM files.
🔍
Test the limits of your forensic tools by comparing decoded output with raw transaction-layer evidence.
🧠
Understand how SQLite tracks changes using WAL frames and SHM index pages — and how to parse them manually.
📄
Explain how and when data changed, not just what was recovered — with clarity that stands up in court.
🧰
No fluff. Work with real forensic WAL/SHM samples in a guided, lab-driven format designed for deep retention.
👩⚖️
Need evidence that shows what changed and when? Learn techniques that hold up under scrutiny.
This course is taught by James Eichbaum,
a leading expert in digital forensics and one of the most experienced instructors in mobile and database analysis. With over 15 years of experience teaching SQLite forensics, James has trained professionals across 30+ countries.
He previously served as Global Training Manager at MSAB and has led advanced training for hundreds of organizations worldwide including national police agencies, governments, and private DFIR labs. His instruction combines deep technical skill with extensive field experience from real investigations.
In this micro-course, James guides you through the internal workings of SQLite databases, including deleted records, freelist pages, and overflow structures, using a practical, tool-independent approach designed to give you skills you can apply right away.
Connect with James on LinkedIn
Career Highlights
Start Learning Now
or
Request a Live Session
Learn at your own pace with 2 hours of expert-led content. Flexible, self-guided learning.
€299
Price per participant
Join instructor-led sessions remotely. Choose a scheduled class or request a private team session.
€349
Price per participant
Get in Touch for Details
Need to train a group? We offer discounts for 5+ participants and can customize delivery for teams.
Contact us for group pricing ⟶
🎓
Professional Certificate
Participants who complete this training receive a signed, verifiable certificate of completion from Elusive Data — recognized by digital forensics professionals across public and private sectors.
📚
Earn 2 CPE Credits
This course qualifies for Continuing Professional Education (CPE) credits. Submit your certificate toward your annual training requirements for certifications such as CCE, EnCE, or CISSP.
🔒
Individually Issued & Secure
Every certificate includes a unique ID, issuance date, and instructor signature, enabling easy verification and audit-proof documentation.
🌍
Internationally Applicable
Whether you’re in law enforcement, a private lab, or corporate DFIR — this certification supports your continuing education goals globally.
This focused micro-course is a standalone module designed for fast, targeted learning. It’s built to help digital investigators understand how SQLite tracks changes through WAL and SHM files — especially when you need to recover deleted data or reconstruct database activity that standard tools miss. In just 2 hours, you’ll gain expertise in WAL frame analysis, SHM index interpretation, and timeline reconstruction.
This micro-course is part of our broader training strategy and has been carefully selected from the full Advanced SQLite Forensics Course. That larger course spans three full days (or on-demand equivalent) and offers advanced labs, certification, and up to 24 CPE credits.
In the full version of the course, you’ll also learn:
Expand All
01 –How long does it take to complete the course?
On-Demand: Access all 2 hours of content at your own pace. Ideal for working professionals who want flexibility to train between active cases.
Live Online: Instructor-led sessions conducted remotely. Timing can be customized for your team.
02 –Is the course content updated for 2025?
Yes — this course has been completely redesigned and updated for 2025. It reflects the latest findings, updated SQLite behavior, and modern forensic challenges based on real-world casework.
03 –Can this course be delivered to teams or agencies?
Yes! We offer flexible group training options — including discounted rates for teams of 5 or more. Agencies, labs, and organizations can request custom scheduling and onboarding support tailored to their needs.
04 –Can I get help if I get stuck during the OnDemand course?
Absolutely. We provide instructor email support so you can keep progressing confidently at your own pace.
05 –What if I’ve already taken a mobile forensics training?
Perfect. This course complements those skills by going deeper into WAL and SHM file analysis. You’ll learn what automated tools often overlook — like reconstructing timeline data from WAL frames and recovering deleted activity from SHM indexes.
06 –Who teaches this course, and what’s their background?
The course is led by Elusive Data’s senior instructor, James Eichbaum, a forensic specialist who has trained professionals from national police forces, federal, state and local law enforcement, government and military agencies, and global DFIR teams. You’ll learn from someone with deep, practical experience in real investigations. James has been teaching database forensics for over 15 years.
07 –Do I get access to lab files and hands-on practice?
Yes. Every module includes interactive labs using real WAL and SHM files. You’ll apply your learning immediately through guided exercises analyzing timeline reconstruction and deleted data recovery.
08 –Why should I choose this course over others?
