lxndrblz / forensicsim Goto Github PK

A forensic open-source parser module for Autopsy that allows extracting the messages, comments, posts, contacts, calendar entries and reactions from a Microsoft Teams IndexedDB LevelDB database.

Home Page: https://forensics.im

License: MIT License

Python 100.00%

autopsy microsoft teams leveldb forensic-analysis module abertay-university electron parser indexeddb

forensicsim's Introduction

Forensics.im Microsoft Teams Parser & Autopsy Plugin 🕵️‍♂️

Forensics.im is an Autopsy Plugin, which allows parsing levelDB of modern Electron-based Instant Messenger Applications like Microsoft Teams. Unlike the existing levelDB plugin, Forensics.im also parses the binary ldb files, which contain the majority of the entries and allows identifies individual entities, such as messages and contacts, and presets these in Autopsy's blackboard view.

This parser has been tested using:

Microsoft Teams 1.4.00.11161 (Windows 10) with a free business organisation
Microsoft "Teams 2.0" (Windows 11) 48/21062133356 with a personal organisation

This plugin is an artefact of the Master Thesis Digital Forensic Acquisition and Analysis of Artefacts Generated by Microsoft Teams at the University of Abertay, Dundee, United Kingdom.

Microsoft Teams From a Forensic Perspective

If you are curious about the artefacts that are generate by Microsoft Teams, I would like to refer you to my in-depth blog post on my personal website. It discusses in great details which file are created by Microsoft Teams and how these could be utilised in a forensic investigation.

Demo

Quickstart

Autopsy Module Installation

This module requires the installation of Autopsy v4.18 or above and a Windows-based system.

To install the Microsoft Teams parser for Autopsy, please follow these steps:

Download the forensicsim.zip folder of the latest available release.
Extract the .zip folder onto your computer.
Open the Windows File Explorer and navigate to your Autopsy Python plugin directory. By default, it is located under %AppData%\autopsy\python_modules.
Create a new forensicsim folder within the python_modules folder.
Copy the ms_teams_parser.exe and the Forensicsim_Parser.py to the forensicsim directory.
Restart Autopsy to activate the module.

You can test verify that the module has installed successfully by performing the following steps:

Start Autopsy.
Open/Create a case and add a source.
You will find the added modules under the menu Tools-> Run Ingest Modules -> Name of the Data Source.

Standalone Parser Usage

The standalone parser script writes all the processed and identified records into a structured JSON file, which can either be processed by the Autopsy Plugin or in another application.

The main parser script can be used like this:

.\dist\ms_teams_parser.exe -f ".\forensicsim-data\john_doe_old_teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o "john_doe.json"

Feel free to use the LevelDB files provided in this repository.

The parser has the following options:

Options:
  -f, --filepath PATH    File path to the .leveldb folder of the IndexedDB.
                         [required]
  -o, --outputpath PATH  File path to the processed output.  [required]
  -b, --blobpath PATH    File path to the .blob folder of the IndexedDB.
  --help                 Show this message and exit.

Development

Compiling the utils\main.py to an Executable:

pyinstaller "main.spec"

Utility Scripts for handling LevelDB databases:

dump_leveldb.py

This script allows dumping a Microsoft Teams LevelDB to a json file, without processing it further. The usage is as following. Simply specify the path to the database and where you want to output the JSON file.

usage: dump_leveldb.py [-h] -f FILEPATH -o OUTPUTPATH
dump_leveldb.py: error: the following arguments are required: -f/--filepath, -o/--outputpath

Utility Scripts for populating Microsoft Skype and Microsoft Teams

populate_skype.py

A wee script for populating Skype for Desktop in a lab environment. The script can be used like this:

tools\populate_skype.py -a 0 -f conversation.json

populate_teams.py

A wee script for populating Microsoft Teams in a lab environment. The script can be used like this:

tools\populate_teams.py -a 0 -f conversation.json

Datasets

This repository comes with two datasets that allow reproducing the findings of this work. The testdata folder contains the LevelDB databases that have been extracted from two test clients. These can be used for benchmarking without having to perform a (lengthy) data population.

The populationdata contains JSON files of the communication that has been populated into the testing environment. These can be used to reproduce the experiment from scratch. However, for a rerun, it will be essential to adjust the dates to future dates, as the populator script relies on sufficient breaks between the individual messages.

