A Forensic Analysis of Microsoft Teams

n 2017, Microsoft released a new communication platform, Microsoft Teams(Koenigsbauer, 2017). Due to the application’s relatively young age, there has not been any significant forensic research relating to Microsoft Teams. This platform as of April 2021 had 145million daily active users (Wright, 2021), nearly double the number of daily users at the same time in 2020 (Zaveri, 2020). This rapid growth is attributed in part to the need to work from home due to the COVID-19 virus (Zaveri, 2020). Given the size of its user base, it seems likely that forensic investigators will encounter cases where Microsoft Teams is a relevant component but may not have the knowledge required to efficiently investigate the platform.

To help fill this gap, an analysis of data stored at rest by Microsoft Teams was conducted, both on the Windows 10 operating system as well as on mobile operating systems, such as IOS and Android has been conducted. Basic functionality such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides were performed in an isolated testing environment. These devices were analyzed with both automated forensic tools, and non automated investigation. Specifically, Cellebrite UFED for the mobile devices, and Magnet AXIOM for the Windows device were used. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three devices. In this study, the forensic tools used did not recover many of the artifacts that were found with manual investigation. These discovered artifacts, and the results of the tools, are documented in the hopes of aiding future investigations.