Forensic Artifacts — Parsing Symantec EDR “localdatastore” LevelDB Files

Symantec EDR “.ldb” Files

Parsing Symantec EDR “.ldb” files

  • First clone the “ccl_chrome_indexeddb” repository (Link Below)
  • Next, copy the SEDR “localdatastore” folder to a separate location.
  • Execute the “” script on a folder containing “.ldb” files (found inside the localdatastore folder).
python3 /path/to/ldb/folder
  • This will generate a CSV file containing “all” the information that was stored inside the “.ldb” files. (See screenshot)
Parsed / Reconstructed Level DB database
python /path/to/generated/csv/file
Parsed SEDR Data





I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

KuCoin Announces to Support the KardiaChain (KAI) MainNet Token Swap

Copycat Attack on Balancer: Why DeFi Needs to Change

{UPDATE} Julenissen Adventure Games Hack Free Resources Generator

Bexpress Pro: Giving You Confidence In Trading

{UPDATE} Shopkins: Shoppie Dash! Hack Free Resources Generator

HIPAA from InfoSec Viewpoint

@ christopherlucas You are warned!!.

Hacking A $Trillion Fund — Why HTTPS is Not Secure

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nasreddine Bencherchali

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.

More from Medium

The Story of A Simple SentinelOne Hash Blacklist Bypass

Digital Forensics and its Types and Process by Mr. Ankur Chandrakant

Practical Malware Analysis

Sweet Orange Exploitation Kit Infection — Malware Traffic Analysis