I am writing code to detect suspected SQLCipher database files. One thing I noticed about the file size was that the five test database files I have (downloaded from GitHub) all have a greatest common factor of 8 bytes. Will this be true of all SQLCipher database files? If not, is there another size comparison of this nature that can help in determining a suspected SQLCipher database?
You may not find that all SQLCipher database files align to the 8 bytes you are seeing. As the entire content of SQLCipher files is encrypted, there is not a specific heuristic that can be used to identify them.
If you are only filtering on either plain-text SQLite files or SQLCipher files, you could attempt to disambiguate between the two by identifying the plain-text SQLite files by their magic string located in the first 16 bytes of the database file header. The bytes, encoded in UTF-8, contain a value of
SQLite format 3:
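A worked example of the approach the answer describes, added here and not code from the question or the answer. The 16-byte header of a plain-text SQLite 3 file is the string "SQLite format 3" followed by a NUL byte, so that is the exact value the script matches. The script also adds two heuristics the answer does not mention, both labelled as assumptions in the code: a SQLite page is between 512 and 65536 bytes and SQLCipher keeps the file page-aligned, so any candidate must be a non-zero multiple of 512 bytes; and an encrypted page should have near-maximal byte entropy. A file that passes the alignment and entropy checks is only reported as "possible-sqlcipher", because random or compressed data of the right size would look the same. All sample inputs are constructed in the script.

```python
import hashlib
import math
import os
import tempfile

# 16-byte header string of a plain-text SQLite 3 database: "SQLite format 3" plus a NUL.
SQLITE_MAGIC = b"SQLite format 3\x00"
# Assumption (not stated in the answer): SQLite page sizes are powers of two from 512
# to 65536, and SQLCipher keeps the file page-aligned, so any candidate file must be a
# non-zero multiple of 512 bytes.
MIN_PAGE_SIZE = 512
SAMPLE_BYTES = 4096          # how much of the file head to examine
ENTROPY_THRESHOLD = 7.0      # bits/byte; assumed cut-off for "looks encrypted" (max is 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy, in bits per byte, of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(head: bytes, size: int) -> str:
    """Classify a file from its first bytes and its total size.

    Returns "sqlite" when the plain-text magic string is present,
    "possible-sqlcipher" when the file is page-aligned and its head looks
    encrypted (a heuristic, not proof), and "unknown" otherwise.
    """
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if size == 0 or size % MIN_PAGE_SIZE != 0:
        return "unknown"      # size rules out any SQLite-derived page layout
    if shannon_entropy(head[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
        return "possible-sqlcipher"
    return "unknown"


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return classify(head, os.path.getsize(path))


def scan_directory(root: str) -> dict:
    """Map every regular file under root (relative path) to its classification."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            results[os.path.relpath(path, root)] = classify_file(path)
    return results


def constructed_samples() -> dict:
    """Constructed test inputs (not real databases): file name -> bytes."""
    # Deterministic high-entropy bytes standing in for an encrypted page (128 * 32 = 4096).
    encrypted_like = b"".join(
        hashlib.sha256(b"sample-page" + i.to_bytes(4, "big")).digest() for i in range(128)
    )
    return {
        "plain.db": SQLITE_MAGIC + b"\x00" * (4096 - len(SQLITE_MAGIC)),
        "cipher.db": encrypted_like,                  # 4096 bytes, aligned, random-looking
        "cipher_trunc.db": encrypted_like + b"\x00",  # 4097 bytes: alignment check rejects it
        "zeros.bin": b"\x00" * 4096,                  # aligned but low entropy
        "notes.txt": b"not a database\n" * 100,       # 1500 bytes, not aligned
    }


def demo() -> dict:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in constructed_samples().items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, label in sorted(demo().items()):
        print(f"{name:16} {label}")
```

Running the script prints one line per constructed file: only `plain.db` is reported as `sqlite`, only `cipher.db` as `possible-sqlcipher`, and the rest as `unknown`. Point `scan_directory` at a real directory to triage candidates; anything flagged `possible-sqlcipher` still needs confirmation, for example by opening it with the SQLCipher library and a known key.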