Blog >> Zoom

Investigating Zoom

25/06/2021 Friday

Zoom is one of the leading cloud-based video conferencing and messaging software. The video telephony software allows multiple participants to communicate concurrently. Its popularity spiked during the COVID-I9 pandemic period of 2019-2020 by gathering the interest of people on both personal and business levels. It is used by banks, schools, universities, and government agencies around the world.

The software is available for installation on desktop (Windows, macOS, Linux), as an application on mobile (Android and iOS), and via web browsers. This allows users to join and access the software from anywhere and on any device. Zoom provides its users with simplified features such as one-on-one meetings, group video conferences, screen sharing, meeting recording and transcription, team chats, collaboration tools, and much more.

Digital Forensics Value of Zoom Artifacts

The company (Zoom Video Communications) reported over 300 million meeting participants daily in April 2020 only. The high usage seen by this software makes it important to be able to extract and view its critical artifacts that will aid in investigations. Zoom artifacts keep information like ID's, email addresses, messages, and phone numbers. The time information within these artifacts such as meetings, call history, and messaging are very valuable. This information is vital in an investigation.

Location of Zoom Artifacts

When Zoom is used, it will create Artifacts in the following locations in the user's system:

Windows XP:

• C:\Documents and Settings\Administrator\Application Data\Zoom
• C:\Documents and Settings\Administrator\Application Data\Zoom\data

Windows 7/10:

• C:\Users\[Username]\AppData\Roaming\Zoom
• C:\Users\[Username]\AppData\Roaming\Zoom\data\
• C:\Users\[Username]\Documents\Zoom

Structure of Zoom Artifacts

The structure of files containing Zoom Artifacts is SQLite Databases. Each contains multiple tables with information regarding the users' actions on the software.

Analyzing Zoom Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract Zoom artifacts from Windows machines and what kind of digital forensics insight we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select Zoom Artifacts:

ArtiFast can analyze Zoom Chat Messages, Sent/Received Files, Call History, Sessions, Contacts, Groups, Meeting History, Meeting Messages, User Accounts, Subscription Requests, Active Devices, Action Logs and Settings. For demonstration purposes all the artifacts have been chosen, however you have the option to select one or more artifacts.

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Zoom artifacts in ArtiFast software.

Zoom Chat Messages Artifact

This artifact contains the texts exchanged between the user and his/her contacts. The details you can view include:

• Message ID - The GUID of the message.
• Message Body - The body of the message.
• Sender Name - The name of the user who sent the message.
• Sender Buddy ID - Zoom ID of the user or group that the message was sent to.
• Sent by Me - Whether the message was sent by account owner.
• Group ID - The ID of the group this message was sent in.
• Is Read - Whether the message has been read.
• Message Sub Type - Whether a message is a direct response to a specific message.
• Thread ID - The ID the message belongs to.
• Thread Date/Time - The Date/Time the thread started.
• Last Edit Date/Time - The Date/Time message was last edited.
• Message Date/Time - The Date/Time the message was sent/received.

Zoom Sent/Received Files Artifact

This artifact shows information on all files that were sent or received by the user in a chat room. The details you can view include:

• File Name - Name of the file.
• File Size - Size of the file.
• File Extension - Extension of the file.
• Message ID - Message unique identifier
• Owner - Zoom ID of user who sent the file.
• Session ID - ID of session when the file was sent.
• Is Downloaded - Whether the user downloaded the file.
• Downloaded Size - Size of the downloaded file.
• Is Played - Whether the user played the file.
• Local Path - Local path of file.
• Picture Preview Path - Preview path.
• Sent by Me - Whether the file was sent by the account owner.
• Creation Date/Time - The Date/Time the file message was created.
• Modified Date/Time - The Date/Time the file message was modified.
• Sent/Received Date/Time - The Date/Time the file was sent/received.

Zoom Call History Artifact

This artifact shows information on the Zoom calls the user participated in. The details you can view include:

• Call ID - Call unique identifier.
• Caller Name - Name of the caller.
• Callee Name - Name of the person receiving the call.
• Meeting Number - Meeting number assigned to the call.
• Caller ID - Zoom ID of the caller.
• Callee ID - Zoom ID of the person receiving the call.
• Call Date/Time - Date/Time the call occurred.