Acknowledgements & Thanks

ccl_chrome_indexeddb Python module for enumerating the * LevelDB* artefacts without external dependencies.
Gutenberg Project Part of Arthur Conan Doyle's book The Adventures of Sherlock Holmes have been used for creating a natural conversation between the two demo accounts.

forensicsim's People

Contributors

Stargazers

Watchers

Forkers

mgeeky friedrta blue-infosec conexioninversa bytjn1416124 przemyslawrodzik faniahmed mengzhisuoliu xambroz seychelles111 tim1512

forensicsim's Issues

[request] HTML output support, via the CMD line

Won't work

I followed all the instructions , but when I start Autopsy, It does not show anything under results.

Process conversations

Example:

    {
        "key": "b'\\x010\\x001\\x009\\x00:\\x000\\x005\\x008\\x000\\x005\\x002\\x007\\x00d\\x002\\x00e\\x00a\\x008\\x004\\x000\\x000\\x005\\x009\\x008\\x009\\x004\\x008\\x007\\x00d\\x007\\x00b\\x00d\\x00d\\x008\\x000\\x00f\\x002\\x00a\\x00@\\x00t\\x00h\\x00r\\x00e\\x00a\\x00d\\x00.\\x00t\\x00a\\x00c\\x00v\\x002'",
        "origin_file": "/Users/alexanderbilz/Desktop/unknown/https_teams.microsoft.com_0.indexeddb.leveldb",
        "seq": null,
        "state": null,
        "store": "conversations",
        "value": {
            "clientArrivalTime": "2020-11-10T12:01:01.682Z",
            "clientUpdateTime": "2020-11-10T14:01:40.038Z",
            "conversationSyncFailureCount": 0,
            "detailsVersion": 1605016897727.0,
            "id": "19:[email protected]",
            "isSyncedToStartOfTime": false,
            "lastMessage": {
                "_callRecording": null,
                "_callTranscript": null,
                "_meetingObjects": null,
                "_pinState": {
                    "isPinned": false
                },
                "cachedDeduplicationKey": "8:orgid:67fd3dd0-4a9c-4b49-954a-eb11dd321e673582176094116322000",
                "cachedOriginalArrivalTime": "2020-11-13T01:55:13.306Z",
                "cachedOriginalArrivalTimeUtc": 1605232513306.0,
                "callDuration": 0,
                "callParticipantsCount": 0,
                "callParticipantsMris": [],
                "clientArrivalTime": "2020-11-13T01:55:13.443Z",
                "clientmessageid": "3582176094116322000",
                "composetime": "2020-11-13T01:55:13.306Z",
                "content": "<div><div><div>This is a big lizard! <a href=\"https://www.nbcnews.com/news/animal-news/video-shows-gigantic-gator-florida-golf-club-amid-tropical-storm-n1247617\" rel=\"noreferrer noopener\" target=\"_blank\" title=\"https://www.nbcnews.com/news/animal-news/video-shows-gigantic-gator-florida-golf-club-amid-tropical-storm-n1247617\">https://www.nbcnews.com/news/animal-news/video-shows-gigantic-gator-florida-golf-club-amid-tropical-storm-n1247617</a></div>\n</div></div>",
                "contenttype": "text",
                "conversationId": "19:[email protected]",
                "conversationLink": "https://notifications.skype.net/v1/users/ME/conversations/19:[email protected];messageid=1604850812840",
                "createdTime": 1605232513306.0,
                "creator": "8:orgid:67fd3dd0-4a9c-4b49-954a-eb11dd321e67",
                "from": "https://notifications.skype.net/v1/users/ME/contacts/8:orgid:67fd3dd0-4a9c-4b49-954a-eb11dd321e67",
                "id": "1605232513306",
                "idUnion": "3582176094116322000",
                "imdisplayname": "Redacted",
                "isForceDelete": false,
                "isFromMe": false,
                "isRichContentProcessed": false,
                "isRichMessagePropertiesProcessed": false,
                "isSanitized": true,
                "isSfBGroupConversation": false,
                "messageKind": "skypeMessageLocal",
                "messageStorageState": 1,
                "messagetype": "RichText/Html",
                "notificationLevel": 1,
                "originalarrivaltime": "2020-11-13T01:55:13.306Z",
                "parentMessageId": "1604850812840",
                "properties": {
                    "importance": 0,
                    "links": "[{\"@type\":\"http://schema.skype.com/HyperLink\",\"itemid\":\"0\",\"url\":\"https://www.nbcnews.com/news/animal-news/video-shows-gigantic-gator-florida-golf-club-amid-tropical-storm-n1247617\",\"previewenabled\":true}]",
                    "subject": ""
                },
                "sequenceId": 2,
                "source": 2,
                "trimmedMessageContent": "This is a big lizard! https://www.nbcnews.com/news/animal-news/video-shows-gigantic-gator-florida-golf-club-amid-tropical-storm-n1247617",
                "type": "Message",
                "userHasStarred": false,
                "version": "1605232513306",
                "versionNumber": 1605232513306.0
            },
            "lastSeenSkipRosterState": true,
            "memberProperties": {
                "isFollowing": false,
                "memberExpirationTime": 253402300800000.0,
                "role": "User"
            },
            "messages": "",
            "messagesStale": true,
            "messagesSyncAfterUtc": 0,
            "messagesSyncFailureCount": 0,
            "nonFilteredLastMessageTimeUtc": 1605232513306.0,
            "oldConsumptionHorizonKeys": [],
            "properties": {
                "favorite": "true",
                "isfollowed": "false",
                "lastimreceivedtime": "2020-11-08T15:53:32.84Z"
            },
            "replyChainSyncMap": {},
            "rosterSummary": {
                "botCount": 2,
                "externalMemberCount": 0,
                "memberCount": 8,
                "readerCount": 0,
                "roleCounts": {
                    "Admin": 1,
                    "User": 7
                }
            },
            "rosterVersion": 1605016897727.0,
            "syncState": "",
            "syncStateUpdatedBy": "ConversationsStore_cleanNonPersistedSyncState",
            "targetLink": "",
            "teamId": "19:[email protected]",
            "threadProperties": {
                "channelDocsDocumentLibraryId": null,
                "channelDocsFolderRelativeUrl": null,
                "createdat": "1604849486581",
                "creator": "8:orgid:67fd3dd0-4a9c-4b49-954a-eb11dd321e67",
                "favDefault": "false",
                "gapDetectionEnabled": true,
                "isdeleted": "false",
                "lastSequenceId": 1,
                "lastjoinat": "1604849487687",
                "retentionHorizon": 0,
                "retentionHorizonV2": 0,
                "spaceId": "19:[email protected]",
                "tab::e295f711-004c-43d8-82bc-b7081e4d13a2": "{\"id\":\"tab::e295f711-004c-43d8-82bc-b7081e4d13a2\",\"name\":\"Wiki\",\"definitionId\":\"com.microsoft.teamspace.tab.wiki\",\"directive\":\"extension-tab\",\"tabType\":\"tab:\",\"order\":10000,\"replyChainId\":0,\"settings\":{\"wikiTabId\":1,\"wikiDefaultTab\":true,\"hasContent\":false,\"subtype\":\"wiki-tab\"}}",
                "tenantid": "f91eb2ca-e46d-44b6-814b-d4bbacdc5a48",
                "threadType": "topic",
                "topic": "Random",
                "topicThreadTopic": "Random",
                "topicThreadVersion": "v5",
                "version": "1605016897727"
            },
            "threadVersion": 1605016897727.0,
            "type": "Topic",
            "version": 1605016899074.0
        }
    },
    
