Science and Technologies for Smart Cities. 7th EAI International Conference, SmartCity360°, Virtual Event, December 2-4, 2021, Proceedings

Research Article

Forensic Analysis of Microsoft Teams: Investigating Memory, Disk and Network

Cite
BibTeX Plain Text
  • @INPROCEEDINGS{10.1007/978-3-031-06371-8_37,
    author={Zainab Khalid and Farkhund Iqbal and Khalil Al-Hussaeni and Aine MacDermott and Mohammed Hussain},
    title={Forensic Analysis of Microsoft Teams: Investigating Memory, Disk and Network},
    proceedings={Science and Technologies for Smart Cities. 7th EAI International Conference, SmartCity360°, Virtual Event, December 2-4, 2021, Proceedings},
    proceedings_a={SMARTCITY},
    year={2022},
    month={6},
    keywords={Artifacts Digital forensics Memory forensics Microsoft Teams Network forensics Videoconferencing VoIP},
    doi={10.1007/978-3-031-06371-8_37}
}
  • Zainab Khalid
    Farkhund Iqbal
    Khalil Al-Hussaeni
    Aine MacDermott
    Mohammed Hussain
    Year: 2022
    Forensic Analysis of Microsoft Teams: Investigating Memory, Disk and Network
    SMARTCITY
    Springer
    DOI: 10.1007/978-3-031-06371-8_37
Zainab Khalid1,*, Farkhund Iqbal2, Khalil Al-Hussaeni3, Aine MacDermott, Mohammed Hussain2
  • 1: National University of Science and Technology (NUST)
  • 2: College of Technological Innovation
  • 3: Department of Computer Science
*Contact email: zkhalid.msis18seecs@seecs.edu.pk

Abstract

Videoconferencing applications have seen a jump in their userbase owing to the COVID-19 pandemic. The security of these applications has certainly been a hot topic since millions of VoIP users’ data is involved. However, research pertaining to VoIP forensics is still limited to Skype and Zoom. This paper presents a detailed forensic analysis of Microsoft Teams, one of the top 3 videoconferencing applications, in the areas of memory, disk-space and network forensics. Extracted artifacts include critical user data, such as emails, user account information, profile photos, exchanged (including deleted) messages, exchanged text/media files, timestamps and Advanced Encryption Standard encryption keys. The encrypted network traffic is investigated to reconstruct client-server connections involved in a Microsoft Teams meeting with IP addresses, timestamps and digital certificates. The conducted analysis demonstrates that, with strong security mechanisms in place, user data can still be extracted from a client’s desktop. The artifacts also serve as digital evidence in the court of Law, in addition to providing forensic analysts a reference for cases involving Microsoft Teams.

Keywords
Artifacts Digital forensics Memory forensics Microsoft Teams Network forensics Videoconferencing VoIP
Published
2022-06-17
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-031-06371-8_37
Copyright © 2021–2025 ICST
EAI Logo

About EAI

Community

Publish with EAI