Microsoft Teams
The Microsoft Teams desktop app uses a Chromium browser engine in the background which means data stored by the Teams app can be viewed using Browser History Examiner.
The IndexedDB folder is where Microsoft Teams stores data such as chat messages. This is stored in different locations depending on the app version. We are currently examining various Teams app versions to try and determine the possible locations for the IndexedDB folder.
| Version |
Path |
| 1.6
|
C:\Users\{username}\AppData\Roaming\Microsoft\Teams |
| 1.7 |
C:\Users\{username}\AppData\Roaming\Microsoft\Teams\Partitions\msa |
| 2.0+ |
C:\Users\{username}\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\ |
| 2.0+ |
C:\Users\{username}\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\WV2Profile_tfw |
To view Teams data in BHE follow these steps:
- Go to File > Load History, select 'Load history manually', select Chromium App as the browser type, and enter the path to the Teams data under 'Chromium App history files location'.
- Once the data has loaded select the Site Storage artifact from the left hand panel. A site record will then be displayed e.g. https://teams.live.com. Select the site record to extract the IndexedDB data for this site.
- It is now possible to view Microsoft Teams app data in the panel below. If we look at the IndexedDB object store called "replychains" we can find messages sent and received via the app.
- To make this data easier to analyse we can run a SQL query to extract just the message history data. To do this right-click on the "replychains" object store and select 'Query with SQL'. The following SQL query provides us with the message content, the account that sent the message and the time it was received.
-
The results can be exported to CSV for further analysis by going to File > Export to CSV within the SQL results window.