During a previous engagement, Securus Global was asked to review a desktop application that used a local SQLite3 database to store a list of blacklisted URLs. As expected, the database file was encrypted, and not much could be done with the database.
Keep in mind that the same approach will work for libsqlite3.so. Also note that this has not been tested in a Windows environment.
Our goal at the time was to discover the SQL queries performed by the application and try to acquire some useful information. We started to look into two specific functions in libsqlite3.dylib:
The open function is defined as: