SQLite Write-Ahead Log (WAL) in MOBILedit Forensic
What is the Write-Ahead Log (WAL) in SQLite?
SQLite databases use a Write-Ahead Log (WAL) to temporarily store recent write transactions before committing them to the main database file. This process ensures data integrity and efficient database management.
What are the different SQLite files?
messages.db – The main SQLite database file containing structured data.
messages.db-wal – The WAL file that temporarily holds recent write transactions before they are merged into messages.db.
messages.db-shm – The shared memory file used to manage multi-threaded access to the database.
Why do I see messages.db-wal in some extractions but not others?
If the application using the SQLite database was closed properly before extraction, SQLite finalizes the writes by merging the messages.db-wal contents into messages.db, then deleting the WAL file. However, if the app was still running or had not fully closed at the time of extraction, messages.db-wal remains because uncommitted transactions are still inside it.
Why does messages.db-wal disappear when I open messages.db?
When you open messages.db in an SQLite viewer or certain tools, SQLite automatically merges the messages.db-wal file into messages.db, causing the messages.db-wal file to disappear. This is an intended SQLite feature to ensure all transactions are committed when the database is accessed.
How does this affect forensic analysis?
If messages.db-wal was present at the time of extraction but disappears later, some records may have been stored only in the WAL file and not yet committed to messages.db. Before opening messages.db, it is best practice to extract both messages.db and messages.db-wal for separate analysis using appropriate forensic tools.
This is also why you may see messages.db-wal referenced in the forensic report but not in the file output if the main messages.db has been opened after extraction.
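An added example, not part of the original article and not MOBILedit's own code: a summary of a WAL file's frames parsed from raw bytes, so the database is never opened through SQLite and no merge is triggered. It relies on SQLite's documented WAL layout (32-byte header, 24-byte frame headers), compares frame salts but does not verify checksums, and the names summarize_wal and constructed_wal are hypothetical.

```python
import struct

WAL_MAGIC = (0x377F0682, 0x377F0683)  # the two magic values SQLite writes
HDR = struct.Struct(">8I")    # 32-byte WAL header, big-endian
FRAME = struct.Struct(">6I")  # 24-byte frame header, big-endian

def summarize_wal(data: bytes) -> dict:
    """Summarize raw -wal bytes without opening the database through SQLite."""
    if len(data) < HDR.size:
        raise ValueError("too short for a WAL header")
    magic, _ver, page_size, _seq, salt1, salt2, _c1, _c2 = HDR.unpack_from(data, 0)
    if magic not in WAL_MAGIC or page_size < 512:
        raise ValueError("not a SQLite WAL file")
    frames, commits, pages, off = 0, 0, set(), HDR.size
    while off + FRAME.size + page_size <= len(data):
        pgno, db_size, f_salt1, f_salt2, _f1, _f2 = FRAME.unpack_from(data, off)
        if (f_salt1, f_salt2) != (salt1, salt2):
            break  # salts differ: leftover frame from an earlier WAL cycle
        frames += 1
        pages.add(pgno)
        commits += 1 if db_size else 0  # non-zero size marks a commit frame
        off += FRAME.size + page_size
    return {"page_size": page_size, "frames": frames, "commit_frames": commits,
            "pages": sorted(pages), "trailing_bytes": len(data) - off}

def constructed_wal() -> bytes:
    """Hand-built sample (constructed, not from a real device)."""
    s1, s2, page = 0x11111111, 0x22222222, bytes(512)
    wal = HDR.pack(WAL_MAGIC[0], 3007000, 512, 0, s1, s2, 0, 0)
    wal += FRAME.pack(2, 0, s1, s2, 0, 0) + page   # page 2, mid-transaction
    wal += FRAME.pack(3, 3, s1, s2, 0, 0) + page   # page 3, commit frame
    wal += FRAME.pack(2, 0, 0xAAAAAAAA, s2, 0, 0) + page  # stale frame
    return wal

if __name__ == "__main__":
    print(summarize_wal(constructed_wal()))
```

On a case, pass it the bytes of a working copy of messages.db-wal read with open(path, "rb"), which leaves the file untouched.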
Impact of Actions on the “acquired_data” Directory, Reports and MOBILedit Backup
MOBILedit Forensic creates an XML-based backup file that references data stored in the “acquired_data” output directory. Any actions affecting files in this directory can have two major consequences:
Backup Import Issues: The backup may fail to import if modifications cause discrepancies between the XML and the actual file structure (e.g., opening a database file that merges the WAL, thereby removing it).
Discrepancies in Reports vs. File Output: If a WAL file is referenced in the forensic report, but the investigator opens the corresponding database file, SQLite will merge the WAL into the database, making the WAL file disappear from the RAW0 directory. This means subsequent attempts to verify the extraction may not match the originally generated forensic report.
For more information on MOBILedit output structures, refer to the Outputs, Reports, Exports, and Backups section.