Home Articles Looking at Microsoft Teams from a DFIR Perspective

Looking at Microsoft Teams from a DFIR Perspective

Comments Off on Looking at Microsoft Teams from a DFIR Perspective

David Cowen’s Sunday Funday is back, so why not to take part in this fun? Last Sunday’s challenge was to look at Microsoft Teams from a forensic or DFIR perspective, so here we go.

The first question, where are the artifacts? It looks like the artifacts are located under C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Teams:

A folder with Microsoft Teams data

So, we can see here lots of different files: SQLite databases, JSON files, plain text logs… But where can we find artifacts of interest, e.g., messages, call logs, etc? If we look at under IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb we can find 000003.log – it contains lots of useful artifacts. Here comes the next question – what format are they in? And the answer is – LevelDB. This is a LevelDB Log File. According to its GitHub page, “LevelDB is a fast key-value storage library written at Google that provides an ordered mapping from string keys to string values”.

So, can we find artifacts of chat history? Yes, we can! Here is one of the messages:

A piece of chat history extracted from 000003.log

As you can see, there is a good number of keys and values. First of all, we can see the message content, that is “Hey mate!” and the name of the user who sent it – “msteamstestpub“. Timestamps are also included and presented in UTC: compose time (2020-04-15T12:59:34.639Z) and original arrival time (2020-04-15T12:59:40.207Z).

Now let’s look at incoming message:

Another piece of chat history extracted from 000003.log

As this is an incoming message, here we have another timestamp – client arrival time (2020-04-15T12:59:58.270Z).

So what about call logs? We can find it in the same file:

Call log extracted from 00000.log

Here we can see the timestamps in UTC again, start time, connect time and end time. Also we can see that the call was incoming, and only two parties participated in it, as well as the calling person used “A B” for displayed name.

Let’s look at file transfers. Unfortunately, there is no info about file transfers in 000003.log. But it’s not a big problem! There is another LevelDB Log File under Local Storage folder – 000044.log. And here is file transfer information:

File transfer log extracted from 000044.log

Here we have file type, its size, name, location on the target drive, and, of course, status – downloaded. Also there is a timestamp in UTC.

And finally, meeting history. Let’s get back to 000003.log file:

A piece of meeting history extracted from 000003.log

As you can see, the title of the meeting was “Time to meet!”. Again we have a bunch of timestamps as well as information about meeting creator – user principal name (admin@UnknownPleasures.onmicrosoft.com) and display name (A B).

But what if our suspect used web application instead of classic? Great news! If Google Chrome was used, you can find similar LevelDB Log File under C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb!

Another file that may be of interest to a forensic analyst is desktop-config.json. It’s located under C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Teams, and contains, for example, account information.

Load More Related Articles
Load More In Articles
Comments are closed.