Forensic Artifacts — Parsing Symantec EDR “localdatastore” LevelDB Files

Last week I wrote a blog post about an interesting forensic artifact related to Symantec EDR (the “localdatastore”) that can be found inside the Symantec SEP “program data” folder. If you haven’t read it, I suggest you do so before continuing, as this post is a direct continuation.

Symantec EDR “.ldb” Files

Symantec EDR stores the information collected from an endpoint in “.ldb” files inside the “localdatastore” folder. These files are actually “LevelDB” files. Here is a small definition from their official GitHub.

Parsing Symantec EDR “.ldb” files

So, to extract all the data collected by SEDR, here is how to proceed.

  • Execute the “dump_leveldb.py” script on a folder containing “.ldb” files (found inside the localdatastore folder).

python3 dump_leveldb.py /path/to/ldb/folder

(Figure: Parsed / Reconstructed LevelDB database)

  • Execute the “sedr_localdatastore_parser.py” script on the CSV file generated by the previous step.

python sedr_localdatastore_parser.py /path/to/generated/csv/file

(Figure: Parsed SEDR data)
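To show what a dump script such as dump_leveldb.py has to do at the lowest level, here is an added example (my own code, not the author's script) that decodes one LevelDB data block: it walks the prefix-compressed entries and splits each internal key into user key, sequence number and record type, so tombstones can be told apart from live values. The sample block is constructed inline by a small encoder; locating blocks through the file footer and index, and decompressing Snappy-compressed blocks, are assumed to have happened already and are not covered here.

```python
import os, struct

def decode_varint(buf, pos):
    """Decode a LevelDB varint32 (base-128, low bits first); return (value, position after it)."""
    result, shift = 0, 0
    while buf[pos] & 0x80:
        result |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return result | (buf[pos] << shift), pos + 1

def encode_varint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def split_internal_key(ikey):
    """LevelDB keys end in an 8-byte trailer: (sequence << 8) | type, where type 0 = deletion, 1 = value."""
    trailer = struct.unpack('<Q', ikey[-8:])[0]
    return ikey[:-8], trailer >> 8, 'value' if trailer & 0xFF == 1 else 'deletion'

def parse_block(block):
    """Walk the prefix-compressed entries of one data block (5-byte type/CRC trailer already removed)."""
    num_restarts = struct.unpack('<I', block[-4:])[0]
    end = len(block) - 4 * (num_restarts + 1)   # restart offsets and their count sit at the end
    pos, prev_key, records = 0, b'', []
    while pos < end:
        shared, pos = decode_varint(block, pos)    # key bytes reused from the previous entry
        unshared, pos = decode_varint(block, pos)  # key bytes stored in this entry
        vlen, pos = decode_varint(block, pos)
        key, pos = prev_key[:shared] + block[pos:pos + unshared], pos + unshared
        value, pos = block[pos:pos + vlen], pos + vlen
        records.append(split_internal_key(key) + (value,))   # (user_key, seq, kind, value)
        prev_key = key
    return records

def build_block(entries):  # constructed-sample encoder: one data block with a single restart point
    out, prev_key = bytearray(), b''
    for ukey, seq, ktype, value in entries:
        ikey = ukey + struct.pack('<Q', (seq << 8) | ktype)
        shared = len(os.path.commonprefix([prev_key, ikey]))
        out += encode_varint(shared) + encode_varint(len(ikey) - shared) + encode_varint(len(value))
        out += ikey[shared:] + value
        prev_key = ikey
    return bytes(out) + struct.pack('<II', 0, 1)   # restart array: offset 0, count 1

# Constructed sample: the tombstone (seq 8) supersedes the older value (seq 3), yet both remain in the block.
SAMPLE_ENTRIES = [(b'event:0001', 9, 1, b'{"proc":"cmd.exe"}'), (b'event:0002', 8, 0, b''),
                  (b'event:0002', 3, 1, b'{"proc":"old.exe"}')]
```

The forensic point is that a block keeps every version it was written with, so a superseded value and its tombstone both remain readable until compaction rewrites the file; a parser that only returns the newest record per key would silently drop that history.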

Conclusion

That’s it for this blog post. I hope you enjoyed reading this as much as I did researching it. If you have any suggestions or questions, hit me up on Twitter: @nas_bench

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.