Forensic Recovery of Deleted Data


#1

Provided the encryption key is not known to the analyst, SQLCipher should be quite secure against forensic analysis because the entire database is encrypted. The following points provide additional detail.

It is quite different if you are trying to ensure that deleted data is not recoverable by a trusted party who knows the key to the database. In that case, even though they can’t access the deleted data through the query interface, one could theoretically construct a special program to strip the encryption from the database file to examine the freed pages and recover data.

To protect against this, as of version 2.0.5, SQLCipher now enables SQLite’s PRAGMA secure_delete=ON option. This causes the freed pages to be zeroed out on delete to hinder recovery. As before, they remain encrypted. Note that this doesn’t imply that the pages are removed from the database file, just that their content is wiped when they are marked free.

To actually remove the pages you’d need to run a vacuum, or enable PRAGMA auto_vacuum=FULL.

PRAGMA auto_vacuum=FULL will move free pages to the end of the database on each commit and then truncate the free pages from the database. This is similar to running a vacuum command, in that it actually removes free pages from the database file.

Additional information on these pragmas can be found in the pragma documentation, so you can review the details of vacuum, auto_vacuum, and secure delete.
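
The following is an added example, not part of the original post or of SQLCipher itself, for checking the effect of these pragmas on the database file. It uses Python's standard `sqlite3` module on an unencrypted database as a stand-in for the decrypted view a key holder would have; the table name, marker value and function name are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

MARKER = b"CONSTRUCTED-SECRET-MARKER"  # constructed sample value, not real data


def delete_and_inspect(secure_delete, auto_vacuum):
    """Insert marked rows, delete them, then report what is left in the file."""
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    # auto_vacuum only takes effect if set before the first table is created.
    con.execute(f"PRAGMA auto_vacuum={auto_vacuum}")
    con.execute(f"PRAGMA secure_delete={secure_delete}")
    con.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body BLOB)")
    con.execute("BEGIN")
    for _ in range(200):
        con.execute("INSERT INTO notes(body) VALUES (?)", (MARKER * 40,))
    con.execute("COMMIT")
    size_before = os.path.getsize(path)

    con.execute("DELETE FROM notes")  # rows are gone from the query interface
    free_pages = con.execute("PRAGMA freelist_count").fetchone()[0]
    con.close()

    # Read the raw file the way a recovery tool would, bypassing SQL.
    with open(path, "rb") as f:
        raw = f.read()
    return {
        "marker_in_file": MARKER in raw,  # deleted content still recoverable?
        "free_pages": free_pages,         # pages kept in the file but unused
        "size_before": size_before,
        "size_after": len(raw),
    }


if __name__ == "__main__":
    for sd, av in (("OFF", "NONE"), ("ON", "NONE"), ("ON", "FULL")):
        print(f"secure_delete={sd} auto_vacuum={av}:", delete_and_inspect(sd, av))
```

With secure_delete off the marker is still present in freed pages; with it on the marker is gone but the free pages remain in the file; adding auto_vacuum=FULL also truncates them.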