    
    ```

JSON Decode Errors

Error Log:

buddylist skypexspaces-contacts-<GUID_1> (Records: 5)
replychains skypexspaces-<GUID_1> (Records: 0)
conversations skypexspaces-<GUID_1> (Records: 0)
people skypexspaces-<GUID_1> (Records: 1924)
people Teams:substrate-suggestions-manager:<GUID_2> (Records: 0)
replychains Teams:replychain-manager:<GUID_3> (Records: 13225)
conversations Teams:conversation-manager:<GUID_3> (Records: 1358)
Traceback (most recent call last):
  File "main.py", line 65, in <module>
  File "click\core.py", line 1157, in __call__
  File "click\core.py", line 1078, in main
  File "click\core.py", line 1434, in invoke
  File "click\core.py", line 783, in invoke
  File "main.py", line 61, in process_cmd
  File "forensicsim\parser.py", line 373, in process_db
  File "forensicsim\parser.py", line 355, in parse_records
  File "forensicsim\parser.py", line 245, in _parse_conversations
  File "dataclasses_json\api.py", line 70, in from_dict
  File "dataclasses_json\core.py", line 206, in _decode_dataclass
  File "forensicsim\parser.py", line 36, in decode_dict
  File "json\__init__.py", line 359, in loads
  File "json\decoder.py", line 337, in decode
  File "json\decoder.py", line 355, in raw_decode
json.decoder.JSONDecodeError: Expecting value: line 1 column 2 (char 1)
[15784] Failed to execute script 'main' due to unhandled exception!