This microcourse was designed to fill a crucial gap in forensic training: understanding how SQLite WAL and SHM files track database changes and store recoverable data.
In just 2 focused hours, you’ll learn how WAL frames capture transaction history, how SHM indexes track page modifications, and how to reconstruct activity timelines that standard tools miss.
Through realistic examples and unsupported apps, you’ll work hands-on to parse WAL headers, interpret checkpoint data, and recover deleted transactions with precision.
Continuously updated and built for working professionals, this course delivers fast, focused, and practical training without cutting corners.
09 –Do I need programming or advanced SQL skills?
You should be comfortable navigating forensic tools and working with mobile artifacts, but you don’t need to be a developer. We’ll guide you through low-level concepts like WAL frame parsing, checkpoint analysis, and SHM index interpretation with clear explanations and hands-on labs.
10 –Is the course recognized or court-admissible?
Yes. The course is certificate-based and designed by a former law enforcement examiner with real testimony experience. The workflows taught are courtroom-ready and built to hold up under review.
11 –Will I actually be able to use this on my current cases?
Yes. The course is built around real-world app data, not generic examples. You’ll learn practical workflows you can apply immediately — even when your tools fall short.
12 –What if I use tools like Cellebrite, MSAB, Magnet, or Oxygen?
Great — this course is designed to work alongside them. You’ll learn how to verify tool output, investigate unsupported apps, and recover evidence those tools often overlook.
13 –Do you offer scheduled courses I can join?
Yes! We regularly schedule live online sessions that you can join alongside other professionals. These scheduled courses offer the same comprehensive content with real-time interaction and Q&A sessions.
Check our course calendar to see upcoming scheduled dates and register for available sessions.
14 –Can I book a private live session for a custom date?
Absolutely! If the scheduled course dates don’t work for you, we’re happy to arrange a private live session at a time that fits your schedule.
Simply submit a booking request with your preferred dates and times, and we’ll work with you to find a convenient slot. This is perfect for teams or organizations with specific timing requirements.
15 –If I take this microcourse now, do I have to pay full price for the complete course later?
No — if you later decide to enroll in the complete SQLite Forensics course, we’ll deduct the full cost of this microcourse from your total. Just reach out to us before enrolling in the full course.
This advanced micro-course teaches you how to extract evidence from WAL and SHM files, volatile layers where critical changes often reside. Learn to verify data integrity, track modifications, and uncover what traditional tools miss.
● Understand how WAL and SHM files track SQLite database changes over time
● Decode WAL frames and SHM index structures to locate deleted or overwritten data
● Recover evidence that’s missed by common forensic tools
● Reconstruct timelines of app activity
● Validate tool output and spot tampering or anomalies
This course is ideal for forensic professionals who:
● Need to trace the sequence of events from mobile app activity
● Want to analyze deleted or uncommitted SQLite records manually
● Are working on high-stakes or time-critical investigations
● Prefer focused, practical training with immediate takeaways
● Page-level change tracking — follow the flow of data between versions and edits
● Real-world WAL and SHM data — work with live forensic samples
● No scripting needed — clear, step-by-step instruction
● 2 hours total — concise and focused
● Flexible delivery — on-demand or live online
● Certificate included — proof of training and skills
⏱️
Duration
Live Online: approx. 2 hours
On-Demand: paced at your convenience
🎓
Certificate
Issued upon successful completion
💲
Pricing
On-Demand: €299
Live Online: €349
Final price shown at checkout in your currency, depending on your country.
Start OnDemand
Book Live Session
🌐
Language
English
📬
Contact
contact@elusivedata.io
Need group pricing?
Contact us for a quote
Expand All Sections
01 – WAL and SHM Basics
02 – WAL Frame Structure
03 – SHM Indexing
04 – Recovering Deleted Records
05 – Timeline Reconstruction
06 – Tool Validation and Tamper Detection
This course is for digital forensic professionals, incident responders, and analysts who need to extract evidence from the often-overlooked WAL and SHM files in SQLite databases. It’s ideal when deleted or modified content isn’t available in the main database file — and your tools don’t go far enough.
It’s especially useful if you:
No SQL or programming required.
Whether you’re working in law enforcement, corporate investigations, or digital forensics labs — this course gives you the skills to uncover critical evidence in WAL and SHM files.
Start Learning Now
or
Request a Live Session
📱
Dig beyond the database file to extract deleted or overwritten content from WAL and SHM files.
🔍
Test the limits of your forensic tools by comparing decoded output with raw transaction-layer evidence.
