Investigating Slack for Windows
28/09/2022 Wednesday
Slack is a cross-platform productivity and communication app utilized by individuals and enterprises. Users can share messages, documents, and images on Slack “Channels,” and each channel is part of Slack “Workspace.” Enterprises can manage and track teams by creating different workspaces. Teams can develop project-based channels and track the progress of the projects using Slack. Slack integrates the vast majority of tools and applications, such as Google Drive and Microsoft Teams. These integrational capabilities, versatile configuration options, and central administration make it different from other collaboration tools.
Digital Forensics Value of Slack Artifacts
Slack is very popular among enterprises. According to their website, Slack is used by more than 750,000 businesses, which makes it an essential source of evidentiary information. By analyzing Slack artifacts, we can collect valuable details related to the users, like users' info, workspaces, downloaded images, etc.
Location of Slack Artifacts
In windows, Slack artifacts are located at
C:\Users\[username]\AppData\Roaming\Slack
Analyzing Slack Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Slack artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Slack artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Proton VPN artifacts in ArtiFast.
Slack Cache: This artifact contains information about all the cache files saved by Slack.
- HTTP Content - HTTP content of this cache.
- Content-Type - The type of cached content.
- Key - The URL of the webpage for the cache.
- File Name - The title of the website.
- Content Size - The size of the cache in bytes.
- Is Dirty - Indicates whether the cache is dirty or not.
- Long Key Data - The long key data of this cache.
- Payload - The path of this cache file.
- Refetch Count - The number of times that cache has been refetched.
- Reuse Count - The number of times that cache has been used.
- State - The state of the cache.
- Creation Time - The date and time that the cache was created.
- Cache Entry Last Modified Time - The cache date and time were last modified.
- Cache Entry Last Used Time - The date and time the cache was last used.
Slack Downloads: This artifact contains information about images downloaded by the users.
- Path - The location of the image downloaded to the user's computer.
- Status - Indicates whether the download process is finished or interrupted.
- Start Time - The start time of the download process.
- Finish Time - The finish time of the download process.
Slack Information: This artifact contains general information about the app.
- Name - The Name of the software.
- Version - The Version of the software.
Slack Users: This artifact contains information related to the users.
- User Name - The real name of the user.
- Display Name - The name chosen by the user as a display name.
- Email - The email the user uses to register in the application.
Slack Workspaces: This artifact contains information about the user's workspaces.
- Workspace Name - The name of the workspace the user is joining.
- Workspace Order - The order of the importance of that workspace to the user.
Slack Cache Image: This artifact contains information about all the cache Images saved by Slack.
- Image Bytes - The Bytes of the image that Slack caches.
- Created Date/Time - Creation date/time of the downloaded image in the file system.
- Size - The size of the image in bytes.
For more information or suggestions please contact: [email protected]