"there could be this many dbs, but I don't support it yet" error was occured.

I read the Teams log and got the following error

Do you know what caused it?

NotImplementedError: there could be this many dbs, but I don't support it yet

Traceback (most recent call last):
File "C:\Personal\Git\forensicsim\utils\main.py", line 314, in
cli()
File "C:\Personal\Git\forensicsim\utils\main.py", line 309, in cli
run(args)
File "C:\Personal\Git\forensicsim\utils\main.py", line 292, in run
process_db(args.filepath, args.outputpath)
File "C:\Personal\Git\forensicsim\utils\main.py", line 282, in process_db
extracted_values = shared.parse_db(filepath)
File "C:\Personal\Git\forensicsim\utils\shared.py", line 170, in parse_db
db = FastIndexedDB(filepath)
File "C:\Personal\Git\forensicsim\utils\shared.py", line 53, in init
self.fetch_data()
File "C:\Personal\Git\forensicsim\utils\shared.py", line 78, in fetch_data
raise NotImplementedError("there could be this many dbs, but I don't support it yet")
NotImplementedError: there could be this many dbs, but I don't support it yet

Also running into this problem. Any ideas what's up? Just curious is this on your roadmap to look at?

~Salty

Cannot use AUTOPSY. because Fw wont allowed downloads of models from server

[Autopsy] Failed to load ForensicIMIngestModuleFactory

I am receivng the below error when trying to add the plugin for the parser into Autopsy.

ValueError: Can't resolve blob if blob dir is not set

Hey I am working with some people, but some people move.
there is a thing, that IT people, just delete everything in the chats you had done... but I need to refer to old messages in teams. (One more reason to keep main Mmm )

When running the script I encounter the ValueError: Can't resolve blob if blob dir is not set.

Is it possible, I can use the tools some how ?

[please import that ] [Certain Database IDs get missed]

cclgroupltd/ccl_chrome_indexeddb#18
cclgroupltd/ccl_chrome_indexeddb@0b80ecd

thank , please add

[request] option to archive pictures ?

Hello I really need to archive my Teams chats, my employe-er might actually delete my account, while they release me on a "vacation without pay", for half a year... which might end in a termination later, and in the short term, someone actual confusing my account and delete it.

Im confused, if I the files themselves could be saved some how... ie pictures or whatever...
I just dont wanna lose my chats... its so annoying... everyone that leaves, I am losing backlogs of chats... which does distruct things, as things that happens weeks or months ago matter.. also re-evaluing , what you had done is important... and if I were in 2019 it wouldbt been so easy to archive, yet I cannot use the other tools.. only this localdb thing which is only chats right?

Error with parse_db attribute

Any idea why this is presenting an error? I have installed the shared python3 module.

Error loading module 0.81

Hello
I am having problems loading the module using Autopsy
Details are as follows:

Autopsy version Autopsy 4.21.0
Forensicsim version 0.81
Windows version Microsoft Windows [Version 10.0.19045.3930]
Virtual machine - 2 cores, 8GB RAM

I have attached a screenshot and the Autopsy log
Feel free to contact me for any further information needed to solve this issue

WKC

autopsy.log

Where to find .leveldb file

I have two Teams desktop app installed, one is the business or work teams distribution and the other is personal use teams distribution. I have found db file for the business/work one but I could not found any db for the personal use teams distribution.
The business/word distribution has the following path

C:\\Users\\Farhan Ahmed\\AppData\\Roaming\\Microsoft\\Teams\\IndexedDB\\https_teams.live.com_0.indexeddb.leveldb

The Microsoft Teams personal use distribution is being installed as Windows app and I do not know where it's .leveldb file is

