Daily Blog #684: Solution Saturday 4/25/20 - ZOOM DFIR Challenge Winner

ZOOM DFIR challenge.

Hello Reader,
        Another week of competition is concluded and a victor has a emerged. This week we continued the video conferencing artifacts and Oleg Skulkin with his sheer persistence every week has pulled out the win!

The Question:
When looking at Zoom from a DFIR perspective:
1. Where are the artifacts?
2. What format are they in?
3. Can you recover chat history?
4. Can you recover call history?
5. Anything else you can determine?

The Winning Answer:
Oleg Skulkin (@oskulkin)

Let’s start from artifacts locations. This time I used two devices for testing: a Windows laptop and a macOS laptop.

So, on Windows the artifacts are stored under:


You can find the following files and folders inside:

ZOOM DFIR challenge.

The most interesting folder here is data. Here are its contents:

ZOOM DFIR challenge.

At first glance we can see two DB files, which are SQLite databases, but unfortunately both databases don’t contain much useful information.

The first, zoommeeting.db, contains some info about meetings, including the timestamps in Unix Epoch:

ZOOM DFIR challenge.

The next database, zoomus.db, should contain lots of juicy artifacts as, according to Procmon, zoom.exe interacted with it very often, but in fact – it’s almost empty. You can collect some general configuration information from zoom_kv table. Another table, zoom_conf_avatar_image_cache, contains paths for conference avatar images located in the same folder. One more table, zoom_actions_logs, contains info about conference actions, for example, screen sharing, audio muting, etc. Other tables in my testing were empty. I tried recover data using multiple forensic tools as well as using hex viewer, but had no luck. It seems Zoom doesn’t want to store anything due to recently uncovered security flaws. 

As for macOS, artifacts are located under:
/Users/%USERNAME%/Library/Application Support/zoom.us

There are two folders inside: data and Plugins.

The data folder contains the same databases as Windows version – zoommeeting.db and zoomus.db, also almost empty.

So? I couldn’t recover neither call, no chat history. Probably, it needs much more testing.

1 comment :

  1. I am finding something very similar in terms of very few artefacts. I wonder if this has been an improvement on their end in terms of security-by-design.