Take a look at location:
C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\
On my workstation there is a folder at this location:
https_teams.microsoft.com_0.indexeddb.leveldb
Looking at the *.log file at this location |
Open the .log file in Notepad++ <download>
File--> Open--> Path to
"C:\Users\username>\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb"
Open the .log file
Sample of the "000007.log" file in Notepad++ |
In Notepad++ with the .log file open --> Press "ctrl+F"
Searching for the value "renderContent" returned some messages logged from MS Teams.
Select Find All in Current Document |
The find results show all lines containing the value "renderContent" followed by posted messages.
Sample recovered MS Teams messages |
There are also other potential values of interest in this log including:
"imdisplayname"
"RichText/Html" (provided further chat and web content)
"meetingtitle"
MESSAGE time values: "composetime", "originalarrivaltime" and "clientArrivalTime"
This is a sample of artifacts left on the workstation when not logged into MS Teams that could be of potential value in an examination. Also recommending checking out a article written a few months back at cyberforensicator <link>.
-Bryan