Bowling Herschel, Seigfried-Spellar Kathryn, Karabiyik Umit, Rogers Marcus
Computer and Information Technology, Purdue University, West Lafayette, Indiana, USA.
J Forensic Sci. 2023 Mar;68(2):434-460. doi: 10.1111/1556-4029.15208. Epub 2023 Feb 3.
Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms like Microsoft Teams increased exponentially. Given its user base and growing popularity, digital forensic investigators are likely to encounter cases in which Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, forensic research on it is limited, particularly for mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on the Android and Apple iOS mobile operating systems. Basic functions that Teams provides, such as messaging, sharing files, and participating in video conferences, were exercised in an isolated testing environment. The Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual (non-automated) investigation recovered, at least partially, the majority of artifacts across all three operating systems: in this study, a total of 77.6% of the populated artifacts were partially or fully recovered by manual investigation. In contrast, the forensic tools used did not automatically recover many of the artifacts found by manual investigation; only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. The discovered artifacts and the results of the investigations are presented to aid digital forensic investigations.