Error parsing Microsoft Teams Leveldb files

Hi,

I'm trying to parse leveldb files from Microsoft Teams adquisition and when executing the script returns an error in magic number like this:

|  ___|__  _ __ ___ _ __  ___(_) ___ ___  (_)_ __ ___  
| |_ / _ \| '__/ _ \ '_ \/ __| |/ __/ __| | | '_ ` _ \ 
|  _| (_) | | |  __/ | | \__ \ | (__\__ \_| | | | | | |
|_|  \___/|_|  \___|_| |_|___/_|\___|___(_)_|_| |_| |_|
                                                       
 ____                          _____           _ 
|  _ \ _   _ _ __ ___  _ __   |_   _|__   ___ | |
| | | | | | | '_ ` _ \| '_ \    | |/ _ \ / _ \| |
| |_| | |_| | | | | | | |_) |   | | (_) | (_) | |
|____/ \__,_|_| |_| |_| .__/    |_|\___/ \___/|_|
                      |_|                        

Traceback (most recent call last):
  File "/teams2/teams_profile/forensicsim/utils/dump_leveldb.py", line 74, in <module>
    cli()
  File "/teams2/teams_profile/forensicsim/utils/dump_leveldb.py", line 70, in cli
    run(args)
  File "/teams2/teams_profile/forensicsim/utils/dump_leveldb.py", line 55, in run
    process_db(args.filepath, args.outputpath)
  File "/teams2/teams_profile/forensicsim/utils/dump_leveldb.py", line 48, in process_db
    extracted_values = shared.parse_db(filepath, True)
  File "/teams2/teams_profile/forensicsim/utils/shared.py", line 172, in parse_db
    db = FastIndexedDB(filepath)
  File "/teams2/teams_profile/forensicsim/utils/shared.py", line 48, in __init__
    self._db = ccl_leveldb.RawLevelDb(leveldb_dir)
  File "/teams2/teams_profile/forensicsim/utils/ccl_chrome_indexeddb/ccl_leveldb.py", line 554, in __init__
    self._files.append(LdbFile(file))
  File "/teams2/teams_profile/forensicsim/utils/ccl_chrome_indexeddb/ccl_leveldb.py", line 221, in __init__
    raise ValueError(f"Invalid magic number in {file}")
ValueError: Invalid magic number in /teams2/teams_profile/184844-Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb/000374.ldb

When I tried to dump local storage and session storage works well but with leveldb not works fine for me. ¿Do you know why?

Thanks!
Joan.

Update forensics.im for simplified installation process 🆕

With #40 we added a zip to the release for easier use in autopys. Forensicsim_Parser.py and ms_teams_parser.exe are now released in forensicsim.zip.

@lxndrblz please also update https://forensics.im/blog/installing-forensicsim-module/ to be consistent with README.md.

feat: Integrate other Electron-based Messenger

Currently, there is a larger number of Electron-based Messaging Apps that could be extracted in similar fashion to Microsoft Teams, including the following applications:

Discord
WhatsApp
Zalo
Slack
Twist

I would be able to create a base class and extend it for the individual messengers. The output should be following a common layout to allow reuse of the existing Autopsy code.

Plugin not work

I put plugin dir in Roaming\autopsy\python_modules\forensicsim but it not work when i choose it to analyze Teams dir

"there could be this many dbs, but I don't support it yet" error was occured.

Does not seem to work with newer versions of TEAMS. Please update this awesome tool! You will be doing a great service for an ongoing case we have. Kind regards.

TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'

Hi,
The code is perfectly working with the classic Teams. When I switch to new teams, I get the following error:

 _____                        _            _
|  ___|__  _ __ ___ _ __  ___(_) ___ ___  (_)_ __ ___
| |_ / _ \| '__/ _ \ '_ \/ __| |/ __/ __| | | '_ ` _ \
|  _| (_) | | |  __/ | | \__ \ | (__\__ \_| | | | | | |
|_|  \___/|_|  \___|_| |_|___/_|\___|___(_)_|_| |_| |_|

__  ___                  _     _____           _
\ \/ / |_ _ __ __ _  ___| |_  |_   _|__   ___ | |
 \  /| __| '__/ _` |/ __| __|   | |/ _ \ / _ \| |
 /  \| |_| | | (_| | (__| |_    | | (_) | (_) | |
/_/\_\\__|_|  \__,_|\___|\__|   |_|\___/ \___/|_|


