forensicsim

A forensic open-source parser module for Autopsy that allows extracting the messages, comments, posts, contacts, calendar entries and reactions from a Microsoft Teams IndexedDB LevelDB database.

https://github.com/lxndrblz/forensicsim

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (15.0%) to scientific vocabulary

Keywords

abertay-university autopsy electron forensic-analysis indexeddb leveldb microsoft module parser teams

Keywords from Contributors

mesh interactive
Last synced: 6 months ago

Repository

A forensic open-source parser module for Autopsy that allows extracting the messages, comments, posts, contacts, calendar entries and reactions from a Microsoft Teams IndexedDB LevelDB database.

Basic Info
  • Host: GitHub
  • Owner: lxndrblz
  • License: mit
  • Language: Python
  • Default Branch: main
  • Homepage: https://forensics.im
  • Size: 8.43 MB
Statistics
  • Stars: 89
  • Watchers: 4
  • Forks: 15
  • Open Issues: 7
  • Releases: 18
Topics
abertay-university autopsy electron forensic-analysis indexeddb leveldb microsoft module parser teams
Created almost 5 years ago · Last pushed over 1 year ago
Metadata Files
Readme License Citation Codeowners

README.md

Forensics.im Microsoft Teams Parser & Autopsy Plugin 🕵️‍♂️


Forensics.im is an Autopsy plugin that parses the LevelDB databases of modern Electron-based instant messenger applications such as Microsoft Teams. Unlike the existing LevelDB plugin, Forensics.im also parses the binary .ldb files, which contain the majority of the entries; it identifies individual entities, such as messages and contacts, and presents them in Autopsy's blackboard view.

This parser has been tested using:

* Microsoft Teams 1.4.00.11161 (Windows 10) with a free business organisation
* Microsoft "Teams 2.0" (Windows 11) 48/21062133356 with a personal organisation

This plugin is an artefact of the Master Thesis Digital Forensic Acquisition and Analysis of Artefacts Generated by Microsoft Teams at the University of Abertay, Dundee, United Kingdom.


Microsoft Teams From a Forensic Perspective

If you are curious about the artefacts generated by Microsoft Teams, I would like to refer you to my in-depth blog post on my personal website. It discusses in great detail which files are created by Microsoft Teams and how they could be utilised in a forensic investigation.

Demo

Autopsy Module


Quickstart

Autopsy Module Installation

This module requires the installation of Autopsy v4.18 or above and a Windows-based system.

To install the Microsoft Teams parser for Autopsy, please follow these steps:

* Download the forensicsim.zip archive of the latest available release.
* Extract the .zip archive onto your computer.
* Open the Windows File Explorer and navigate to your Autopsy Python plugin directory. By default, it is located under %AppData%\autopsy\python_modules.
* Create a new forensicsim folder within the python_modules folder.
* Copy ms_teams_parser.exe and Forensicsim_Parser.py to the forensicsim directory.
* Restart Autopsy to activate the module.

You can verify that the module has been installed successfully by performing the following steps:

* Start Autopsy.
* Open/Create a case and add a source.
* You will find the added module under the menu Tools -> Run Ingest Modules -> Name of the Data Source.
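The installation steps above, carried out as a single PowerShell script. This is an added example and not part of the forensicsim project; it assumes the release archive has already been downloaded to the path passed as `$ZipPath` and that the archive contains `ms_teams_parser.exe` and `Forensicsim_Parser.py` (the two file names the README lists). It also prints the SHA-256 of the installed files so the tool version used in an examination can be documented and matched against the release later.

```powershell
# Added example (not part of the forensicsim project): installs the Autopsy
# module from a downloaded release archive and reports what was installed.
# Assumption: $ZipPath points at the forensicsim.zip release archive, which
# contains ms_teams_parser.exe and Forensicsim_Parser.py somewhere inside.
param(
    [Parameter(Mandatory = $true)]
    [string]$ZipPath
)

$ErrorActionPreference = 'Stop'

# Autopsy's default Python plugin directory, as given in the README.
$pluginRoot = Join-Path $env:APPDATA 'autopsy\python_modules'
$moduleDir  = Join-Path $pluginRoot 'forensicsim'
$required   = @('ms_teams_parser.exe', 'Forensicsim_Parser.py')

# Extract the archive into a fresh scratch directory.
$scratch = Join-Path ([System.IO.Path]::GetTempPath()) ('forensicsim_' + [guid]::NewGuid())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $scratch

# Locate the two module files wherever they sit inside the extracted tree;
# abort if either is missing rather than installing a half-complete module.
$found = @{}
foreach ($name in $required) {
    $hit = Get-ChildItem -LiteralPath $scratch -Recurse -File -Filter $name |
           Select-Object -First 1
    if (-not $hit) { throw "Archive does not contain $name" }
    $found[$name] = $hit.FullName
}

# Create %AppData%\autopsy\python_modules\forensicsim and copy the files in.
New-Item -ItemType Directory -Path $moduleDir -Force | Out-Null
foreach ($name in $required) {
    Copy-Item -LiteralPath $found[$name] -Destination (Join-Path $moduleDir $name) -Force
}

# Record the hashes of what was installed for the examination notes.
Get-ChildItem -LiteralPath $moduleDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Format-Table -AutoSize

Remove-Item -LiteralPath $scratch -Recurse -Force
Write-Host "Installed to $moduleDir. Restart Autopsy to load the module."
```

Run it as `.\install_forensicsim.ps1 -ZipPath .\forensicsim.zip` (script name is a placeholder). After restarting Autopsy the module should appear under Tools -> Run Ingest Modules, as described above.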

Standalone Parser Usage

The standalone parser script writes all the processed and identified records into a structured JSON file, which can either be processed by the Autopsy Plugin or in another application.

The main parser script can be used like this:

```bash
.\dist\ms_teams_parser.exe -f ".\forensicsim-data\john_doe_old_teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" -o "john_doe.json"
```

Feel free to use the LevelDB files provided in this repository.

The parser has the following options:

```text
Options:
  -f, --filepath PATH    File path to the .leveldb folder of the IndexedDB. [required]
  -o, --outputpath PATH  File path to the processed output. [required]
  -b, --blobpath PATH    File path to the .blob folder of the IndexedDB.
  --help                 Show this message and exit.
```


Development

Compiling the utils\main.py to an Executable:

```bash
pyinstaller "main.spec"
```


Utility Scripts for handling LevelDB databases:

dump_leveldb.py

This script allows dumping a Microsoft Teams LevelDB to a JSON file without processing it further. Simply specify the path to the database and where you want the JSON file written:

```text
usage: dump_leveldb.py [-h] -f FILEPATH -o OUTPUTPATH
dump_leveldb.py: error: the following arguments are required: -f/--filepath, -o/--outputpath
```

Utility Scripts for populating Microsoft Skype and Microsoft Teams

populate_skype.py

A wee script for populating Skype for Desktop in a lab environment. The script can be used like this:

```bash
tools\populate_skype.py -a 0 -f conversation.json
```

populate_teams.py

A wee script for populating Microsoft Teams in a lab environment. The script can be used like this:

```bash
tools\populate_teams.py -a 0 -f conversation.json
```


Datasets

This repository comes with two datasets that allow reproducing the findings of this work. The testdata folder contains the LevelDB databases that have been extracted from two test clients. These can be used for benchmarking without having to perform a (lengthy) data population.

The populationdata folder contains JSON files of the communication that was populated into the testing environment. These can be used to reproduce the experiment from scratch. However, for a rerun it is essential to adjust the dates to future dates, as the populator script relies on sufficient breaks between the individual messages.


Acknowledgements & Thanks

  • ccl_chrome_indexeddb: Python module for enumerating the LevelDB artefacts without external dependencies.
  • Gutenberg Project: parts of Arthur Conan Doyle's book The Adventures of Sherlock Holmes have been used for creating a natural conversation between the two demo accounts.

Owner

  • Name: Alexander Bilz
  • Login: lxndrblz
  • Kind: user
  • Location: Germany

Auditor and Travel Enthusiast

Citation (CITATION.cff)

cff-version: 1.2.0
message: "If you use this software, please cite it using these metadata."
authors:
  - family-names: Bilz
    given-names: Alexander
    affiliation: "Abertay University"
    orcid: "https://orcid.org/0000-0002-0692-2482"
title: "Forensics.im Microsoft Teams Parser & Autopsy Plugin"
keywords:
  - "Microsoft Teams"
  - Forensics
  - Electron
abstract: "Autopsy Plugin for the Digital Forensic Acquisition and Analysis of Artefacts Generated by Microsoft Teams."
version: 0.8.5
license: MIT
date-released: "2021-08-07"

GitHub Events

Total
  • Issues event: 1
  • Watch event: 20
  • Issue comment event: 2
  • Pull request event: 1
  • Fork event: 3
  • Create event: 2
Last Year
  • Issues event: 1
  • Watch event: 20
  • Issue comment event: 2
  • Pull request event: 1
  • Fork event: 3
  • Create event: 2

Committers

Last synced: about 1 year ago

All Time
  • Total Commits: 202
  • Total Committers: 4
  • Avg Commits per committer: 50.5
  • Development Distribution Score (DDS): 0.455
Past Year
  • Commits: 109
  • Committers: 3
  • Avg Commits per committer: 36.333
  • Development Distribution Score (DDS): 0.22
Top Committers
| Name | Email | Commits |
| --- | --- | --- |
| Alexander Bilz | m****l@a****m | 110 |
| Markus Bilz | g****b@m****m | 85 |
| dependabot[bot] | 4****] | 6 |
| Michal Ambroz | 7****z | 1 |
Committer Domains (Top 20 + Academic)

Issues and Pull Requests

Last synced: 10 months ago

All Time
  • Total issues: 35
  • Total pull requests: 80
  • Average time to close issues: 4 months
  • Average time to close pull requests: 12 days
  • Total issue authors: 20
  • Total pull request authors: 6
  • Average comments per issue: 2.43
  • Average comments per pull request: 0.09
  • Merged pull requests: 71
  • Bot issues: 0
  • Bot pull requests: 6
Past Year
  • Issues: 13
  • Pull requests: 22
  • Average time to close issues: 12 days
  • Average time to close pull requests: about 6 hours
  • Issue authors: 6
  • Pull request authors: 2
  • Average comments per issue: 1.38
  • Average comments per pull request: 0.09
  • Merged pull requests: 16
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • seychelles111 (5)
  • kenichi-kobayashi (3)
  • lxndrblz (3)
  • salty4n6 (2)
  • itsathejoey (1)
  • faniAhmed (1)
  • ae263 (1)
  • Beercow (1)
  • dfir-man131 (1)
  • jcorert (1)
  • KarelZe (1)
  • AdonisLeavis (1)
  • Max0menia (1)
  • liamrb123 (1)
  • ghost (1)
Pull Request Authors
  • KarelZe (60)
  • lxndrblz (33)
  • dependabot[bot] (12)
  • seychelles111 (2)
  • MrMcX (2)
  • xambroz (1)
  • mgeeky (1)
Top Labels
Issue Labels
bug (7) enhancement (2) invalid (2) question (2) wontfix (2) help wanted (1) duplicate (1) documentation (1)
Pull Request Labels
enhancement (26) dependencies (16) bug (15) python (13) documentation (4)

Dependencies

.github/workflows/build.yaml actions
  • actions/checkout v4 composite
  • actions/setup-python v5 composite
  • actions/upload-artifact v4 composite
.github/workflows/codeql.yml actions
  • actions/checkout v4 composite
  • github/codeql-action/analyze v3 composite
  • github/codeql-action/autobuild v3 composite
  • github/codeql-action/init v3 composite
.github/workflows/release.yaml actions
  • actions/checkout v4 composite
  • actions/setup-python v5 composite
pyproject.toml pypi
  • beautifulsoup4 *
  • chromedb @ git+https://github.com/karelze/ccl_chrome_indexeddb@master
  • click *
  • dataclasses-json *
  • pause *
  • pyautogui *
  • pywinauto *