@Haalloobim

Improve Exception Handling for SQLite Artifacts (ParsedCache, PhotosDBExif, TrustedPeers)

Summary

This pull request resolves multiple runtime errors encountered when parsing several iLEAPP artifacts where certain SQLite tables or columns may be missing depending on the iOS version or device configuration.

Previously, artifacts failed with errors such as:

  • no such column: engagement_date
  • no such table: ZASSET
  • no such table: ZSECUREBACKUPMETADATATIMESTAMP
  • Missing or malformed SQLite schemas

These issues caused crashes and incomplete reports.
This PR introduces safer try/except blocks to ensure graceful handling of malformed databases without interrupting the entire processing pipeline.


Changes Included

1. parsedCache Artifact

  • Added try/except around SQL queries.
  • Handles missing columns in completion_cache_engagement.
  • Logs errors and continues with an empty dataset.
  • Prevents pipeline crashes on unexpected database structure variations.

2. photosDBExif Artifact

  • Wrapped SQLite query in exception handling.
  • Addresses scenarios where ZASSET table is missing (common in older iOS builds).
  • Ensures report continuity even when EXIF tables are absent.

3. trustedPeers Artifact

  • Added robust exception handling around SQL operations.
  • Fixes failure related to missing ZSECUREBACKUPMETADATATIMESTAMP on iOS 13.4.1.
  • Provides clear logging while maintaining execution flow.

4. General Improvements

  • Standardized error messages:
    • Error reading <artifact> database: <exception>
  • All fixes are non-intrusive and do not alter existing parsing logic.
  • Enhances stability and maintainability of artifact handlers.

Testing Performed

All artifacts were tested using a real forensic image obtained from the Digital Corpora public repository.

Image / Device Specifications:

  • Make: iPhone SE
  • Model: A1662 (Rose Gold)
  • Order Number: MLXL2LL/2
  • RAM: 2 GB
  • Storage: 64 GB
  • Carrier: Google Fi
  • Phone Number: 919-579-4674
  • Serial: DX3T126VH2XV
  • Wi-Fi MAC: A0:D7:95:79:DD:A1
  • iOS Version: 13.4.1
  • Build: 17E262

Results:

  • All three artifacts now run successfully without raising unhandled exceptions.
  • Missing tables are handled gracefully with informative logs.
  • Full report generation completes without interruption.

Notes

These fixes significantly improve iLEAPP’s resilience when handling inconsistent or version-specific SQLite schemas commonly found in real forensic extractions.

Future improvements may include:

  • Centralizing SQLite error-handling logic.
  • Automatic schema detection and dynamic query adaptation.
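
One way the two future improvements listed above (centralized SQLite error handling and schema detection before querying) could be combined, as an added example that is not code from this pull request or from iLEAPP. The helper names, the sample columns `completion` and `score`, and the in-memory database are constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("artifact_demo")  # hypothetical logger name

def missing_schema(conn, required):
    """Return 'table' or 'table.column' entries the query needs but the DB lacks."""
    missing = []
    for table, columns in required.items():
        # pragma_table_info() yields no rows when the table does not exist.
        present = {r[0] for r in conn.execute(
            "SELECT name FROM pragma_table_info(?)", (table,))}
        if not present:
            missing.append(table)
        else:
            missing += [f"{table}.{c}" for c in columns if c not in present]
    return missing

def safe_query(conn, artifact, sql, required):
    """Run sql only if the schema matches; always return a list of rows."""
    gaps = missing_schema(conn, required)
    if gaps:
        # Expected on some iOS versions: record what is absent and move on.
        log.warning("Skipping %s: schema lacks %s", artifact, ", ".join(gaps))
        return []
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Same message format the PR standardizes on.
        log.error("Error reading %s database: %s", artifact, exc)
        return []

def build_sample_db():
    """Constructed database: engagement_date is absent and ZASSET is never created."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE completion_cache_engagement (completion TEXT, score REAL)")
    conn.execute("INSERT INTO completion_cache_engagement VALUES ('example.com', 1.0)")
    return conn

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    db = build_sample_db()
    print(safe_query(db, "parsedCache",
                     "SELECT completion, engagement_date FROM completion_cache_engagement",
                     {"completion_cache_engagement": ["completion", "engagement_date"]}))
    print(safe_query(db, "photosDBExif", "SELECT Z_PK FROM ZASSET", {"ZASSET": ["Z_PK"]}))
```

Logging the specific missing table or column, rather than only the raw exception, lets an examiner tell an expected version difference apart from a damaged database when reviewing the run log.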
