Hello Reader,
I got some good answers this week and picking a winner was tough. This week I'm also providing links to some additional submissions that very nearly took the win. However, this week's winner is Mark McKinnon, who took a step beyond the others by:
A. Identifying the type of data storage in each of the relevant artifacts
B. Writing his own LevelDB Parser
C. Providing sample data to show
D. Expanding into additional artifacts
So that was my grading metric, and here are the runners-up:
Oleg Skulkin: https://cyberforensicator.com/2020/04/16/looking-at-microsoft-teams-from-a-dfir-perspective/
Phil Moore: https://thinkdfir.com/2020/04/17/part-of-a-sunday-funday-answer-microsoft-teams/
Tune in tomorrow for your chance at another win and look below to see Maxim's winning post.
Question:
When looking at Microsoft Teams from a DFIR perspective:
1. Where are the artifacts?
2. What format are they in?
3. Can you recover chat history?
4. Can you recover call history?
5. Can you recover file transfer?
6. Can you recover meeting history?
7. Anything else you can determine?
When looking at Microsoft Teams from a DFIR perspective:
1. Where are the artifacts?
   a. Leveldb
      i. AppData/Roaming/Microsoft/Teams/Service Worker/Database
      ii. AppData/Roaming/Microsoft/Teams/Local Storage/leveldb/
      iii. AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb
   b. SQLite
      i. AppData/Roaming/Microsoft/Teams/skylib/slimcore-aria-cache.data
      ii. AppData/Roaming/Microsoft/Teams/databases/Databases.db
      iii. AppData/Roaming/Microsoft/Teams/QuotaManager
      iv. AppData/Roaming/Microsoft/Teams/Cookies
      v. AppData/Roaming/Microsoft/Teams/Origin Bound Certs
   c. Chrome Cache
      i. AppData/Roaming/Microsoft/Teams/Cache
      ii. AppData/Roaming/Microsoft/Teams/Application Cache
      iii. AppData/Roaming/Microsoft/Teams/GPUCache
   d. Json Files
      i. AppData/Roaming/Microsoft/Teams/storage.json
      ii. AppData/Roaming/Microsoft/Teams/desktop-config.json
   e. Text Log Files
      i. AppData/Roaming/Microsoft/Teams/logs.txt
      ii. AppData/Roaming/Microsoft/Teams/old_logs_YYYYMMDD24HHMMSS.txt
   f. Misc
      i. AppData/Roaming/Microsoft/Teams/in_progress_download_metadata_store
2. What format are they in?
   a. Leveldb
   b. SQLite
   c. Chrome Cache
   d. Json Files
   e. Text Log Files
   f. Misc - Not sure
3. Can you recover chat history?
   a. Yes, this information is stored in the AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb location but will have to be worked on before it can easily be pulled out.
4. Can you recover call history?
   a. Not sure about this; if anything, may see it in the AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb data. Will have to parse thru all this data to verify.
5. Can you recover file transfer?
   a. I can see files that have been transferred; between AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb and AppData/Roaming/Microsoft/Teams/Cache should be able to find info. I do know files are not stored on the workstation unless they have been downloaded. Need to look into further.
6. Can you recover meeting history?
   a. Not sure; best places to try and correlate this information would be in AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb and AppData/Roaming/Microsoft/Teams/Cache
7. Anything else you can determine?
   a. IP address of computer was found in Cookies Database. There is a lot of information that needs to be investigated and correlated.

Artifacts
SQLite Databases
1. Cookies
   Host_Key        | Name | Value           | Creation_utc      | Last_access_utc   | Expires_utc       | Description
   .login.live.com | MSCC | 99.99.213.76-US | 13231215896175107 | 13262746541625305 | 13231215896175107 | IP Address of Device Logged in on
   Also has device id, auths and other things that have to be researched further.
2. Origin Bound Certs - SQLite database with a Private key field, a host name and creation time fields; what this means has to be explored.
3. Quota Manager - Only table that I see data in is OriginInfoTable. This has an origin column which has the teams site; it also has a use count, which would have to be explored as to its meaning if any, and last access and modified MS epoch timestamps also.
4. slimcore-aria-cache.data - This sqlite database also appears in Skype; need to investigate further, maybe deleted records in it.
5. Databases - Nothing in this database yet; will have to play more to see if things get added to it.
JSON and Text Files
1. Storage.Json - Username, Email address, Ip Address, First Name, Last Name, Full Name, State Time, update Time. Time stamps would have to be explored with what they really represent.
2. Logs.txt and old_logs-YYYYMMDD24HHMMSS.txt - Have to look at closer, but may be able to determine startup and shutdown of application and other things.
3. in_progress_download_metadata_store - May store document id's; have to take a closer look.
4. Desktop-config.json - userid/email address, internal userid maybe, device id, machine id, session id. Will have to look further to see how useful this is.
Chrome Cache
1. Cache - Directory where information is cached; can see userid's, files shared, media streamed. Will have to take a closer look to see how to decipher it all.
2. Application Cache - Chrome Cache. Nothing in there at this point; may need to add some Apps into teams to see what gets populated.
3. GPUCache - Unclear what this all means and if there is any value here; will have to look at closer.
LevelDB
1. Service Worker/Database - Appears to be some config info; nothing at this point shows any useful information. May check back on this.
2. Local Storage/leveldb - Values for keys are json; saw username/email address. Other things will have to be looked at closer to see if any value in the data.
3. IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb - Looks like a lot of potential information: usernames of individuals that may have had conversations, file names; calls may be in here, but there is a lot of information to go thru and parse to see how it all fits together.
Artifact Locations/Formats
1. Leveldb
   a. AppData/Roaming/Microsoft/Teams/Service Worker/Database
   b. AppData/Roaming/Microsoft/Teams/Local Storage/leveldb/
   c. AppData/Roaming/Microsoft/Teams/IndexedDB/https_teams.microsoft.com_0.indexeddb.leveldb
2. SQLite
   a. AppData/Roaming/Microsoft/Teams/skylib/slimcore-aria-cache.data
   b. AppData/Roaming/Microsoft/Teams/databases/Databases.db
   c. AppData/Roaming/Microsoft/Teams/QuotaManager
   d. AppData/Roaming/Microsoft/Teams/Cookies
   e. AppData/Roaming/Microsoft/Teams/Origin Bound Certs
3. Chrome Cache
   a. AppData/Roaming/Microsoft/Teams/Cache
   b. AppData/Roaming/Microsoft/Teams/Application Cache
   c. AppData/Roaming/Microsoft/Teams/GPUCache
4. Json Files
   a. AppData/Roaming/Microsoft/Teams/storage.json
   b. AppData/Roaming/Microsoft/Teams/desktop-config.json
5. Text Log Files
   a. AppData/Roaming/Microsoft/Teams/logs.txt
   b. AppData/Roaming/Microsoft/Teams/old_logs_YYYYMMDD24HHMMSS.txt
6. Misc
   a. AppData/Roaming/Microsoft/Teams/in_progress_download_metadata_store
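The Cookies row in the winning answer records the login IP in the MSCC value and stores its timestamps as Chromium/WebKit times (microseconds since 1601-01-01 UTC), which is why the raw numbers look nothing like Unix epochs. The script below is an added example, not code from the post or from Microsoft: it constructs a tiny Cookies-style SQLite database with the columns the table shows, pulls the MSCC row, splits the value into IP and country (assumed "<ip>-<country>" layout, as observed in the post), and converts the WebKit timestamps to ISO 8601.

```python
"""Parse the MSCC login-IP cookie out of a Teams Cookies database (added example)."""
import ipaddress
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chromium cookie times count microseconds from this epoch, not from 1970.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample row, copied from the table in the post.
SAMPLE_ROW = (".login.live.com", "MSCC", "99.99.213.76-US",
              13231215896175107, 13262746541625305, 13231215896175107)


def webkit_to_iso(ts):
    """Convert a WebKit/Chromium microsecond timestamp to an ISO 8601 UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=int(ts))).isoformat()


def parse_mscc(value):
    """Split an MSCC value into (ip, country); assumes '<ip>-<country>' layout."""
    ip, _, country = value.rpartition("-")
    return str(ipaddress.ip_address(ip)), country  # raises on a malformed IP


def build_sample_db(path):
    """Create a minimal Cookies database using the Chromium column names."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, "
                "creation_utc INTEGER, last_access_utc INTEGER, expires_utc INTEGER)")
    con.execute("INSERT INTO cookies VALUES (?,?,?,?,?,?)", SAMPLE_ROW)
    con.commit()
    con.close()


def login_ip_records(path):
    """Return one dict per MSCC cookie with decoded IP, country and timestamps."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT host_key, value, creation_utc, last_access_utc "
                       "FROM cookies WHERE name = 'MSCC'").fetchall()
    con.close()
    records = []
    for host, value, created, accessed in rows:
        ip, country = parse_mscc(value)
        records.append({"host": host, "ip": ip, "country": country,
                        "created": webkit_to_iso(created),
                        "last_access": webkit_to_iso(accessed)})
    return records


def demo():
    """Build the sample database in a temp dir and return the decoded records."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Cookies")
        build_sample_db(path)
        return login_ip_records(path)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Against a real image, point login_ip_records() at a copy of AppData/Roaming/Microsoft/Teams/Cookies rather than the live file, since Teams holds it open.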