diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index de9eade..496943c 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -6,6 +6,8 @@ jobs:
 runs-on: windows-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ submodules: recursive
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
@@ -17,6 +19,8 @@ jobs:
 - name: Build binary 🔢
 run: pyinstaller "main.spec"
 - name: Run conversion ↩️
- run: .\dist\ms_teams_parser.exe -f ".\testdata\John Doe\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o "current_output.json"
+ run: |
+ .\dist\ms_teams_parser.exe -f ".\forensicsim-data\jane_doe_old_teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o "jane_doe.json"
+ .\dist\ms_teams_parser.exe -f ".\forensicsim-data\john_doe_old_teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o "john_doe.json"
 # - name: Calculate diff 👽
 # run: git diff --no-index --word-diff expected_output/john_doe.json current_output.json
diff --git a/.gitmodules b/.gitmodules
index bcac081..c210bb0 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,3 +4,6 @@
 [submodule "utils\\ccl_chrome_indexeddb"]
 path = utils\\ccl_chrome_indexeddb
 url = https://github.com/cclgroupltd/ccl_chrome_indexeddb/
+[submodule "forensicsim-data"]
+ path = forensicsim-data
+ url = https://github.com/KarelZe/forensicsim-data.git
diff --git a/README.md b/README.md
index 26e3e60..ac506f3 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ either be processed by the Autopsy Plugin or in another application.
 The main parser script can be used like this:
 ```bash
-.\dist\ms_teams_parser.exe -f ".\testdata\John Doe\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o "C:\Temp\John Doe.json"
+.\dist\ms_teams_parser.exe -f ".\forensicsim-data\john_doe_old_teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o "john_doe.json"
 ```
 Feel free to use the LevelDB files provided in this repository.
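Review bot: The new `with:` block on `actions/checkout@v4` turns on `submodules: recursive` but leaves the checkout token stored in the local git config for every later step, including the PyInstaller build and the parser runs. Nothing visible after checkout needs git access, so add `persist-credentials: false` next to `submodules: recursive`. `recursive` also follows any nested submodules declared inside the two third-party repositories; if the build needs none of those, `submodules: true` limits the fetch to the commits this repository pins itself. The rest of the job lies outside the hunk, so confirm no later step pushes or fetches before dropping the credentials.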
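Review bot: In the new multi-line `run: |` step a non-zero exit from the first `ms_teams_parser.exe` call can go unnoticed: as far as I know the default PowerShell wrapper on Windows runners only checks `$LASTEXITCODE` after the script's last command, so a failing `jane_doe` run followed by a passing `john_doe` run still reports success. Either split the two invocations into separate steps or add `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` after the first one. The outputs `jane_doe.json` and `john_doe.json` are also never compared with anything, because the `Calculate diff` step stays commented out and still names `current_output.json`; for a forensic parser a silent change in the extracted records deserves a comparison against expected files.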
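Review bot: With the sample data moved into the `forensicsim-data` submodule, a plain `git clone` no longer contains the LevelDB folders, yet the README context line in this commit still says the files are "provided in this repository". A short comment above the new entry, for example `# sample Teams IndexedDB data used by CI and the README example; fetch with: git submodule update --init`, together with the same hint in the README, would spare first-time users a missing-path error. The gitlink pins the data to a single commit, which keeps CI inputs reproducible, so later bumps of that commit should be reviewed like code changes.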
diff --git a/forensicsim-data b/forensicsim-data
new file mode 160000
index 0000000..68a144b
--- /dev/null
+++ b/forensicsim-data
@@ -0,0 +1 @@
+Subproject commit 68a144b3406fa3a532eee24b9181bb72a8ad691d
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000114.ldb b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000114.ldb
deleted file mode 100644
index e989473..0000000
Binary files a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000114.ldb and /dev/null differ
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000115.ldb b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000115.ldb
deleted file mode 100644
index 5b6bb94..0000000
Binary files a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000115.ldb and /dev/null differ
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000116.ldb b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000116.ldb
deleted file mode 100644
index cbe9689..0000000
Binary files a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000116.ldb and /dev/null differ
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000118.ldb b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000118.ldb
deleted file mode 100644
index dd5327e..0000000
Binary files a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000118.ldb and /dev/null differ
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/CURRENT b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/CURRENT
deleted file mode 100644
index 30eb131..0000000
--- a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/CURRENT
+++ /dev/null
@@ -1 +0,0 @@
-MANIFEST-000120
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOCK b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOCK
deleted file mode 100644
index e69de29..0000000
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG
deleted file mode 100644
index 9240ef4..0000000
--- a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG
+++ /dev/null
@@ -1,3 +0,0 @@
-2021/06/05-09:18:35.807000 15908 Recovering log #119
-2021/06/05-09:18:35.827000 15908 Delete type=0 #119
-2021/06/05-09:18:35.828000 15908 Delete type=3 #117
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG.old b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG.old
deleted file mode 100644
index daa9240..0000000
--- a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG.old
+++ /dev/null
@@ -1,5 +0,0 @@
-2021/06/05-09:18:25.095000 6172 Recovering log #112
-2021/06/05-09:18:25.103000 6172 Level-0 table #118: started
-2021/06/05-09:18:25.106000 6172 Level-0 table #118: 334495 bytes OK
-2021/06/05-09:18:25.118000 6172 Delete type=0 #112
-2021/06/05-09:18:25.118000 6172 Delete type=3 #1
diff --git a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000120 b/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000120
deleted file mode 100644
index d860a2a..0000000
Binary files a/testdata/Jane Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000120 and /dev/null differ
diff --git a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000115.ldb b/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000115.ldb
deleted file mode 100644
index 58a46cc..0000000
Binary files a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000115.ldb and /dev/null differ
diff --git a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000116.ldb b/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000116.ldb
deleted file mode 100644
index f027337..0000000
Binary files a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000116.ldb and /dev/null differ
diff --git a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/CURRENT b/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/CURRENT
deleted file mode 100644
index 7ed683d..0000000
--- a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/CURRENT
+++ /dev/null
@@ -1 +0,0 @@
-MANIFEST-000001
diff --git a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOCK b/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOCK
deleted file mode 100644
index e69de29..0000000
diff --git a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG b/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG
deleted file mode 100644
index 3296e80..0000000
--- a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG
+++ /dev/null
@@ -1,91 +0,0 @@
-2021/06/01-11:08:22.749 1bc8 Reusing MANIFEST C:\Users\forensics\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000001
-2021/06/01-11:08:22.751 1bc8 Recovering log #80
-2021/06/01-11:08:22.755 1bc8 Reusing old log C:\Users\forensics\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb/000080.log
-2021/06/01-11:34:29.465 878 Level-0 table #86: started
-2021/06/01-11:34:29.550 878 Level-0 table #86: 1572363 bytes OK
-2021/06/01-11:34:29.571 878 Delete type=0 #80
-2021/06/01-11:34:33.492 878 Compacting 1@1 + 2@2 files
-2021/06/01-11:34:33.812 878 Generated table #87@1: 6171 keys, 2157870 bytes
-2021/06/01-11:34:34.081 878 Generated table #88@1: 6579 keys, 1553069 bytes
-2021/06/01-11:34:34.082 878 Compacted 1@1 + 2@2 files => 3710939 bytes
-2021/06/01-11:34:34.084 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-11:34:34.086 878 Delete type=2 #82
-2021/06/01-11:34:34.087 878 Delete type=2 #83
-2021/06/01-11:34:34.087 878 Delete type=2 #86
-2021/06/01-11:51:24.252 878 Level-0 table #90: started
-2021/06/01-11:51:24.317 878 Level-0 table #90: 1468471 bytes OK
-2021/06/01-11:51:24.335 878 Delete type=0 #85
-2021/06/01-11:52:04.362 878 Compacting 1@1 + 2@2 files
-2021/06/01-11:52:04.599 878 Generated table #91@1: 6703 keys, 2163120 bytes
-2021/06/01-11:52:04.749 878 Generated table #92@1: 6361 keys, 1579429 bytes
-2021/06/01-11:52:04.749 878 Compacted 1@1 + 2@2 files => 3742549 bytes
-2021/06/01-11:52:04.751 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-11:52:04.752 878 Delete type=2 #87
-2021/06/01-11:52:04.752 878 Delete type=2 #88
-2021/06/01-11:52:04.752 878 Delete type=2 #90
-2021/06/01-12:14:58.927 878 Level-0 table #94: started
-2021/06/01-12:14:58.985 878 Level-0 table #94: 1606715 bytes OK
-2021/06/01-12:14:58.988 878 Delete type=0 #89
-2021/06/01-12:16:12.424 878 Compacting 1@1 + 2@2 files
-2021/06/01-12:16:12.529 878 Generated table #95@1: 6743 keys, 2162266 bytes
-2021/06/01-12:16:12.652 878 Generated table #96@1: 6970 keys, 1706305 bytes
-2021/06/01-12:16:12.652 878 Compacted 1@1 + 2@2 files => 3868571 bytes
-2021/06/01-12:16:12.653 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-12:16:12.654 878 Delete type=2 #91
-2021/06/01-12:16:12.654 878 Delete type=2 #92
-2021/06/01-12:16:12.654 878 Delete type=2 #94
-2021/06/01-12:28:37.975 878 Level-0 table #98: started
-2021/06/01-12:28:38.003 878 Level-0 table #98: 1446134 bytes OK
-2021/06/01-12:28:38.004 878 Delete type=0 #93
-2021/06/01-12:29:18.793 878 Compacting 1@1 + 2@2 files
-2021/06/01-12:29:18.884 878 Generated table #99@1: 6743 keys, 2161280 bytes
-2021/06/01-12:29:19.014 878 Generated table #100@1: 7389 keys, 1786103 bytes
-2021/06/01-12:29:19.014 878 Compacted 1@1 + 2@2 files => 3947383 bytes
-2021/06/01-12:29:19.020 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-12:29:19.023 878 Delete type=2 #95
-2021/06/01-12:29:19.024 878 Delete type=2 #96
-2021/06/01-12:29:19.025 878 Delete type=2 #98
-2021/06/01-12:48:01.382 878 Level-0 table #102: started
-2021/06/01-12:48:01.437 878 Level-0 table #102: 1546489 bytes OK
-2021/06/01-12:48:01.438 878 Delete type=0 #97
-2021/06/01-12:48:15.611 878 Compacting 1@1 + 2@2 files
-2021/06/01-12:48:15.794 878 Generated table #103@1: 6824 keys, 2161016 bytes
-2021/06/01-12:48:15.913 878 Generated table #104@1: 7828 keys, 1879845 bytes
-2021/06/01-12:48:15.913 878 Compacted 1@1 + 2@2 files => 4040861 bytes
-2021/06/01-12:48:15.915 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-12:48:15.915 878 Delete type=2 #99
-2021/06/01-12:48:15.915 878 Delete type=2 #100
-2021/06/01-12:48:15.915 878 Delete type=2 #102
-2021/06/01-13:09:23.833 878 Level-0 table #106: started
-2021/06/01-13:09:23.921 878 Level-0 table #106: 1509663 bytes OK
-2021/06/01-13:09:23.927 878 Delete type=0 #101
-2021/06/01-13:09:58.991 878 Compacting 1@1 + 2@2 files
-2021/06/01-13:09:59.219 878 Generated table #107@1: 6882 keys, 2161119 bytes
-2021/06/01-13:09:59.472 878 Generated table #108@1: 8337 keys, 1992965 bytes
-2021/06/01-13:09:59.472 878 Compacted 1@1 + 2@2 files => 4154084 bytes
-2021/06/01-13:09:59.473 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-13:09:59.474 878 Delete type=2 #103
-2021/06/01-13:09:59.474 878 Delete type=2 #104
-2021/06/01-13:09:59.474 878 Delete type=2 #106
-2021/06/01-13:22:19.323 878 Level-0 table #110: started
-2021/06/01-13:22:19.417 878 Level-0 table #110: 1429237 bytes OK
-2021/06/01-13:22:19.423 878 Delete type=0 #105
-2021/06/01-13:23:26.726 878 Compacting 1@1 + 2@2 files
-2021/06/01-13:23:26.871 878 Generated table #111@1: 6907 keys, 2160730 bytes
-2021/06/01-13:23:27.057 878 Generated table #112@1: 8690 keys, 2065540 bytes
-2021/06/01-13:23:27.057 878 Compacted 1@1 + 2@2 files => 4226270 bytes
-2021/06/01-13:23:27.061 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-13:23:27.062 878 Delete type=2 #107
-2021/06/01-13:23:27.062 878 Delete type=2 #108
-2021/06/01-13:23:27.062 878 Delete type=2 #110
-2021/06/01-13:43:03.005 878 Level-0 table #114: started
-2021/06/01-13:43:03.098 878 Level-0 table #114: 1576186 bytes OK
-2021/06/01-13:43:03.101 878 Delete type=0 #109
-2021/06/01-13:44:09.358 878 Compacting 1@1 + 2@2 files
-2021/06/01-13:44:09.450 878 Generated table #115@1: 6958 keys, 2160117 bytes
-2021/06/01-13:44:09.547 878 Generated table #116@1: 9273 keys, 2183136 bytes
-2021/06/01-13:44:09.547 878 Compacted 1@1 + 2@2 files => 4343253 bytes
-2021/06/01-13:44:09.548 878 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-13:44:09.549 878 Delete type=2 #111
-2021/06/01-13:44:09.549 878 Delete type=2 #112
-2021/06/01-13:44:09.549 878 Delete type=2 #114
diff --git a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG.old b/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG.old
deleted file mode 100644
index eb4e725..0000000
--- a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/LOG.old
+++ /dev/null
@@ -1,14 +0,0 @@
-2021/06/01-10:12:06.695 17ec Reusing MANIFEST C:\Users\forensics\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000001
-2021/06/01-10:12:06.697 17ec Recovering log #74
-2021/06/01-10:12:06.721 17ec Reusing old log C:\Users\forensics\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb/000074.log
-2021/06/01-10:46:52.270 70 Level-0 table #81: started
-2021/06/01-10:46:52.297 70 Level-0 table #81: 1637675 bytes OK
-2021/06/01-10:46:52.299 70 Delete type=0 #74
-2021/06/01-10:50:49.190 70 Compacting 1@1 + 2@2 files
-2021/06/01-10:50:49.245 70 Generated table #82@1: 6659 keys, 2163971 bytes
-2021/06/01-10:50:49.315 70 Generated table #83@1: 5444 keys, 1387104 bytes
-2021/06/01-10:50:49.315 70 Compacted 1@1 + 2@2 files => 3551075 bytes
-2021/06/01-10:50:49.317 70 compacted to: files[ 0 0 2 0 0 0 0 ]
-2021/06/01-10:50:49.318 70 Delete type=2 #77
-2021/06/01-10:50:49.318 70 Delete type=2 #78
-2021/06/01-10:50:49.318 70 Delete type=2 #81
diff --git a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000001 b/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000001
deleted file mode 100644
index 01e68bf..0000000
Binary files a/testdata/John Doe/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/MANIFEST-000001 and /dev/null differ