Tuesday, September 22, 2020

Microsoft Teams artifacts and chat logs

Take a look at this location:

C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\


On my workstation there is a folder at this location:

https_teams.microsoft.com_0.indexeddb.leveldb

Look at the *.log file at this location.

Open the .log file in Notepad++:

File --> Open --> path to

"C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb"

Open the .log file.

Sample of the "000007.log" file in Notepad++









With the .log file open in Notepad++, press "Ctrl+F".

Searching for the value "renderContent" returned some messages logged from MS Teams.

Select Find All in Current Document














The find results show all lines containing the value "renderContent" followed by posted messages.

Sample recovered MS Teams messages


There are also other potential values of interest in this log including: 

"imdisplayname" 

"RichText/Html" (provided further chat and web content)

"meetingtitle"

Message time values: "composetime", "originalarrivaltime" and "clientArrivalTime"
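
The manual Notepad++ search above can also be scripted. The following is an added example, not part of the original post: a strings-style scan over the raw bytes of a copy of the .log file for the values listed above, reporting the byte offset of each hit. The names `scan_log`, `KEYS`, `RUNS` and the sample bytes are constructed for illustration, and it is an assumption that text sits in the file as single-byte or UTF-16LE characters.

```python
import re
import sys

# Search terms listed in the post above.
KEYS = ("renderContent", "imdisplayname", "RichText/Html", "meetingtitle",
        "composetime", "originalarrivaltime", "clientArrivalTime")

# Assumption: text may sit in the file as single-byte or UTF-16LE characters,
# so both are tried. Runs shorter than 4 characters are treated as noise.
RUNS = {"ascii": re.compile(rb"[\x20-\x7e]{4,}"),
        "utf-16-le": re.compile(rb"(?:[\x20-\x7e]\x00){4,}")}


def scan_log(data: bytes, context: int = 400):
    """Strings-style scan: return sorted (offset, key, text) for each key hit.

    This does not parse LevelDB records; it reports the first readable run
    found within `context` bytes after the key, with the key's byte offset
    so the hit can be verified in a hex viewer.
    """
    hits = []
    for key in KEYS:
        for enc in RUNS:
            for m in re.finditer(re.escape(key.encode(enc)), data):
                window = data[m.end():m.end() + context]
                found = [(r.start(), r.group().decode(name))
                         for name, rx in RUNS.items()
                         if (r := rx.search(window))]
                text = min(found)[1] if found else ""
                hits.append((m.start(), key, text))
    return sorted(hits)


# Constructed sample bytes (not taken from a real Teams log): binary noise
# around keys and values, one value stored as UTF-16LE.
SAMPLE = (b"\x00\x01\xff\x14\"\x0drenderContent\"\x19<div>Lunch at noon?</div>"
          b"\x00\x7f\"\x0dimdisplayname\"\x0aJane Smith\x01\x02"
          b"\"\x0bcomposetime\"\x182020-09-22T14:03:11.000Z\x00"
          b"\"\x0cmeetingtitle" b"c\x1a" + "Weekly sync 1".encode("utf-16-le"))

if __name__ == "__main__":
    # Work on a copy of the .log file, never the original evidence.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, key, text in scan_log(blob):
        print(f"0x{offset:08x}  {key:<20} {text}")
```

A key with no value close behind it can pick up text belonging to the next record, so confirm each hit at its reported offset before relying on it.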


This is a sample of artifacts left on the workstation when not logged into MS Teams that could be of potential value in an examination. I also recommend checking out an article written a few months back at cyberforensicator.


-Bryan






Monday, September 21, 2020

Video and Image Analysis - Authentication




Video authentication 

Video authentication is a process used to establish the trustworthiness of a digital video and to assure that the video has not been altered or tampered with.


Performing Authentication Examinations of Imagery and Videos

Review visible scene content:

  • Shadows
  • Lighting
  • Density
  • Texture/Patterns (skin and background pattern)
  • Gravity
  • Physical body details (hair, muscles, body curves)
  • Contact with other objects and body
  • Skin to skin contact
  • Imperfections on body
  • Consistencies/Inconsistencies


Visible scene-content indicators include low-quality synthesized faces, visible splicing boundaries, color mismatch, visible parts of the original face, and inconsistent synthesized face orientations.








Review non-scene content:
  • EXIF info (duration, GPS, software writer, codec)
  • Comparing signatures of camera to video/image in question 
  • Behavior of file type (compression type) 
  • Reviewing binary structures and sequence of bytes in the hex of the file
  • Evidence of being opened in a video editor 

Viewing the EXIF data of a file



Structural analysis with a video forensic tool (MEDEX Forensics) showing that a video editing tool was detected in the structure of the video file.






Reference:

https://medexforensics.com/#applications-span

https://cognitech.com/

https://arxiv.org/pdf/2001.06564.pdf