Forensic Artifacts — Symantec EDR “localdatastore” Folder

Recently one of my colleagues shared with me an interesting set of blog posts called “Your AV is Trying to Tell You Something” by @bmmaloney97, in which the author explores and analyzes a set of log files from Symantec Endpoint Protection (SEP for short) and uncovers a lot of interesting information stored in them. Along the same lines, I thought I’d take a look at Symantec EDR and look for interesting artifacts there. In this quick blog post I describe my findings so far.

Quick Overview

For anyone not familiar with Symantec EDR, here is a quick overview of the product (at least the on-premises version).

The artifacts discussed in this post live under the following folder on the endpoint:

\ProgramData\Symantec\Symantec Endpoint Protection\[Version]\Data\EDR\localdatastore

Local Data Store

The “localdatastore” folder contains sub-folders, each holding a portion of the collected data. The sub-folders are named by date: data collected on 16 February 2021 is stored inside a folder named “20210216XXX”, where “XXX” is an optional sequence number between “000” and “999”. Inside such a folder we find some interesting files.

  • “LOG” file, which contains information about transactions made to the “.ldb” files
  • “.log” file (discussed below)
  • Other files

“.log” File

Each time data is collected from the endpoint it is first written to a “.log” file; only afterwards is it written into the “.ldb” files, where it is compressed. A “.log” file therefore holds the newest collected data before compression, and it only exists until that data has been moved into the “.ldb” files.

Example of SEDR Log

Because a “.log” file disappears once its data has been moved into the “.ldb” files, the following PowerShell snippet uses a FileSystemWatcher to copy every newly created “.log” file out of the localdatastore tree as soon as it appears:

    # Watch the whole localdatastore tree for new files
    $fileSysWatcher = New-Object System.IO.FileSystemWatcher
    $fileSysWatcher.IncludeSubdirectories = $true
    $fileSysWatcher.Path = [Path to the localdatastore folder]
    $fileSysWatcher.EnableRaisingEvents = $true

    # Runs for every "Created" event; $event is the automatic event variable
    $action = {
        $path = $event.SourceEventArgs.FullPath
        $changetype = $event.SourceEventArgs.ChangeType
        $ext = [IO.Path]::GetExtension($path)
        # Only preserve the short-lived ".log" files (not "LOG" or ".ldb")
        if ($ext -eq ".log") {
            Copy-Item -Path $path -Destination [Path to new location]
        }
    }

    Register-ObjectEvent $fileSysWatcher 'Created' -Action $action
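To make the folder-naming convention (“YYYYMMDD” plus an optional three-digit sequence) and the “LOG” / “.log” / “.ldb” file roles concrete, here is a small triage script. It is an added example, not code from the original post or from Symantec: it inventories the dated sub-folders of a localdatastore copy and carves printable ASCII and UTF-16LE strings out of each “.log” file, the same way you would run `strings` over a copied file. The directory layout and the bytes in `SAMPLE_LOG_BYTES` are constructed for the demo; the real on-disk format of the “.log” files is not described here, so the carving is deliberately format-agnostic.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Sub-folder names: YYYYMMDD plus an optional three-digit sequence number,
# e.g. "20210216" or "20210216003".
FOLDER_RE = re.compile(r"^(\d{8})(\d{3})?$")

# Constructed bytes standing in for a ".log" file (not a real sample): a few
# binary bytes, an ASCII path, then a UTF-16LE command line.
SAMPLE_LOG_BYTES = (
    b"\x00\x01\x02\x00"
    + b"C:\\Users\\bob\\AppData\\Local\\Temp\\evil.exe"
    + b"\x00\x00"
    + "powershell.exe -enc".encode("utf-16-le")
    + b"\xff\xfe"
)


def parse_store_folder(name):
    """Return (date, sequence-or-None) for a dated sub-folder name, else None."""
    m = FOLDER_RE.match(name)
    if not m:
        return None
    try:
        day = datetime.strptime(m.group(1), "%Y%m%d").date()
    except ValueError:  # e.g. month 13: not a data folder
        return None
    seq = int(m.group(2)) if m.group(2) else None
    return day, seq


def classify(path):
    """Bucket a file by the naming convention described in the post."""
    if path.name == "LOG":
        return "LOG"
    if path.suffix == ".log":
        return "log"
    if path.suffix == ".ldb":
        return "ldb"
    return "other"


def inventory(store):
    """List every file that sits inside a dated sub-folder of localdatastore."""
    rows = []
    for sub in sorted(Path(store).iterdir()):
        if not sub.is_dir():
            continue
        parsed = parse_store_folder(sub.name)
        if parsed is None:  # skip folders that do not follow the convention
            continue
        day, seq = parsed
        for f in sorted(sub.iterdir()):
            if f.is_file():
                rows.append({"date": day.isoformat(), "seq": seq, "file": f.name,
                             "kind": classify(f), "size": f.stat().st_size,
                             "path": str(f)})
    return rows


def printable_strings(data, min_len=6):
    """Carve printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def build_sample_store(root):
    """Create a constructed localdatastore layout (hypothetical file names)."""
    root = Path(root)
    day = root / "20210216000"
    day.mkdir()
    (day / "LOG").write_text("constructed LOG text\n")
    (day / "000012.log").write_bytes(SAMPLE_LOG_BYTES)
    (day / "000005.ldb").write_bytes(b"\x00" * 32)
    (root / "not-a-data-folder").mkdir()
    (root / "not-a-data-folder" / "x.txt").write_text("ignored")
    return root


def run_demo():
    """Build the sample store, inventory it and carve strings from each .log."""
    with tempfile.TemporaryDirectory() as tmp:
        rows = inventory(build_sample_store(tmp))
        strings = {r["file"]: printable_strings(Path(r["path"]).read_bytes())
                   for r in rows if r["kind"] == "log"}
    return {"inventory": rows, "strings": strings}


if __name__ == "__main__":
    out = run_demo()
    for r in out["inventory"]:
        print(f'{r["date"]} seq={r["seq"]} {r["kind"]:5} {r["size"]:6} {r["file"]}')
    for name, strs in out["strings"].items():
        print(name, "->", strs)
```

Point `inventory()` at a copied localdatastore folder (never the live one, to avoid fighting the product for file locks) and run `printable_strings()` on the “.log” files you preserved; the UTF-16LE pass matters because Windows command lines and paths are often stored as wide strings.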

Conclusion

This was a quick look at the “localdatastore” folder of the Symantec EDR product. I’ll keep analyzing the logs and files in the hope of finding more interesting artifacts.

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.