Logo ot the FQLite Project

Forensic SQLite Data Recovery Tool 

Author: Dirk Pawlaszczyk


Introduction

FQLite is a tool to find and restore deleted records in SQlite databases. It therefore examines the database for entries marked as deleted. Those entries can be recovered and displayed. It is written with the Java programming language. The program can operates with a simple graphical user interface (GUI mode). The program is able to search a SQLite database file for regular as well as deleted records.

Technical Background

SQLite is a software library that implements a simple SQL database engine. It is trendy and used in different software products. Mozilla Firefox and Google Chrome, for example, use SQLite version 3 databases for user data such as history, cookies, and downloads. Sometimes single records are deleted from the database, or even a complete table has been dropped. But this does not mean that this data is physically removed. In most cases, such artifacts can still be found, even if the beginning of the data records has been partially overwritten. Beyond this, a database file might contain one or more pages that are not in active use. Such unused pages can arise when information is deleted from the database. They are stored on the free list and were reused, whenever new pages are required. Such artifacts are often of high forensic value. FQLite can make this data visible again by extracting the desired information directly from the binary data. The tool works without an interface on the raw data image.


The User Interface (Main-Screen)
Figure: The FQLite user interface

Features


FQLite allows you to:
Some features:


user interface
Figure: The SQL Analyzer

Text-to-SQL Assistant
Figure: Text-to-SQLAssistant


Benchmark

Below are some test results of programs achieved with the forensic corpus [1], a benchmark specifically designed for SQLite databases. The table shows how well the individual tools performed in restoring the 278 deleted records of the corpus.

Undark SQLite
Deleted
Record
Parser		 Stellar
Phoenix
Repair
for SQLite		 SysTools
SQLite
Database
Recovery		 Sanderson
Forensic
Browser
for SQLite
95/278
34,8%		 139/278
50%		 0/278
0%		 0/278
0%		 33/278
11,9%
SQLabs
SQLite
Doctor		 Sqlite
Forensic
Explorer		 Autopsy
SQLite
Deleted
Records
Plugin		 bring2lite FQLite
0/278
0%
 73/278
26,3
 0/278
0%
 147/278
52,9%
 278/278
100%

 Table: Recovery rates of FQLite compared to
9 other tools tested with the Forensic Corpus
(vgl. D. Pawlaszczyk and C. Hummert 2021 [2] S. Nemetz and S. Schmitt et al 2018 [1])

Download latest version


February 05th  2026

GitHub Downloads (all assets, specific tag)  GitHub Downloads (all assets, specific tag)  GitHub Downloads (all assets, specific tag) 

The latest stable Version 4.0 available for download here:

click here to start download the Linux version for X64 architecture click here to start download the Windows version for X64 architecture click here to start download the MAC OS version for X64 architectureclick here to start download the MAC OS version for M1/M2 Macs


Changes in release 4.0:
  • the schema view was completely reworked
  • HTML Report functionality was added
  • introducing a new RAG-pipeline support AI-based a Text-to-SQL functionality for SQL query generation
  • SQL-Analyzer now works with SQLite syntax, Support for other dialects has been canceled
  • smaller Bug fixes
  • solved some issues around IllegalStateException: "Not on FX application thread"

Changes in release 3.3:

  • an export into a SQLite database is supported
  • reworked user interface (introduced new icons, added points to context menus)
  • source code cleaning and improvments - better readability, comments were added
  • login level can now be adjusted by the user within the settings dialogue
  • smaller bug fixes

Changes in release 3.2:

  • smaller bug fixes in detection algorithm
  • added a new ROWID column
  • pll and hl columns are merged now into one column
  • UI layout improvements

Changes in release 3.1:

  • SQLAnalyzer beta has been added
  • HexViewer -> bug fixes (blank lines when klick on offset)
  • Improvements during db import (FXObservable)
  • Licence info was updated (changed to Apache 2.0 Licence)

Changes in release 3.0:

  • We now support ".exe" installation files for Windows as welle as ".deb installation" package for Linux
  • Updated user handbook
  • smaller bug fixes

Changes in release 2.7:

  • Export functionality has been completely reworked (new dialog window)
  • Font settings as well as export settings are now persistent
  • Fixed bug in multi-row selection


Changes in release 2.65:

  • Added support for FTS3/FTS4 virtual tables
  • Massive speed improvements for larger files (including WAL)
  • Solved some issues with software locks in GUI mode
  • Bug fixes in WAL overflow handling
  • Encrypted databases (e.g. Signal.db) are now automatically detected and import stops
  • smaller bug fixes for BLOB preview

Changes in release 2.6:

