We recently added support to Browser History Examiner (BHE) for parsing Local Storage and IndexedDB data from Chromium web browsers such as Google Chrome and Microsoft Edge. This allows us to access additional data that has been stored on the user’s device by websites and web applications they have visited.

This also allows us to analyse the data of some desktop apps that use the Chromium browser engine in the background, for example the Microsoft Teams desktop app. Here’s a brief guide to how BHE can be used to investigate IndexedDB data from the Microsoft Teams app (based on version 1.6.00.35961 of Teams on Windows):

  1. The Chromium browser data created by Teams is typically located at:
    C:\Users\<username>\AppData\Roaming\Microsoft\Teams

  2. To load the data into BHE, go to File > Load History, select 'Load history manually' and enter the path to the Teams data under 'Chrome/Edge history files location'.



  3. Once the data has loaded, select the Site Storage artifact from the left-hand panel. A site record will then be displayed, e.g. https://teams.live.com. Select the site record to extract the IndexedDB data for this site.

  4. It is now possible to view Microsoft Teams app data in the table below. If we look at the IndexedDB object stores called “replychains” we can find messages sent and received via the app.



  5. To make this data easier to analyse we can run a SQL query to extract just the message history data. To do this right-click on the site record and select 'Query with SQL'. The following SQL query provides us with the message content, the account that sent the message and the time it was received.



    Paste the SQL in and hit F5 to run the query. The message history is then shown in the table below.
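
As a complement to steps 1 to 3, the following added example (not part of the original article and not BHE code) lists which sites have IndexedDB data in a Chromium data folder such as the Teams one, so you know which site records to expect after loading. It assumes Chromium's usual on-disk layout, an `IndexedDB` subfolder holding `<scheme>_<host>_<port>.indexeddb.leveldb` directories, which the article does not describe; the function names and the sample folder are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed Chromium naming: <scheme>_<host>_<port>.indexeddb.leveldb,
# where port 0 stands for the scheme's default port.
STORE_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)_(?P<host>.+)_(?P<port>\d+)\.indexeddb\.leveldb$"
)

def list_indexeddb_origins(profile_dir):
    """Return [(origin, file_count, total_bytes)] per IndexedDB store (read-only)."""
    root = Path(profile_dir) / "IndexedDB"
    results = []
    if not root.is_dir():
        return results
    for entry in sorted(root.iterdir()):
        m = STORE_RE.match(entry.name)
        if not (m and entry.is_dir()):
            continue  # skips the sibling .indexeddb.blob folders and stray files
        port = "" if m["port"] == "0" else ":" + m["port"]
        origin = f"{m['scheme']}://{m['host']}{port}"
        files = [f for f in entry.rglob("*") if f.is_file()]
        results.append((origin, len(files), sum(f.stat().st_size for f in files)))
    return results

def build_constructed_sample(base):
    """Create a constructed stand-in for a Teams data folder (no real data)."""
    idb = Path(base) / "IndexedDB"
    store = idb / "https_teams.live.com_0.indexeddb.leveldb"
    store.mkdir(parents=True)
    (store / "000003.log").write_bytes(b"\x00" * 128)
    (store / "MANIFEST-000001").write_bytes(b"\x00" * 32)
    (idb / "https_teams.live.com_0.indexeddb.blob").mkdir()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_constructed_sample(tmp)
        for origin, count, size in list_indexeddb_origins(sample):
            print(f"{origin}\t{count} files\t{size} bytes")
```

Point `list_indexeddb_origins` at a working copy of the Teams folder from step 1 rather than the live profile, since the running app keeps the LevelDB files open.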


To try this out for yourself, visit our Downloads page for a free trial of Browser History Examiner.