Forensic Analysis of Microsoft Teams: Investigating Memory, Disk and Network

Document Type

Book Chapter

Source of Publication

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Publication Date

6-17-2022

Abstract

Videoconferencing applications have seen a jump in their userbase owing to the COVID-19 pandemic. The security of these applications has certainly been a hot topic since millions of VoIP users’ data is involved. However, research pertaining to VoIP forensics is still limited to Skype and Zoom. This paper presents a detailed forensic analysis of Microsoft Teams, one of the top 3 videoconferencing applications, in the areas of memory, disk-space and network forensics. Extracted artifacts include critical user data, such as emails, user account information, profile photos, exchanged (including deleted) messages, exchanged text/media files, timestamps and Advanced Encryption Standard encryption keys. The encrypted network traffic is investigated to reconstruct client-server connections involved in a Microsoft Teams meeting with IP addresses, timestamps and digital certificates. The conducted analysis demonstrates that, with strong security mechanisms in place, user data can still be extracted from a client’s desktop. The artifacts also serve as digital evidence in a court of law, in addition to providing forensic analysts a reference for cases involving Microsoft Teams.

ISSN

1867-8211

Publisher

Springer International Publishing

Volume

442

First Page

583

Last Page

601

Disciplines

Computer Sciences

Keywords

Artifacts, Digital forensics, Memory forensics, Microsoft Teams, Network forensics, Videoconferencing, VoIP

Scopus ID

85133288323

Indexed in Scopus

yes

Open Access

no
