Enumerates all Key values in a LevelDB database and outputs their corresponding Value
Like the project? Please give it a star ⭐ to show your appreciation and watch the project to get notified on new releases
This project was created because there was no cross-platform tool that could enumerate every key in a LevelDB database and output its value. Other LevelDB dumpers were either limited to one OS or had a complex installation process, so a dumper was needed that can be downloaded and run without dependency or installation issues.
I'm by no means an expert at using Go, so the code might not be as efficient or clean as it could be. If you want to help improve code quality, please consider contributing.
A massive thanks to Harsh Vardhan Singh and his repo which laid the foundations for some of the LevelDB enumeration work.
LevelDB Dumper has been tested to work on the following applications and to provide the following forensic artefacts:
- Discord - User email, User token, Recent games, Search history, Draft messages, Collapsed categories/channels, User settings, GIF favourites (Local Storage DB)
- WhatsApp - User name, mobile phone type (Local Storage DB)
This works on Local Storage LevelDBs, which use LevelDB's default comparator (leveldb.BytewiseComparator). Support for IndexedDB databases, which use the idb_cmp1 comparator, is coming soon and will enable support for applications such as Skype, Microsoft Teams and more.
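Knowing the comparator before opening a database is what lets a dumper tell a Local Storage store from an IndexedDB one (the roadmap item "Detect comparator type from MANIFEST file"). The Go program below is an added example and not LevelDB Dumper's own code: it parses a MANIFEST's log framing (32 KiB blocks of crc32c-checked records, the same framing LevelDB uses for .log files) and reads the comparator name from the first VersionEdit, where both LevelDB and goleveldb record it. The constants come from LevelDB's log_format.h, crc32c.cc and version_edit.cc; buildManifest constructs the sample bytes, and all function names are this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// LevelDB log framing: a MANIFEST is written with the same log::Writer as .log files. Each 32 KiB
// block holds records of [crc32c:4][length:2][type:1][payload]; a record that does not fit in the
// block's remainder is split into FIRST/MIDDLE/LAST fragments.
const (
	blockSize, headerSize                 = 32768, 7
	maskDelta                             = 0xa282ead8 // LevelDB's CRC mask constant
	recFull, recFirst, recMiddle, recLast = 1, 2, 3, 4
	tagComparator                         = 1 // VersionEdit tag that carries the comparator name
)

var crcTable = crc32.MakeTable(crc32.Castagnoli)

// maskedCRC is the checksum LevelDB stores: crc32c over the type byte plus payload, then
// rotated and offset so a CRC embedded in checksummed data is not self-referential.
func maskedCRC(typ byte, payload []byte) uint32 {
	crc := crc32.Update(crc32.Checksum([]byte{typ}, crcTable), crcTable, payload)
	return ((crc >> 15) | (crc << 17)) + maskDelta
}

// readRecords verifies every fragment's checksum and reassembles the logical records.
func readRecords(data []byte) (records [][]byte, err error) {
	var partial []byte
	for pos := 0; pos+headerSize <= len(data); {
		if rem := blockSize - pos%blockSize; rem < headerSize {
			pos += rem // block trailer too small for a header: zero padding
			continue
		}
		length, typ := int(binary.LittleEndian.Uint16(data[pos+4:])), data[pos+6]
		if typ == 0 && length == 0 { // zero-filled remainder of a preallocated block
			pos += blockSize - pos%blockSize
			continue
		}
		end := pos + headerSize + length
		if end > len(data) {
			return records, fmt.Errorf("record at offset %d runs past end of file", pos)
		}
		payload := data[pos+headerSize : end]
		if binary.LittleEndian.Uint32(data[pos:]) != maskedCRC(typ, payload) {
			return records, fmt.Errorf("checksum mismatch at offset %d", pos)
		}
		switch typ {
		case recFull:
			records = append(records, append([]byte(nil), payload...))
		case recFirst:
			partial = append([]byte(nil), payload...)
		case recMiddle:
			partial = append(partial, payload...)
		case recLast:
			records, partial = append(records, append(partial, payload...)), nil
		default:
			return records, fmt.Errorf("unknown record type %d at offset %d", typ, pos)
		}
		pos = end
	}
	return records, nil
}

// ComparatorFromManifest returns the comparator named in a MANIFEST's contents. LevelDB and
// goleveldb write it as the first tag of the first VersionEdit (varint tag 1, varint length, name).
// "leveldb.BytewiseComparator" is the default used by Local Storage; Chromium IndexedDB records "idb_cmp1".
func ComparatorFromManifest(data []byte) (string, error) {
	records, err := readRecords(data)
	if len(records) == 0 {
		return "", fmt.Errorf("no complete record in MANIFEST (%v)", err)
	}
	rec := records[0]
	tag, n := binary.Uvarint(rec)
	if n <= 0 || tag != tagComparator {
		return "", fmt.Errorf("first VersionEdit tag is %d, expected comparator (1)", tag)
	}
	size, m := binary.Uvarint(rec[n:])
	if m <= 0 || uint64(len(rec)-n-m) < size {
		return "", fmt.Errorf("comparator name runs past the record")
	}
	return string(rec[n+m : n+m+int(size)]), nil
}

// buildManifest constructs a minimal, checksum-correct MANIFEST for offline testing: one FULL
// record holding a VersionEdit whose only tag is the comparator.
func buildManifest(comparator string) []byte {
	// Both varints fit in one byte: the tag is 1 and comparator names are shorter than 128 bytes.
	edit := append([]byte{tagComparator, byte(len(comparator))}, comparator...)
	hdr := make([]byte, headerSize)
	binary.LittleEndian.PutUint32(hdr, maskedCRC(recFull, edit))
	binary.LittleEndian.PutUint16(hdr[4:], uint16(len(edit)))
	hdr[6] = recFull
	return append(hdr, edit...)
}

func main() {
	fmt.Println(ComparatorFromManifest(buildManifest("idb_cmp1")))
}
```

To use it on a real database, read the file named in CURRENT (for example MANIFEST-000001) and pass its bytes to ComparatorFromManifest. Anything other than leveldb.BytewiseComparator means the keys are not ordered as plain byte strings and the database must be opened with the matching comparator (idb_cmp1 for IndexedDB) to be enumerated correctly.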
- `-h`, `--help` Display this help message
- `-d`, `--dir` Directory to recursively process. This is required
- `-q`, `--quiet` Don't output every key/value pair to the console (by default every pair is printed)
- `-t`, `--outputType` Output type. Can be "csv" or "json"
- `-o`, `--outputDir` Directory to save all output results to. Required for any file output
- `-f`, `--outputFile` Filename to use when saving output. The database path and the date are appended to it
- `-b`, `--batch` Combine all output files into one file. Supported by the "csv" and "json" file types
- `-c`, `--clean-output` Clean the file output of non-graphic characters, such as \u0001
- `-z`, `--timezone` IANA timezone to use for timestamps (e.g. America/New_York; "Local" is also accepted). Default is UTC
- `--no-header` Don't display the header
- `-u`, `--check-update` Check for updates only
- `--offline` Run in offline mode, which skips the update check

Short (single-letter) options are prefixed with a single dash; long options are prefixed with two dashes.
Examples:

```
LevelDBParser.exe -d "C:\Temp\leveldb"
LevelDBParser.exe -d "C:\Temp\leveldb" -o "C:\Temp" -q --offline
LevelDBParser.exe -d "C:\Temp\leveldb" --quiet --no-header --clean-output
LevelDBParser.exe -d "C:\Temp\leveldb" -b --outputType json --outputFile Evidence.json
LevelDBParser.exe -d "C:\Temp\leveldb" -t csv -f LevelDB.csv -o Evidence -b --quiet
LevelDBParser.exe -d "C:\Temp\leveldb" -t csv -o Evidence -b --timezone America/New_York
LevelDBParser.exe -d "C:\Temp\leveldb" -t json -o Evidence -b -z Local --quiet --clean-output
LevelDBParser.exe --check-update
LevelDBParser.exe --help
```
LevelDB Dumper searches recursively from the directory passed to it for LevelDB databases. Each one it finds is queued, and once the whole directory tree has been searched the queued databases are enumerated in turn. By default the key/value pairs are printed to the console.

It is recommended to write the dump to files. Passing `-o <Directory>` writes one file per LevelDB database found, with a file name containing the timestamp of the dump and the path of the database; the default format is CSV. If you want all the output in one file, add `-b` to batch the dumps into a single file with extra columns for the database path and the time it was dumped.

Note that Unicode control and other non-graphic characters are stripped from the strings shown on the console but are kept in file output such as CSV unless `--clean-output` is given. This matters for applications such as Discord, whose key names contain null bytes: stripping them keeps the console output readable, while the file output preserves the raw key bytes.
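The recursive discovery, batch columns and control-character handling described above, as an added Go example that is not LevelDB Dumper's code. The key/value enumeration that the project does with goleveldb is replaced by an injected function (FakeDump, returning one constructed Discord-style Local Storage record) so that the example runs with only the standard library; the fixture directories, column names and function names are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"time"
	_ "time/tzdata" // embedded IANA zone data, so LoadLocation works without system tzdata
	"unicode"
)

// KV is one key/value pair read from a database.
type KV struct{ Key, Value string }

// FindLevelDBs walks root and returns every directory holding a CURRENT file (the file LevelDB uses
// to name the live MANIFEST; every database directory has one).
func FindLevelDBs(root string) []string {
	var dbs []string
	filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		// Unreadable entries are skipped rather than aborting the walk of a whole image.
		if err == nil && !d.IsDir() && d.Name() == "CURRENT" {
			dbs = append(dbs, filepath.Dir(path))
		}
		return nil
	})
	return dbs
}

// Clean drops every rune that is not graphic (control bytes such as \x00 and \x01, which
// Chromium Local Storage keys contain), as the console view and --clean-output do.
func Clean(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsGraphic(r) {
			return r
		}
		return -1
	}, s)
}

// BatchCSV dumps every database under root into one CSV with the database path and the dump
// timestamp (rendered in zone tz) as extra columns. With clean=false control bytes reach the file
// verbatim: encoding/csv only quotes fields holding commas, quotes or line breaks, so a \x00 in a
// key is written as a raw NUL byte.
func BatchCSV(root string, dump func(string) ([]KV, error), tz string, clean bool, now time.Time) (string, error) {
	loc, err := time.LoadLocation(tz) // IANA names plus "UTC" and "Local"
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	w.Write([]string{"Database", "DumpedAt", "Key", "Value"})
	stamp := now.In(loc).Format(time.RFC3339)
	for _, db := range FindLevelDBs(root) {
		pairs, err := dump(db)
		if err != nil {
			return "", fmt.Errorf("%s: %w", db, err)
		}
		for _, kv := range pairs { // an empty database contributes no rows
			k, v := kv.Key, kv.Value
			if clean {
				k, v = Clean(k), Clean(v)
			}
			w.Write([]string{db, stamp, k, v})
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

// MakeFixture creates two constructed database directories (CURRENT file only) under root.
func MakeFixture(root string) error {
	for _, d := range []string{"Local Storage/leveldb", "Session Storage"} {
		dir := filepath.Join(root, d)
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, "CURRENT"), []byte("MANIFEST-000001\n"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// FakeDump stands in for enumeration: one constructed Discord-style Local Storage record
// ("_" + origin + "\x00\x01" + name, value prefixed with "\x01"); the other directory is empty.
func FakeDump(dbDir string) ([]KV, error) {
	if filepath.Base(filepath.Dir(dbDir)) == "Local Storage" {
		return []KV{{"_https://discord.com\x00\x01token", "\x01\"constructed-token\""}}, nil
	}
	return nil, nil
}

func main() {
	root, _ := os.MkdirTemp("", "leveldbdumper")
	defer os.RemoveAll(root)
	if err := MakeFixture(root); err != nil {
		panic(err)
	}
	fmt.Println(BatchCSV(root, FakeDump, "America/New_York", true, time.Now()))
}
```

With clean=false the raw NUL and \x01 bytes from the key land in the CSV; many spreadsheet tools and grep then treat the file as binary, which is why --clean-output exists. Keep an uncleaned copy as well if the exact key bytes matter as evidence.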
There have been issues on Windows 10 where the program opens in a new window instead of the current command-line window, so the output is not visible. A work-around appears to be running Command Prompt/PowerShell as Administrator. In any case, for analysis the key/value pairs should be written to a file rather than redirected from or read in the command-line window.
To get a local copy up and running, follow these simple steps.

LevelDB Dumper is written in Go, so it runs cross-platform. If you are building from source, you will need to install Go.

- Download the latest release for your platform of choice.
- That's it!
Commands available in the README can change from time to time. To get the available commands for the latest release, run with --help
- Clone the repo

```
git clone https://github.com/mdawsonuk/LevelDBDumper.git
```

- Using the Go CLI, get the packages required to build

```
go get github.com/syndtr/goleveldb/leveldb
go get github.com/hashicorp/go-version
go get github.com/gookit/color
```

  If building for or on Windows, also get the Windows sys package

```
go get golang.org/x/sys/windows
```

- Using the Go CLI, build the application

```
cd src/LevelDBDumper
go build
```

- That's it! An executable is created in that directory. To build for another platform, set GOOS and GOARCH before `go build` (for example `GOOS=windows GOARCH=amd64 go build` from a Unix shell).
- Recursively parse from directory instead of providing one LevelDB database ✔️
- Improved help dialog with list of arguments and examples ✔️
- Export to CSV file for each discovered LevelDB database ✔️
- Quiet mode to avoid dumping all Key/Values ✔️
- Truncate long Values in non-quiet output ✔️
- Display coloured Key/Value for non-quiet mode ✔️
- Ignore processing empty LevelDB databases to avoid creating empty output files ✔️
- Travis CI builds for Windows and Linux ✔️
- Allow toggling of output colouring ✔️
- Check if user has Administrator/root privileges ✔️
- Detect comparator type from MANIFEST file ✔️
- Update check against GitHub (check latest release) ✔️
- JSON export ✔️
- `--no-header` command to hide header ✔️
- `-u`/`--check-update` command to only check for updates ✔️
- Allow optional cleaning of output of non-graphical characters ✔️
- Batch output file (all LevelDB dumps into one file) ✔️
- Specify last modified timestamp timezone, defaulting to UTC ✔️
- Allow customisation of output name
- Allow suppression of warning/error messages through the command line, e.g. `2>/dev/null`
- Implement idb_cmp1 Google comparator for IndexedDB databases
- Look into possibility of retrieving deleted keys from databases
Want to make the tool better? Improve the code? Pull requests are accepted and very much appreciated.
Distributed under the GPLv3 License. See LICENSE for more information.