search_db.h2.db - FrostWire H2 Database


Chris55728
Senior Member
 

search_db.h2.db - FrostWire H2 Database

Posted: Feb 18, 13 20:00

I have a case where the 'search_db.h2.db' file contains references to indecent keywords and from reading the article

forensicartifacts.com/...frostwire/

it appears that the file contains the following.

"This is the database that FrostWire v.5 uses to record all searches done by the users. The information recorded is the following:

i. URL Details, where the .torrent file is residing.
ii. The search term searched.
iii. The magnet link and corresponding SHA-1 hash value.
iv. The creation date in Unix that .torrent tracker was created."

From checking the raw data myself there appear to be fields such as size, relativePath, fileName, creationTime, vendor, hash, torrentURI for example.

The file itself is a Java SQL database.

However, I have not been able to find a program (I've tried a couple) that will allow me to actually read the data let alone export it into a viewable format.

I can see the tables but I can't see the data in the tables.

I have a funny feeling I'm doing something a bit daft so would appreciate a bit of guidance if anyone has any ideas!

Cheers.  
 
  

jaclaz
Senior Member
 

Re: search_db.h2.db - FrostWire H2 Database

Posted: Feb 18, 13 20:48

- Chris55728

The file itself is a Java SQL database

However, I have not been able to find a program (I've tried a couple) that will allow me to actually read the data let alone export it into a viewable format.

I am not getting it.

If the file is "ok", you can install Frostwire and attempt reading it.

The database should be an H2 one however:
www.h2database.com/html/main.html

It is well possible that either that database you found is corrupted or more simply it is empty.

Would simply installing FrostWire (and never running it) create such an empty search_db.h2.db file?

How have you found the "indecent" reference if you cannot see the contents of the fields?
By plain text carving?


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Chris55728
Senior Member
 

Re: search_db.h2.db - FrostWire H2 Database

Posted: Feb 18, 13 21:36

- jaclaz
If the file is "ok", you can install Frostwire and attempt reading it.


FrostWire installed, the 'search_db.h2.db' file is located in the 'C:\Users\<userid>\.frostwire5\search_db' directory.

Fired up FrostWire, closed it down, replaced with my 'search_db.h2.db' and fired FrostWire up again.

I can't find any option in the FrostWire program that allows me to view previous searches. If I go into the options and select the search option, this appears to reset the size of the 'search_db.h2.db' file and clears it out (putting a blank one there instead). I tried doing a few searches, which got results, then exiting. The 'search_db.h2.db' was still empty.

- jaclaz
The database should be an H2 one however:
www.h2database.com/html/main.html


I'm aware of that and the Java program from that website is one of the programs I downloaded in an attempt to view the file.

- jaclaz
It is well possible that either that database you found is corrupted or more simply it is empty.


I guess it is possible that the database is corrupted (although it's a live file and the header looks the same as the header of the blank file created by FrostWire) but it is certainly not empty because, as I said, I have indecent keyword hits in the file itself that have been viewed using EnCase in plain text. Below is a snippet of some of the non-indecent data that is in the file:

Funny Thing Happened Forum - 1996\Forum - 08 - Everybody ought to have a maid.mp3·t{"size":2908160,"relativePath":"Funny Thing Happened Forum - 1996\\Forum - 08 - Everybody ought to have a maid.mp3"}·KFunny Thing Happened Forum 1996 Forum 08 Everybody ought to have a maid mp3·Ù····HFunny Thing Happened Forum - 1996\Forum - 07 - Pretty Little Picture.mp3·k{"size":2113360,"relativePath":"Funny Thing Happene d Forum - 1996\\Forum - 07 - Pretty Little Picture.mp3"}·BFunny Thing Happened Forum 1996 Forum 07 Pretty Little Picture mp3·Ø····3other torrents\WALS model Lea videos 1-33.1.torrent·T{"size":15089,"relativePath":"other torrents\\WALS model Lea videos 1-33.1.torrent"}·3ot her torrents WALS model Lea videos 1 33 1 torrent·×·····other torrents\360.torrent·;{"size":15119,"relativePath":"other torrents\\360.to rrent"}··other torrents 360 torrent·Ö····9Funny Thing Happened Forum - 1996\Forum - 06 - Lovely.mp3·\{"size":1894768,"relativePath":"Fun ny Thing Happened Forum - 1996\\Forum - 06 - Lovely.mp3"}·3Funny Thing Happened Forum 1996 Forum 06 Lovely mp3·Õ·····other torrents\360. 1.torrent·={"size":15119,"relativePath":"other torrents\\360.1.

I have two of these 'search_db.h2.db' files on separate exhibits and a colleague also has one with one of his jobs. All 3 of the files have the same structure.

It could be that the version of FrostWire has been updated and that update includes changes to the structure of the 'search_db.h2.db' file.  
 
  

jaclaz
Senior Member
 

Re: search_db.h2.db - FrostWire H2 Database

Posted: Feb 18, 13 22:13

The snippet you posted seems "parsable" with a generic "plain text" data editor.

These have been useful to me on more than a few occasions:
record-editor.sourcefo...cord02.htm
recsveditor.sourceforge.net/

Another approach could be to try using a converter program to convert the h2 to another format, you may want to try this thingy here (which BTW also includes a H2 database "browser"):
www.razorsql.com/featu...tures.html


jaclaz
 
  

Ali-B
Member
 

Re: search_db.h2.db - FrostWire H2 Database

Posted: Apr 11, 13 22:04

Just wondering if anyone had any luck with the suggestions in this topic, in particular finding something to convert the h2 file to another format.
 
  

Bruce_Martin
Newbie
 

Re: search_db.h2.db - FrostWire H2 Database

Posted: Jun 27, 13 16:42

- Ali-B
Just wondering if anyone had any luck with the suggestions in this topic, in particular finding something to convert the h2 file to another format.


If it is an H2 database, you can download the database manager from http://www.h2database.com/html/main.html.

H2 comes with a built-in SQL-execution manager. It should be possible to connect to the DB in either embedded or mixed mode with a parameter something like:

jdbc:h2:FileName;AUTO_SERVER=TRUE

Check the h2 documentation.

If the tables are small, it should be possible to run SQL against them (and copy the results to a text editor or Excel etc). If the tables are large or contain blobs (binary data) you may need a separate unload utility.
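Added example (not part of the post above and not FrostWire or H2 project code): a shell sketch of the connection described in this reply, run against a verified working copy rather than the exhibit file. The jar location `h2.jar`, the user `sa` with an empty password, and the `TABLE_NAME` placeholder are assumptions; the thread does not state them.

```shell
#!/bin/sh
# Assumptions (not from the thread): H2_JAR location, user "sa", empty password.
H2_JAR="${H2_JAR:-./h2.jar}"
H2_USER="${H2_USER:-sa}"
H2_PASS="${H2_PASS:-}"

# Copy the evidence file into a work directory and confirm the copy is
# bit-identical. Prints the absolute path of the copy; returns 1 on failure.
stage_copy() {
    src=$1
    mkdir -p "$2" || return 1
    workdir=$(cd "$2" && pwd) || return 1
    dst="$workdir/$(basename "$src")"
    cp -- "$src" "$dst" || return 1
    h_src=$(sha256sum < "$src" | cut -d' ' -f1)
    h_dst=$(sha256sum < "$dst" | cut -d' ' -f1)
    [ "$h_src" = "$h_dst" ] || return 1
    printf '%s\n' "$dst"
}

# Build the JDBC URL. H2 takes the database path WITHOUT the ".h2.db" suffix.
#   IFEXISTS=TRUE       fail if the path is wrong instead of silently creating
#                       a new, empty database (tables visible, no rows)
#   ACCESS_MODE_DATA=r  open the data file read-only
h2_url() {
    case $1 in
        *.h2.db) base=${1%.h2.db} ;;
        *) echo "not an .h2.db file: $1" >&2; return 1 ;;
    esac
    printf 'jdbc:h2:%s;IFEXISTS=TRUE;ACCESS_MODE_DATA=r\n' "$base"
}

# Run one or more SQL statements through H2's command-line Shell tool.
h2_sql() {
    url=$(h2_url "$1") || return 1
    java -cp "$H2_JAR" org.h2.tools.Shell \
        -url "$url" -user "$H2_USER" -password "$H2_PASS" -sql "$2"
}

# Usage (paths and TABLE_NAME are placeholders):
#   db=$(stage_copy /evidence/search_db.h2.db ./work)
#   h2_sql "$db" "SHOW TABLES;"
#   h2_sql "$db" "SELECT * FROM TABLE_NAME;" > ./work/TABLE_NAME.txt
```

Use an H2 jar from the same release line that wrote the file, and record the hash of the exhibit before and after the session.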
 
  

Ali-B
Member
 

Re: search_db.h2.db - FrostWire H2 Database

Posted: Jun 28, 13 20:14

Thanks,
I was able to eventually connect to the database using the H2 console and run some SQL queries to view the files of interest.  
 
