[guardian-dev] Fwd: Re: How protective is SQLCipher from data Forensic tools

Nathan of Guardian nathan at guardianproject.info
Fri Jan 13 17:26:24 EST 2012


Great post on SQLCipher and forensics.

-------- Original Message --------
Subject: 	Re: How protective is SQLCipher from data Forensic tools
Date: 	Fri, 13 Jan 2012 08:54:54 -0500
From: 	Stephen Lombardo <sjlombardo at zetetic.net>
Reply-To: 	sqlcipher at googlegroups.com
To: 	sqlcipher at googlegroups.com



Hi Sze,

The short answer is that, provided the cipher key is not known to the
analyst, SQLCipher should be quite secure against forensic analysis
because the entire database is encrypted. However, if you need to ensure
that deleted data is not recoverable by someone with knowledge of the
secret key there are a few additional protective steps you can take. The
following points provide additional detail.

When the key is not known:

By default, data is not removed from the database when it is deleted.
Instead, pages are marked as free and can be reused by the system. So,
if a delete caused a number of pages of the database to become unused,
the deleted data is still stored in free pages in the database (i.e. you
would notice that the database size does not change). However, even free
pages are encrypted by SQLCipher, so if the analyst doesn't know the
key, they can't access that deleted data. In order to eliminate freed
pages from the database manually you can run the vacuum command, which
will rebuild the database, eliminating free pages and compressing it to
the minimal size possible.

When the key is known by the analyst:

It is quite different if you are trying to ensure that deleted data is
not recoverable by a trusted party who knows the key to the database. In
that case, even though they can't access the deleted data through the
query interface, one could construct a special program to strip
the encryption from the database file to examine the freed pages and
recover data. If you need to protect against that sort of analysis you
could consider using some combinations of the following pragmas:

PRAGMA secure_delete=ON will overwrite freed page data with zeros to
hinder recovery. Note that this doesn't imply that the pages are removed
from the database file, just that their content is wiped when they are
marked free. To actually remove the pages you'd need to run a vacuum, or
enable the next pragma.

PRAGMA auto_vacuum=FULL will move free pages to the end of the database
on each commit and then truncate the free pages from the database. This
is similar to running a vacuum command, in that it actually removes free
pages from the database file, but it does not

Additional information on these pragmas can be found in the pragma
documentation (http://www.sqlite.org/pragma.html), so you can review the
details of vacuum, auto_vacuum, and secure delete in detail if you have
a need to protect against the latter case.

Cheers,
Stephen

On Wed, Jan 11, 2012 at 4:32 PM, Sze <szewong at gmail.com
<mailto:szewong at gmail.com>> wrote:

    Hi all,

    Got a question from a client about whether data deleted from the SQLCipher
    database can be "recovered" with a data forensic tool. I couldn't find
    any information online. I see a post from the GuardianProject that says
    the Android version is highly resistant to data forensics. Can I say
    the same with the iOS version? If so why?

    Thanks a lot!

    Sze
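The following is an added example, not code from the thread, from SQLCipher or from the Guardian Project. It uses the plain sqlite3 module from the Python standard library rather than SQLCipher, so the raw file can be inspected without a key; that stands in for what an analyst who already has the SQLCipher key sees once the encryption layer is stripped, which is the second case Stephen describes. It assumes (as SQLCipher is built as an extension of the stock SQLite pager) that secure_delete, auto_vacuum and VACUUM behave the same way under SQLCipher. The table, column names and the MARKER string are constructed for the demonstration; the four cases show the default behaviour (free pages keep the plaintext), secure_delete=ON (free pages zeroed but the file does not shrink), VACUUM (file rebuilt and truncated) and auto_vacuum=FULL (free pages truncated on commit).

```python
"""Added example: what deleted rows look like in the raw SQLite file under
the settings discussed in the thread. Uses plain sqlite3, not SQLCipher."""
import os
import sqlite3
import tempfile

# Constructed sample content that we later search for in the raw file bytes.
MARKER = b"SECRET-PATIENT-RECORD-"


def build_and_delete(path, secure_delete=False, auto_vacuum=False, vacuum=False):
    """Create a database at `path`, fill it with rows containing MARKER,
    delete every row, and report what an analyst reading the raw file
    (i.e. someone who already has the key) would find.

    Returns a dict with the file size before and after the delete, the
    number of pages left on the freelist, and whether MARKER still occurs
    anywhere in the file.
    """
    con = sqlite3.connect(path, isolation_level=None)  # autocommit
    if auto_vacuum:
        # auto_vacuum must be chosen before the first table is created;
        # FULL makes SQLite truncate free pages from the file on each commit.
        con.execute("PRAGMA auto_vacuum=FULL")
    # Set explicitly: some distro builds compile SQLite with secure_delete
    # defaulting to ON, which would hide the "default" behaviour.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body BLOB)")

    # Enough rows to fill several 4 KiB pages, so whole pages get freed.
    con.execute("BEGIN")
    for i in range(2000):
        con.execute("INSERT INTO notes(body) VALUES (?)",
                    (MARKER + str(i).encode(),))
    con.execute("COMMIT")
    size_before = os.path.getsize(path)

    # Deleting marks pages free; by default their bytes are left untouched.
    con.execute("DELETE FROM notes")
    if vacuum:
        # VACUUM rebuilds the database into a fresh set of pages and
        # truncates the file, removing the freelist entirely.
        con.execute("VACUUM")
    freelist = con.execute("PRAGMA freelist_count").fetchone()[0]
    con.close()

    with open(path, "rb") as f:
        raw = f.read()
    return {
        "size_before": size_before,
        "size_after": len(raw),
        "freelist": freelist,
        "marker_in_file": MARKER in raw,
    }


def run_cases():
    """Run the four configurations from the thread in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["default"] = build_and_delete(os.path.join(d, "a.db"))
        results["secure_delete"] = build_and_delete(
            os.path.join(d, "b.db"), secure_delete=True)
        results["vacuum"] = build_and_delete(
            os.path.join(d, "c.db"), secure_delete=True, vacuum=True)
        results["auto_vacuum"] = build_and_delete(
            os.path.join(d, "d.db"), secure_delete=True, auto_vacuum=True)
    return results


if __name__ == "__main__":
    for name, r in run_cases().items():
        print("%-14s size %6d -> %6d  free pages %3d  plaintext left: %s"
              % (name, r["size_before"], r["size_after"],
                 r["freelist"], r["marker_in_file"]))
```

Running it shows the point of the thread concretely: in the default case the file keeps its size, the freelist is non-empty and the deleted marker is still readable in the raw bytes; with secure_delete=ON the freed pages are zeroed but the file is still the same size; VACUUM and auto_vacuum=FULL are what actually shrink the file. Under SQLCipher every one of those pages is ciphertext on disk, so none of this is visible without the key; these pragmas matter only for the case where the key holder is the party you are protecting against. Note that the rollback journal written during the delete is unlinked at commit rather than wiped, so a filesystem-level forensic tool may still find its unencrypted blocks in the plain-SQLite case shown here.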
