Products
Browser History Examiner
PageRecon
Free Tools
Browser History Capturer
Browser History Viewer
SQLite Examiner
Support
Customer Portal
FAQs
Renew Subscription
Submit Ticket
Resources
Articles
Blog
Downloads
Free Tools
Company
Contact Us
Our Clients
About us
Blog Post
Home
/
Blog
/
Blog Post
Investigating Microsoft Teams IndexedDB data
19 January 2024
We recently added support to
Browser History Examiner
(BHE) for parsing Local Storage and IndexedDB data from Chromium web browsers such as Google Chrome and Microsoft Edge. This allows us to access additional data that has been stored on the user’s device by websites and web applications they have visited.
This also allows us to analyse the data of some desktop apps that use the Chromium browser engine in the background, for example the Microsoft Teams desktop app. Here’s a brief guide of how BHE could be used to investigate IndexedDB data from the Microsoft Teams app (based on version 1.6.00.35961 of Teams on Windows):
The Chromium browser data created by Teams is typically located at:
C:\Users\<username>\AppData\Roaming\Microsoft\Teams
To load the data into BHE, go to
File > Load History
, select
'Load history manually'
and enter the path to the Teams data under
'Chrome/Edge history files location'
.
Once the data has loaded select the Site Storage artifact from the left hand panel. A site record will then be displayed e.g.
https://teams.live.com
. Select the site record to extract the IndexedDB data for this site.
It is now possible to view Microsoft Teams app data in the table below. If we look at the IndexedDB object stores called “replychains” we can find messages sent and received via the app.
To make this data easier to analyse we can run a SQL query to extract just the message history data. To do this right-click on the site record and select
'Query with SQL'
. The following SQL query provides us with the message content, the account that sent the message and the time it was received.
Paste the SQL in and hit F5 to run the query and we can now see the message history in the table below.
To try this out for yourself, visit our
Downloads
page for a free trial of Browser History Examiner.
Capturing web pages as evidence
Prev Post
Proving copyright infringement with PageRecon
Next Post
Loading...