There may be times when you're reviewing a SQLite database and identify certain fields contain data you wish to export. This data could be anything, including raw text and binary/hex. I recently saw a question regarding the Unarchiver application on iOS, where an analyst had 160+ photographs stored as blob data within certain fields. It would be a trivial task to copy/paste a few fields and save them as photographs/images, but that wouldn't work with 160+, it's time consuming, prone to error, and not as easy to document.

To test my proposed process, I created a database 'testdb.db' which contained a single table called 'photo', and two fields named 'photodata' and 'key'. I imported hex data of a dog as key 1, and hex data of a cat as key 2.

Install sqlite command line tools (can be used on a standalone virtual machine, or WSL/WSL2)

$ sudo apt install sqlite3

The following one-liner will use sqlite command line tools to query all key values, pipe that into while, read it as an ID value, then use writefile (a command within sqlite tools), and write each corresponding binary blob as a unique file.

sqlite3 testdb.db "SELECT key from photo" | while read id; do echo SELECT writefile\(\'export-key-$id.jpg\', photodata\) FROM photo WHERE key = $id\;; done | sqlite3 testdb.db

This will allow you to recursively export all blob data for each field, and save it as a unique file. The added advantage of this is that the file names will contain a corresponding key value, it is easier to document and explain to your audience, and is of course programmatic and saves time.