Zoom Team Chat Decryption Reveals User Activities

In a recent digital forensic analysis, researchers have successfully decrypted Zoom Team Chat databases, uncovering valuable insights into user activities and interactions.

This breakthrough highlights the complexities of analyzing encrypted communication platforms and the importance of forensic techniques in uncovering hidden data.

Forensic Analysis Challenges

The investigation began with a disk image analysis, which revealed a system compromised by ransomware.

This presented significant challenges, as many files were encrypted, and registry data was incomplete or damaged.

To overcome these obstacles, researchers turned to alternative artifacts such as Windows jumplists, which provided clues about recently executed programs and opened files.

Figure: Zoom Team Chat jumplist artifact

A suspicious HTA file was identified, indicating potential malicious activity.

Its encryption logic was implemented in obfuscated JavaScript, which the researchers deobfuscated using online tools.

Tracing User Activity

Further analysis focused on tracing user activity through Google Chrome and Discord.

A PDF file named “My todo list” hinted at a weak Windows password, which later proved crucial for decrypting protected data.

Chrome’s browsing history revealed access to Discord, leading to the analysis of Discord chat logs stored in Chrome’s cache.

According to the report, these logs pointed to Zoom Team Chat as a potential source of important evidence.

Decrypting Zoom Team Chat

Zoom stores its application data in encrypted databases located under the user’s Roaming folder.

Two key databases were identified: the main database (zoomus.enc.db) and a user-specific database (zoomus.async.enksdb).

Both are encrypted using SQLCipher with custom parameters.

The decryption process required obtaining the main_key from the zoom.us.ini file, which was itself encrypted with DPAPI.

Figure: Zoom Team Chat zoom.us.ini file

By cracking the Windows local password using tools like John the Ripper, researchers were able to decrypt the DPAPI-protected key.

However, decrypting the user-specific database also required the Key Wrapping Key (kwk), which is dynamically fetched from Zoom servers during login or session refresh.

This necessitated monitoring Zoom’s API calls to capture the kwk.
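Before any key material is recovered, an examiner needs to know which Zoom files are plain SQLite, which are SQLCipher-encrypted, and which hold a DPAPI-wrapped key. The triage below is an added example, not code from the researchers or from Zoom; it assumes the main_key in zoom.us.ini is stored as base64 text, and every sample blob is constructed.

```python
import base64
import hashlib
import math
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"
# DPAPI blob header: dwVersion = 1, then the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian field order.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for text or a SQLite page."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_artifact(data: bytes) -> str:
    """Triage a Zoom artifact's raw bytes without any key material.

    Returns 'sqlite-plaintext', 'dpapi-blob', 'sqlcipher-likely' or 'unknown'.
    """
    if data.startswith(SQLITE_MAGIC):
        return "sqlite-plaintext"          # readable with plain sqlite3
    if data.startswith(DPAPI_MAGIC):
        return "dpapi-blob"                # needs the user's DPAPI master key
    try:                                   # ini value assumed to be base64 text
        if base64.b64decode(data.strip(), validate=True).startswith(DPAPI_MAGIC):
            return "dpapi-blob"
    except ValueError:
        pass
    # SQLCipher replaces the SQLite header with a 16-byte salt and encrypts
    # every page, so the first page is indistinguishable from random bytes.
    if len(data) >= 1024 and shannon_entropy(data[:1024]) > 7.5:
        return "sqlcipher-likely"          # needs main_key (and kwk for the async db)
    return "unknown"


# Constructed samples standing in for zoomus.enc.db, a DPAPI-wrapped main_key
# and an unreadable file; none of them are real Zoom data.
SAMPLE_PLAIN_DB = SQLITE_MAGIC + b"\x00" * 1008
SAMPLE_ENC_DB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE_DPAPI_RAW = DPAPI_MAGIC + b"\x00" * 32
SAMPLE_DPAPI_B64 = base64.b64encode(SAMPLE_DPAPI_RAW)

if __name__ == "__main__":
    for name, blob in (("zoomus.enc.db", SAMPLE_ENC_DB), ("main_key", SAMPLE_DPAPI_B64)):
        print(f"{name}: {classify_artifact(blob)}")
```

A file classed as sqlcipher-likely still needs the SQLCipher parameters the report calls custom, and the async database additionally needs the server-fetched kwk, so the triage only tells you which key material to go after.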

The successful decryption of Zoom Team Chat databases demonstrates the complexity and challenges involved in forensic analysis of encrypted communication platforms.

By combining local key extraction with API monitoring, researchers were able to uncover user communications and shared files, providing valuable insights into user activities.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
