
Daily Blog #684: Solution Saturday 4/25/20 - ZOOM DFIR Challenge Winner



Hello Reader,
        Another week of competition is concluded and a victor has emerged. This week we continued the video conferencing artifacts and Oleg Skulkin, with his sheer persistence every week, has pulled out the win!

The Question:
When looking at Zoom from a DFIR perspective:
1. Where are the artifacts?
2. What format are they in?
3. Can you recover chat history?
4. Can you recover call history?
5. Anything else you can determine?

The Winning Answer:
Oleg Skulkin (@oskulkin)
https://cyberforensicator.com/


Let’s start from artifacts locations. This time I used two devices for testing: a Windows laptop and a macOS laptop.

So, on Windows the artifacts are stored under:

C:\Users\%USERNAME%\AppData\Roaming\Zoom

You can find the following files and folders inside:




The most interesting folder here is data. Here are its contents:




At first glance we can see two DB files, which are SQLite databases, but unfortunately both databases don’t contain much useful information.

The first, zoommeeting.db, contains some info about meetings, including the timestamps in Unix Epoch:





The next database, zoomus.db, should contain lots of juicy artifacts as, according to Procmon, zoom.exe interacted with it very often, but in fact – it’s almost empty. You can collect some general configuration information from the zoom_kv table. Another table, zoom_conf_avatar_image_cache, contains paths for conference avatar images located in the same folder. One more table, zoom_actions_logs, contains info about conference actions, for example, screen sharing, audio muting, etc. Other tables in my testing were empty. I tried to recover data using multiple forensic tools as well as a hex viewer, but had no luck. It seems Zoom doesn’t want to store anything due to recently uncovered security flaws.

As for macOS, artifacts are located under:
/Users/%USERNAME%/Library/Application Support/zoom.us

There are two folders inside: data and Plugins.

The data folder contains the same databases as the Windows version – zoommeeting.db and zoomus.db, also almost empty.

So, I couldn’t recover either call or chat history. Probably, it needs much more testing.
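A triage helper, added here as an example that is not part of Oleg's answer or of Zoom's own code: it opens one of the SQLite databases named above read-only, lists every table with its row count, and renders integer values in the Unix epoch range as UTC so timestamps like those in zoommeeting.db can be read at a glance. The sample database it builds is constructed; the table names follow the answer, but the column names and values are invented, since the real schema is not shown on this page.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Plausible window for Unix epoch values: 2000-01-01 .. 2100-01-01, in seconds.
EPOCH_MIN, EPOCH_MAX = 946684800, 4102444800


def looks_like_epoch(value):
    """True for integers in the seconds or milliseconds Unix epoch range."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return EPOCH_MIN <= value <= EPOCH_MAX or EPOCH_MIN * 1000 <= value <= EPOCH_MAX * 1000


def epoch_to_utc(value):
    """Render a seconds or milliseconds epoch integer as an ISO-8601 UTC string."""
    seconds = value / 1000 if value > EPOCH_MAX else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def triage_db(path, sample_rows=20):
    """Open a Zoom SQLite DB read-only and return {table: {"rows": n, "sample": [...]}}.
    Epoch-looking integers in the sampled rows are decoded to UTC for review."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    report = {}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for name in names:  # names come from sqlite_master, quoted to be safe
        count = conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
        sample = [tuple(epoch_to_utc(v) if looks_like_epoch(v) else v for v in row)
                  for row in conn.execute(f'SELECT * FROM "{name}" LIMIT ?', (sample_rows,))]
        report[name] = {"rows": count, "sample": sample}
    conn.close()
    return report


def build_sample_db():
    """Constructed stand-in for zoomus.db: table names follow the post, columns and
    values are made up (assumption, the real schema is not on the page)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE zoom_kv (key TEXT, value TEXT);
        INSERT INTO zoom_kv VALUES ('sample_setting', 'sample_value');
        CREATE TABLE zoom_conf_avatar_image_cache (path TEXT);
        CREATE TABLE zoom_actions_logs (action TEXT, ts INTEGER);
        INSERT INTO zoom_actions_logs VALUES ('share_screen', 1587772800);
        INSERT INTO zoom_actions_logs VALUES ('mute_audio', 1587772800000);
    """)
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    for table, info in triage_db(build_sample_db()).items():
        print(table, info["rows"], info["sample"])
```

Point triage_db at a copy of the real zoommeeting.db or zoomus.db from the paths above; empty tables show up with a row count of 0, which is the result the answer describes.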

Daily Blog #678: Sunday Funday 4/19/20 - Zoom from a DFIR Perspective Challenge





Hello Reader,
         We had some strong contenders for last week's contest, and I think most of you understood the expedited need to understand more about these virtual conferencing technologies in the work-from-home world we are in. Let's then continue our journey by looking into an application that has been much in the news of late, Zoom. It's time to put your skills to use by letting the community know what they can recover from the Zoom video conference app.

Please note, as with last week's challenge, I'm not specifying an operating system. You are allowed to test/research/document any Zoom client you have access to. If you do more than one, that could be how your submission comes over the line to a win.




The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 4/24/20 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
When looking at Zoom from a DFIR perspective:
1. Where are the artifacts?
2. What format are they in?
3. Can you recover chat history?
4. Can you recover call history?
5. Anything else you can determine?
