ogmini - Exploration of DFIR

Having fun while learning about and pivoting into the world of DFIR.

---

About Blog Research CTF/Challenge GitHub RSS

21 January 2025

Diving Deep - LevelDB

by ogmini

While investigating the ChatGPT Desktop application in yesterday’s post, I came across an Electron App leveraging LevelDB databases. That of course led me to search for tools and research to help me parse and understand the LevelDB files.

I found that a lot of research has been focused on Discord, WhatApp, and older versions of Teams.

• A presentation by Claudia Squire on Electron Apps
  • https://www.sans.org/presentations/electron-apps-unplugged-unveiling-digital-forensic-treasures/
  • https://www.youtube.com/watch?v=XDFAgns90-s
• Research published by CCL Solutions Group along with python code
  • https://www.cclsolutionsgroup.com/post/hang-on-thats-not-sqlite-chrome-electron-and-leveldb
  • https://www.cclsolutionsgroup.com/post/indexeddb-on-chromium
  • https://www.cclsolutionsgroup.com/post/chromium-session-storage-and-local-storage
• LevelDB Dumper
  • https://github.com/mdawsonuk/LevelDBDumper
• Hindsight
  • https://dfir.blog/hindsight-better-leveldb-and-new-web-ui/
• Arsenal Recon has a tool called LevelDB Recon. This is commercial software, I have no way to play with this one.
  • https://arsenalrecon.com/additional-products

There is a lot to dig into here. I haven’t found anytime to explore any of the tools or libraries to see how they work. I was saddened to not find any 010 Editor Binary Templates. Maybe something to play around with… The documentation from CCL Solutions Group should make it pretty straightforward.

tags: LevelDB - exploration