Forensics for Microsoft Teams

TL;DR

This paper explores forensic procedures for investigating misuse in Microsoft Teams, focusing on PSTN and Walkie Talkie communication scenarios amid increased remote usage during the pandemic.

Contribution

It provides a detailed analysis of Teams' usage scenarios and proposes forensic methods for investigating inappropriate conduct within these communication channels.

Findings

Analysis of Teams' communication scenarios

Forensic procedures for PSTN investigations

Guidelines for Walkie Talkie misuse detection

Abstract

Microsoft Teams is a collaboration and communication platform developed by Microsoft that replaces and extends Microsoft Skype for Business. It differs from Skype for Business by the fact that it exists only as part of the Microsoft 365 products whereas Skype for Business can be deployed completely or partly on-premise. During the pandemic emergency in 2020 and 2021 Microsoft Teams has increased dramatically its base of users as most of the meetings and the communications had to be conducted in virtual environments by users working remotely. Microsoft Teams allows users to collaborate sending and sharing information virtually with anyone internal or external to the an organization with PCs and mobile devices, therefore it requires a careful review of all the security configurations and procedures within the organization. Microsoft Teams infrastructure can also be integrated with PSTN telephone services, natively within the Microsoft 365 services or by integrating other PSTN service providers. Therefore, its architecture extends the perimeter that could be exploited for an attack. Microsoft Teams features can also be extended by Apps. There are hundreds of Apps developed by Microsoft and by other companies to address the various needs of modern collaboration. "Walkie Talkie", one of those Apps, transforms the Teams client installed in a mobile phone into a Walkie Talkie communication device for registered users. The goal of this paper is to describe different Teams' usage scenarios and to analyse Teams' PSTN and Teams' Walkie Talkie communication scenarios describing forensics procedures to investigate inappropriate users' conduct.