Daily Blog #677: Solution Saturday 4/18/20 - LevelDB Parser Challenge

Daily Blog #677: Solution Saturday 4/18/20 - LevelDB Parser Challenge

By April 18, 2020 Comments : 0

LevelDB Parser Challenge



Hello Reader,
       I got some good answers this week and picking a winner was tough. This week I'm going to provide links to some additional submissions who almost cranked out a win. However this week's winner is Mark McKinnon who took a step beyond the others by:
A. Identifying the type of data storage in each of the relevant artifacts
B. Writing his own LevelDB Parser
C. Providing sample data to show
D. Expanding into additional artifacts

So that was my grading metric and here are the runner ups:

Phil Moore: https://thinkdfir.com/2020/04/17/part-of-a-sunday-funday-answer-microsoft-teams/


Tune in tomorrow for your chance at another win and look below to see Maxim's winning post.



Question: 
When looking at Microsoft Teams from a DFIR perspective:
1. Where are the artifacts?
2. What format are they in?
3. Can you recover chat history?
4. Can you recover call history?
5. Can you recover file transfer?
6. Can you recover meeting history?
7. Anything else you can determine?

The Winning Answer:
When looking at Microsoft Teams from a DFIR perspective:
1.     Where are the artifacts?
a.      Leveldb
i.         AppData/Roaming/Microsoft/Teams/Service Worker/Database
ii.       AppData/Roaming/Microsoft/Teams/Local Storage/leveldb/
iii.     AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb
b.      SQLite
i.      AppData/Roaming/Microsoft/Teams/skylib/slimcore-aria-cache.data
ii.       AppData/Roaming/Microsoft/Teams/databases/Databases.db
iii. AppData/Roaming/Microsoft/Teams/QuotaManager 
iv.   AppData/Roaming/Microsoft/Teams/Cookies
                            v.   AppData/Roaming/Microsoft/Teams/Origin Bound Certs
c.      Chrome Cache
i.         AppData/Roaming/Microsoft/Teams/Cache
ii.       AppData/Roaming/Microsoft/Teams/Application Cache
iii.      AppData/Roaming/Microsoft/Teams/GPUCache
d.      Json Files
i.         AppData/Roaming/Microsoft/Teams/storage.json
ii.       AppData/Roaming/Microsoft/Teams/desktop-config.json
e.      Text Log Files
i.         AppData/Roaming/Microsoft/Teams/logs.txt
ii.      AppData/Roaming/Microsoft/Teams/old_logs_YYYYMMDD24HHMMSS.txt f. Misc
                           iii.   AppData/Roaming/Microsoft/Teams/in_progress_download_metadata_store
2.     What format are they in?
a.      Leveldb
b.      SQLite
c.      Chrome Cache
d.      Json Files
e.      Text Log Files
f.       Misc - Not sure

3.     Can you recover chat history?
a.      Yes this information is stored in the

AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb  

              location but will have to worked on before they can easily be pulled out


             4.   Can you recover call history?
                         a.   Not sure about this, if anything may see it in the

AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_

0.indexeddb.leveldb data, will have to parse thru all this data to verify 

5.   Can you recover file transfer?
a.    I can see files that have been transferred, between AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb and AppData/Roaming/Microsoft/Teams/Cache should be able to find info.  I do know files are not stored on the workstation unless they have been downloaded.  Need to look into further.

             6.   Can you recover meeting history?
a.   Not sure best places to try and corollate this information would be in ppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com0.indexeddb.leveldb and AppData/Roaming/Microsoft/Teams/Cache\

7. Anything else you can determine?
a.      IP address of computer was found in Cookies Database.
                     There is a lot of information that needs to be investigated and correlated

 Artifacts

SQLite Databases

1.    Cookies
Host_Key
Name
Value
Creation_utc
Last_access-utc
Expires_utc
Description
.login.live.com
MSCC
99.99.213.76-US
13231215896175107
13262746541625305
13231215896175107
IP Address of Device Logged in on
Also has device id, auths and other things that have to be researched further.
2.    Origin Bound Certs - SQLite database with a Private key field , a host name and creation time fields, what this means has to be explored.
3.    Quota Manager - Only table that I see data in is OriginInfoTable, this has a origin column which has the teams site, it also has a use count which would have to be explored as to its meaning if any, a last access and modified MS epoch timestamps also.
4.    slimcore-aria-cache.data - this sqlite database also appears in skype, need to investigate further maybe deleted records in it.
5.    Databases - Nothing in this database yet will have to play more to see if things get added to it.

JSON and Text Files

1.    Storage.Json - Username, Email address, Ip Address, First Name, Last Name, Full Name, State Time, update Time - Time stamps would have to be explored with what they really represent.
2.    Logs.txt and old_logs-YYYYMMDD24HHMMSS.txt - have to look at closer but may be able to determine startup and shutdown of application and other things.
3.    in_progress_download_metadata_store - May store document id's have to take a closer look.
4.    Desktop-config.json - userid/email address, internal userid maybe, device id, machine id, session id - will have to look further to see how useful this is.

Chrome Cache

1.    Cache - Directory where information is cached, can see userid's, files shared, media streamed.  Will have to take a closer look to see how to decipher it all.
2.    Application Cache - Chrome Cache - Nothing in there at this point may need to add some Apps into teams to see what gets populated.
3.    GPUCache - Unclear what this all means and if there is any value here, will have to look at closer

LevelDB

1.    Service Worker/Database - Appears to be some config info, nothing at this points shows any useful infromation, may check back on this
2.    Local Storage/leveldb - Values for keys are json, saw username/email address, other things will have to be looked at closer to see if any value in the data

3.    IndexedDB/https+teams.microsoft.com_0indexeddb.leveldb - Looks like a lot of potential information, username's of individuals that may have had conversations, file names, Calls may be in here but there is a lot of information to go thru and parse to see how it all fits together.

 Artifact Locations/Formats
1.     Leveldb
a.      AppData/Roaming/Microsoft/Teams/Service Worker/Database
b.      AppData/Roaming/Microsoft/Teams/Local Storage/leveldb/
c.      AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_
0.indexeddb.leveldb
2.     SQLite
a.      AppData/Roaming/Microsoft/Teams/skylib/slimcore-aria-cache.data
b.      AppData/Roaming/Microsoft/Teams/databases/Databases.db
c.      AppData/Roaming/Microsoft/Teams/QuotaManager
d.      AppData/Roaming/Microsoft/Teams/Cookies
e.      AppData/Roaming/Microsoft/Teams/Origin Bound Certs
3.     Chrome Cache
a.      AppData/Roaming/Microsoft/Teams/Cache
b.      AppData/Roaming/Microsoft/Teams/Application Cache
c.      AppData/Roaming/Microsoft/Teams/GPUCache
4.     Json Files
a.      AppData/Roaming/Microsoft/Teams/storage.json
b.      AppData/Roaming/Microsoft/Teams/desktop-config.json
5.     Text Log Files
a.      AppData/Roaming/Microsoft/Teams/logs.txt
b.      AppData/Roaming/Microsoft/Teams/old_logs_YYYYMMDD24HHMMSS.txt
6.     Misc

a.      AppData/Roaming/Microsoft/Teams/in_progress_download_metadata_store

Also Read: Daily Blog #676

Post a Comment

Subscribe to: Post Comments ( Atom )