🧠
Understand how SQLite tracks changes using WAL frames and SHM index pages — and how to parse them manually.
📄
Explain how and when data changed, not just what was recovered — with clarity that stands up in court.
🧰
No fluff. Work with real forensic WAL/SHM samples in a guided, lab-driven format designed for deep retention.
👩⚖️
Need evidence that shows what changed and when? Learn techniques that hold up under scrutiny.
This course is taught by James Eichbaum,
a leading expert in digital forensics and one of the most experienced instructors in mobile and database analysis. With over 15 years of experience teaching SQLite forensics, James has trained professionals across 30+ countries.
He previously served as Global Training Manager at MSAB and has led advanced training for hundreds of organizations worldwide including national police agencies, governments, and private DFIR labs. His instruction combines deep technical skill with extensive field experience from real investigations.
In this micro-course, James guides you through the internal workings of SQLite databases, including deleted records, freelist pages, and overflow structures, using a practical, tool-independent approach designed to give you skills you can apply right away.
Connect with James on LinkedIn
Career Highlights
Start Learning Now
or
Request a Live Session
Learn at your own pace with 2 hours of expert-led content. Flexible, self-guided learning.
€299
Price per participant
Join instructor-led sessions remotely. Choose a scheduled class or request a private team session.
€349
Price per participant
Get in Touch for Details
Need to train a group? We offer discounts for 5+ participants and can customize delivery for teams.
Contact us for group pricing ⟶
🎓
Professional Certificate
Participants who complete this training receive a signed, verifiable certificate of completion from Elusive Data — recognized by digital forensics professionals across public and private sectors.
📚
Earn 2 CPE Credits
This course qualifies for Continuing Professional Education (CPE) credits. Submit your certificate toward your annual training requirements for certifications such as CCE, EnCE, or CISSP.
🔒
Individually Issued & Secure
Every certificate includes a unique ID, issuance date, and instructor signature, enabling easy verification and audit-proof documentation.
🌍
Internationally Applicable
Whether you’re in law enforcement, a private lab, or corporate DFIR — this certification supports your continuing education goals globally.
This focused micro-course is a standalone module designed for fast, targeted learning. It’s built to help digital investigators understand how SQLite tracks changes through WAL and SHM files — especially when you need to recover deleted data or reconstruct database activity that standard tools miss. In just 2 hours, you’ll gain expertise in WAL frame analysis, SHM index interpretation, and timeline reconstruction.
This micro-course is part of our broader training strategy and has been carefully selected from the full Advanced SQLite Forensics Course. That larger course spans three full days (or on-demand equivalent) and offers advanced labs, certification, and up to 24 CPE credits.
In the full version of the course, you’ll also learn:
Expand All
01 –How long does it take to complete the course?
On-Demand: Access all 2 hours of content at your own pace. Ideal for working professionals who want flexibility to train between active cases.
Live Online: Instructor-led sessions conducted remotely. Timing can be customized for your team.
02 –Is the course content updated for 2025?
Yes — this course has been completely redesigned and updated for 2025. It reflects the latest findings, updated SQLite behavior, and modern forensic challenges based on real-world casework.
03 –Can this course be delivered to teams or agencies?
Yes! We offer flexible group training options — including discounted rates for teams of 5 or more. Agencies, labs, and organizations can request custom scheduling and onboarding support tailored to their needs.
04 –Can I get help if I get stuck during the OnDemand course?
Absolutely. We provide instructor email support so you can keep progressing confidently at your own pace.
05 –What if I’ve already taken a mobile forensics training?
Perfect. This course complements those skills by going deeper into WAL and SHM file analysis. You’ll learn what automated tools often overlook — like reconstructing timeline data from WAL frames and recovering deleted activity from SHM indexes.
06 –Who teaches this course, and what’s their background?
The course is led by Elusive Data’s senior instructor, James Eichbaum, a forensic specialist who has trained professionals from national police forces, federal, state and local law enforcement, government and military agencies, and global DFIR teams. You’ll learn from someone with deep, practical experience in real investigations. James has been teaching database forensics for over 15 years.
07 –Do I get access to lab files and hands-on practice?
Yes. Every module includes interactive labs using real WAL and SHM files. You’ll apply your learning immediately through guided exercises analyzing timeline reconstruction and deleted data recovery.
08 –Why should I choose this course over others?
This microcourse was designed to fill a crucial gap in forensic training: understanding how SQLite WAL and SHM files track database changes and store recoverable data.
