dfindexeddb is an experimental Python tool for performing digital forensic analysis of IndexedDB and leveldb files.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dfindexeddb from gravatar.com dfindexeddb Avatar for google_opensource from gravatar.com google_opensource

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

dfIndexeddb

dfindexeddb is an experimental Python tool for performing digital forensic analysis of IndexedDB and LevelDB files.

It parses LevelDB, IndexedDB and JavaScript structures from these files without requiring native libraries. (Note: only a subset of IndexedDB key types and JavaScript types for Firefox, Safari and Chromium-based browsers are currently supported).

The content of IndexedDB files is dependent on what a web application stores locally/offline using the web browser's IndexedDB API. Examples of content might include:

  • text from a text/source-code editor application,
  • emails and contact information from an e-mail application,
  • images and metadata from a photo gallery application

Installation

  1. [Linux] Install the snappy compression development package
    $ sudo apt install libsnappy-dev
  1. Create a virtual environment and install the package
    $ python3 -m venv .venv
    $ source .venv/bin/activate
    $ pip install dfindexeddb

Optional plugins

To also install the dependencies for leveldb/indexeddb plugins, run

    $ pip install 'dfindexeddb[plugins]'

Installation from source

  1. [Linux] Install the snappy compression development package
    $ sudo apt install libsnappy-dev

  1. Clone or download/unzip the repository to your local machine.

  2. Create a virtual environment and install the package

    $ python3 -m venv .venv
    $ source .venv/bin/activate
    $ pip install .

Optional plugins

To also install the dependencies for leveldb/indexeddb plugins, run

    $ pip install '.[plugins]'

Usage

Two CLI tools for parsing IndexedDB/LevelDB files are available after installation:

IndexedDB

$ dfindexeddb -h
usage: dfindexeddb [-h] {blink,gecko,db,ldb,log} ...

A cli tool for parsing IndexedDB files

positional arguments:
  {blink,gecko,db,ldb,log}
    blink               Parse a file as a blink-encoded value.
    gecko               Parse a file as a gecko-encoded value.
    db                  Parse a directory/file as IndexedDB.
    ldb                 Parse a ldb file as IndexedDB.
    log                 Parse a log file as IndexedDB.

options:
  -h, --help    show this help message and exit

Examples:

Platform / Source Format Command
Firefox (sqlite) JSON dfindexeddb db -s SOURCE --format firefox -o json
Safari (sqlite) JSON-L dfindexeddb db -s SOURCE --format safari -o jsonl
Chrome (LevelDB/sqlite) JSON dfindexeddb db -s SOURCE --format chrome
Chrome (.ldb) JSON-L dfindexeddb ldb -s SOURCE -o jsonl
Chrome (.log) Python repr dfindexeddb log -s SOURCE -o repr
Chrome (Blink) JSON dfindexeddb blink -s SOURCE

Options:

Option Description
--filter_key [term] Performs a substring match on the string representation of the record's key.
--filter_value [term] Performs a substring match on the string representation of the record's value. If --load_blobs is used, it also searches within any associated blob data.
--include_raw_data Include the raw key and value bytes in the record output.
--load_blobs For Firefox, Safari and Chromium-based browsers, attempt to find and read associated blob files.

Note: Refer to source to understand the structure of the records and how the filter options available in the CLI tool work. For more fine-grained control over filtering, it is preferable to use jq to filter and transform the JSON output.

LevelDB

$ dfleveldb -h
usage: dfleveldb [-h] {db,log,ldb,descriptor} ...

A cli tool for parsing leveldb files

positional arguments:
  {db,log,ldb,descriptor}
    db                  Parse a directory as leveldb.
    log                 Parse a leveldb log file.
    ldb                 Parse a leveldb table (.ldb) file.
    descriptor          Parse a leveldb descriptor (MANIFEST) file.

options:
  -h, --help            show this help message and exit

Examples

Source Type Command
LevelDB Folder Records dfleveldb db -s SOURCE
Log file (.log) Physical Records dfleveldb log -s SOURCE -t physical_records
Log file (.log) Blocks dfleveldb log -s SOURCE -t blocks
Log file (.log) Write Batches dfleveldb log -s SOURCE -t write_batches
Log file (.log) Internal Key Records dfleveldb log -s SOURCE -t parsed_internal_key
Table file (.ldb) Records dfleveldb ldb -s SOURCE -t record
Table file (.ldb) Blocks dfleveldb ldb -s SOURCE -t blocks
Descriptor (MANIFEST) Version Edits dfleveldb descriptor -s SOURCE -t versionedit

Optional Plugins

To apply a plugin parser for a leveldb file/folder, add the --plugin [Plugin Name] argument. Currently, there is support for the following artifacts:

Plugin Name Artifact Name
ChromeNotificationRecord Chrome/Chromium Notifications

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dfindexeddb from gravatar.com dfindexeddb Avatar for google_opensource from gravatar.com google_opensource

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

This version

20260210

20260205

20251109

20241105

20241031

20240519

20240501

20240417

20240402

20240331

20240331a0 pre-release

20240324

20240305

20240301

20240229

20240225

20240224

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dfindexeddb-20260210.tar.gz (69.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

dfindexeddb-20260210-py3-none-any.whl (91.2 kB view details)

Uploaded Python 3

File details

Details for the file dfindexeddb-20260210.tar.gz.

File metadata

  • Download URL: dfindexeddb-20260210.tar.gz
  • Upload date:
  • Size: 69.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dfindexeddb-20260210.tar.gz
Algorithm Hash digest
SHA256 e1a8447b82e9a21d28a8647a908ec9d471067ef295133bb7a90fb7ca480577f6
MD5 c1f76ece37932651029c26766df1cfa9
BLAKE2b-256 459f5010f380e5300083628321935737a6cb34c7a943bd65d1ab64efcdb0452e

See more details on using hashes here.

Provenance

The following attestation bundles were made for dfindexeddb-20260210.tar.gz:

Publisher: pypi-publish.yml on google/dfindexeddb

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dfindexeddb-20260210-py3-none-any.whl.

File metadata

  • Download URL: dfindexeddb-20260210-py3-none-any.whl
  • Upload date:
  • Size: 91.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dfindexeddb-20260210-py3-none-any.whl
Algorithm Hash digest
SHA256 c037eb764b8bc437e2052d9d54952de1ef97aec4c81d5676b490a2901fdf4290
MD5 939ff126586476d1bfb71d9d37a0ef05
BLAKE2b-256 c8102912124299c87e7184bcee47f3895d23d11571b877e3dface338f510bb8b

See more details on using hashes here.

Provenance

The following attestation bundles were made for dfindexeddb-20260210-py3-none-any.whl:

Publisher: pypi-publish.yml on google/dfindexeddb

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page