{"id":16582412,"url":"https://github.com/lxndrblz/forensicsim","last_synced_at":"2025-05-07T01:48:55.233Z","repository":{"id":37238340,"uuid":"367586683","full_name":"lxndrblz/forensicsim","owner":"lxndrblz","description":"A forensic open-source parser module for Autopsy that allows extracting the messages, comments, posts, contacts, calendar entries and reactions from a Microsoft Teams IndexedDB LevelDB database.","archived":false,"fork":false,"pushed_at":"2024-07-11T10:45:20.000Z","size":8837,"stargazers_count":86,"open_issues_count":7,"forks_count":15,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-12T01:42:36.730Z","etag":null,"topics":["abertay-university","autopsy","electron","forensic-analysis","indexeddb","leveldb","microsoft","module","parser","teams"],"latest_commit_sha":null,"homepage":"https://forensics.im","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lxndrblz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-05-15T09:11:05.000Z","updated_at":"2025-04-06T10:26:16.000Z","dependencies_parsed_at":"2024-07-07T11:48:45.458Z","dependency_job_id":"e2bcef41-af7d-4f89-8de1-a2ece7bf8ef9","html_url":"https://github.com/lxndrblz/forensicsim","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lxndrblz%2Fforensicsim","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lxndrblz%2Fforensicsim/tags","rel
eases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lxndrblz%2Fforensicsim/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lxndrblz%2Fforensicsim/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lxndrblz","download_url":"https://codeload.github.com/lxndrblz/forensicsim/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252798780,"owners_count":21805880,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abertay-university","autopsy","electron","forensic-analysis","indexeddb","leveldb","microsoft","module","parser","teams"],"created_at":"2024-10-11T22:32:42.652Z","updated_at":"2025-05-07T01:48:55.204Z","avatar_url":"https://github.com/lxndrblz.png","language":"Python","funding_links":[],"categories":["electron"],"sub_categories":[],"readme":"# Forensics.im Microsoft Teams Parser \u0026 Autopsy Plugin 🕵️‍♂️\n\n![GitHub License](https://img.shields.io/github/license/lxndrblz/forensicsim)\n![Build Status](https://img.shields.io/github/actions/workflow/status/lxndrblz/forensicsim/release.yaml?event=release)\n\nForensics.im is an Autopsy plugin which parses the *LevelDB* databases of modern Electron-based Instant Messenger\nApplications like Microsoft Teams. 
Unlike the\nexisting [levelDB plugin](https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Leveldb), Forensics.im also parses\nthe binary *ldb* files, which contain the majority of the entries, identifies individual entities, such as\nmessages and contacts, and presents these in Autopsy's blackboard view.\n\nThis parser has been tested using:\n* Microsoft Teams 1.4.00.11161 (Windows 10) with a free business organisation\n* Microsoft \"Teams 2.0\" (Windows 11) 48/21062133356 with a personal organisation\n\nThis plugin is an artefact of the Master's thesis *Digital Forensic Acquisition and Analysis\nof Artefacts Generated by Microsoft Teams* at the University of Abertay, Dundee, United Kingdom.\n\n---\n\n# Microsoft Teams From a Forensic Perspective\nIf you are curious about the artefacts that are generated by Microsoft Teams, I would like to refer you to my in-depth blog post on my [personal website](https://www.alexbilz.com/post/2021-09-09-forensic-artifacts-microsoft-teams/). It discusses in great detail which files are created by Microsoft Teams and how these could be utilised in a forensic investigation.\n\n# Demo\n\n![Autopsy Module](img/demo.gif)\n\n---\n\n# Quickstart\n\n## Autopsy Module Installation\nThis module requires the installation of Autopsy v4.18 or above and a *Windows*-based system.\n\nTo install the *Microsoft Teams* parser for *Autopsy*, please follow these steps:\n* Download the `forensicsim.zip` archive of the latest available [release](https://github.com/lxndrblz/forensicsim/releases).\n* Extract the `.zip` archive onto your computer.\n* Open the Windows File Explorer and navigate to your *Autopsy* Python plugin directory. 
By default, it is located under `%AppData%\\autopsy\\python_modules`.\n* Create a new `forensicsim` folder within the `python_modules` folder.\n* Copy `ms_teams_parser.exe` and `Forensicsim_Parser.py` to the `forensicsim` directory.\n* Restart *Autopsy* to activate the module.\n\nYou can verify that the module has been installed successfully by performing the following steps:\n* Start Autopsy.\n* Open/Create a case and add a data source.\n* You will find the added module under the menu Tools -\u003e Run Ingest Modules -\u003e Name of the Data Source.\n\n## Standalone Parser Usage\n\nThe standalone parser script writes all the processed and identified records into a structured JSON file, which can\neither be processed by the Autopsy Plugin or in another application.\n\nThe main parser script can be used like this:\n\n```bash\n.\\dist\\ms_teams_parser.exe -f \".\\forensicsim-data\\john_doe_old_teams\\IndexedDB\\https_teams.microsoft.com_0.indexeddb.leveldb\" -o \"john_doe.json\"\n```\n\nFeel free to use the LevelDB files provided in this repository.\n\nThe parser has the following options:\n\n```text\nOptions:\n  -f, --filepath PATH    File path to the .leveldb folder of the IndexedDB.\n                         [required]\n  -o, --outputpath PATH  File path to the processed output.  [required]\n  -b, --blobpath PATH    File path to the .blob folder of the IndexedDB.\n  --help                 Show this message and exit.\n```\n\n---\n\n# Development\n\n## Compiling the utils\\main.py to an Executable:\n\n```bash\npyinstaller \"main.spec\"\n```\n\n---\n\n# Utility Scripts for handling LevelDB databases:\n\n## dump_leveldb.py\nThis script allows dumping a *Microsoft Teams LevelDB* to a JSON file, without processing it further. 
Simply specify the path to the database and where the JSON file should be written:\n```text\nusage: dump_leveldb.py [-h] -f FILEPATH -o OUTPUTPATH\ndump_leveldb.py: error: the following arguments are required: -f/--filepath, -o/--outputpath\n```\n---\n\n# Utility Scripts for populating Microsoft Skype and Microsoft Teams\n\n## populate_skype.py\n\nA wee script for populating *Skype for Desktop* in a lab environment. The script can be used like this:\n\n```bash\ntools\\populate_skype.py -a 0 -f conversation.json\n```\n\n## populate_teams.py\n\nA wee script for populating *Microsoft Teams* in a lab environment. The script can be used like this:\n\n```bash\ntools\\populate_teams.py -a 0 -f conversation.json\n```\n\n---\n# Datasets\nThis repository comes with two datasets that allow reproducing the findings of this work. The `testdata` folder contains the *LevelDB* databases that have been extracted from two test clients. These can be used for benchmarking without having to perform a (lengthy) data population.\n\nThe `populationdata` folder contains *JSON* files of the communication that has been populated into the testing environment. These can be used to reproduce the experiment from scratch. 
However, for a rerun, it will be essential to adjust the dates to future dates, as the populator script relies on sufficient breaks between the individual messages.\n\n---\n\n# Acknowledgements \u0026 Thanks\n\n- [ccl_chrome_indexeddb](https://github.com/cclgroupltd/ccl_chrome_indexeddb) Python module for enumerating the *LevelDB* artefacts without external dependencies.\n- [Gutenberg Project](https://www.gutenberg.org/files/1661/1661-0.txt) Parts of Arthur Conan Doyle's book *The Adventures\n  of Sherlock Holmes* have been used for creating a natural conversation between the two demo accounts.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flxndrblz%2Fforensicsim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flxndrblz%2Fforensicsim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flxndrblz%2Fforensicsim/lists"}
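The README's standalone parser and its `dump_leveldb.py` helper both start from the same low-level step: reading the LevelDB files under the Teams IndexedDB directory. As an added example (not forensicsim's own code, which builds on the ccl_chrome_indexeddb module credited above), the script below decodes the write-ahead log (`.log`) part of that on-disk format in plain Python: the 32 KiB block framing with masked CRC-32C checksums, reassembly of records that the writer split across a block boundary, and the write-batch layout that carries the put/delete operations with their sequence numbers. The `.ldb` files, which the README notes hold most of the entries, use LevelDB's separate SSTable layout and are not decoded here; Chromium's IndexedDB key/value encoding on top of LevelDB is also out of scope. The sample log is constructed inside the script so it runs offline.

```python
"""Minimal reader for LevelDB write-ahead log (.log) files. Added example, not
forensicsim's own code (the project uses ccl_chrome_indexeddb). Implements the
record framing from LevelDB's log_format.md and the write-batch layout from
write_batch.cc; .ldb (SSTable) files and Chromium's IndexedDB key/value encoding
are out of scope. The sample log at the bottom is constructed in this file."""
import struct

BLOCK_SIZE = 32768                      # a .log file is a run of 32 KiB blocks
HEADER = 7                              # checksum (4) + length (2) + type (1)
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4  # record types; type 0 marks padding
TYPE_DELETION, TYPE_VALUE = 0, 1        # write-batch entry tags


def _crc32c_entry(n):
    for _ in range(8):                  # reflected Castagnoli polynomial
        n = (n >> 1) ^ 0x82F63B78 if n & 1 else n >> 1
    return n

_CRC_TABLE = [_crc32c_entry(n) for n in range(256)]


def crc32c(data: bytes) -> int:
    """CRC-32C, the checksum LevelDB uses (check value: b'123456789' -> 0xE3069283)."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def mask_crc(crc: int) -> int:
    return (((crc >> 15) | (crc << 17)) + 0xA282EAD8) & 0xFFFFFFFF  # crc32c::Mask


def read_varint(buf: bytes, pos: int):
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def iter_log_records(data: bytes):
    """Yield (offset, payload, checksum_ok), reassembling FIRST/MIDDLE/LAST fragments."""
    pos, pending, start, good = 0, b"", 0, True
    while pos + HEADER <= len(data):
        left = BLOCK_SIZE - pos % BLOCK_SIZE
        if left < HEADER:               # writer zero-fills block trailers
            pos += left
            continue
        crc, length, rtype = struct.unpack_from("<IHB", data, pos)
        payload, rec_start = data[pos + HEADER:pos + HEADER + length], pos
        pos += HEADER + length
        if rtype == 0:                  # padding / preallocated space
            continue
        ok = mask_crc(crc32c(bytes([rtype]) + payload)) == crc
        if rtype == FULL:
            yield rec_start, payload, ok
        elif rtype == FIRST:
            pending, start, good = payload, rec_start, ok
        elif rtype == MIDDLE:
            pending, good = pending + payload, good and ok
        elif rtype == LAST:
            yield start, pending + payload, good and ok
            pending = b""


def decode_batch(rec: bytes):
    """WriteBatch: fixed64 sequence, fixed32 count, then tagged varstring entries."""
    seq, count = struct.unpack_from("<QI", rec, 0)
    pos, ops = 12, []
    for i in range(count):
        tag, pos = rec[pos], pos + 1
        klen, pos = read_varint(rec, pos)
        key, pos = rec[pos:pos + klen], pos + klen
        value = None                    # None records a deletion
        if tag == TYPE_VALUE:
            vlen, pos = read_varint(rec, pos)
            value, pos = rec[pos:pos + vlen], pos + vlen
        elif tag != TYPE_DELETION:
            raise ValueError(f"unknown batch tag {tag} at offset {pos - 1}")
        ops.append((seq + i, key, value))
    return ops


def decode_log(data: bytes):
    """Return (ops, corrupt): ops are (sequence, key, value-or-None); bad checksums are skipped."""
    ops, corrupt = [], 0
    for _, payload, ok in iter_log_records(data):
        corrupt += not ok
        if ok:
            ops.extend(decode_batch(payload))
    return ops, corrupt


def _frame(payload: bytes, rtype: int) -> bytes:   # physical record, as the writer emits it
    crc = mask_crc(crc32c(bytes([rtype]) + payload))
    return struct.pack("<IHB", crc, len(payload), rtype) + payload

# Constructed sample (hypothetical keys): batch 1 = seq 7, put k1=v1 then delete k2;
# batch 2 = seq 9, one 40,000-byte value (varint 40000 = c0 b8 02), split by hand at
# the 32 KiB boundary exactly as the writer would: FIRST fills block 0, LAST opens block 1.
_B1 = struct.pack("<QI", 7, 2) + b"\x01\x02k1\x02v1" + b"\x00\x02k2"
_B2 = struct.pack("<QI", 9, 1) + b"\x01\x03big" + b"\xc0\xb8\x02" + b"x" * 40000
_SPLIT = BLOCK_SIZE - len(_frame(_B1, FULL)) - HEADER
SAMPLE_LOG = _frame(_B1, FULL) + _frame(_B2[:_SPLIT], FIRST) + _frame(_B2[_SPLIT:], LAST)
```

`decode_log(SAMPLE_LOG)` returns the three operations with sequence numbers 7, 8 and 9 and a corrupt count of 0; flipping a byte inside the first record drops only that batch and reports one corrupt record, which is the behaviour you want when carving a partially overwritten log rather than aborting on the first bad checksum. Pair the offsets from `iter_log_records` with the `corrupt` count to see whether a gap sits inside a batch that matters to the case.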