David Cowen’s Sunday Funday is back, so why not take part in the fun? Last Sunday’s challenge was to look at Microsoft Teams from a forensic (DFIR) perspective, so here we go.
The first question: where are the artifacts? It looks like they are located under C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Teams:
So, we can see lots of different files here: SQLite databases, JSON files, plain text logs… But where can we find the artifacts of interest, e.g. messages, call logs, etc.? If we look under IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb we find 000003.log, and it contains lots of useful artifacts. Here comes the next question: what format are they in? The answer is LevelDB; this is a LevelDB log file. According to its GitHub page, “LevelDB is a fast key-value storage library written at Google that provides an ordered mapping from string keys to string values”. A couple of caveats before digging in. The .log file is LevelDB’s write-ahead log, so it holds recent writes; once they are compacted, the same data lives in the .ldb table files in the folder, which deserve a look too, and the number in the file name is just a counter that will differ from system to system. And because Chrome’s IndexedDB stores values serialized by V8, the strings inside a record may be UTF-16LE rather than plain ASCII, which matters if you grep the file.
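Since the interesting data sits in LevelDB log files, it helps to be able to read one rather than rely on a hex viewer. The Python below is an added example written for this post; it is not code from the original or from Google’s LevelDB project. It walks the 32 KiB blocks of a .log file, checks each record’s CRC-32C, reassembles records that were split across a block boundary, decodes the WriteBatch entries (sequence number, put or delete, key, value) and pulls printable ASCII and UTF-16LE strings plus ISO-8601 UTC timestamps out of each key and value. The sample log it builds is constructed in memory: the key names and the JSON-like contents are made up for the demonstration, and a real Teams record will not look like them (real IndexedDB values are V8-serialized blobs, which is exactly why the string search is there). The parser itself applies to any LevelDB .log file, whichever folder Teams or Chrome wrote it to.

```python
import functools
import re
import struct

BLOCK_SIZE, HEADER_SIZE = 32768, 7  # 32 KiB blocks; record header = masked crc32c(4) + length(2) + type(1)
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4  # record types; FIRST/MIDDLE/LAST carry one batch that straddles a block
PUT, DELETE = 1, 0  # WriteBatch entry tags (kTypeValue / kTypeDeletion)
_CRC_TABLE = [functools.reduce(lambda c, _: (c >> 1) ^ (0x82F63B78 if c & 1 else 0), range(8), i) for i in range(256)]

def crc32c(data):  # CRC-32C (Castagnoli), the checksum LevelDB puts in every record header
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def mask_crc(crc):  # LevelDB stores the CRC rotated 15 bits plus a constant, so a CRC never equals its own CRC
    return (((crc >> 15) | ((crc << 17) & 0xFFFFFFFF)) + 0xA282EAD8) & 0xFFFFFFFF

def encode_varint(n):
    out = b''
    while n >= 0x80:
        out, n = out + bytes([n & 0x7F | 0x80]), n >> 7
    return out + bytes([n])

def decode_varint(buf, pos):
    result, shift = 0, 0
    while buf[pos] & 0x80:
        result, shift, pos = result | (buf[pos] & 0x7F) << shift, shift + 7, pos + 1
    return result | buf[pos] << shift, pos + 1

def iter_physical_records(data):  # yield (type, payload, crc_ok); a block trailer shorter than a header is padding
    pos = 0
    while pos + HEADER_SIZE <= len(data):
        left = BLOCK_SIZE - pos % BLOCK_SIZE
        if left < HEADER_SIZE:
            pos += left
            continue
        masked, length, rtype = struct.unpack_from('<IHB', data, pos)
        payload = bytes(data[pos + HEADER_SIZE:pos + HEADER_SIZE + length])  # short (so bad CRC) if the file is truncated
        yield rtype, payload, mask_crc(crc32c(bytes([rtype]) + payload)) == masked
        pos += HEADER_SIZE + length

def iter_write_batches(data):  # reassemble FIRST/MIDDLE/LAST fragments into whole WriteBatch payloads
    buf = b''
    for rtype, payload, crc_ok in iter_physical_records(data):
        if not crc_ok:  # corrupt or torn record: drop any partial batch and carry on
            buf = b''
            continue
        buf = payload if rtype in (FULL, FIRST) else buf + payload
        if rtype in (FULL, LAST):
            yield buf

def parse_write_batch(batch):  # yield (sequence, 'put'|'del', key, value): 8-byte seq, 4-byte count, tagged entries
    seq, count = struct.unpack_from('<QI', batch, 0)
    pos = 12
    for i in range(count):
        tag, pos = batch[pos], pos + 1
        klen, pos = decode_varint(batch, pos)
        key, pos = batch[pos:pos + klen], pos + klen
        value = b''
        if tag == PUT:
            vlen, pos = decode_varint(batch, pos)
            value, pos = batch[pos:pos + vlen], pos + vlen
        yield seq + i, 'put' if tag == PUT else 'del', key, value

STRING_RUNS = ((re.compile(rb'[\x20-\x7e]{4,}'), 'ascii'),
               (re.compile(rb'(?:[\x20-\x7e]\x00){4,}'), 'utf-16-le'))  # V8-serialized strings are often UTF-16LE
ISO_TS = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z')

def strings_in(blob):  # printable ASCII runs and UTF-16LE runs of four or more characters
    return [m.group().decode(enc) for rx, enc in STRING_RUNS for m in rx.finditer(blob)]

def triage(data):  # one row per key/value: sequence, op, printable strings and any ISO-8601 UTC timestamps
    rows = []
    for batch in iter_write_batches(data):
        for seq, op, key, value in parse_write_batch(batch):
            strings = strings_in(key) + strings_in(value)
            rows.append({'seq': seq, 'op': op, 'strings': strings,
                         'timestamps': [t for s in strings for t in ISO_TS.findall(s)]})
    return rows

def frame(payload, rtype):  # writer side from here down: it only builds the constructed sample, not a real Teams log
    return struct.pack('<IHB', mask_crc(crc32c(bytes([rtype]) + payload)), len(payload), rtype) + payload

def make_batch(seq, entries):  # entries: (key, value) pairs; value None means a deletion
    body = b''
    for key, value in entries:
        body += bytes([DELETE if value is None else PUT]) + encode_varint(len(key)) + key
        body += b'' if value is None else encode_varint(len(value)) + value
    return struct.pack('<QI', seq, len(entries)) + body

def build_sample_log():  # constructed data: made-up keys and contents shaped like the post's screenshots
    message = (b'{"content":"Hey mate!","imdisplayname":"msteamstestpub",'
               b'"composetime":"2020-04-15T12:59:34.639Z","originalarrivaltime":"2020-04-15T12:59:40.207Z"}')
    call = 'callEndTime 2020-04-15T13:10:02.115Z'.encode('utf-16-le')
    first = frame(make_batch(100, [(b'blob', b'\x00' * 32640)]), FULL)  # 32,668 bytes, leaving 100 in block 0
    second = make_batch(101, [(b'replychain/1', message), (b'calllog/1', call), (b'stale', None)])
    split = BLOCK_SIZE - len(first) - HEADER_SIZE  # only 93 payload bytes fit before the boundary: FIRST then LAST
    return first + frame(second[:split], FIRST) + frame(second[split:], LAST)
```

To run it on evidence, read the file as bytes and pass it to triage(), for example triage(open(r'...\000003.log', 'rb').read()), then filter the rows on 'timestamps' or on a user name to get to messages and calls quickly. A record that was torn when the image was taken fails its CRC and is dropped instead of producing a garbage row. The .ldb table files in the same folder use LevelDB’s sorted-table format, not this log format, so they need a different reader.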
So, can we find artifacts of chat history? Yes, we can! Here is one of the messages:
As you can see, there is a good number of keys and values. First of all, we can see the message content, that is “Hey mate!” and the name of the user who sent it – “msteamstestpub“. Timestamps are also included and presented in UTC: compose time (2020-04-15T12:59:34.639Z) and original arrival time (2020-04-15T12:59:40.207Z).
Now let’s look at an incoming message:
As this is an incoming message, here we have another timestamp – client arrival time (2020-04-15T12:59:58.270Z).
So what about call logs? We can find them in the same file:
Here we can see timestamps in UTC again: start time, connect time and end time. We can also see that the call was incoming, that only two parties participated in it, and that the caller’s display name was “A B”.
Let’s look at file transfers. Unfortunately, there is no info about file transfers in 000003.log. But it’s not a big problem! There is another LevelDB log file under the Local Storage folder, 000044.log, and here is the file transfer information:
Here we have the file type, its size, name, location on the target drive and, of course, its status: downloaded. There is also a timestamp in UTC.
And finally, meeting history. Let’s get back to the 000003.log file:
As you can see, the title of the meeting was “Time to meet!”. Again we have a bunch of timestamps as well as information about the meeting’s creator: user principal name (admin@UnknownPleasures.onmicrosoft.com) and display name (A B).
But what if our suspect used the web application instead of the desktop client? Great news! If Google Chrome was used, you can find a similar LevelDB log file under C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb!
Another file that may be of interest to a forensic analyst is desktop-config.json. It’s located under C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Teams and contains, for example, account information.