dfindexeddb is an experimental Python tool for performing digital forensic analysis of IndexedDB and leveldb files.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dfindexeddb from gravatar.com dfindexeddb Avatar for google_opensource from gravatar.com google_opensource

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

dfIndexeddb

dfindexeddb is an experimental Python tool for performing digital forensic analysis of IndexedDB and LevelDB files.

It parses LevelDB, IndexedDB and JavaScript structures from these files without requiring native libraries. (Note: only a subset of IndexedDB key types and JavaScript types for Firefox, Safari and Chromium-based browsers are currently supported).

The content of IndexedDB files is dependent on what a web application stores locally/offline using the web browser's IndexedDB API. Examples of content might include:

  • text from a text/source-code editor application,
  • emails and contact information from an e-mail application,
  • images and metadata from a photo gallery application

Installation

  1. [Linux] Install the snappy compression development package
    $ sudo apt install libsnappy-dev
  1. Create a virtual environment and install the package
    $ python3 -m venv .venv
    $ source .venv/bin/activate
    $ pip install dfindexeddb

To also install the dependencies for leveldb/indexeddb plugins, run

    $ pip install 'dfindexeddb[plugins]'

Installation from source

  1. [Linux] Install the snappy compression development package
    $ sudo apt install libsnappy-dev

  1. Clone or download/unzip the repository to your local machine.

  2. Create a virtual environment and install the package

    $ python3 -m venv .venv
    $ source .venv/bin/activate
    $ pip install .

To also install the dependencies for leveldb/indexeddb plugins, run

    $ pip install '.[plugins]'

Usage

Two CLI tools for parsing IndexedDB/LevelDB files are available after installation:

IndexedDB

$ dfindexeddb -h
usage: dfindexeddb [-h] {db,ldb,log} ...

A cli tool for parsing indexeddb files

positional arguments:
  {db,ldb,log}
    db          Parse a directory as indexeddb.
    ldb         Parse a ldb file as indexeddb.
    log         Parse a log file as indexeddb.

options:
  -h, --help    show this help message and exit

Examples:

To parse IndexedDB records from an sqlite file for Firefox and output the results as JSON, use the following command:

dfindexeddb db -s SOURCE --format firefox -o json

To parse IndexedDB records from an sqlite file for Safari and output the results as JSON-L, use the following command:

dfindexeddb db -s SOURCE --format safari -o jsonl

To parse IndexedDB records from a LevelDB folder for Chrome/Chromium, using the manifest file to determine recovered records and output as JSON, use the following command:

dfindexeddb db -s SOURCE --format chrome --use_manifest

To parse IndexedDB records from a LevelDB ldb (.ldb) file and output the results as JSON-L, use the following command:

dfindexeddb ldb -s SOURCE -o jsonl

To parse IndexedDB records from a LevelDB log (.log) file and output the results as the Python printable representation, use the following command:

dfindexeddb log -s SOURCE -o repr

To parse a file as a Chrome/Chromium IndexedDB blink value and output the results as JSON:

dfindexeddb blink -s SOURCE

LevelDB

$ dfleveldb -h
usage: dfleveldb [-h] {db,log,ldb,descriptor} ...

A cli tool for parsing leveldb files

positional arguments:
  {db,log,ldb,descriptor}
    db                  Parse a directory as leveldb.
    log                 Parse a leveldb log file.
    ldb                 Parse a leveldb table (.ldb) file.
    descriptor          Parse a leveldb descriptor (MANIFEST) file.

options:
  -h, --help            show this help message and exit

Examples

To parse records from a LevelDB folder, use the following command:

dfleveldb db -s SOURCE

To parse records from a LevelDB folder, and use the sequence number to determine recovered records and output as JSON, use the following command:

dfleveldb db -s SOURCE --use_sequence_number

To parse blocks / physical records/ write batches / internal key records from a LevelDB log (.log) file, use the following command, specifying the type (block, physical_records, etc) via the -t option. By default, internal key records are parsed:

$ dfleveldb log  -s SOURCE [-t {blocks,physical_records,write_batches,parsed_internal_key}]

To parse blocks / records from a LevelDB table (.ldb) file, use the following command, specifying the type (blocks, records) via the -t option. By default, records are parsed:

$ dfleveldb ldb -s SOURCE [-t {blocks,records}]

To parse version edit records from a Descriptor (MANIFEST) file, use the following command:

$ dfleveldb descriptor -s SOURCE [-o {json,jsonl,repr}] [-t {blocks,physical_records,versionedit} | -v]

Plugins

To apply a plugin parser for a leveldb file/folder, add the --plugin [Plugin Name] argument. Currently, there is support for the following artifacts:

Plugin Name Artifact Name
ChromeNotificationRecord Chrome/Chromium Notifications

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dfindexeddb from gravatar.com dfindexeddb Avatar for google_opensource from gravatar.com google_opensource

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

20260210

20260205

This version

20251109

20241105

20241031

20240519

20240501

20240417

20240402

20240331

20240331a0 pre-release

20240324

20240305

20240301

20240229

20240225

20240224

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dfindexeddb-20251109.tar.gz (60.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

dfindexeddb-20251109-py3-none-any.whl (81.1 kB view details)

Uploaded Python 3

File details

Details for the file dfindexeddb-20251109.tar.gz.

File metadata

  • Download URL: dfindexeddb-20251109.tar.gz
  • Upload date:
  • Size: 60.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dfindexeddb-20251109.tar.gz
Algorithm Hash digest
SHA256 108726bc75f9b03975122ac1e048c8967f3e65e50402aa2c8a7b44ce6e60f190
MD5 fa029e078dd28bdbcd05428860175968
BLAKE2b-256 1f53f5725398c78a302cd9e0c13e76d2b4cb3a03c2f5793dcc5642546772612b

See more details on using hashes here.

Provenance

The following attestation bundles were made for dfindexeddb-20251109.tar.gz:

Publisher: pypi-publish.yml on google/dfindexeddb

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dfindexeddb-20251109-py3-none-any.whl.

File metadata

  • Download URL: dfindexeddb-20251109-py3-none-any.whl
  • Upload date:
  • Size: 81.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dfindexeddb-20251109-py3-none-any.whl
Algorithm Hash digest
SHA256 e530471e2bb078b9015ef026746d89d0b954b8e5f1c56c755908111122153994
MD5 530146393ccbf0a9e71051f874a54ded
BLAKE2b-256 18cf851ff8068424177770cbe0fcbaa0ef915823d9dda4a715d90707d4def457

See more details on using hashes here.

Provenance

The following attestation bundles were made for dfindexeddb-20251109-py3-none-any.whl:

Publisher: pypi-publish.yml on google/dfindexeddb

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page