  • Added support for databases with a size > 2,1 GB
  • Hex-Viewer is now only displayed if needed (not allways in Background)
  • There is a new ViewLog option in the 'Info'-Menu - you can now check the log-messages
  • Columns for header fields, schema-info  and pages-tab are new sortable
  • Filter function on table view has been updated
  • Links in the Schema-Detail-View now work as expected
  • Fonts-Dialog now offers Support to go back to Default Font
  • Smaller bug fixes 

Changes in release 2.5:

  • Improved support for decoding BLOB-columns (BSON, MessagePack, AVRO, Thrift...)
  • Smaller bug fixes

Changes in release 2.41:
  • Improved detection of deleted files
  • New pages tab for preview page types
  • Improved Filter-function for tables (you can now filter for a particular column)
  • Several smaler bug fixes

Changes in release 2.3:

  • Support for pdf-BLOBs with internal PDF-Viewer
  • copy Tooltip content to clipboard
  • view .tiff and .heic BLOBs with OS default viewer fort those file types
  • clicking on the <help> - function will open an PDF-Version from the user manual (before, the online help was displayed)

Changes in release 2.2:
  • Preview of bplist (Apple plist-format), BASE64 decoded string as well as Google ProtoBuffer (experimental) is now supported
  • Improved timestamp support for Integer and Real fields (in tooltip)
  • Easy BLOB export to clipboard
  • Some smaller bug fixes for data schema analyzes (schema table definitions without a sql-type are now correctly mapped to BLOB) 


In the latest version, the FQLite is bundled with a Java Runtine Environment (JRE) and all required libraries.

Important note: With version 2.0 the support for the command line mode was cancelled.

User Guide

The latest version  of the official userguide can be obtained here

SQLite Forencis with FQLite - The Official Userguide


Installation Instructions


macOS
Installation via .dmg File

1. Download the latest version of FQLite in .dmg format from the Release page.
2. Open the .dmg file and drag the application into the "Applications" folder.
3. You can now launch FQLite from the Applications folder.

Important node: If you try to open an app by an unknown developer and you see a warning dialog on your Mac. A dialog is displayed saying that the app is damaged. In fact, the app is simply not signed with a developer certificate. For this reason, Gatekeeper refuses to execute. The first method will allow a single program to run, without having to disable Gatekeeper. Open a terminal and run the following command: 
sudo  xattr -dr com.apple.quarantine /Applications/fqlite.app

The app should then start without any further complaints.

Windows
Installation via .exe File

1. Download the latest version of FQLite in .exe format from the Release page.
2. Run the .exe file and follow the installation instructions.
3. After installation, FQLite can be opened from the Start menu.

Linux
Installation via .deb File

1. Download the latest version of FQLite in .deb format from the Release page.
2. Open a terminal and navigate to the directory where the .deb file is saved.
3. Install FQLite with the following command:

sudo apt install ./fqlite.deb

4. After installation, FQLite can be launched from the application menu.


Video tutorial and other resources


You can watch here a small introduction video, which explains the essential functions of FQLite right here (in German) click here.

To download an example database with 9 different binary format samples click here.

To view a short video showing the decoding of binary data with FQlite click here.

Get the Source Code


You check out the source code you can download the github repository from this link:

https://github.com/pawlaszczyk/fqlite

GitHub Logo

References

[1] S. Nemetz, S. Schmitt, F. Freiling: A standardized corpus for SQLite database forensics. In: Digital Investigation, vol. 24, Supplement, 2018, pages 121-130, (2018).    
https://doi.org/10.1016/j.diin.2018.01.015.

[2] D. Pawlaszczyk, C. Hummert: (2021). Making the Invisible Visible – Techniques for Recovering Deleted SQLite Data Records. International Journal of Cyber Forensics and Advanced Threat Investigations, 0, 1-1. Retrieved from https://conceptechint.net/index.php/CFATI/article/view/17

Also check out my publication on Springer Mobile Forensics – The File Format Handbook. This open access book summarizes knowledge about several file systems and mobile file formats commonly used in mobile devices. It also includes a chapter on Forensic Analysis of SQLite Databases.

File Format Handbook - Cover


Contact


Address:
Dirk Pawlaszczyk
Technikumplatz17
09846 Mittweida
Germany

Email:
pawlaszc@hs-mittweida.de

My university web page:

https://www.cb.hs-mittweida.de/professoren-innen/forensik/prof-pawlaszczyk/

Contact me on Researchgate:

https://www.researchgate.net/profile/Dirk_Pawlaszczyk
 This web page was tested and can be viewed with the Netscape Navigator 9 and Lynx web browser.  No tracking. No JavaScript.

© 2019-2026 Dirk Pawlaszczyk 
Impressum