Microsoft Teams desktop application forensic investigations utilizing IndexedDB storage.

ABSTRACT

While the COVID-19 virus remolded the routines of the establishments, remote collaboration and distant communication gained more popularity. As the way electronic communications are handled changes drastically, new applications and storage mechanisms are introduced. Microsoft Teams is an application offered within the scope of Microsoft Office 365 that offers services for hosting virtual meetings, team communication, and comprehensive team resource management. It is prevalently used by organizations and indicates a great potential to be a source of digital forensic investigations. This paper scrutinizes the artifacts created by Microsoft Teams in IndexedDB persistent storage. IndexedDB is a fast-growing client-side storage technology that is relatively new as a source for digital forensic investigations. A single-case pretest-posttest quasi experiment was conducted to produce artifacts in Microsoft Teams IndexedDB storage. The artifacts were extracted without user credentials indicating security flaws in the application. Extracted artifacts were processed based on signature patterns and evaluated for their significance. Traditional database queries were utilized to link and present the information clustered according to their relevancy. A time-frame analysis was constructed to display information in a suitable format for investigators. The results indicate that Microsoft Teams IndexedDB storage artifacts contain significant potential for digital investigations with extraction of complete contents of private chat messages, voice mails, and team extensions with efficient time-frame analysis.