In just 2 focused hours, you’ll learn how WAL frames capture transaction history, how SHM indexes track page modifications, and how to reconstruct activity timelines that standard tools miss.
Through realistic examples and unsupported apps, you’ll work hands-on to parse WAL headers, interpret checkpoint data, and recover deleted transactions with precision.
Continuously updated and built for working professionals, this course delivers fast, focused, and practical training without cutting corners.
09 –Do I need programming or advanced SQL skills?
You should be comfortable navigating forensic tools and working with mobile artifacts, but you don’t need to be a developer. We’ll guide you through low-level concepts like WAL frame parsing, checkpoint analysis, and SHM index interpretation with clear explanations and hands-on labs.
10 –Is the course recognized or court-admissible?
Yes. The course is certificate-based and designed by a former law enforcement examiner with real testimony experience. The workflows taught are courtroom-ready and built to hold up under review.
11 –Will I actually be able to use this on my current cases?
Yes. The course is built around real-world app data, not generic examples. You’ll learn practical workflows you can apply immediately — even when your tools fall short.
12 –What if I use tools like Cellebrite, MSAB, Magnet, or Oxygen?
Great — this course is designed to work alongside them. You’ll learn how to verify tool output, investigate unsupported apps, and recover evidence those tools often overlook.
13 –Do you offer scheduled courses I can join?
Yes! We regularly schedule live online sessions that you can join alongside other professionals. These scheduled courses offer the same comprehensive content with real-time interaction and Q&A sessions.
Check our course calendar to see upcoming scheduled dates and register for available sessions.
14 –Can I book a private live session for a custom date?
Absolutely! If the scheduled course dates don’t work for you, we’re happy to arrange a private live session at a time that fits your schedule.
Simply submit a booking request with your preferred dates and times, and we’ll work with you to find a convenient slot. This is perfect for teams or organizations with specific timing requirements.
15 –If I take this microcourse now, do I have to pay full price for the complete course later?
No — if you later decide to enroll in the complete SQLite Forensics course, we’ll deduct the full cost of this microcourse from your total. Just reach out to us before enrolling in the full course.
Digital Forensic Examiner
★★★★★
I’ve always relied on tools, but this course showed me that things are hiding between the lines. Seeing deleted messages come back from the WAL blew my mind.
Incident Response Consultant
★★★★★
I used to skip over WAL files because I didn’t know what to do with them. Now I can pull out overwritten records, rebuild actions, and explain every change in a timeline.
Mobile Forensics Analyst
★★★★★
Turns out the timeline I needed was already there. WAL and SHM gave me what the tools missed. Honestly, this training changed how I work on every case.
Master SQLite Forensics with our 2025-certified training, tailored for professionals examining mobile app data. Learn to uncover deleted records, interpret WAL files, and recover hidden artifacts beyond the reach of standard tools.
Built around real-world casework and fresh CTFs, this hands-on course emphasizes page-level decoding, deep forensic insight, and practical techniques for advanced investigations.
Learn More
Start On-Demand Course
Decoding VarInts manually can slow down forensic workflows, especially when working with unfamiliar or messy databases. This tool helps you interpret those values quickly, so you can stay focused on analysis. Free to use and built for investigators who work directly with SQLite internals.
This focused micro-course helps you go beyond tool limitations by showing exactly how SQLite stores and removes data. In just a few hours, you’ll learn to recover deleted records, interpret raw structures, and confidently analyze app databases, even when tools give you nothing.
Learn More
Start On-Demand Course
SQLite remains the backbone of mobile app storage in 2025, powering everything from chat histories and location logs to app settings and cached media. While forensic tools handle basic extraction well, they often stop short of revealing what’s stored deeper in database internals: write-ahead logs, overflow chains, or custom schemas unique to each app.
As mobile software evolves rapidly, examiners increasingly face situations where data is only partially decoded or missed altogether. Understanding the inner workings of SQLite has become essential for reliable mobile analysis.
This microcourse was built with that reality in mind. You’ll learn how to break down SQLite at the structural level, recovering data manually, interpreting how records are organized, and spotting patterns or anomalies that tools alone may not explain. It’s the kind of practical expertise that gives you more control in complex or time-critical cases.
This request is completely non-binding. Let us know what dates might work for you and how many participants you’d like to include. We’ll get back to you promptly to discuss the best options together.
Be the first to hear about new training opportunities, free tools, case-based blog posts, and practical insights. Our monthly newsletter is built to help you learn faster, solve cases smarter, and keep up in a field that never stands still.
Fill in your email to sign up.