We are meeting on Microsoft Teams: Forensic analysis in Windows,Android, and iOS operating systems

Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.