dfIndexeddb

dfindexeddb is an experimental Python tool for performing digital forensic analysis of IndexedDB and LevelDB files.

It parses LevelDB, IndexedDB and JavaScript structures from these files without requiring native libraries. (Note: only a subset of IndexedDB key types and JavaScript types for Firefox, Safari and Chromium-based browsers is currently supported.)

The content of IndexedDB files is dependent on what a web application stores locally/offline using the web browser's IndexedDB API. Examples of content might include:

  • text from a text/source-code editor application,
  • emails and contact information from an e-mail application,
  • images and metadata from a photo gallery application

Installation

  1. [Linux] Install the snappy compression development package
    $ sudo apt install libsnappy-dev
  2. Create a virtual environment and install the package
    $ python3 -m venv .venv
    $ source .venv/bin/activate
    $ pip install dfindexeddb

Optional plugins

To also install the dependencies for leveldb/indexeddb plugins, run

    $ pip install 'dfindexeddb[plugins]'

Installation from source

  1. [Linux] Install the snappy compression development package
    $ sudo apt install libsnappy-dev
  2. Clone or download/unzip the repository to your local machine.

  3. Create a virtual environment and install the package

    $ python3 -m venv .venv
    $ source .venv/bin/activate
    $ pip install .

Optional plugins

To also install the dependencies for leveldb/indexeddb plugins, run

    $ pip install '.[plugins]'

Usage

Two CLI tools for parsing IndexedDB/LevelDB files are available after installation:

IndexedDB

    $ dfindexeddb -h
    usage: dfindexeddb [-h] {blink,gecko,db,ldb,log} ...

    A cli tool for parsing IndexedDB files

    positional arguments:
      {blink,gecko,db,ldb,log}
        blink               Parse a file as a blink-encoded value.
        gecko               Parse a file as a gecko-encoded value.
        db                  Parse a directory/file as IndexedDB.
        ldb                 Parse a ldb file as IndexedDB.
        log                 Parse a log file as IndexedDB.

    options:
      -h, --help    show this help message and exit

Examples:

| Platform / Source | Format | Command |
| --- | --- | --- |
| Firefox (sqlite) | JSON | dfindexeddb db -s SOURCE --format firefox -o json |
| Safari (sqlite) | JSON-L | dfindexeddb db -s SOURCE --format safari -o jsonl |
| Chrome (LevelDB/sqlite) | JSON | dfindexeddb db -s SOURCE --format chrome |
| Chrome (.ldb) | JSON-L | dfindexeddb ldb -s SOURCE -o jsonl |
| Chrome (.log) | Python repr | dfindexeddb log -s SOURCE -o repr |
| Chrome (Blink) | JSON | dfindexeddb blink -s SOURCE |
| Filter Records by key | JSON | dfindexeddb db -s SOURCE --format chrome --filter_key search_term |
| Filter Records by value | JSON | dfindexeddb db -s SOURCE --format chrome --filter_value "search_term" |

LevelDB

    $ dfleveldb -h
    usage: dfleveldb [-h] {db,log,ldb,descriptor} ...

    A cli tool for parsing leveldb files

    positional arguments:
      {db,log,ldb,descriptor}
        db                  Parse a directory as leveldb.
        log                 Parse a leveldb log file.
        ldb                 Parse a leveldb table (.ldb) file.
        descriptor          Parse a leveldb descriptor (MANIFEST) file.

    options:
      -h, --help            show this help message and exit

Examples

| Source | Type | Command |
| --- | --- | --- |
| LevelDB Folder | Records | dfleveldb db -s SOURCE |
| Log file (.log) | Physical Records | dfleveldb log -s SOURCE -t physical_records |
| Log file (.log) | Blocks | dfleveldb log -s SOURCE -t blocks |
| Log file (.log) | Write Batches | dfleveldb log -s SOURCE -t write_batches |
| Log file (.log) | Internal Key Records | dfleveldb log -s SOURCE -t parsed_internal_key |
| Table file (.ldb) | Records | dfleveldb ldb -s SOURCE -t record |
| Table file (.ldb) | Blocks | dfleveldb ldb -s SOURCE -t blocks |
| Descriptor (MANIFEST) | Version Edits | dfleveldb descriptor -s SOURCE -t versionedit |
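
What the physical-record and write-batch views of a .log file correspond to on disk, as an added example that is not dfindexeddb's own code and does not use its API: a minimal parser for the LevelDB log layout (7-byte record headers inside 32 KiB blocks, fragments reassembled into write batches). The function names and sample bytes are constructed for illustration, and the record checksum is read but not verified.

```python
import struct

BLOCK_SIZE = 32768                # .log files are written in 32 KiB blocks
HEADER = struct.Struct("<IHB")    # masked CRC32C, payload length, record type
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4

def batches(data):
    """Walk physical records and yield reassembled write-batch payloads."""
    pos, buf = 0, b""
    while pos + HEADER.size <= len(data):
        pad = BLOCK_SIZE - pos % BLOCK_SIZE
        if pad < HEADER.size:     # block tail too small for a header: padding
            pos += pad
            continue
        _crc, length, rtype = HEADER.unpack_from(data, pos)  # CRC not verified
        end = pos + HEADER.size + length
        if rtype not in (FULL, FIRST, MIDDLE, LAST) or end > len(data):
            break                 # zeroed or truncated tail: stop parsing
        buf = (b"" if rtype in (FULL, FIRST) else buf) + data[pos + HEADER.size:end]
        if rtype in (FULL, LAST):
            yield buf
        pos = end

def varint(buf, pos):
    """Decode a base-128 varint; return (value, next position)."""
    value = shift = 0
    while True:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if buf[pos - 1] < 0x80:
            return value, pos

def write_batch(payload):
    """Decode a batch into (sequence, op, key, value) tuples."""
    seq, count = struct.unpack_from("<QI", payload, 0)
    pos, ops = 12, []
    for i in range(count):
        tag, (klen, pos) = payload[pos], varint(payload, pos + 1)
        key, pos, value = payload[pos:pos + klen], pos + klen, None
        if tag == 1:              # 1 = put (value follows), 0 = delete (key only)
            vlen, pos = varint(payload, pos)
            value, pos = payload[pos:pos + vlen], pos + vlen
        ops.append((seq + i, "put" if tag == 1 else "delete", key, value))
    return ops

# Constructed sample: one batch (sequence 7) split across two physical records.
BATCH = struct.pack("<QI", 7, 2) + b"\x01\x03msg\x05hello" + b"\x00\x03msg"
SAMPLE = b"".join(HEADER.pack(0, len(p), t) + p
                  for t, p in ((FIRST, BATCH[:10]), (LAST, BATCH[10:])))
OPS = [op for batch in batches(SAMPLE) for op in write_batch(batch)]
```

A delete is written to the log as its own entry with the key intact, so in the sample the key appears twice in OPS: once as a put with its value and once as a delete.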

Optional Plugins

To apply a plugin parser for a leveldb file/folder, add the --plugin [Plugin Name] argument. Currently, there is support for the following artifacts:

| Plugin Name | Artifact Name |
| --- | --- |
| ChromeNotificationRecord | Chrome/Chromium Notifications |

Download files

Source Distribution

dfindexeddb-20260205.tar.gz (65.4 kB)

Uploaded Source

Built Distribution

dfindexeddb-20260205-py3-none-any.whl (86.9 kB)

Uploaded Python 3

File details

Details for the file dfindexeddb-20260205.tar.gz.

File metadata

  • Download URL: dfindexeddb-20260205.tar.gz
  • Upload date:
  • Size: 65.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dfindexeddb-20260205.tar.gz
| Algorithm | Hash digest |
| --- | --- |
| SHA256 | e1351dd1b96f4b48c43f8de7e138c339f87b9dcf23368ddd62f95caa3a633af3 |
| MD5 | d752864c64a9cb855814600326245be8 |
| BLAKE2b-256 | a1abea2830bf057bf44825bd96abfebfe1992c09fc831e2104c154ff735fc589 |

Provenance

The following attestation bundles were made for dfindexeddb-20260205.tar.gz:

Publisher: pypi-publish.yml on google/dfindexeddb

File details

Details for the file dfindexeddb-20260205-py3-none-any.whl.

File metadata

  • Download URL: dfindexeddb-20260205-py3-none-any.whl
  • Upload date:
  • Size: 86.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dfindexeddb-20260205-py3-none-any.whl
| Algorithm | Hash digest |
| --- | --- |
| SHA256 | 49da12f60f221fe63b994ea8573e276a38fb0e6f85ae8aa3feb758876acafc1d |
| MD5 | 75993feeb254be192f8f7b3fb63d9397 |
| BLAKE2b-256 | a3f56fb972c9195add9f38230d2bd1e48a57e29e424c352fa9c14722094a3052 |

Provenance

The following attestation bundles were made for dfindexeddb-20260205-py3-none-any.whl:

Publisher: pypi-publish.yml on google/dfindexeddb
