
SQLite Forensics Recovery

Difficulty

  • intermediate

Average duration

1 hr

Technologies

  • linux
  • cybersecurity
  • blue-team
  • forensics
  • sqlite
  • data-recovery

SQLite Forensics Recovery

In this lab, you will face a digital forensics scenario after a security incident. A server was compromised, and an analyst managed to extract a damaged copy of a critical database.

Your mission as a cybersecurity analyst is to partially recover the SQLite database, find any sensitive information still available… and discover the hidden flag inside.

In this lab you will learn:

  • Analysis of corrupted files
  • Use of basic forensic tools for data extraction
  • Binary exploration with Python and system commands
  • First steps with databases in cybersecurity

🌱 How to start this lab

👉 This challenge uses a dedicated virtual machine for forensic recovery of damaged files.

  1. If you don't have it yet, download the virtual machine from this link:
https://storage.googleapis.com/cybersecurity-machines/brokendb-lab.ova
  2. Import the virtual machine into VirtualBox or VMware.
  3. Start the VM and log in as the default user. You will see a lightweight Linux environment with all the necessary tools.

📄 Instructions

You have accessed a forensic copy of a database extracted from a compromised system. Records indicate it may contain highly sensitive information. However, the file is corrupted and cannot be opened conventionally.

Your task is to recover as much as you can from the database using system tools and binary analysis techniques. If you manage to find the flag, you can validate that important data has not been completely lost.

Your mission: recover the flag from a damaged SQLite database

  1. Go to the lab folder /student and start inspecting.

  2. Examine the file broken-database.db. Can you open it directly with sqlite3? If it fails, try to recover content.

  3. If sqlite3 doesn't give you useful results, try other approaches, such as the strings or grep commands, which work on the raw bytes of the file.

  4. You can also use the script partial-recovery.py, designed to search for interesting content inside binary files, by running:

python3 /brokendb/partial-recovery.py

Modify or extend this script if you need to.

  5. Once you find a string in the format 4GEEKS{...}, validate it with the validator:
validate-flag '4GEEKS{what_you_found}'

Make sure to use this command exactly as shown above, since the flag must be enclosed in single quotes ('').

  6. If the flag is correct, you will see the following message:
✅ Correct flag!
🎁 Flag: 4GEEKS{EXAMPLE_FLAG}
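As an added example (written for this page, not the lab's own partial-recovery.py script), the Python script below shows the two checks a forensic analyst typically runs first on a file that sqlite3 refuses to open: inspect the 100-byte SQLite header to see exactly what is damaged, then carve printable strings from the raw bytes the way strings and grep would and search them for the lab's 4GEEKS{...} pattern. The sample database bytes, the clobbered header and the flag value it contains are all constructed for the demonstration; pass a real file path as the first argument to run the same checks against it.

```python
import re
import struct
import sys

# Constants from the SQLite 3 file format: the 16-byte magic string at offset 0
# and the 2-byte big-endian page size at offset 16 of the 100-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"
HEADER_SIZE = 100
# Flag format used by this lab (the content between the braces is unknown).
FLAG_PATTERN = re.compile(rb"4GEEKS\{[^}]{1,64}\}")


def inspect_header(data: bytes) -> dict:
    """Report which parts of the 100-byte header are still trustworthy.

    A damaged header is the usual reason sqlite3 rejects a file even when
    most of the data pages behind it are intact.
    """
    info = {"magic_ok": False, "page_size": None, "reason": ""}
    if len(data) < HEADER_SIZE:
        info["reason"] = "file shorter than the 100-byte header"
        return info
    info["magic_ok"] = data[:16] == SQLITE_MAGIC
    if not info["magic_ok"]:
        info["reason"] = "magic string missing or overwritten"
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:          # the format encodes 65536 as 1
        page_size = 65536
    # Valid page sizes are powers of two between 512 and 65536.
    if 512 <= page_size <= 65536 and (page_size & (page_size - 1)) == 0:
        info["page_size"] = page_size
    elif info["magic_ok"]:
        info["reason"] = f"implausible page size {page_size}"
    return info


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, data)]


def find_flags(data: bytes) -> list:
    """Return (offset, flag) for every candidate flag in the raw bytes."""
    return [(m.start(), m.group(0).decode("ascii"))
            for m in FLAG_PATTERN.finditer(data)]


def build_sample_database() -> bytes:
    """Constructed sample: a header whose magic was overwritten, followed by a
    fake record area with a few table/column strings and a constructed flag."""
    header = bytearray(HEADER_SIZE)
    header[:16] = b"XXXXXXXXXXXXXXXX"            # magic destroyed
    header[16:18] = struct.pack(">H", 4096)      # page size still readable
    body = (b"\x00" * 40 + b"users" + b"\x00" * 8 + b"alice@example.test"
            + b"\x07\x03" + b"4GEEKS{constructed_sample_flag}" + b"\x00" * 20
            + b"payroll_2024" + b"\x00" * 12)
    return bytes(header) + body


def analyse(data: bytes) -> dict:
    """Run both checks and collect the results in one report."""
    return {
        "header": inspect_header(data),
        "strings": extract_strings(data),
        "flags": find_flags(data),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_database()   # constructed sample, not a real capture
    report = analyse(blob)
    print("header:", report["header"])
    print(f"{len(report['strings'])} printable strings found")
    for offset, flag in report["flags"]:
        print(f"candidate flag at byte offset {offset}: {flag}")
```

Reading the header first tells you whether the file is worth handing back to sqlite3 at all (an intact magic with a sane page size suggests the damage is elsewhere) or whether you should go straight to carving; the string carve then recovers whatever survived in the page area regardless of the header's state.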

Now it's your turn to think like a real forensic analyst. This is not a typical investigation: no logs, no network… just you and a damaged file that could contain crucial secrets.

Will you be able to reconstruct enough to obtain the vital information?

Good luck, Analyst!