Zoom Sessions Artifact

This artifact has information on the Zoom sessions the user has participated in. The details you can view include:

• Session ID - Session unique identifier.
• Is Group - Is this a group session?
• Last Message ID - Last Message unique identifier.
• Unread Message Count - Number of unread messages.
• Search Open Date/Time - Last time session was opened through search.
• Last Update Date/Time - Last time session the was updated.
• Last Read Date/Time - Last date and time a message in the session was read.

Zoom Searches Artifact

This artifact gets information on search queries made by the user on the software. The details you can view include:

• Search Key - The searched term.
• Search Type - Where the term was searched for.
• Search Date/Time - The Date/Time of the search.

Zoom Contacts Artifact

This artifact contains information on the users' contacts. The details you can view include:

• Contact ID - The contact's unique zoom identifier.
• First Name - The contact's first name.
• Last Name - The contact's last name.
• Nickname - The contact's nickname.
• Email - Email address of the contact.
• Phone Number - The contact's phone number.
• Message Group Name - The message group name the contact belongs to.
• Picture Path - Local path to profile picture.
• Avatar URL - Avatar URL.
• Contact Type - Type of contact.
• Add Date/Time - Date/Time the contact was added.

Zoom Groups Artifact

This artifact contains information on groups the user is a part of. The details you can view include:

• Group ID - Group unique identifier.
• Group Name - The group name.
• Owner ID - ID of the group creator.
• Group Description - Group description by owner.
• Group Admins - Zoom ID of the group admins.
• Members List - List of Members of the group.

Zoom Meeting History Artifact

This artifact shows information on meetings the user has participated in. The details you can view include:

• Host ID - Unique zoom identifier of the host.
• Meeting Number - The meeting number.
• Topic - Topic of the meeting.
• Join Date/Time - Date/Time the user joined the meeting.
• Duration - Duration of the meeting in minutes.
• Record Path - The path where the recorded meeting is stored.

Zoom Meeting Messages Artifact

During a meeting, Zoom allows the participants to send messages within the session. The details you can view include:

• Message ID - Encrypted GUID of the message.
• Conference ID - Encrypted meeting ID where message was sent.
• Sender ID - Unique zoom identifier of the sender.
• Sender Name - Encrypted sender name.
• Receiver ID - ID of the receiver 0 if everyone.
• Receiver Name - Encrypted receiver name.
• Content - Encrypted message content.
• Is Read - Whether the message was read.
• Sent Date/Time - Date/Time the message was sent.

Zoom User Accounts Artifact

This artifact contains Zoom encrypted information on the user accounts that have logged into the system using the software. The details you can view include:

• User ID - Encrypted unique user identifier.
• Username - Encrypted account username.
• Zoom Email - Encrypted email address associated with account.
• First Name - Encrypted user's first name.
• Last Name - Encrypted user's last name.
• Picture URL - Encrypted profile picture URL.
• Local Picture Path - Encrypted local picture path.

Zoom Subscription Requests Artifact

This artifact contains information on subscription requests received or sent by the user. The details you can view include:

• Request ID - Request sender/receiver Zoom ID.
• Request Email - Request sender/receiver email associated with zoom.
• Screen Name - Request sender/receiver zoom screen name.
• Request Type - Type of request sent.
• Request Status - Status of the request sent.
• Request Date/Time - Date/Time request was sent or received.

Zoom Active Devices Artifact

This artifact contains information on the devices where the user account is active. The details you can view include:

• User ID - User Zoom ID.
• Device ID - User Device ID.
• Certificate - Certificate of the device.
• Privacy Enhanced Mail - Private key used.
• Encrypted Password - Encrypted password associated with the device.
• Last Sync Date/Time - Last date/time the device was synced.
• Last Active Date/Time - Last date/time the device was active.

Zoom Action Logs Artifact

This artifact contains information from the Zoom action logs. The details you can view include:

• Client Device ID - Client Device ID.
• Command Environment - The environment used to carry out the command.
• Parameter 1.
• Parameter 2.
• Parameter 3.
• Parameter 4.
• Parameter 5.
• Logged Date/Time - Date/time action was logged.

Zoom Settings Artifact

This artifact contains information of settings made on the users' software. The details you can view include:

• Key - Setting key.
• Value - Value of the set key.
• Section - Zoom feature the setting belongs to.