
Electron Application Forensics and Analyzing LevelDB in Digital Forensics: A Simple Guide


Electron is a game-changer in the world of app development. It lets developers build desktop applications with web technologies such as JavaScript, HTML, and CSS. Apps built with Electron look and feel like native applications, but under the hood each one bundles its own copy of Chromium for rendering and a Node.js runtime for the main process. That combination gives the app full access to the file system and operating system APIs, which makes Electron apps powerful and versatile, and it also means every one of them carries a Chromium storage stack of its own.


-----------------------------------------------------------------------------------------------------------


Why Should We Care About Electron in Forensics?

From a forensic perspective, Electron apps are interesting for two main reasons:


  1. Electron is Chromium-based – It uses Chromium's storage layer, so it writes the same kinds of artifacts as Google Chrome (cache, Local Storage, Session Storage, IndexedDB) in the same on-disk formats.

  2. Each Electron app maintains its own browser-like profile – Unlike a shared browser profile, every Electron-based app creates and manages its own Chromium databases under its own user-data folder, so one app's data never mixes with another's.


This matters because popular apps such as Discord, Slack, Microsoft Teams (the classic client) and WhatsApp Desktop have shipped as Electron apps, and each of them stores user data in its own location. If you are investigating a system, chances are you will find several Electron applications, each leaving behind its own set of forensic artifacts.


-----------------------------------------------------------------------------------------------------------


Where to Find Electron App Data

Identifying an Electron app is easy. Look for Chrome-like folders in unexpected places. On Windows that means the Roaming profile folder, because Electron's app.getPath('userData') defaults to %APPDATA%\<app name>:

%UserProfile%\AppData\Roaming\<app name>

On macOS the equivalent is ~/Library/Application Support/<app name>, and on Linux ~/.config/<app name>. An app can relocate its data with app.setPath('userData', ...), so check AppData\Local as well when a known app is missing from Roaming.

Each Electron app keeps its own set of Chromium-based databases, but unlike a full Chrome profile you will not find History, Bookmarks, Login Data or the other browser-specific SQLite databases.


Instead, they rely mainly on:

  • Chromium Cache

  • LevelDB databases (Local Storage, Session Storage, IndexedDB), each in its own folder under the app's user-data directory
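
As an added example (written for this page, not taken from the original post or from Electron's own code), the following Python script automates that triage: it walks a profile folder, flags every directory that carries the Chromium storage markers listed above, and separates genuine browser profiles (which also contain History, Bookmarks and Login Data) from Electron apps. The folder names it looks for are Chromium's; the sample tree built by build_sample_tree() is constructed for the demo and the app names in it are invented.

```python
"""Triage: find Electron-style Chromium storage folders under a user profile.

Added example, not code from the original post. On Windows, Electron's
app.getPath('userData') defaults to %APPDATA%\\<app name>, so that is the
natural root to walk; folders that also carry a full browser profile (History,
Bookmarks, Login Data) are labelled as browsers so Chrome/Edge profiles are not
mistaken for apps. build_sample_tree() creates a constructed directory tree in
a temp folder so the demo runs anywhere; the app names in it are invented.
"""
import os
import tempfile
from pathlib import Path

MARKERS = {                                  # what an Electron app's userData dir contains
    "local_storage": Path("Local Storage") / "leveldb",
    "session_storage": Path("Session Storage"),
    "indexeddb": Path("IndexedDB"),
    "cache": Path("Cache"),
}
BROWSER_ONLY = ("History", "Bookmarks", "Login Data", "Web Data")   # full-browser SQLite files
LEVELDB_HOMES = ("Local Storage", "Session Storage", "IndexedDB")

def count_leveldb_files(path):
    """Count .ldb and .log files below the DOM-storage folders (IndexedDB nests per origin)."""
    ldb = log = 0
    for home in LEVELDB_HOMES:
        if not (path / home).is_dir():
            continue
        for f in (path / home).rglob("*"):
            if f.suffix == ".ldb":
                ldb += 1
            elif f.suffix == ".log":
                log += 1
    return ldb, log

def classify_dir(path):
    """Return a finding for a folder with Chromium storage markers, else None."""
    path = Path(path)
    found = sorted(name for name, rel in MARKERS.items() if (path / rel).exists())
    if not found:
        return None
    browser = any((path / f).exists() for f in BROWSER_ONLY)
    ldb, log = count_leveldb_files(path)
    return {"path": str(path), "kind": "browser profile" if browser else "electron app",
            "markers": found, "ldb_files": ldb, "log_files": log}

def find_electron_apps(root, max_depth=4):
    """Walk root; stop descending once a storage folder is found (or at max_depth)."""
    root, hits = Path(root), []
    for dirpath, dirnames, _ in os.walk(root):
        path = Path(dirpath)
        info = classify_dir(path)
        if info:
            info["relpath"] = path.relative_to(root).as_posix()
            hits.append(info)
            dirnames[:] = []                 # the app's own storage tree is not another app
        elif len(path.relative_to(root).parts) >= max_depth:
            dirnames[:] = []
    return hits

def build_sample_tree():
    """Constructed sample: two app folders, one browser profile, one unrelated folder."""
    root = Path(tempfile.mkdtemp(prefix="electron-triage-"))
    files = [
        "ChatApp/Local Storage/leveldb/000003.log",
        "ChatApp/Local Storage/leveldb/000005.ldb",
        "ChatApp/Local Storage/leveldb/CURRENT",
        "ChatApp/Cache/index",
        "Vendor/Collab/IndexedDB/https_collab.example.invalid_0.indexeddb.leveldb/000001.ldb",
        "Vendor/Collab/Local Storage/leveldb/MANIFEST-000001",
        "Vendor/Collab/Session Storage/000002.log",
        "FakeBrowser/User Data/Default/Local Storage/leveldb/000001.ldb",
        "FakeBrowser/User Data/Default/History",
        "Plain/settings.ini",
    ]
    for rel in files:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"")
    return str(root)

if __name__ == "__main__":
    for hit in find_electron_apps(build_sample_tree()):
        print(hit["kind"], hit["relpath"], hit["markers"], hit["ldb_files"], hit["log_files"])
```

On a live Windows system call find_electron_apps(os.environ["APPDATA"]); on a mounted image point it at the exported Users\<name>\AppData\Roaming folder, and at AppData\Local as well, since an app can relocate its data. The .ldb/.log counts tell you at a glance whether there is a write-ahead log worth pulling first.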


-----------------------------------------------------------------------------------------------------------


Understanding Electron’s Storage Structure

1. Chromium Cache

Every Electron app has its own cache, just like Chrome. This cache stores local copies of resources fetched from the web, making it an excellent source of forensic data. Standard forensic tools used to analyze Chrome’s cache will also work here.


Expect to find:

  • User-uploaded images

  • Downloaded files

  • JSON-formatted chat messages (especially in apps like Discord)

  • Cached web pages


🔎 Forensic Tip: Look for cached URLs containing parameters like messages?limit= in Discord. These often contain entire chat histories!

2. LevelDB Databases – The Real Goldmine

LevelDB is where Electron apps store persistent data. It holds everything from session tokens and account details to chat messages, making it a critical artifact for forensic analysis.


There are three major types of storage:

  • IndexedDB: Stores serialized JavaScript objects. The values are written in V8's structured-clone serialization rather than plain JSON, although the strings inside them are frequently JSON. This is where apps keep user data like contacts, messages, and logs.

  • Local Storage: Stores long-term, string-based key/value data per origin. For example, Discord keeps login and username details here, while Microsoft Teams tracks file transfers and message drafts.

  • Session Storage: Similar to Local Storage but scoped to a session from the app's point of view. Chromium still persists it to disk in a "Session Storage" LevelDB folder so it can be restored, so stale entries from earlier sessions are often still recoverable there.


What’s Inside a LevelDB Database?

LevelDB databases contain multiple files, but the most important ones are:


  • .log files – The write-ahead log. Every Put and Delete is appended here first, uncompressed, so values that were later deleted or overwritten remain readable until the log is flushed and removed.

  • .ldb files – Sorted table files (SSTables) produced when the log is flushed or when tables are compacted. Their data blocks are normally Snappy-compressed, and superseded versions of a key can linger in older tables.

  • MANIFEST and CURRENT files – Metadata files that record which tables make up the database; CURRENT names the active MANIFEST.

  • LOG and LOG.old – Plain-text diagnostic logs with timestamps of database opens and compactions, useful for establishing when the app was last active.


🔎 Forensic Tip: .log files are gold! They are written without compression and hold every recent write, including values that were later deleted or overwritten. Check them first!
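
To see exactly what those .log files contain, here is an added example: a Python parser written for this page (not code from the original post, AXIOM, RabbitHole or any other product) that implements LevelDB's own log format: 32 KiB blocks of records, each with a masked CRC-32C, a 16-bit length and a type byte (FULL, or FIRST/MIDDLE/LAST for records that straddle a block edge), where every record payload is a write batch of Put and Delete operations stamped with a sequence number. SAMPLE_LOG at the end is constructed with the script's own builder helpers, using an invented origin, to show a token being overwritten and a draft being deleted; the old values are still in the log.

```python
"""Minimal parser for LevelDB write-ahead (.log) files.

Added example, not code from the original post or any vendor tool. It implements
the LevelDB log layout (32 KiB blocks of [crc32c | len | type | payload] records,
each payload a write batch of Put/Delete operations), listing every operation still
in the log, including values later deleted or overwritten. SAMPLE_LOG is built here
with the sample-builder helpers; it is not data from a real application.
"""
import struct

BLOCK_SIZE, HEADER_SIZE, MASK_DELTA = 32768, 7, 0xA282EAD8
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4      # record types; 0 = zero/preallocated
OP_DELETE, OP_PUT = 0, 1                    # kTypeDeletion, kTypeValue

def crc32c(data):
    """Bitwise CRC-32C (Castagnoli) as used by LevelDB; slow but dependency-free."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def mask_crc(crc):
    """LevelDB stores a rotated, offset CRC so a CRC over CRC-bearing data is safe."""
    return ((((crc >> 15) | (crc << 17)) & 0xFFFFFFFF) + MASK_DELTA) & 0xFFFFFFFF

def get_varint(buf, pos):
    """Decode a varint32 at pos; returns (value, new_pos)."""
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def encode_batch(seq, ops):
    """Write batch = fixed64 sequence, fixed32 count, then tagged Put/Delete entries.
    Sample builder: lengths are emitted as one-byte varints, so they must be < 128."""
    body = bytearray(struct.pack("<QI", seq, len(ops)))
    for op, key, value in ops:
        assert len(key) < 128 and (value is None or len(value) < 128)
        body += bytes([op, len(key)]) + key
        if op == OP_PUT:
            body += bytes([len(value)]) + value
    return bytes(body)

def record(rtype, chunk):
    """One physical record: masked crc32c over (type || chunk), 2-byte length, type."""
    crc = mask_crc(crc32c(bytes([rtype]) + chunk))
    return struct.pack("<IHB", crc, len(chunk), rtype) + chunk

def build_log(batches):
    """Sample builder: one FULL record per batch, everything inside the first block."""
    out = b"".join(record(FULL, p) for p in batches)
    assert len(out) <= BLOCK_SIZE, "real writers split large batches into FIRST/MIDDLE/LAST"
    return out

def iter_log_records(data):
    """Yield (payload, checksum_ok) per logical record, reassembling fragments."""
    pos, frags, ok = 0, [], True
    while pos + HEADER_SIZE <= len(data):
        left = BLOCK_SIZE - pos % BLOCK_SIZE
        crc, length, rtype = struct.unpack_from("<IHB", data, pos)
        if left < HEADER_SIZE or rtype == 0:        # block trailer or zero-filled region
            pos += left
            continue
        chunk = data[pos + HEADER_SIZE:pos + HEADER_SIZE + length]
        pos += HEADER_SIZE + length
        chunk_ok = mask_crc(crc32c(bytes([rtype]) + chunk)) == crc   # flag, never abort
        frags, ok = ([chunk], chunk_ok) if rtype == FIRST else (frags + [chunk], ok and chunk_ok)
        if rtype in (FIRST, MIDDLE):
            continue
        yield b"".join(frags), ok                   # FULL or LAST completes a record
        frags, ok = [], True

def parse_log(data):
    """Return every operation in the log, oldest first, with a checksum flag per record."""
    rows = []
    for payload, ok in iter_log_records(data):
        seq, count = struct.unpack_from("<QI", payload, 0)
        pos = 12
        for i in range(count):
            op, pos = payload[pos], pos + 1
            klen, pos = get_varint(payload, pos)
            key, pos = payload[pos:pos + klen], pos + klen
            value = None
            if op == OP_PUT:
                vlen, pos = get_varint(payload, pos)
                value, pos = payload[pos:pos + vlen], pos + vlen
            rows.append({"seq": seq + i, "op": "PUT" if op == OP_PUT else "DELETE",
                         "key": key, "value": value, "crc_ok": ok})
    return rows

# Constructed sample: Local Storage churn of a chat client, in Chromium's
# "_<origin>\x00<name>" key form; the 0x01 value prefix is Chromium's Latin-1 marker.
PREFIX = b"_https://chat.example.invalid\x00"
SAMPLE_LOG = build_log([
    encode_batch(1, [(OP_PUT, PREFIX + b"token", b"\x01secret-old")]),
    encode_batch(2, [(OP_PUT, PREFIX + b"draft", b"\x01see you at 10")]),
    encode_batch(3, [(OP_DELETE, PREFIX + b"draft", None),
                     (OP_PUT, PREFIX + b"token", b"\x01secret-new")]),
])
```

Run parse_log(open(path, "rb").read()) on a real 0000NN.log and sort by seq: a DELETE row followed by a later PUT for the same key is an overwrite, and every earlier PUT value is still readable. Checksum failures are reported per record rather than aborting, because carved or partially overwritten logs are the norm in forensic work.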


Challenges in Analyzing LevelDB

While LevelDB is a treasure trove of data, it’s also incredibly difficult to parse.


  • It mixes data formats. Keys and values are raw byte strings: Chromium's Local Storage values carry a one-byte prefix (0x00 for UTF-16LE, 0x01 for Latin-1), IndexedDB values are V8-serialized objects, and other entries are plain ASCII or binary blobs.

  • Data blocks in .ldb files are compressed with Google's Snappy algorithm; the .log file is not.

  • It uses key prefix compression. Within a block each key stores only the bytes that differ from the previous key (a shared-length count plus the unshared tail), so most full key strings never appear contiguously on disk.


These complexities make simple string searches ineffective unless your tool can fully reconstruct the database.
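
The key-prefix sharing is easiest to understand by building a block and reading it back. The following is an added example written for this page (not code from the original post or any forensic product): it lays out one uncompressed .ldb data block the way LevelDB's BlockBuilder does, decodes it again, and then interprets the entries as Chromium Local Storage records. It also shows how two versions of the same key (a value and its later tombstone) sit side by side in one file, which is the duplication discussed further down under "Why Analyzing LevelDB is Challenging". The Local Storage key and value conventions are Chromium's; decoding the key name as UTF-8 is an assumption of this example, and the origin and entries are constructed.

```python
"""Decode a LevelDB table (.ldb) data block and Chromium Local Storage records.

Added example, not code from the original post or any forensic product. It lays out
one uncompressed data block as LevelDB's BlockBuilder does (prefix-compressed keys,
restart array, restart count) from constructed entries, then decodes it. The Local
Storage conventions (key "_" + origin + NUL + name; value 0x00 + UTF-16LE or 0x01 +
Latin-1) are Chromium's; decoding the name part as UTF-8 is this example's assumption.
"""
import struct

RESTART_INTERVAL = 16                   # LevelDB default block_restart_interval
TYPE_DELETION, TYPE_VALUE = 0, 1        # low byte of the 8-byte internal-key tag

def put_varint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def get_varint(buf, pos):
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def internal_key(user_key, seq, kind):
    """Block keys are user_key || fixed64(seq << 8 | type), sorted by key asc, seq desc."""
    return user_key + struct.pack("<Q", (seq << 8) | kind)

def build_block(entries):
    """Encode already-sorted (internal_key, value) pairs like LevelDB's BlockBuilder."""
    out, restarts, last = bytearray(), [0], b""
    for i, (key, value) in enumerate(entries):
        if i and i % RESTART_INTERVAL == 0:
            restarts.append(len(out))
            last = b""                      # a restart point stores the whole key
        shared = 0
        while shared < min(len(key), len(last)) and key[shared] == last[shared]:
            shared += 1
        out += put_varint(shared) + put_varint(len(key) - shared) + put_varint(len(value))
        out += key[shared:] + value
        last = key
    out += b"".join(struct.pack("<I", r) for r in restarts) + struct.pack("<I", len(restarts))
    return bytes(out)

def decode_block(block):
    """Walk every entry, rebuilding each full key from the shared prefix of the previous."""
    num_restarts = struct.unpack_from("<I", block, len(block) - 4)[0]
    end = len(block) - 4 * (num_restarts + 1)   # entries stop where the restart array starts
    pos, key, rows = 0, b"", []
    while pos < end:
        shared, pos = get_varint(block, pos)
        unshared, pos = get_varint(block, pos)
        vlen, pos = get_varint(block, pos)
        key = key[:shared] + block[pos:pos + unshared]
        pos += unshared
        value, pos = block[pos:pos + vlen], pos + vlen
        tag = struct.unpack("<Q", key[-8:])[0]
        rows.append({"user_key": key[:-8], "seq": tag >> 8, "type": tag & 0xFF,
                     "value": value, "stored_key_bytes": unshared})
    return rows

def decode_local_storage(user_key, value):
    """Interpret Chromium DOM-storage keys; returns None for keys of another layout."""
    if user_key.startswith(b"META:"):
        return {"kind": "meta", "origin": user_key[5:].decode("latin-1")}
    if not user_key.startswith(b"_") or b"\x00" not in user_key:
        return None
    origin, name = user_key[1:].split(b"\x00", 1)
    codec = {b"\x00": "utf-16-le", b"\x01": "latin-1"}.get(value[:1])
    text = value[1:].decode(codec) if codec else None   # tombstone (empty) or unknown prefix
    return {"kind": "item", "origin": origin.decode("latin-1"),
            "name": name.decode("utf-8", "replace"), "text": text, "raw": value}

def live_state(rows):
    """Resolve versions as LevelDB does: newest seq per user key wins, tombstones delete."""
    state, seen = {}, set()
    for row in rows:                        # comparator order, so the first seen is newest
        if row["user_key"] not in seen:
            seen.add(row["user_key"])
            if row["type"] == TYPE_VALUE:
                state[row["user_key"]] = row["value"]
    return state

# Constructed sample in internal-key order ("META:" < "_" bytewise; newer seq first).
ORIGIN = b"https://chat.example.invalid"
SAMPLE_ENTRIES = [
    (internal_key(b"META:" + ORIGIN, 1, TYPE_VALUE), b"\x08\x1f"),      # placeholder metadata
    (internal_key(b"_" + ORIGIN + b"\x00draft", 5, TYPE_DELETION), b""),
    (internal_key(b"_" + ORIGIN + b"\x00draft", 2, TYPE_VALUE), b"\x01see you at 10"),
    (internal_key(b"_" + ORIGIN + b"\x00token", 3, TYPE_VALUE),
     b"\x00" + "\u0441\u0435\u043a\u0440\u0435\u0442".encode("utf-16-le")),
]
SAMPLE_BLOCK = build_block(SAMPLE_ENTRIES)
```

Two things to take from the sample: a search for the full key _https://chat.example.invalid\x00token never matches the raw bytes, because only "token" plus the 8-byte tag is stored after the shared prefix, and the deleted draft still has its value in the block (a type 0 tombstone at seq 5 next to the value at seq 2). Real .ldb files wrap each data block in Snappy compression and a block trailer, so decompress a block (or use a library that reads the table index) before feeding it to decode_block.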


How to Analyze Electron Artifacts

Despite the challenges, there are tools that can help with Electron forensic investigations:

  • ChromeCacheView – Extracts cached files and metadata from Chromium-based apps.

  • LevelDB parsers – There aren't many. CCL Solutions Group publishes the open-source Python library ccl_chromium_reader (formerly ccl_chrome_indexeddb), which reads LevelDB, Local Storage and IndexedDB; other tools attempt to dump raw key/value pairs.

  • Manual Analysis – Sometimes, it’s best to extract the database files and examine them manually.


-----------------------------------------------------------------------------------------------------------

LevelDB

Magnet AXIOM now includes a built-in LevelDB viewer, which is a big step forward in forensic investigations. However, it’s essential to understand its strengths and limitations. When you open a LevelDB database from the File System view in AXIOM, the tool attempts to pull out data from key/value pairs. These pairs usually contain simple text or JSON, making it easier to extract useful information.


Investigating Microsoft Teams Data

Imagine you’re analyzing a system where Microsoft Teams is installed. You navigate to

%UserProfile%\AppData\Roaming\Microsoft\Teams

(this is the classic, Electron-based Teams client; the newer Teams client is not Electron but still writes Chromium-style storage, under AppData\Local rather than Roaming)

and find LevelDB files inside. AXIOM’s viewer allows you to browse this data in different formats, such as JSON view or hex view, and you can even use external tools for deeper analysis. Searching within the database helps filter out irrelevant data, making it easier to spot valuable evidence.


However, AXIOM only parses individual .ldb files and doesn’t process the entire LevelDB database structure, which includes .log files. This means you get a partial view, which isn’t always enough for a complete investigation.


-----------------------------------------------------------------------------------------------------------

Going Deeper with RabbitHole

One of the best tools for analyzing LevelDB data is RabbitHole, developed by Alex Caithness from CCL Solutions Group.

This commercial tool can process LevelDB files along with other data formats like Mozilla LZ4, Snappy, SQLite, Base64, OLE, Plists, and protobufs.


RabbitHole’s biggest advantage is its ability to reconstruct LevelDB databases properly. When you open an .ldb or .log file, RabbitHole gathers all related files and presents the data in a structured format. It helps forensic analysts understand how LevelDB is organized, which is crucial for examining Electron applications like Microsoft Teams.


-----------------------------------------------------------------------------------------------------------


Why Analyzing LevelDB is Challenging

LevelDB databases are complex and often contain a great deal of repeated data. Every write goes to the .log file first and is later flushed into an .ldb table; compaction then merges tables, and until that happens the same key can exist in the log, in a young table and in an older table with different sequence numbers. LevelDB itself only ever returns the newest version, but the superseded versions (and the deletion tombstones) are still on disk. Understanding this structure is key to extracting valuable forensic evidence, and to not double-counting what you find.


-----------------------------------------------------------------------------------------------------------


Other Tools: LevelDB Recon and Custom Parsers

Apart from RabbitHole, LevelDB Recon by Arsenal Recon is another tool designed to help make sense of LevelDB data. However, every Electron application stores its data differently, meaning you often need a dedicated parser for each app.



Final Thoughts

Analyzing LevelDB isn’t straightforward, but with the right tools and approach, you can uncover valuable forensic evidence. AXIOM’s built-in viewer is a good start, but tools like RabbitHole provide a much deeper level of analysis. Since Electron applications store data differently, forensic analysts must be flexible and use a mix of tools to extract meaningful insights.


If you work in digital forensics, learning how to investigate LevelDB databases will give you a significant edge when dealing with modern applications like Microsoft Teams, Slack, and Discord. Stay curious, experiment with different tools, and always verify your findings!

-------------------------------------------Dean--------------------------------------------------



 
 
 
