cclgroupltd / ccl_chromium_reader

(Sometimes partial) Python re-implementations of the technologies involved in reading various data sources in Chrome-esque applications.
MIT License

Exception "invalid magic number" in Microsoft Teams Leveldb files #13

Closed StephB4L closed 2 years ago

StephB4L commented 2 years ago

Hi, when I try to parse a MS Teams IndexedDB folder I run into this exception:

  File "ccl_chrome_indexeddb\ccl_leveldb.py", line 554, in __init__
  File "ccl_chrome_indexeddb\ccl_leveldb.py", line 221, in __init__
ValueError: Invalid magic number in ******\******\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\002818.ldb

MS Teams version too recent, maybe?

cclgroupltd commented 2 years ago

I don't believe that the leveldb format has changed in such a fundamental way; the magic is still the same: https://github.com/google/leveldb/blob/479a1f4e9b1138d7dda4db5078aadc4e7b845a85/table/format.h#L76

I suspect that something about that particular file may be broken. Did you maybe export deleted files from an image and that file is partially overwritten? Are you able to share the contents of the last 48 bytes of the file referenced (there shouldn't be any sensitive data there if the file isn't broken, just information about the structure of the file)?

StephB4L commented 2 years ago

> I suspect that something about that particular file may be broken. Did you maybe export deleted files from an image and that file is partially overwritten?

The folder content wasn't carved or recovered or deleted (I think). I have an image (EWF file) ciphered with BitLocker; I mounted it (then of course I entered the BitLocker pw) and extracted the Teams IndexedDB folder with a logical copy.

Errata corrige: it seems they are deleted files! So sorry and thanks for your patience!

> Are you able to share the contents of the last 48 bytes of the file referenced (there shouldn't be any sensitive data there if the file isn't broken, just information about the structure of the file)?

Ok, this is weird: the file (002818.ldb) is almost empty (but its size is 2MiB) and almost every offset is filled with 00. The same goes for the subsequent file (002819.ldb); it almost seems data starts from 002820.ldb or 002834.ldb. The log text file is called 002832.log; maybe I should delete or ignore ldb file under that number?

cclgroupltd commented 2 years ago

It's almost always deleted files. If you exclude those files it should work fine (I hope!).

StephB4L commented 2 years ago

> It's almost always deleted files. If you exclude those files it should work fine (I hope!).

It worked like a charm. Many thanks!
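
The footer check discussed in this thread, as an added example that is not part of the original issue or of ccl_chromium_reader's own code: it reads the last 48 bytes of every `.ldb` file in a folder and compares the trailing 8 bytes with leveldb's table magic number (`kTableMagicNumber` in the linked `format.h`), so broken or zeroed files can be set aside before parsing. The function names, status labels and sample files are constructed for illustration.

```python
import os
import struct
import tempfile
from pathlib import Path

FOOTER_SIZE = 48                  # two padded block handles (40 bytes) + 8-byte magic
TABLE_MAGIC = 0xDB4775248B80FB57  # kTableMagicNumber in leveldb's table/format.h


def check_ldb(path):
    """Classify one table file: 'ok', 'too_short', 'zero_footer' or 'bad_magic'."""
    if os.path.getsize(path) < FOOTER_SIZE:
        return "too_short"
    with open(path, "rb") as f:
        f.seek(-FOOTER_SIZE, os.SEEK_END)
        footer = f.read(FOOTER_SIZE)
    (magic,) = struct.unpack("<Q", footer[-8:])  # magic is stored little-endian
    if magic == TABLE_MAGIC:
        return "ok"
    # An all-zero footer matches what the reporter saw in 002818.ldb;
    # any other value is a different kind of damage.
    return "zero_footer" if not any(footer) else "bad_magic"


def triage_folder(folder):
    """Return {filename: status} for every .ldb file in a LevelDB folder."""
    return {p.name: check_ldb(p) for p in sorted(Path(folder).glob("*.ldb"))}


def build_sample(folder):
    """Write constructed sample files (not real Teams data) covering each status."""
    good = b"\x01" * 100 + b"\x00" * 40 + struct.pack("<Q", TABLE_MAGIC)
    Path(folder, "000005.ldb").write_bytes(good)
    Path(folder, "000003.ldb").write_bytes(b"\x00" * 4096)
    Path(folder, "000004.ldb").write_bytes(b"\x00" * 4000 + b"\xAA" * 96)
    Path(folder, "000002.ldb").write_bytes(b"\x00" * 10)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, status in triage_folder(d).items():
            print(f"{name}: {status}")
```

Run it against a working copy of the exported folder and move any file not reported as `ok` out of that copy rather than deleting it from the original export.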