WARNING: Skipping database Teams:app-definition-images-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:app-device-permissions-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:apps-usage-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:artifacts-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:channel-installed-apps-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:cross-tenant-policies-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:extracted_app_definition-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:files-thumbnail-blob-content-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:mentions-manager:d826664f-15b5-465e-b789-65c3c61e69ee:8:orgid:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:platform-store-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:recommendedteams:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:replychain-metadata-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
WARNING: Skipping database Teams:store-device-manager:d826664f-15b5-465e-b789-65c3c61e69ee:e72c2f67-db47-49f8-9dfc-dd1bbfe072c3
Traceback (most recent call last):
  File "main.py", line 314, in <module>
  File "main.py", line 309, in cli
  File "main.py", line 292, in run
  File "main.py", line 282, in process_db
  File "shared.py", line 179, in parse_db
  File "shared.py", line 131, in iterate_records
TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'
[21520] Failed to execute script 'main' due to unhandled exception!

You will find attached an example of a leveldb database containing new teams data, so you can duplicate the issue.
Any help would be appreciated.
https_teams.microsoft.com_0.indexeddb.leveldb.zip

TypeError: '>' not supported between instances of 'NoneType' and 'int'

Hi,
I've been running into this issue lately.

Traceback (most recent call last):
File "C:\Personal\Git\forensicsim\utils\main.py", line 314, in
cli()
File "C:\Personal\Git\forensicsim\utils\main.py", line 309, in cli
run(args)
File "C:\Personal\Git\forensicsim\utils\main.py", line 292, in run
process_db(args.filepath, args.outputpath)
File "C:\Personal\Git\forensicsim\utils\main.py", line 282, in process_db
extracted_values = shared.parse_db(filepath)
File "C:\Personal\Git\forensicsim\utils\shared.py", line 170, in parse_db
db = FastIndexedDB(filepath)
File "C:\Personal\Git\forensicsim\utils\shared.py", line 53, in init
self.fetch_data()
File "C:\Personal\Git\forensicsim\utils\shared.py", line 77, in fetch_data
if db_id.dbid_no > 0x7f:
TypeError: '>' not supported between instances of 'NoneType' and 'int'

The tool is awesome when I can get it to function. Any help would be appreciated.

~Salty

Error

Hi there,

I receive the following error
ms_teams_parser.exe -f "f:\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o c:\temp\levelDB\level.json

Could not decode reply chain

thanks

Error parsing Teams leveldb

Hi, Im having error parsing Teams leveldb.
The scripts returns error says like this;

`(base) C:\Users\User\Desktop\forensicsim-0.5.0\utils>python main.py -f ....\foren\AppData\local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default\IndexedDB\https_teams.live.com_0.indexeddb.leveldb -o ..\test.json

| | _ __ ___ _ __ () ___ ___ () __ ___
| | / _ | '/ _ \ '_ / | |/ / | | | ' ` _
| | () | | | / | | _ \ | (_ _| | | | | | |
|_| _/|_| _|| ||/|_|()|| || |_|

\ / / |_ _ __ __ _ | | | | ___ | |
\ /| | '/ ` |/ __| __| | |/ _ \ / _ | |
/ | || | | (| | (__| | | | () | () | |
//_\__|| _,|_|_| ||_/ ___/|_|

Traceback (most recent call last):
File "C:\Users\User\Desktop\forensicsim-0.5.0\utils\main.py", line 314, in
cli()
File "C:\Users\User\Desktop\forensicsim-0.5.0\utils\main.py", line 309, in cli
run(args)
File "C:\Users\User\Desktop\forensicsim-0.5.0\utils\main.py", line 292, in run
process_db(args.filepath, args.outputpath)
File "C:\Users\User\Desktop\forensicsim-0.5.0\utils\main.py", line 282, in process_db
extracted_values = shared.parse_db(filepath)
File "C:\Users\User\Desktop\forensicsim-0.5.0\utils\shared.py", line 170, in parse_db
db = FastIndexedDB(filepath)
File "C:\Users\User\Desktop\forensicsim-0.5.0\utils\shared.py", line 53, in init
self.fetch_data()
File "C:\Users\User\Desktop\forensicsim-0.5.0\utils\shared.py", line 77, in fetch_data
if db_id.dbid_no > 0x7f:
TypeError: '>' not supported between instances of 'NoneType' and 'int'`

Dumping localstorage works file but with leveldb not working for me.
could you help plz..