search_db.h2.db - FrostWire H2 Database

(@chris55728)
Posts: 49
Eminent Member
Topic starter
 

I have a case where the 'search_db.h2.db' file contains references to indecent keywords and from reading the article

http://forensicartifacts.com/2012/07/forensic-artefacts-frostwire/

it appears that the file contains the following.

"This is the database that FrostWire v.5 uses to record all searches done by the users. The information recorded is the following:

i. URL Details, where the .torrent file is residing.
ii. The search term searched.
iii. The magnet link and corresponding SHA-1 hash value.
iv. The creation date in Unix that .torrent tracker was created."

From checking the raw data myself there appear to be fields such as size, relativePath, fileName, creationTime, vendor, hash, torrentURI for example.

The file itself is a Java SQL database

However, I have not been able to find a program (I've tried a couple) that will allow me to actually read the data let alone export it into a viewable format.

I can see the tables but I can't see the data in the tables.

I have a funny feeling I'm doing something a bit daft so would appreciate a bit of guidance if anyone has any ideas!

Cheers.

 
Posted : 18/02/2013 7:00 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The file itself is a Java SQL database

However, I have not been able to find a program (I've tried a couple) that will allow me to actually read the data let alone export it into a viewable format.

I am not getting it.

If the file is "ok", you can install Frostwire and attempt reading it.

The database should be an H2 one however
http://www.h2database.com/html/main.html

It is well possible that either that database you found is corrupted or more simply it is empty.

Would simply installing FrostWire (and never running it) create such an empty search_db.h2.db file?

How have you found the "indecent" reference if you cannot see the contents of the fields?
By plain text carving?

jaclaz

 
Posted : 18/02/2013 7:48 pm
(@chris55728)
Posts: 49
Eminent Member
Topic starter
 

If the file is "ok", you can install Frostwire and attempt reading it.

FrostWire installed, the 'search_db.h2.db' file is located in the 'C:\Users\<userid>\.frostwire5\search_db' directory.

Fired up FrostWire, closed it down, replaced with my 'search_db.h2.db' and fired FrostWire up again.

I can't find any option in the FrostWire program that allows me to view previous searches. If I go into the options and select the search option, this appears to reset the size of the 'search_db.h2.db' file and clears it out (putting a blank one there instead). I tried doing a few searches, which got results, then exiting. The 'search_db.h2.db' was still empty.

The database should be an H2 one however
www.h2database.com/html/main.html

I'm aware of that and the Java program from that website is one of the programs I downloaded in an attempt to view the file.

It is well possible that either that database you found is corrupted or more simply it is empty.

I guess it is possible that the database is corrupted (although it's a live file and the header looks the same as the header of the blank file created by FrostWire) but it is certainly not empty because, as I said, I have indecent keyword hits in the file itself that have been viewed using EnCase in plain text. Below is a snippet of some of the non-indecent data that is in the file:

Funny Thing Happened Forum - 1996\Forum - 08 - Everybody ought to have a maid.mp3·t{"size":2908160,"relativePath":"Funny Thing Happened Forum - 1996\\Forum - 08 - Everybody ought to have a maid.mp3"}·KFunny Thing Happened Forum 1996 Forum 08 Everybody ought to have a maid mp3·Ù····HFunny Thing Happened Forum - 1996\Forum - 07 - Pretty Little Picture.mp3·k{"size":2113360,"relativePath":"Funny Thing Happened Forum - 1996\\Forum - 07 - Pretty Little Picture.mp3"}·BFunny Thing Happened Forum 1996 Forum 07 Pretty Little Picture mp3·Ø····3other torrents\WALS model Lea videos 1-33.1.torrent·T{"size":15089,"relativePath":"other torrents\\WALS model Lea videos 1-33.1.torrent"}·3other torrents WALS model Lea videos 1 33 1 torrent·×·····other torrents\360.torrent·;{"size":15119,"relativePath":"other torrents\\360.torrent"}··other torrents 360 torrent·Ö····9Funny Thing Happened Forum - 1996\Forum - 06 - Lovely.mp3·\{"size":1894768,"relativePath":"Funny Thing Happened Forum - 1996\\Forum - 06 - Lovely.mp3"}·3Funny Thing Happened Forum 1996 Forum 06 Lovely mp3·Õ·····other torrents\360.1.torrent·={"size":15119,"relativePath":"other torrents\\360.1.

I have two of these 'search_db.h2.db' files on separate exhibits and a colleague also has one with one of his jobs. All 3 of the files have the same structure.

It could be that the version of FrostWire has been updated and that update includes changes to the structure of the 'search_db.h2.db' file.

 
Posted : 18/02/2013 8:36 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The snippet you posted seems "parsable" with a generic "plain text" data editor.

These have been useful to me on more than a few occasions:
http://record-editor.sourceforge.net/Record02.htm
http://recsveditor.sourceforge.net/

Another approach could be to try using a converter program to convert the H2 to another format; you may want to try this thingy here (which BTW also includes an H2 database "browser"):
http://www.razorsql.com/features/h2_features.html

jaclaz

 
Posted : 18/02/2013 9:13 pm
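A worked version of the "plain text" approach suggested above, added here as an example and not code from the thread or from FrostWire: it scans the raw bytes of a copy of search_db.h2.db for the {"size":N,"relativePath":"..."} fragments visible in the snippet, without depending on any H2 driver. It assumes those fragments keep the exact JSON shape shown in the snippet; the embedded sample input is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Plain-text carver for the {"size":N,"relativePath":"..."} fragments that
// FrostWire writes into search_db.h2.db. It never interprets the H2 page
// structure; it only scans raw bytes, so it works on a copy of the file
// even when no H2 driver will open it.
public class SearchDbCarver {
    // Decode as ISO-8859-1 so every byte maps to exactly one char and the
    // match offsets stay byte offsets (handy for cross-referencing in EnCase).
    private static final Pattern RECORD = Pattern.compile(
        "\\{\"size\":(\\d+),\"relativePath\":\"((?:[^\"\\\\]|\\\\.)*)\"\\}");

    public record Entry(long offset, long size, String relativePath) {}

    public static List<Entry> carve(byte[] raw) {
        String text = new String(raw, StandardCharsets.ISO_8859_1);
        List<Entry> out = new ArrayList<>();
        Matcher m = RECORD.matcher(text);
        while (m.find()) {
            // JSON stores a single Windows backslash as "\\"; undo that escape.
            String path = m.group(2).replace("\\\\", "\\").replace("\\\"", "\"");
            out.add(new Entry(m.start(), Long.parseLong(m.group(1)), path));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = args.length > 0
            ? Files.readAllBytes(Path.of(args[0]))
            // Constructed sample shaped like the thread's snippet; the \u0001
            // bytes stand in for the non-printable bytes between records.
            : ("\u0001t{\"size\":2908160,\"relativePath\":\"Funny Thing Happened Forum - 1996\\\\Forum - 08 - Everybody ought to have a maid.mp3\"}"
               + "\u0001T{\"size\":15089,\"relativePath\":\"other torrents\\\\WALS model Lea videos 1-33.1.torrent\"}")
              .getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("offset\tsize\trelativePath");
        for (Entry e : carve(raw)) {
            System.out.println(e.offset() + "\t" + e.size() + "\t" + e.relativePath());
        }
    }
}
```

Run it as `java SearchDbCarver C:\cases\exhibit1\search_db.h2.db` (Java 16 or later, for the record type) and redirect stdout to get a tab-separated listing; without an argument it runs on the constructed sample.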
(@ali-b)
Posts: 16
Active Member
 

Just wondering if anyone had any luck with the suggestions in this topic in particular finding something to convert the h2 file to another format.

 
Posted : 11/04/2013 10:04 pm
(@bruce_martin)
Posts: 1
New Member
 

Just wondering if anyone had any luck with the suggestions in this topic in particular finding something to convert the h2 file to another format.

If it is a H2 Database, you can download the database manager from http://www.h2database.com/html/main.html.

H2 comes with a built-in SQL-execution manager. It should be possible to connect to the DB in either embedded or mixed mode with a parameter something like

jdbc:h2:FileName;AUTO_SERVER=TRUE

Check the h2 documentation.

If the tables are small, it should be possible to run SQL against them (and copy the results to a text editor or Excel etc). If the tables are large or contain blobs (binary data) you may need a separate unload utility.

 
Posted : 27/06/2013 4:42 pm
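An added example (not code from the thread, H2 or FrostWire) of the JDBC route described above, written so that it cannot do to the evidence what FrostWire did to the OP's file: IFEXISTS=TRUE stops H2 from silently creating a fresh empty database at a mistyped path, and ACCESS_MODE_DATA=r opens the data file read-only. It assumes an H2 1.x jar on the classpath (the .h2.db PageStore format is not opened by H2 2.x) and the H2 default user "sa" with an empty password, since the thread does not give FrostWire's credentials.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Dumps every PUBLIC table of a FrostWire search_db H2 database as
// tab-separated text. Run against a COPY of search_db.h2.db.
public class SearchDbDump {
    // H2 wants the path WITHOUT the ".h2.db" suffix. IFEXISTS=TRUE refuses to
    // create a new database if the path is wrong; ACCESS_MODE_DATA=r opens
    // the data file read-only so the copy is not modified on open.
    public static String jdbcUrl(String pathWithoutSuffix) {
        return "jdbc:h2:file:" + pathWithoutSuffix.replace('\\', '/')
             + ";IFEXISTS=TRUE;ACCESS_MODE_DATA=r";
    }

    // Table names come from INFORMATION_SCHEMA, so the dump still works if a
    // FrostWire update renamed or added tables (as the OP suspected).
    public static List<String> listTables(Connection c) throws Exception {
        List<String> names = new ArrayList<>();
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'PUBLIC'")) {
            while (rs.next()) names.add(rs.getString(1));
        }
        return names;
    }

    public static void dumpTable(Connection c, String table) throws Exception {
        String quoted = "\"PUBLIC\".\"" + table.replace("\"", "\"\"") + "\"";
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT * FROM " + quoted)) {
            ResultSetMetaData md = rs.getMetaData();
            StringBuilder line = new StringBuilder("## " + table + "\n");
            for (int i = 1; i <= md.getColumnCount(); i++) line.append(md.getColumnName(i)).append('\t');
            System.out.println(line);
            while (rs.next()) {
                line.setLength(0);
                for (int i = 1; i <= md.getColumnCount(); i++) line.append(rs.getString(i)).append('\t');
                System.out.println(line);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: e.g. C:/cases/exhibit1/search_db (copy of search_db.h2.db, suffix dropped).
        // "sa" with an empty password is the H2 default and an assumption here.
        try (Connection c = DriverManager.getConnection(jdbcUrl(args[0]), "sa", "")) {
            for (String t : listTables(c)) dumpTable(c, t);
        }
    }
}
```

Run with `java -cp h2-1.x.jar;. SearchDbDump C:/cases/exhibit1/search_db > dump.txt`; if the connection is refused with a wrong user or password error, the credentials assumption above is what needs changing, not the URL.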
(@ali-b)
Posts: 16
Active Member
 

Thanks,
I was able to eventually connect to the database using the H2 console and run some SQL queries to view the files of interest.

 
Posted : 28/06/2013 8:14 pm