Forensic Analysis of Microsoft Teams: Investigating Memory, Disk and Network
Source of Publication
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Videoconferencing applications have seen a jump in their userbase owing to the COVID-19 pandemic. The security of these applications has certainly been a hot topic since millions of VoIP users’ data is involved. However, research pertaining to VoIP forensics is still limited to Skype and Zoom. This paper presents a detailed forensic analysis of Microsoft Teams, one of the top 3 videoconferencing applications, in the areas of memory, disk-space and network forensics. Extracted artifacts include critical user data, such as emails, user account information, profile photos, exchanged (including deleted) messages, exchanged text/media files, timestamps and Advanced Encryption Standard encryption keys. The encrypted network traffic is investigated to reconstruct client-server connections involved in a Microsoft Teams meeting with IP addresses, timestamps and digital certificates. The conducted analysis demonstrates that, even with strong security mechanisms in place, user data can still be extracted from a client’s desktop. The artifacts also serve as digital evidence in a court of law, in addition to providing forensic analysts with a reference for cases involving Microsoft Teams.
Springer International Publishing
Artifacts, Digital forensics, Memory forensics, Microsoft Teams, Network forensics, Videoconferencing, VoIP
Khalid, Zainab; Iqbal, Farkhund; Al-Hussaeni, Khalil; MacDermott, Aine; and Hussain, Mohammed, "Forensic Analysis of Microsoft Teams: Investigating Memory, Disk and Network" (2022). All Works. 5189.
Indexed in Scopus