fatcousin
// evidence type

sqlite database / wal

app db · browser History/Cookies sqlite · messenger store. parse schema, recover wal-free pages, carve deleted records — common on mobile and desktop.

tools
12
priority
H
processing
local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. sqlite forensicsdrop any SQLite database · scan free pages for deleted row data · check WAL journal · list all tables · detect hidden data · recover partial deleted records · export CSV · runs locally
  2. sqlite wal analyzerdrop -wal · optional .db schema · WAL header frames transactions · leaf page rows · page viewer · csv export · runs locally
  3. sqlite record carverdrop a sqlite database · recover deleted records · parse free pages · unallocated space · extract surviving data · runs locally
  4. sqlite wal and free page deep reconstructordrop any sqlite database · simultaneously scan free pages · wal journal · and unallocated page regions · recover soft-deleted rows · uncommitted wal transactions · partial records · unified recovery report · runs locally
  5. sqlite rescuerecover rows from a corrupt SQLite database · page-level scan · export surviving tables to CSV · runs locally
  6. Chrome / Firefox / Edge SQLite history parserdrop chrome firefox or edge sqlite history database file · parse visit history search terms and download records · reconstruct browsing timeline · identify high-risk domains and visit patterns · runs locally
  7. android whatsapp database forensic analyzerdrop an Android WhatsApp msgstore.db · parse all messages, chats, groups, and media metadata · reconstruct conversation timelines · surface message delivery status, forwarding metadata, location shares, and contact cards · detect deleted message gaps · runs locally
  8. microsoft access database forensic analyzerdrop mdb or accdb files · parse jet database structure · extract tables · recover deleted records · vba macro scan · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. iOS WhatsApp artifact forensic extractordrop iOS WhatsApp ChatStorage.sqlite and Contacts.sqlite · parse all chats, messages, groups, and media references · reconstruct conversation timelines with delivery status · surface location shares, contact cards, and deleted message placeholders · runs locally
  2. browser storage forensic correlatordrop indexeddb leveldb · localstorage json · cookies sqlite · cache exports · correlate session · auth tokens · pii · runs locally
  3. IndexedDB artifact extractordrop chrome or firefox indexeddb leveldb files or sqlite file · extract stored web application data · reconstruct key-value records from indexeddb databases · surface web app session tokens cached content and application state · runs locally
  4. case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
ready