1 Introduction

The adoption of videoconferencing applications in the wake of the COVID-19 pandemic has proved to be an efficient alternative, as businesses and schools continue to use them for meetings and online classes. This technology may well remain in use after the pandemic is over, owing to its convenience, the higher productivity levels reported by employees and reduced travel costs, among other advantages [1]. The market value of Voice over Internet Protocol (VoIP) applications is estimated at $6.03 billion in 2021 [1]. The most prevalent of these applications include Zoom, Cisco WebEx, Microsoft Teams, Google Hangouts, BlueJeans and Adobe Connect, according to a recent G2 report [2].

Any application that connects to the internet is at risk. It is therefore important to consider the security and privacy risks posed by videoconferencing applications, because they store and transmit the data of millions of users. Malicious actors exploit the vulnerabilities present to gain access to users’ accounts and data in order to harass, abuse or bully them. Zoom-bombing is an example of intruders exploiting a vulnerability (Zoom’s screen sharing feature) to hijack meetings, stream improper content or harass attendees [3]. Such vulnerabilities have since been patched; however, other persistent risks can be categorized as: software development risk, personal information loss, communication interception, unlawful access to confidential data and privacy violation [4]. Andrew Lewis, in his report, argues that while it is important to compare the security of one VoIP application against others, it is equally important to analyze the risks of videoconferencing as part of a broader digital platform [4].

WebEx, in 2019, was patched for the critical vulnerabilities CVE-2020-3419, CVE-2020-3441 and CVE-2020-3471, which would have allowed an attacker to obtain private user data without leaving a trace, thereby violating confidentiality and non-repudiation [5]. Houseparty was reported to have questionable privacy policies and to collect end-user information, while Google Meet did not initially offer full encryption [6].

Evidently, there is a need to forensically analyze videoconferencing applications to extract artifacts that can attribute malicious actions to guilty individuals. These artifacts can therefore serve as digital evidence in criminal investigations. Microsoft Teams has experienced a surge in its userbase, with 145 million daily active users and 100+ million downloads on Google Play Store [7]. It is one of the top 3 videoconferencing applications in the market. This research work forensically analyzes the Microsoft Teams desktop application on a Windows virtual client machine to determine, carve and extract artifacts of potential evidential value from different locations on the client’s desktop. These include memory, disk-space and network. To the best of our knowledge, this is the first forensic analysis of the Microsoft Teams desktop application.

1.1 Microsoft Teams Protocol Overview

VoIP applications, with their upward trends in demand and userbase, have been scrutinized for the security services they offer. Zoom initially faced backlash in this regard. However, with time, security practices such as (1) media encryption, (2) session encryption and (3) hashing for integrity and authentication have been adopted and implemented in these applications. Microsoft Teams has particularly benefited from Microsoft’s mature security model [4]. The security services provided by Microsoft Teams’ communication protocols are discussed below [8]:

  • Transport Layer Security (TLS) is used for client-to-server signaling and Mutual Transport Layer Security (MTLS) is used to encrypt server-to-server messages.

  • Media traffic is encrypted using Secure Real-time Transport Protocol (SRTP).

  • Federal Information Processing Standard (FIPS) compliant algorithms are used for encryption key exchanges.

  • Client-to-server authentication is achieved using Modern Authentication (MA), Microsoft’s implementation of OAuth 2.0. Multi-Factor Authentication (MFA) and conditional access are implemented using MA.

  • User Datagram Protocol (UDP) ports 3478–3481 and Transmission Control Protocol (TCP) port 443 over TLS are used by the client to request audio and video media.

  • Microsoft Teams stores files in SharePoint which is primarily a cloud-based document management and storage system developed by Microsoft. The files stored in SharePoint servers are protected by SharePoint encryption.

With strict encryption and authentication protocols being used for data in transit and at rest, our main goal in this research is to investigate what artifacts can be extracted from a client’s desktop (memory, disk-space and network). The contributions of our research are as follows:

  • We perform a detailed memory forensic analysis of Microsoft Teams to extract artifacts that are corroborated with artifacts from disk-space and network.

  • We analyze the Windows Registry on disk-space to extract registry keys pertaining to Microsoft Teams.

  • We present an in-depth network forensic analysis of Microsoft Teams’ (encrypted) traffic.

The rest of this paper is structured as follows. Section 2 discusses research previously done in VoIP applications’ forensic analysis and other similar Instant Messaging (IM)/social media applications. Section 3 presents the research methodology adopted and the experimental setup. Sections 4, 5 and 6 present the findings of memory forensics, disk-space forensics and network forensics for Microsoft Teams, respectively. Finally, Sect. 7 provides a summary of the contributions and discusses prospects of further research that can be performed in VoIP forensics.

2 Literature Review

Previous research in the domain of forensic analysis of videoconferencing applications is limited. Some of the most recent works in VoIP application forensics are discussed in this section.

Sgaras et al. [9] presented forensic analyses of some IM and VoIP applications namely WhatsApp, Viber, Skype and Tango on both Android and iOS platforms. They developed a taxonomy of the artifacts that can be extracted using logical and manual analyses.

Yang et al. [10] performed an in-depth forensic analysis of Facebook and Skype on a Windows 8.1 machine. Terrestrial artifacts such as installation information, log-in and log-off information, contact lists, conversations and transferred files were extracted from memory, disk-space and network traffic. The authors also observed that uninstalling the applications removed most artifacts from the file-system, but some installation data still remained on the disk; therefore, anti-forensics attempts by deleting data can be detected.

Tandel and Rughani [11] investigated the client artifacts that can be extracted from an Asterisk server during a (Zoiper) VoIP communication if the server is compromised. The authors used EnCase to extract usernames, passwords, call records, access logs and error logs from the server.

Dargahi et al. [12] presented the analysis of forensically valuable remnants of mobile VoIP applications: Viber, Skype and WhatsApp messenger on an Android smartphone. They recovered artifacts such as messages, contact details, phone numbers, images and video files from logical images of a rooted Samsung Galaxy S3 GT-i9300 smartphone.

Mohemmed et al. [13] presented a packet level forensic analyzer for VoIP network traffic. The framework can identify and analyze the VoIP-SIP stream (which is the protocol used to initiate a VoIP communication session) and regenerate the VoIP-RTP stream (protocol used for data transfer) in order to trace malicious users involved in a conversation.

Recently, Nicoletti and Bernaschi [14] forensically analyzed Skype for Business with a focus on Skype’s communication architecture, protocols and VoIP codec to extract artifacts. They presented case studies that elaborated the relevance of extracted artifacts in different investigative cases. They identified the Windows Registry, Event Viewer, client application folder and log files as sources of potential evidence in the presented case studies.

After the COVID-19 outbreak, the number of VoIP applications and their usage has surged but research regarding forensic analysis of the most recent and prevalent videoconferencing applications is still scarce. Zoom, however, has been analyzed in-depth by Mahr et al. [15]. The authors presented a detailed disk-space forensic analysis of Zoom on Windows and macOS desktops. Their research included an analysis of Android and iOS smartphones as well. Various databases in the Zoom data directory were investigated to extract artifacts that included chats, contacts, caches, video meetings and user/device configurations. Preliminary memory and network forensic analyses were also presented.

The Zoom databases analyzed by Mahr et al. [15] were stored on disk in un-encrypted form at the time of their research. However, from our own forensic analysis of the Zoom data directory, we have observed that the databases are now stored in encrypted form on the disk-space. This adds another layer of complexity for the forensic analyst since a passphrase or key is required for decryption.

Similar works include forensic analysis of Social Media applications such as Instagram [16], Facebook, Twitter, LinkedIn [17], WhatsApp, Hangouts and Line [18] on mobile operating systems such as Android and iOS for digital forensic artifacts.

3 Methodology and Experimental Setup

For the purpose of this research, a controlled test environment was created using a Windows 10 Virtual Machine (VM). 4 GB of RAM and 60 GB of disk-space were allotted to the VM. A Microsoft Teams user account was created and signed in. A clean test environment facilitates a more precise analysis, as unnecessary mixing or over-writing of Microsoft Teams artifacts with those of other applications or system files is avoided.

To create test data for the forensic analysis, the Microsoft Teams user account was used to emulate typical user actions such as setting up the user profile ID, searching for people by keyword, adding/deleting contacts, audio/video calls and one-to-one/group meetings. Table 1 lists features of Microsoft Teams and the corresponding user actions that were performed to create the test data.

Table 1. Key features of Microsoft Teams.

Following the test user activities, FTK Imager was used to create memory and disk images of the VM. For memory analysis, a separate memory dump was taken after each major user action (user login, chat messages, meetings etc.) so that the actions could be analyzed individually.

For automated analysis of the forensic images, the tools Volatility, Bulk Extractor and PhotoRec were used. Manual forensic analysis was performed by string searching with relevant keywords/phrases. The artifacts in focus are categorized into different profiles [12]: (1) installation data, (2) traffic data, (3) content data, (4) user profile data, (5) user authentication data, (6) contact database, (7) attachment/files and (8) location data.

To capture and analyze the network traffic, we used Wireshark. NetworkMiner was also used to analyze the .pcap traffic captured with Wireshark. The research methodology is illustrated in Fig. 1, and the tools used are listed in Table 2.

Fig. 1. Research methodology.

Table 2. Tools used for forensic analysis.

4 Memory Forensics

Random Access Memory (RAM), or memory, stores information about the Operating System’s (OS) running processes and applications. Data is often stored in un-encrypted form in the memory which makes it an interesting reserve of information that can serve as digital evidence. Microsoft Teams’ artifacts carved from the memory of the VM are presented.

Determining whether Microsoft Teams was running on a device was fairly simple: the pslist or pstree plugins of Volatility showed the teams.exe processes running in memory. The processes were displayed against their Process IDs (PIDs). A PID’s Parent Process Identifier (PPID) can also be traced to make sure that the teams.exe process originated from the legitimate Teams process and not from a foreign/malicious process. The timestamps of the teams.exe processes also indicated when the application was running. The pstree output in Fig. 2(a) shows the Teams processes. Volatility can also be used to investigate the network connections that were listening/established close to when the memory image was captured; the netscan output for Microsoft Teams is discussed in Sect. 6.
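The PPID check described above, as an added example that is not part of the original paper: the script parses pslist-style rows (PID, PPID, image name, creation time; a constructed sample, not output from the paper’s memory image), walks each Teams.exe process back to its ancestors, flags any Teams.exe whose parent is outside the lineage this example treats as expected (explorer.exe or another Teams.exe, an assumption made for illustration), and reports the creation-time window in which Teams was running.

```python
"""Check the lineage of Teams.exe processes in Volatility pslist output.

Added example; the pslist text below is constructed for illustration and is
not output from the paper's memory image. Column order follows the
PID/PPID/ImageFileName/CreateTime layout of Volatility 3's windows.pslist,
with the remaining columns omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: Teams.exe 4420 is launched from powershell.exe, which is
# outside the launch path this example treats as expected.
SAMPLE_PSLIST = """\
PID   PPID  ImageFileName   CreateTime
4     0     System          2021-07-14 13:40:01.000000
612   4     smss.exe        2021-07-14 13:40:02.000000
1188  1100  explorer.exe    2021-07-14 13:41:10.000000
2200  1188  powershell.exe  2021-07-14 14:01:59.000000
3700  1188  Teams.exe       2021-07-14 13:55:03.000000
3744  3700  Teams.exe       2021-07-14 13:55:04.000000
3812  3700  Teams.exe       2021-07-14 13:55:05.000000
4420  2200  Teams.exe       2021-07-14 14:02:17.000000
"""

# Assumption of this example: an interactive launch from explorer.exe or a
# child spawned by another Teams.exe is the expected lineage; anything else
# is flagged for analyst review, not declared malicious.
EXPECTED_PARENTS = {"teams.exe", "explorer.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    created: str


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Parse whitespace-separated pslist rows into a PID-keyed map."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        pid, ppid, name = int(parts[0]), int(parts[1]), parts[2]
        procs[pid] = Proc(pid, ppid, name, " ".join(parts[3:5]))
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Walk PPID links upward; stop at a parent missing from the dump or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def audit_teams(procs: Dict[int, Proc]) -> Dict[int, Tuple[str, bool]]:
    """Map each Teams.exe PID to (parent image name, needs_review)."""
    findings = {}
    for p in procs.values():
        if p.name.lower() != "teams.exe":
            continue
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else "<not in dump>"
        findings[p.pid] = (parent_name, parent_name.lower() not in EXPECTED_PARENTS)
    return findings


def teams_activity_window(procs: Dict[int, Proc]) -> Optional[Tuple[str, str]]:
    """Earliest and latest Teams.exe creation time, as evidence of when it ran."""
    times = sorted(p.created for p in procs.values() if p.name.lower() == "teams.exe")
    return (times[0], times[-1]) if times else None


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for pid, (parent, review) in audit_teams(procs).items():
        status = "REVIEW" if review else "ok"
        print(pid, "<-", parent, status, " / ".join(lineage(procs, pid)))
    print("Teams activity window:", teams_activity_window(procs))
```

A flagged parent is a prompt to look further (the yarascan and string-search steps that follow), not proof of compromise: legitimate updaters and launchers also start Teams, so the allow-list should be tuned to the environment under investigation.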

Yarascan is another Volatility plugin, used here to search for artifacts particular to a PID. Figure 2(b) shows information regarding a message deletion related to a Teams process (searched using Teams PID 3744).

Fig. 2. (a) Pstree output for Microsoft Teams via Volatility. (b) Yarascan search for PID 3744 via Volatility.

As shown, yarascan searches can reveal useful information about user activity, but they display only a limited window of data, and further analysis requires tracing the physical/virtual offsets of the displayed output. The same information was more easily extracted using string searching, as discussed below.

Another tool, Bulk Extractor, was used to carve Advanced Encryption Standard (AES) keys, as shown in Fig. 3(a). Its email histogram (Fig. 3(b)) lists the email addresses from the user’s one-to-one and group correspondence in order of frequency: the user communicated most with the accounts associated with the emails at the top of the histogram.

Fig. 3. (a) AES keys extracted via Bulk Extractor. (b) Email histogram displaying the most contacted emails, extracted via Bulk Extractor.

PhotoRec was used to carve photographic images from the memory dumps. We were able to extract critical images such as (1) the profile photo of the logged-in user account, (2) profile photos of accounts the user interacted with, (3) Microsoft Teams logos and (4) other favicon images related to the application, as shown in Fig. 4. This shows that Microsoft Teams’ profile images are processed in un-encrypted form in memory, a useful artifact for investigations.

Fig. 4. Profile photos carved from memory via PhotoRec.

Manual forensic analysis was also conducted using string searches against the memory dumps, which revealed a plethora of information such as the user’s account details (user display name, email address associated with Microsoft Teams, user ID etc.), as shown in Fig. 5(a). The user password was not found in plaintext by string searching the memory dump. This was expected, since sensitive authentication information is stored in encrypted form.

Figure 5(b) shows details about an audio call that was made. The start time, end time, user ID and display name of the account that made the call and the recipient’s user ID were all present in the memory.

The keyword search option in Microsoft Teams enables the user to search for acquaintances and friends. In memory, information regarding searches made using this option was found under the QueryString tag, as shown in Fig. 5(c).

Fig. 5. (a) User account details extracted via manual string search. (b) Call information extracted via manual string search. (c) Keyword search extracted via manual string search.

The Microsoft Teams Chat Files tag stores information about the exchanged text files (including deleted text files) as shown in Fig. 6. The user name, email address of the sender, date and time of exchange, user IDs, name and size of the text file were extracted. Under the same (Microsoft Teams Chat Files) tag, information about the exchanged and deleted (photo) media files, their sizes and timestamps were also extracted. The SharePoint server addresses, where these files are stored, were extracted under the tag as well.

Fig. 6. (a) Exchanged text file extracted via manual string search. (b) Deleted text file extracted via manual string search. (c) Exchanged media file extracted via manual string search. (d) Deleted media file extracted via manual string search.

Messages exchanged between the user and other parties were also extracted from the memory under the skypexspaces-[user ID] tag, which is the database name of the particular user. This database (stored in SharePoint) seemingly stores all the messages of the user including timestamps and other information as shown in Fig. 7. This included deleted messages as well. Microsoft Teams stores messages in the databases even after they are deleted. Using the timestamps, a messaging exchange can be reconstructed in chronological order including the deleted messages. Exchanged Uniform Resource Locators (URLs) were also found under the skypexspaces-[user ID] tag (Fig. 7).

Note that some of the text messages, URLs and media/text files exchanged between users during the test activities were deleted. These artifacts were nonetheless extracted from the memory dumps using the manual string searches discussed above, which shows that information that is seemingly deleted and no longer visible in the application’s user interface still resides in memory and can be recovered using the Microsoft Teams Chat Files and skypexspaces-[user ID] tags. Such anti-forensic attempts can therefore be detected through memory analysis.
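The tag-based string search of this section and of the QueryString and Microsoft Teams Chat Files passages above, as an added example that is not part of the original paper: the script scans a raw memory buffer for the three tag strings, carves each NUL-terminated run that follows a tag, and orders the carved messages chronologically with deleted ones retained. The memory buffer is constructed, and the JSON record layout following each tag is an assumption of this example (Teams does not document its in-memory record format); only the tag strings are taken from the analysis above. A truncated record is included to show that partially overwritten data is skipped rather than guessed at.

```python
"""Carve tagged records from a raw memory image with string searches.

Added example. The memory buffer is constructed: a few records wrapped in
filler bytes. The record payloads use a JSON layout invented for this
example; only the tag strings (skypexspaces-<user ID>, Microsoft Teams Chat
Files, QueryString) are the ones the analysis reports finding in memory.
"""
import json
import re
from typing import Dict, List, Tuple

USER_ID = "user42"  # constructed user ID

# Constructed memory image. Records appear out of order, as they would in a
# dump; the last skypexspaces record is truncated to simulate overwriting.
MEMORY = (
    b"\x00" * 48 + b"\x90MZ\x00filler" * 4
    + b'skypexspaces-user42{"id":"m3","time":"2021-07-14T14:02:10Z","text":"see you at 2","deleted":false}\x00'
    + b"\xff\xfe" * 16
    + b"QueryString=alice smith\x00"
    + b'skypexspaces-user42{"id":"m1","time":"2021-07-14T13:58:01Z","text":"meeting moved to 2pm","deleted":true}\x00'
    + b"\x00" * 20
    + b'Microsoft Teams Chat Files{"name":"notes.txt","size":1287,"time":"2021-07-14T14:00:30Z","deleted":true}\x00'
    + b'skypexspaces-user42{"id":"m2","time":"2021-07-14T14:00:00Z","text":"ok","deleted":false}\x00'
    + b'skypexspaces-user42{"id":"m9","time":"2021-07-1\x00'   # truncated record
    + b"QueryString=bob\x00" + b"\x00" * 32
)


def carve(memory: bytes, tag: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, payload) for every NUL-terminated run that starts with tag."""
    pattern = re.escape(tag) + rb"([^\x00]*)"
    return [(m.start(), m.group(1)) for m in re.finditer(pattern, memory)]


def _json_records(memory: bytes, tag: bytes) -> List[Dict]:
    """Decode carved payloads as JSON; skip anything that does not parse."""
    records = []
    for offset, payload in carve(memory, tag):
        try:
            rec = json.loads(payload.decode("utf-8", errors="replace"))
        except json.JSONDecodeError:
            continue  # partial or overwritten record: do not guess its contents
        rec["offset"] = offset  # keep the physical offset for the report
        records.append(rec)
    return records


def reconstruct_messages(memory: bytes, user_id: str) -> List[Dict]:
    """All messages of a user, deleted ones included, in chronological order."""
    tag = b"skypexspaces-" + user_id.encode()
    return sorted(_json_records(memory, tag), key=lambda r: r["time"])


def deleted_messages(memory: bytes, user_id: str) -> List[Dict]:
    return [m for m in reconstruct_messages(memory, user_id) if m.get("deleted")]


def chat_files(memory: bytes) -> List[Dict]:
    """Exchanged and deleted file records under the Chat Files tag."""
    return _json_records(memory, b"Microsoft Teams Chat Files")


def search_terms(memory: bytes) -> List[str]:
    """Keyword searches the user typed, found under the QueryString tag."""
    return [p.decode("utf-8", errors="replace").lstrip("=")
            for _, p in carve(memory, b"QueryString")]


if __name__ == "__main__":
    for m in reconstruct_messages(MEMORY, USER_ID):
        print(m["time"], "DELETED" if m["deleted"] else "       ", m["text"], "@", hex(m["offset"]))
    print("files:", chat_files(MEMORY))
    print("searches:", search_terms(MEMORY))
```

Keeping the physical offset with each record lets the report point back into the dump, which is the step that yarascan output above required doing by hand.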

Fig. 7. (a) Exchanged text message extracted via manual string search. (b) Deleted text message extracted via manual string search. (c) Exchanged URLs extracted via manual string search. (d) Deleted URLs extracted via manual string search.

Information regarding scheduled meetings was also extracted from the memory. Figure 8 shows that a meeting named “Test Meeting” was scheduled for 2 PM Wednesday on July 14, 2021. The organizer’s user ID is also extracted along with other information. Chat messages sent (deleted messages included) were also found in the memory (Table 3).

Fig. 8. Scheduled meeting information extracted via manual string search.

Table 3. Summary of memory artifacts of Microsoft Teams.

5 Disk-Space Forensics

Unlike memory, disk-space retains information for a relatively long time. While our analysis of Microsoft Teams’ client application folder did not reveal artifacts of critical value, the Windows Registry is nonetheless a potential source of forensic artifacts. The Windows Registry is a central hierarchical database that stores configuration information about the OS. This includes information about users, the (Microsoft or third-party) applications that are (or were) installed on the device and the hardware devices attached to it. User information can also include credentials and relevant timestamps that can prove useful in an investigation.

We performed an in-depth analysis of the Windows Registry for keys related to Microsoft Teams and it was observed that while basic information about the user account is retrievable from the registry, no credentials/authentication information was found.

The HKCU\SOFTWARE\RegisteredApplications key lists Microsoft Teams among the registered applications. The HKCU\SOFTWARE\Microsoft\Office\Teams key stores basic user account information, as shown in Fig. 9, such as the email address, private meeting settings, the installation source used to install Microsoft Teams, the web account ID and login information. The HKCU\SOFTWARE\Microsoft\Office\Teams\Capabilities\URLAssociations key stores the URL associations of Microsoft Teams: sip, sips, im, callto and msteams. The HKCU\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamsAddin.FastConnect key lists the Microsoft Teams add-in for Outlook. If Microsoft Teams is uninstalled, it is listed in the HKCU\SOFTWARE\Microsoft\UserData\UninstallTimes key (Table 4).

Fig. 9. Registry keys for Microsoft Teams.

Table 4. Registry keys for Microsoft Teams.
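Extracting the registry artifacts listed above from an offline export, as an added example that is not part of the original paper: the script parses the text format written by `reg export` and pulls out every key that refers to Teams, the registered URL schemes and the uninstall entry. The export is constructed; the key paths are those named above, but the value names and data under them are placeholders (marked as such), not the value names Teams actually writes, with the exception of LoadBehavior, the standard Office add-in load flag.

```python
"""Pull the Microsoft Teams registry artifacts out of an exported .reg file.

Added example; the export below is constructed for illustration. The key
paths are the ones identified in the disk-space analysis; the value names
and data under them are placeholders, not the values Teams actually writes.
"""
import re
from typing import Dict, List, Optional

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\RegisteredApplications]
"Teams"="Software\\Microsoft\\Office\\Teams\\Capabilities"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Teams]
"AccountEmail_placeholder"="analyst@example.com"
"InstallSource_placeholder"="placeholder-installer"
"PrivateMeetings_placeholder"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Teams\Capabilities\URLAssociations]
"sip"="Teams.Protocol.placeholder"
"sips"="Teams.Protocol.placeholder"
"im"="Teams.Protocol.placeholder"
"callto"="Teams.Protocol.placeholder"
"msteams"="Teams.Protocol.placeholder"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamsAddin.FastConnect]
"FriendlyName_placeholder"="Microsoft Teams Meeting Add-in"
"LoadBehavior"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\UserData\UninstallTimes]
"Teams"="2021-07-15 09:12:44 (constructed)"
"""

# Matches  "name"=data  or  @=data  (the key's default value).
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_value(data: str):
    """Decode the common .reg data forms; other forms are kept as raw text."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: data}}."""
    hives: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        hives[current][name] = _decode_value(m.group(2))
    return hives


def teams_keys(hives: Dict[str, Dict[str, object]]) -> List[str]:
    """Keys whose path or value names mention Teams."""
    return sorted(k for k, vals in hives.items()
                  if "teams" in k.lower() or any("teams" in n.lower() for n in vals))


def url_schemes(hives: Dict[str, Dict[str, object]]) -> List[str]:
    key = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Teams\Capabilities\URLAssociations"
    return sorted(hives.get(key, {}))


def uninstall_time(hives: Dict[str, Dict[str, object]]) -> Optional[object]:
    key = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\UserData\UninstallTimes"
    return hives.get(key, {}).get("Teams")


if __name__ == "__main__":
    hives = parse_reg(REG_EXPORT)
    for key in teams_keys(hives):
        print(key)
        for name, data in hives[key].items():
            print("   ", name, "=", data)
    print("URL schemes:", url_schemes(hives))
    print("Uninstalled at:", uninstall_time(hives))
```

Working from an export (or from a hive file with a dedicated parser) rather than the live registry keeps the analysis repeatable on the acquired disk image; on a live system, `reg export HKCU\SOFTWARE\Microsoft\Office\Teams teams.reg` produces the same text format.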

6 Network Forensics

The netscan output for Microsoft Teams (Fig. 10) shows connections established with Microsoft servers over UDPv4, UDPv6 and TLSv4 while meeting media was being transferred during a Teams meeting. Volatility seemingly missed some PIDs and IP addresses, a recurring problem with newer versions of Windows (i.e. Windows 10 and its various builds). Nonetheless, the netscan output still offers valuable information, including timestamps and other IP addresses that can be corroborated with the pslist output or with packets captured using a network protocol analyzer, as discussed below. Owing to the volatile nature of memory, it is not always available during an investigation. The disk-space, on the other hand, can be manipulated one way or another. In such cases, the network proves to be a reliable alternative for extracting artifacts, because network traffic cannot be tampered with.

Fig. 10. Netscan output via Volatility.

To perform the network forensic analysis of the Microsoft Teams application, we set up a dedicated Wi-Fi hotspot to isolate the traffic and aid the analysis. We used the Wireshark network protocol analyzer to both capture and analyze the traffic. NetworkMiner was also used to analyze the .pcap traffic captured with Wireshark. The IP addresses of servers were investigated using https://ipdata.co/?ref=iplocation.

The traffic was captured intermittently, i.e., the login activity, the exchange of messages/URLs/image media and the (one-to-one and group) meetings were captured separately so that each could be analyzed individually. From our observations, all Microsoft Teams network traffic was encrypted: no credentials, messages, or transferred image or text files were observed in plaintext in the packet captures. The encryption keys were exchanged using the Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol, while the application data was transferred using either HTTP over TLSv1.2 or HTTP/2, as shown in Fig. 11.

Fig. 11. Communication protocols used by Microsoft Teams as observed via Wireshark.

Sessions between the client and Microsoft Teams’ servers were encrypted using TLS (Fig. 12). As can be seen, JA3 and JA3S hashes were used to fingerprint the client and server sides of the TLS negotiation.
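How the JA3 and JA3S fingerprints mentioned above are derived, as an added example that is not part of the original paper: the script serializes a ClientHello handshake body from constructed field values, parses it back the way a tool would from a capture, and builds the JA3 input string (version, cipher suites, extensions, supported groups, point formats, with GREASE values removed) and its MD5, plus the JA3S string from ServerHello fields. All field values, and therefore the hashes, are illustrative and are not fingerprints of the Teams client.

```python
"""Compute JA3 / JA3S fingerprints from TLS hello messages.

Added example, not code from the paper. The ClientHello bytes are built here
from constructed field values, in the wire layout of the handshake body
(a capture carries it after the 5-byte TLS record header and the 4-byte
handshake header). Field values and resulting hashes are illustrative.
"""
import hashlib
import struct
from typing import List, Tuple

# GREASE values (RFC 8701) are excluded from JA3 so that a client's random
# GREASE choices do not change its fingerprint.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}

# Constructed ClientHello fields; GREASE entries are included deliberately.
VERSION = 0x0303                                   # TLS 1.2 in legacy_version
CIPHERS = [0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
EXTENSIONS = [0x0A0A, 0, 23, 65281, 10, 11, 13, 16, 43, 51]
CURVES = [0x6A6A, 29, 23, 24]                      # supported_groups (ext 10)
POINT_FORMATS = [0]                                # ec_point_formats (ext 11)


def _u16(v: int) -> bytes:
    return struct.pack("!H", v)


def build_client_hello(version, ciphers, extensions, curves, point_formats) -> bytes:
    """Serialize a minimal ClientHello handshake body from the given fields."""
    body = _u16(version) + bytes(32) + b"\x00"     # version, zeroed random, empty session id
    body += _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    for ext in extensions:
        if ext == 10:
            data = _u16(2 * len(curves)) + b"".join(_u16(c) for c in curves)
        elif ext == 11:
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""                             # payload irrelevant to JA3
        exts += _u16(ext) + _u16(len(data)) + data
    return body + _u16(len(exts)) + exts


def parse_client_hello(body: bytes) -> Tuple[int, List[int], List[int], List[int], List[int]]:
    """Extract the five JA3 inputs from a ClientHello handshake body."""
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip client random
    pos += 1 + body[pos]                           # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    extensions, curves, point_formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        extensions.append(etype)
        if etype == 10:
            n = struct.unpack("!H", data[:2])[0]
            curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11:
            point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, curves, point_formats


def _join(values: List[int]) -> str:
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 input: Version,Ciphers,Extensions,EllipticCurves,PointFormats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3(*fields) -> str:
    return hashlib.md5(ja3_string(*fields).encode()).hexdigest()


def ja3s_string(version: int, cipher: int, extensions: List[int]) -> str:
    """JA3S input from the ServerHello: Version,Cipher,Extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def ja3s(version: int, cipher: int, extensions: List[int]) -> str:
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode()).hexdigest()


if __name__ == "__main__":
    fields = parse_client_hello(build_client_hello(VERSION, CIPHERS, EXTENSIONS, CURVES, POINT_FORMATS))
    print(ja3_string(*fields), "->", ja3(*fields))
    print(ja3s_string(0x0303, 0x1301, [43, 51]), "->", ja3s(0x0303, 0x1301, [43, 51]))
```

For investigative use, the JA3 of the client and the JA3S of the server answering it are compared against fingerprints recorded from a known-good installation; a client JA3 that changes between captures of the same application version is worth explaining, since it implies a different TLS stack was talking to the same servers.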

Analyzing the network traffic of Microsoft Teams using NetworkMiner, we observed that the application connects mostly to Microsoft servers (unlike other applications, which are likely to use the services of other organizations as well). This is expected, since Microsoft has an established infrastructure capable of providing all the required services. However, Akamai Technologies, as observed in the network traffic, is used by Teams as a content distribution system.

On logging into Microsoft Teams, the client is first authenticated to the Teams cloud at skypedataprdcolneu04.cloudapp.net, login.microsoftonline.com and stamp2.login.microsoftonline on port 443. Another point to note is that Microsoft Teams uses several of Skype’s servers as well. Configuration data is fetched from settingsfd-geo.trafficmanager.net and settings-win.data.microsoft.com.

As discussed above, since the network traffic is encrypted, the captured frames did not contain any plaintext data. However, the digital certificates employed and transferred during meetings and other activities were extracted. These certificates can be used to verify whether the communicating hosts were authenticated.

Fig. 12. (a) TLS handshake via NetworkMiner. (b) Digital certificates via NetworkMiner.

The IP addresses and timestamps from the network traffic were used to reconstruct the history of whom the client device communicated with and when. Table 5 provides details of the captured traffic, IP addresses and servers that the host communicated with. This information can also be used to flag Microsoft Teams’ network traffic.

Table 5. Network information.
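Flagging Teams traffic and rebuilding the contact timeline described above, as an added example that is not part of the original paper: the script labels flow records as Teams media when they use the UDP 3478–3481 range from Sect. 1.1, or as Teams signaling when they go to TCP 443 with a TLS server name under one of the Microsoft domains observed in this section, and then summarizes, per destination address, when the host first and last talked to it. The flow records are constructed (documentation IP ranges, made-up timestamps), and the domain suffix list is an assumption of this example drawn only from the names above, not an official list.

```python
"""Flag Microsoft Teams traffic in flow records and rebuild a contact timeline.

Added example; the flow records are constructed. The UDP port range and the
server domains come from the observations in the paper; treating them as a
suffix allow-list is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TEAMS_UDP_MEDIA_PORTS = range(3478, 3482)      # UDP 3478-3481 (Sect. 1.1)
TEAMS_SIGNALING_SUFFIXES = (                   # domains observed in Sect. 6
    "cloudapp.net",
    "login.microsoftonline.com",
    "trafficmanager.net",
    "data.microsoft.com",
)


@dataclass(frozen=True)
class Flow:
    ts: str            # capture timestamp, sortable as text
    proto: str         # "TCP" or "UDP"
    dst_ip: str
    dst_port: int
    server_name: str   # TLS SNI from the ClientHello, or "" when absent


# Constructed flows; 198.51.100.6 carries a look-alike name that must not match.
FLOWS = [
    Flow("2021-07-14 14:00:01", "TCP", "203.0.113.10", 443, "login.microsoftonline.com"),
    Flow("2021-07-14 14:00:03", "TCP", "203.0.113.11", 443, "settingsfd-geo.trafficmanager.net"),
    Flow("2021-07-14 14:05:10", "UDP", "203.0.113.20", 3478, ""),
    Flow("2021-07-14 14:05:12", "UDP", "203.0.113.20", 3481, ""),
    Flow("2021-07-14 14:06:00", "TCP", "198.51.100.5", 443, "www.example.org"),
    Flow("2021-07-14 14:06:30", "TCP", "198.51.100.6", 443, "evil-cloudapp.net"),
    Flow("2021-07-14 14:07:00", "UDP", "203.0.113.21", 53, ""),
]


def _domain_matches(host: str, suffixes) -> bool:
    """Match on label boundaries so 'evil-cloudapp.net' does not pass as cloudapp.net."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(flow: Flow) -> Optional[str]:
    """Label a flow as Teams media, Teams signaling, or None."""
    if flow.proto == "UDP" and flow.dst_port in TEAMS_UDP_MEDIA_PORTS:
        return "teams-media"
    if (flow.proto == "TCP" and flow.dst_port == 443
            and _domain_matches(flow.server_name, TEAMS_SIGNALING_SUFFIXES)):
        return "teams-signaling"
    return None


def contact_timeline(flows: List[Flow]) -> Dict[str, Dict[str, object]]:
    """Per flagged destination IP: label, first/last seen, flow count, server names."""
    timeline: Dict[str, Dict[str, object]] = {}
    for f in sorted(flows, key=lambda f: f.ts):
        label = classify(f)
        if label is None:
            continue
        entry = timeline.setdefault(
            f.dst_ip, {"label": label, "first": f.ts, "last": f.ts, "count": 0, "names": set()})
        entry["last"] = f.ts
        entry["count"] += 1
        if f.server_name:
            entry["names"].add(f.server_name)
    return timeline


if __name__ == "__main__":
    for ip, e in contact_timeline(FLOWS).items():
        print(ip, e["label"], e["first"], "->", e["last"], e["count"], sorted(e["names"]))
```

The port-range rule on its own is a weak indicator, since 3478 is the generic STUN port; the paper corroborates it by resolving the destination addresses to their owners (the ipdata lookups above), and that ownership check belongs in the same pipeline before a flow is attributed to Teams.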

7 Conclusion and Future Work

VoIP applications are here to stay. Their tremendous use in business and education raises security and privacy concerns for users. This paper presented a detailed forensic analysis of Microsoft Teams across different data localities, namely memory, disk-space and network. Nowadays, companies ensure the implementation of security best practices in their applications to build and maintain user trust. Our aim was to analyze Microsoft Teams with its security mechanisms in place and see what critical user information can still be extracted. We presented an in-depth memory forensic analysis of the application, extracting email addresses, profile photos, user account IDs, AES keys, exchanged (including deleted) messages, text/media files, URLs, meeting information and more, in plaintext. Moreover, analysis of the Windows Registry keys related to Microsoft Teams revealed some configuration information related to the user account. The network traffic of Teams was encrypted; however, information regarding server domains, their associations, IP addresses and relevant timestamps was investigated. All extracted artifacts can be corroborated holistically to reconstruct events in a forensically sound manner.

Research in the area of forensic analysis of recent VoIP applications is limited; therefore, it would be interesting to extend our research to other videoconferencing applications such as Google Hangouts, BlueJeans and Adobe Connect. Additionally, a comprehensive comparative analysis of the top VoIP applications can be done to highlight the security posture of each application individually as well as VoIP security as a broader communication platform. Finally, other operating systems (such as macOS, Linux, Android and iOS) can be considered for forensic artifact investigation.