Tuesday, September 22, 2020

Microsoft Teams artifacts and chat logs

Take a look at this location:

C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\


On my workstation there is a folder at this location:

https_teams.microsoft.com_0.indexeddb.leveldb

Look at the *.log file at this location.

Open the .log file in Notepad++:

File --> Open --> path to

"C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb"

Open the .log file

Sample of the "000007.log" file in Notepad++









In Notepad++, with the .log file open, press "Ctrl+F"

Searching for the value "renderContent" returned some messages logged from MS Teams.

Select Find All in Current Document














The find results show all lines containing the value "renderContent" followed by posted messages.

Sample recovered MS Teams messages


There are also other potential values of interest in this log including: 

"imdisplayname" 

"RichText/Html" (provided further chat and web content)

"meetingtitle"

MESSAGE time values: "composetime", "originalarrivaltime" and "clientArrivalTime"
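
The Notepad++ search above can be scripted. This is an added example, not part of the original post: it scans a working copy of the .log file for the keywords listed above and reports the first printable string after each hit. The function names, the 4-character minimum, the 512-byte window and the sample bytes are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Keywords are the ones listed in the post; every other name is this example's own.
KEYS = (b"renderContent", b"imdisplayname", b"RichText/Html", b"meetingtitle",
        b"composetime", b"originalarrivaltime", b"clientArrivalTime")
KEY_RE = re.compile(b"|".join(re.escape(k) for k in KEYS))
# Assumption: the value is the first run of 4+ printable characters after the
# key, stored one byte per character or as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def first_text(chunk: bytes) -> str:
    """Return the earliest printable run in chunk, or '' if there is none."""
    a, u = ASCII_RUN.search(chunk), UTF16_RUN.search(chunk)
    if u and (a is None or u.start() <= a.start()):
        return u.group().decode("utf-16-le")
    return a.group().decode("ascii") if a else ""

def scan(data: bytes, window: int = 512):
    """Return [(offset, key, text)] for every keyword hit in the raw bytes."""
    hits = []
    for m in KEY_RE.finditer(data):
        nxt = KEY_RE.search(data, m.end())
        # Stop at the next keyword so a missing value is not filled with its name.
        end = min(m.end() + window, nxt.start() if nxt else len(data))
        hits.append((m.start(), m.group().decode(), first_text(data[m.end():end])))
    return hits

# Constructed bytes standing in for a .log fragment (not real Teams data).
SAMPLE = (b"\x01\x0dimdisplayname\x22\x08Jane Doe"
          b"\x0drenderContent\x22\x15<div>hello team</div>"
          b"\x0cmeetingtitle\x63\x0c" + "Weekly".encode("utf-16-le") +
          b"\x0bcomposetime\x22\x182020-09-22T14:03:11.000Z\x00")

if __name__ == "__main__":
    # Pass the path to a working copy of the .log file; without one, use SAMPLE.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    for offset, key, text in scan(data):
        print(f"{offset:#010x}  {key:<20} {text}")
```

The byte offset in the first column lets each hit be checked against the same position in a hex viewer.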


This is a sample of artifacts left on the workstation when not logged into MS Teams that could be of potential value in an examination. I also recommend checking out an article written a few months back at cyberforensicator.


-Bryan





