Forensic Science International: Digital Investigation

Forensic Science International: Digital Investigation 36 (2021) 301107

Contents lists available at ScienceDirect

Forensic Science International: Digital Investigation


journal homepage: www.elsevier.com/locate/fsidi

Zooming into the pandemic! A forensic analysis of the Zoom Application

Andrew Mahr, Meghan Cichon, Sophia Mateo, Cinthya Grajeda, Ibrahim Baggili (Elder Family Endowed Chair)*
Cyber Forensics Research and Education Group (UNHcFREG), Samuel S. Bergami Jr. Cybersecurity Center, Connecticut Institute of Technology, University of New Haven, 300 Boston Post Rd., West Haven, CT, 06516, USA

Article history: Received 24 July 2020; Accepted 5 January 2021; Available online 23 January 2021

Keywords: Network; Disk; Memory forensics; Artifacts; Zoom video conferencing

Abstract

The global pandemic of COVID-19 has turned the spotlight on video conferencing applications like never before. In this critical time, applications such as Zoom have experienced a surge in their user base, jumping over the 300 million daily mark (ZoomBlog, 2020). The increase in use has led malicious actors to exploit the application, and in many cases perform Zoom Bombings. Therefore, forensically examining Zoom is inevitable. Our work details the primary disk, network, and memory forensic analysis of the Zoom video conferencing application. Results demonstrate it is possible to find users' critical information in plain text and/or encrypted/encoded form, such as chat messages, names, email addresses, passwords, and much more, through network captures, forensic imaging of digital devices, and memory forensics. Furthermore, we elaborate on interesting anti-forensics techniques employed by the Zoom application when contacts are deleted from the Zoom application's contact list.

© 2021 Elsevier Ltd. All rights reserved.

1. Introduction

Digital evidence acquired from video conferencing applications may prove useful in investigations, as these applications are used by individuals in all sectors. Applications like Skype, Google Video/Messaging series, and Microsoft Teams have been more commonly used in recent years (Abbott, 2020). Due to the COVID-19 pandemic, [1] many schools, businesses, and people have turned to the Zoom video conferencing application to communicate with one another. This rapid increase of user traffic has led to scrutiny and suspicion regarding the cybersecurity practices of the company after major exploits were found within its protocols. These security issues have led to privacy breaches committed through Zoom Bombings (O'Flaherty, 2020; Lorenz and Alba, 2020) and the exploitation of basic protocols. Zoom Bombings involve unwanted conference disruptions of any kind, including, but not limited to, the projection of illicit images and the use of verbal profanity, which could be a form of criminal harassment (Office, 2020; Setera, 2020).

The most notable security issues come in Common Vulnerabilities and Exposures (CVE) reports. Zoom published a security report in 2018 detailing two major CVEs. CVE-2018-15715 [2] showed how malicious actors could take control of users' screens, spoof chat messages, and control other aspects of the meeting. CVE-2020-11443 [3] detailed how the Windows Zoom IT Installer, which deletes files and data before reinstalling Zoom, could be exploited to delete files a user would not normally be allowed to delete. Additional vulnerabilities were found in the Zoom application and Zoom has responded with patches for these issues (Zoom, 2020c).

As video conferencing applications continue to be the main communication method during events such as this pandemic, it is important that we understand the forensic artifacts produced by these systems. Our work aims to investigate the digital evidence produced by the Zoom application and provides an analysis of the critical data that can be found. The devices investigated in our work include a Samsung Galaxy S6, an iPhone 5s, a Windows 10 Virtual Machine (VM), and an Apple MacBook Pro.

To date, and to the best of our knowledge, there has not been a formal forensic analysis of the Zoom application and therefore our work contributes as follows:

* Corresponding author. E-mail address: ibaggili@newhaven.edu (I. Baggili).
[1] https://www.cdc.gov/coronavirus/2019-ncov/index.html.
[2] https://support.zoom.us/hc/en-us/articles/360020436071-Security-CVE-2018-15715.
[3] https://support.zoom.us/hc/en-us/articles/360043036451-Security-CVE-2020-11443.

https://doi.org/10.1016/j.fsidi.2021.301107
2666-2817/© 2021 Elsevier Ltd. All rights reserved.

• A primary disk, memory, and network forensic analysis of the Zoom platform.
• A collection of Zoom application digital forensic artifacts shared on the Artifact Genome Project [4] (Grajeda et al., 2018).
• A collection of SQL queries that can be used by digital forensic investigators to extract relevant data from the application databases.

This paper is organized as follows. Section 2 presents previous research and other related work. Section 3 outlines the tools used to conduct our research. Section 4 discusses the applied methodology, while Section 5 discusses our analysis and results. Section 6 provides SQL queries which aim to speed up relevant data acquisition during investigations. Lastly, Section 7 concludes our work while Section 8 presents future work.

2. Related work

To the best of our knowledge, our methodical analysis of the Zoom application is the first of its kind involving multiple device platforms. Existing research on related applications is also limited to the Skype application, even though there are multiple types of applications used by millions to communicate with others. The next subsections highlight related research conducted on similar applications.

2.1. Video conferencing applications

Research shows that for the last ten years, Skype has emerged from the rest as one of the most forensically examined video conferencing applications. Skype was created sixteen years ago (Whent, 2012).

For instance, Simon and Slay (2010) examined the process used to acquire the physical memory locations and application data of Skype within Android and Windows devices. Al-Saleh and Forihat (2013) explored the flash memory Skype artifacts on Android, concluding that there is a persistence pattern used by the Skype application. They found evidence of Skype calls, chats, and meeting IDs in NAND and RAM many hours after the calls and chats took place.

On the other hand, Azab et al. (2012) characterized network traffic from the Skype application and demonstrated the difficulties forensic experts face when trying to intercept or analyze this traffic. The work also identified and discussed the differences discovered in the traffic between older and different versions of the Skype application. Subsequently, Majeed (2016) explored the behavior of Skype, Facebook, and Twitter within the Windows 10 environment. It was discovered that Skype stored plaintext chat messages as well as other information pertaining to a user on disk.

In the last ten years, research related to the forensics of video conferencing applications heavily focused on Skype (Levinson et al., 2011; Chang et al., 2013; Teng and Lin, 2012; Al Barghuthi and Said, 2013). To elaborate on that literature is beyond the scope of our work.

2.2. Messaging & social media applications

As mobile adoption increased, forensics research followed that trend and focused on social messaging mobile applications. Similar to Skype, research has shown that these types of applications also store important user information on the device.

For instance, Walnycky et al. (2015) investigated the security and forensics of social messaging applications such as WhatsApp, Viber, Tango, and ooVoo. Their work concluded it was possible to find user information within the application data folders. Additionally, it demonstrated some of these applications stored publicly accessible user data on their servers and transmitted plaintext information on the network.

Primary work was also conducted on the network forensics of WhatsApp, and focused on decrypting the WhatsApp call signaling protocol (Karpisek et al., 2015). The researchers described how to decrypt the network traffic and obtain forensic artifacts that relate to: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination.

Similarly, Anglano et al. (2017) investigated the Telegram application and showed that message history, contacts and other user information may be reconstructed by forensic examiners.

Lastly, Al Mutawa et al. (2012) conducted a primary analysis of social networking applications on mobile devices. Their work demonstrated that user information such as user settings, chat messages, and timestamps could be found in plaintext stored in two of the examined devices, except for the Blackberry device.

2.3. Other related applications

During the last decade, similar research has also been conducted on other types of devices that may be used for communication. Some examples include Android vault applications (Zhang et al., 2017), smartwatch devices (Baggili et al., 2015), portable web browsers (Marrington et al., 2012), drones (Clark et al., 2017), Amazon Kindle (Iqbal et al., 2014), health and fitness applications (Hassenfeldt et al., 2019), home IoT devices (Dorai et al., 2018), Amazon's Echo Dot (Chung et al., 2017), virtual reality (Casey, Baggili and Yarramreddy, 2019; Casey, Lindsay-Decusati, Baggili and Breitinger, 2019; Yarramreddy et al., 2018) and more.

3. Apparatus

The hardware and software used to conduct this research are presented in Table A.4, Appendix A.

4. Methodology

Forensic research of the Zoom application was conducted in four phases: scenario creation and setup, data acquisition, data analysis, and SQLite database query creation. Due to experiments being conducted at a time when Zoom was constantly updating and patching the application's latest vulnerabilities in all OS platforms, [5] not all tests were conducted on the same version of the software. In fact, it was decided not to update at all to the latest version until all tests were finalized. Nonetheless, even after declining to update the Zoom application after each use, Zoom forced an update to the newest version. Surprisingly, this happened only in the Android and Windows VM, and not the Apple devices. The newest version tested at the time was 5.1.2, and it was tested across all devices to note any differences between Zoom versions. We note that only limited tests that yielded important results from previous versions were conducted with the latest version of Zoom.

Table A.4 in Appendix A lists all tools used to conduct this research. The devices tested were used to simulate various use cases of the Zoom platform. Details of these four phases and results are found in the next two subsections and Sections 5 and 6.

[4] https://agp.newhaven.edu.
[5] https://support.zoom.us/hc/en-us/articles/201362233-Where-Do-I-Download-The-Latest-Version.

4.1. Setup & scenario creation

This phase consisted of testing the Zoom application's features on all devices by mimicking free Basic and Licensed account usage. To acquire a complete dataset, all mobile devices were first reset and rooted. Moreover, to test the desktop applications, a macOS laptop was used and a clean Windows 10 Virtual Machine was downloaded from the Microsoft Developer's website. [6] Additionally, all Zoom applications were downloaded from the Zoom website and the respective mobile stores. [7]

Creating each scenario stemmed from testing common user actions to more advanced features that Basic Zoom accounts did not include. Thus, Basic accounts were created and tested. Then, all accounts were switched to Licensed University accounts that all students at the University of New Haven [8] possess. These Licensed accounts are now used by the University to conduct remote online learning activities.

Within these test environments, different application features and settings were examined. Tests were conducted with the devices communicating as a group, one-on-one, and individually to allow for an understanding of the interactions between different device platforms. All of the tests were conducted by creating meetings that used a mix of each device's Personal Meeting IDs and General Meeting IDs generated by Zoom. These meetings were created through the Zoom application, scheduled using the Outlook Calendar plugin, and started through the contacts page of Zoom. The following tested features yielded the most important results:

• Added contacts
• Deleted contacts
• Searched for keywords using the application's Search feature
• Chatted through the Chat feature only
  - Exchanged text files and other types of files, such as pictures
  - Exchanged screenshots taken in the chat
  - Exchanged URLs
• Conducted a Zoom video meeting and sent and received chat messages and files
• Saved video meetings locally and to the cloud
• Installed the Zoom Outlook plugin to schedule meetings
• Implemented the Twitter application from the Zoom Marketplace and tested the following:
  - Sent tweets
  - Started a meeting through the Twitter chat bot
• Attended a webinar as an attendee and panelist

4.2. Data acquisition

In this phase, network and disk forensics were performed on all devices with some limitations, while memory dumps were captured only on the Windows Virtual Machine.

To acquire network traffic from exchanged Zoom communications, a unique wireless hotspot was created to isolate each device's network. To confirm all of Zoom's network traffic was encrypted, Wireshark was used to capture the packets while each test took place. We used Fiddler [9] to also capture, decrypt, and decode HTTPS network traffic. Fiddler decrypts HTTPS traffic by generating a root certificate that the user is required to trust on the device under analysis. For example, when using Windows, it imports "the generated root certificate into the current user's Trusted Root Certification Authorities store" (Lawrence, 2019). At the time of testing Fiddler, the latest version of Zoom was 5.0.2, and it was only successfully tested on desktop applications. Unfortunately, Fiddler and Zoom did not work well together through the Fiddler proxy when using the mobile applications; thus, the mobile traffic captured turned out to be unfruitful for this research. Nevertheless, network traffic packets containing critical data may be similar regardless of the type of device used, as was confirmed using two different operating systems, macOS and Windows.

Subsequently, FTK Imager was used at the end of each major round of testing in the Windows VM to capture its physical disk image. FTK and Comae DumpIt tools were also used to acquire the VM's memory when the application was active and terminated. Finally, Magnet Acquire was used to collect a physical image of the Android and a logical image of the iOS device. It is important to note that even though the iPhone was jailbroken, Magnet Acquire only offered support to acquire a logical image of the device (Magnet Forensics, 2020). After conducting preliminary tests, it was concluded that the macOS and iOS application data were similar and therefore the decision was made not to physically image the macOS device. The macOS data directory was then acquired logically using the file system.

5. Analysis & experimental results

In order to analyze and extract relevant artifacts from all the forensic acquisitions, different tools shown in Table A.4 in Appendix A were utilized along with some manual analysis. In this section, details on artifacts found across all devices are summarized in their own subsections related to disk, network, and memory. It is important to note that most of the artifacts found were similar across tested devices. We will elaborate on any artifacts that were deemed unique to a specific device. All major artifacts and their file paths found within the tested devices are highlighted in Tables 1 and 2.

Table 1 contains details regarding the location of important artifacts found on the disk of their corresponding device. Table 2 lists important data found within the files stored on disk, memory dumps, and network traffic.

5.1. Zoom data directory structure

To identify major artifacts and the location they were stored in on all devices, it is critical to understand how the Zoom application organizes this data. In each device's respective Zoom data directory, there were numerous folders created containing different types of files. It appears the application names main directories, some database files and some of its tables after the account's Jabber ID (JID), such as "9z4z2l54qbswpudnk0r_ba@xmpp.zoom.us". This JID uniquely identifies individual users, as well as user chat groups, within the stored Zoom data. JIDs are the user's Extensible Messaging and Presence Protocol (XMPP) chat addresses. JID values are constructed first with the "localpart", which in this case would be "9z4z2l54qbswpudnk0r_ba", followed after the "@" character by the domain part and the resource part (Saint-Andre, 2011). It is uncertain what type of encoding or encryption Zoom uses to create the JID's local values.

Analysis of the Zoom directory on each device confirmed that Zoom creates separate data folders for each account that was logged into the device. Since two types of user accounts were tested, a Basic and a Licensed school account, separate file folders were found for both accounts. Note, some of these actions do not occur unless the user is logged into the Zoom application. If no account is logged in, then Zoom uses its default zoomus.db and

[6] f.
[7] https://zoom.us/download#client_4meeting.
[8] https://www.newhaven.edu/.
[9] https://www.telerik.com/fiddler.

Table 1
Important data path directories and files found on disk, across devices.

ID | File Path | Account | Device | Description
1.1 | vol_vol20/data/us.zoom.videomeetings/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.asyn.db | Any | Android | Chats
1.2 | private/var/mobile/Containers/Data/Application/"Container ID"/Documents/data/"USER JID".xmpp.zoom.us/"USER JID"@zoom.us.asyn.db | Any | iOS | Chats
1.3 | Library/Application Support/zoom.us/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.asyn.db | Any | macOS | Chats
1.4 | /AppData/Roaming/Zoom/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.asyn.db | Any | Windows | Chats
2.1 | vol_vol20/data/us.zoom.videomeetings/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.db | Any | Android | Contacts
2.2 | private/var/mobile/Containers/Data/Application/"Container ID"/Documents/data/"USER JID".xmpp.zoom.us/"USER JID"@xmpp.zoom.us.db | Any | iOS | Contacts
2.3 | Library/Application Support/zoom.us/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.db | Any | macOS | Contacts
2.4 | /AppData/Roaming/Zoom/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.db | Any | Windows | Contacts
3.1 | vol_vol20/data/us.zoom.videomeetings/data/"USER JID"@xmpp.zoom.us.idx.db | Any | Android | Index Information and Cached Data
3.2 | private/var/mobile/Containers/Data/Application/"Container ID"/Documents/data/"USER JID".xmpp.zoom.us/"USER JID"@xmpp.zoom.idx.db | Any | iOS | Index Information and Cached Data
3.3 | Library/Application Support/zoom.us/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.idx.db | Any | macOS | Index Information and Cached Data
3.4 | /AppData/Roaming/Zoom/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.idx.db | Any | Windows | Index Information and Cached Data
4.1 | vol_vol20/data/us.zoom.videomeetings/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.sync.db | Any | Android | Msg Invitations and Contact Requests
4.2 | private/var/mobile/Containers/Data/Application/"Container ID"/Documents/data/"USER JID".xmpp.zoom.us/"USER JID"@xmpp.zoom.us.sync.db | Any | iOS | Msg Invitations and Contact Requests
4.3 | Library/Application Support/zoom.us/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.sync.db | Any | macOS | Msg Invitations and Contact Requests
4.4 | /AppData/Roaming/Zoom/data/"USER JID"@xmpp.zoom.us/"USER JID"@xmpp.zoom.us.sync.db | Any | Windows | Msg Invitations and Contact Requests
5.1 | vol_vol/data/us.zoom.videomeetings/data/zoommeeting.db | Any | Android | In-Meeting Encoded or Encrypted Chats
5.2 | private/var/mobile/Containers/Data/Application/"Container ID"/Documents/data/zoommeeting.db | Any | iOS | In-Meeting Encoded or Encrypted Chats
5.3 | Library/Application Support/zoom.us/data/zoommeeting.db | Any | macOS | In-Meeting Encoded or Encrypted Chats
5.4 | /AppData/Roaming/Zoom/data/zoommeeting.db | Any | Windows | In-Meeting Encoded or Encrypted Chats
6.1 | vol_vol20/data/us.zoom.videomeetings/data/zoomus.db | Any | Android | User Account Information
6.2 | private/var/mobile/Containers/Data/Application/"Container ID"/Documents/data/zoomus.db | Any | iOS | User Account Information
6.3 | Library/Application Support/zoom.us/data/zoomus.db | Any | macOS | User Account Information
6.4 | /AppData/Roaming/Zoom/data/zoomus.db | Any | Windows | User Account Information
7.1 | /vol_vol20/data/data/us.zoom.videomeetings/data/"Hashed File Name".db | Any | Android | Temporary Webinar Database
7.2 | /private/var/mobile/Containers/Data/Application/"Container ID"/Documents/data/"Hashed File Name" | Any | iOS | Temporary Webinar Database
7.3 | Library/Application Support/zoom.us/data/"Hashed File Name".db | Any | macOS | Temporary Webinar Database
7.4 | /AppData/Roaming/Zoom/data/"User JID"@xmpp.zoom.us/"Hashed File Name".db | Any | Windows | Temporary Webinar Database
8.1 | vol_vol20/data/us.zoom.videomeetings/files/data/SSBAvatarCacheIndex.ini | Any | Android | Avatar URL Cache Index
8.2 | private/var/mobile/Containers/Data/Application/"Application ID"/Library/Preferences/Avatar Cache Index.plist | Any | iOS | Avatar URL Cache Index
8.3 | Library/Preferences/Avatar Cache Index.plist/ | Any | macOS | Avatar URL Cache Index
8.4 | /AppData/Roaming/Zoom/data/SSBAvatarCacheIndex.ini | Any | Windows | Avatar URL Cache Index
9 | /private/var/mobile/Containers/Data/Application/"Container ID"/Library/Preferences/us.zoom.videomeetings.plist | Any | iOS | Recent Meeting Settings and Actions
10 | /private/var/mobile/Containers/Shared/AppGroup/"App Group ID"/Library/Caches/contacts.db | Any | iOS | bpList File of Contact Names & JIDs
11 | /AppData/Roaming/Zoom Plugin/ex2smtp.json | Licensed | Windows | Outlook Plugin JSON
12 | /AppData/Roaming/Zoom Plugin/userSetting.json | Licensed | Windows | Outlook Plugin JSON
13 | /AppData/Roaming/Zoom Plugin/alternateHosts.json | Licensed | Windows | Outlook Plugin JSON
zoommeeting.db databases to store information. Details about these files are discussed in Section 5.2.

Consequently, in the latest Zoom application (5.1.2) and previous ones tested, it was discovered that Zoom created one folder for each account identified by its JID. For example, one folder named "1i-y1fdkqskijzvp3uidhq@xmpp.zoom.us" contained databases of interest, the user's profile avatar picture, and the avatars of other contacts the user has communicated with directly or indirectly as part of a Zoom session. Moreover, this directory also contains a folder that stores any media files that are exchanged in Zoom.

On the other hand, Zoom application versions tested prior to the latest used to create another folder, "1i-y1fdkqsijzvp3uidhq@xmpp.zoom.us_sip", which contained a possibly encrypted database file named zoom.sip.enc.db. According to Zoom, any VoIP media is encrypted with AES-128 encryption (Zoom Video Communications, 2020). This file is possibly related to Zoom's H.323 and Session Initiation Protocol (SIP) device support for Zoom Rooms (Zoom, 2020a). Note, no SIP devices were tested in this investigation. To test whether this type of file was encrypted, the Shannon entropy was calculated for each such file found across all devices. [10] The average entropy was determined to be 7.910 (rounded), which suggests file encryption.

5.2. Major artifacts found in disk

In this subsection, all of our main artifacts are discussed. Note, a placeholder such as "USER JID" was used in Tables 1 and 2, and in this results section, to identify path location names and Jabber ID (JID) values, as they are unique to an individual device and Zoom user account.

5.2.1. "USER JID"@xmpp.zoom.us.asyn.db - Zoom Chat feature

This database (Tables 1 and 2, File ID 1) stores numerous tables with information pertaining to devices associated with the Zoom account, as well as chat session information such as messages, files, emojis exchanged through the Zoom Chat feature, device status, some information about other contacts, calls made within the Chat feature, and more.

[10] https://github.com/mattnotmax/entropy.
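To make the directory-structure and entropy reasoning above concrete, the following script (an added example, not the paper's tooling) walks a Zoom data directory, attributes each file to its JID-named account folder, classifies it by the file-name patterns of Table 1 and Section 5.2, and flags files whose Shannon entropy is at or above 7.9 bits per byte as likely encrypted. The category labels, the 7.9 cut-off and the contents of the constructed SAMPLE_DIR are this example's assumptions.

```python
import math
import re
from collections import Counter
from pathlib import Path, PurePosixPath

# A plain account JID, e.g. "9z4z2l54qbswpudnk0r_ba@xmpp.zoom.us".
JID_RE = re.compile(r"^[A-Za-z0-9_-]+@xmpp\.zoom\.us$")
# Per-account folders, plus the "_sip" sibling older versions created.
ACCOUNT_DIR_RE = re.compile(r"^[A-Za-z0-9_-]+@xmpp\.zoom\.us(_sip)?$")

# File-name suffix -> artifact category, following Table 1 and Section 5.2.
# Specific suffixes come first; a bare ".db" is handled in classify().
ARTIFACT_SUFFIXES = [
    (".asyn.db", "chat"),
    (".idx.db", "index/cache"),
    (".sync.db", "contact requests"),
    ("zoom.sip.enc.db", "sip store (expected encrypted)"),
    ("zoommeeting.db", "most recent meeting"),
    ("zoomus.db", "account/device configuration"),
]

# Bits per byte (8.0 is the maximum). The paper measured 7.910 for the
# files it judged encrypted, so 7.9 is the cut-off assumed here.
ENTROPY_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str) -> str:
    """Map a file name to one of the artifact categories, or 'other'."""
    for suffix, label in ARTIFACT_SUFFIXES:
        if name.endswith(suffix):
            return label
    if name.endswith(".db"):
        # "<JID>.db" is the contacts database; any other .db (e.g. the
        # hashed-name webinar database) is reported separately.
        return "contacts" if JID_RE.match(name[:-3]) else "other database"
    return "other"


def inventory_from_bytes(files: dict) -> list:
    """Describe each {posix_relative_path: content} entry of a data directory.

    Records carry the owning account folder (None for files that sit directly
    in the data directory, such as zoomus.db), the artifact category, the
    entropy and a likely-encrypted flag.
    """
    records = []
    for rel in sorted(files):
        p = PurePosixPath(rel)
        parent = p.parent.name
        ent = shannon_entropy(files[rel])
        records.append({
            "path": rel,
            "account": parent if ACCOUNT_DIR_RE.match(parent) else None,
            "category": classify(p.name),
            "entropy": round(ent, 3),
            "likely_encrypted": ent >= ENTROPY_THRESHOLD,
        })
    return records


def inventory(data_dir: str) -> list:
    """Same as inventory_from_bytes, but reads a real Zoom data directory."""
    root = Path(data_dir)
    files = {p.relative_to(root).as_posix(): p.read_bytes()
             for p in root.rglob("*") if p.is_file()}
    return inventory_from_bytes(files)


_JID = "9z4z2l54qbswpudnk0r_ba@xmpp.zoom.us"   # JID example from the paper
_TEXTY = b"SQLite format 3\x00" + b"chat message text " * 64
# Constructed stand-in for a Zoom data directory. The SIP store is filled
# with a perfectly uniform byte distribution (entropy 8.0) to stand in for
# ciphertext; the other files hold repetitive text (low entropy).
SAMPLE_DIR = {
    "zoomus.db": _TEXTY,
    "zoommeeting.db": _TEXTY,
    f"{_JID}/{_JID}.asyn.db": _TEXTY,
    f"{_JID}/{_JID}.db": _TEXTY,
    f"{_JID}/{_JID}.sync.db": _TEXTY,
    f"{_JID}_sip/zoom.sip.enc.db": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for r in inventory_from_bytes(SAMPLE_DIR):
        flag = "LIKELY ENCRYPTED" if r["likely_encrypted"] else ""
        print(f'{r["entropy"]:5.3f}  {r["category"]:<30}  {r["path"]}  {flag}')
```

Run `inventory("/path/to/Zoom/data")` against an acquired data directory to get the same records for real files.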


Table 2
Important artifacts extracted across all forensic acquisition types.

The first data of interest was stored in the "mmkv" table, which contains configuration settings about the Zoom session. For example, this table stores the end-to-end encryption public certificate and a private Privacy Enhanced Mail (PEM) text block which we assume could contain the private key. Additionally, this table stores the PEM password. The text was found to be encoded or encrypted with an algorithm we were unable to decipher. Nevertheless, according to Zoom, they use the Advanced Encryption Standard (AES) 256 GCM algorithm at the application layer to encrypt presentation content (Zoom Video Communications, 2020). Similar to the previous table, the "msg_active_devices" table also stores an encoded/encrypted certificate, PEM, and password for each active device the account was logged into.

Other tables of interest involve chat messages exchanged through the Chat feature (see Appendix B; Figure B.1). A new table is created in this database named after either a group ID, if more than two people are messaging, or the JID of the user the chats are exchanged with. This also includes messages exchanged when using the Twitter bot feature. The messages are stored in plain text along with timestamps and names of the users in the chat, among other things. More importantly, these messages are stored on all of the devices users utilize in the chat, thus providing extra venues of interest when looking for this type of evidence.

Subsequently, details on the different types of files exchanged through the chat, such as images and screenshots, are stored in the "zoom_mm_file" and "zoom_mm_file_download_table" tables (see Appendix B; Figure B.2). It is important to note that these tables also contain the local path names where the files are stored on the device, and the "zoom_mm_file" table, specifically, contains partially Base64 encoded URLs of where those files are stored on a Zoom server. Decoding those revealed the data to be partially a combination of the sender's JID, Zoom's web file ID, and something else that is believed to be Zoom's domain name. Moreover, this database stores emojis and any HTTPS URLs that were exchanged through the Chat feature. Finally, Zoom stores a call history with user names and a Zoom assigned number in this database along with information on any type of searches conducted within the application using the Search feature.

5.2.2. "USER JID"@xmpp.zoom.us.db & Contacts.db - contacts

The Zoom application stores a user's contacts in this database (Tables 1 and 2, File ID 2). The main table of interest is the "zoom_mm_buddy" table which contains the names, JIDs, emails, phone numbers, profile picture active URLs and the path where those were stored locally on the device, work departments, job positions, and other private user information in plain text. When analyzing the same database found in the Licensed University account, a large directory of students, staff, and faculty was found. The contact information of these users was found in the database despite having no direct communication with most of them. Moreover, the number of users found in the database depends on the type of account a user possesses, i.e., student, faculty, etc. This may potentially be a security risk, as anyone who gains illegal access to a domain account could acquire information about users without their knowledge. This also includes alumni who have no active access to the University; however, by using their student email address they could still log into Zoom and access this information.

During the analysis of the iPhone image, a binary pList file titled "contacts.db" was also found masquerading as a database; it contains a simplified list of the names and JIDs of a Zoom user's contacts.

5.2.3. "User JID"@xmpp.zoom.us.idx.db - cache

This database (Tables 1 and 2, File ID 3) combines cached data about the two previously mentioned databases. The two main tables of interest include the "mm_buddy_index_cache_table", which includes a more simplified list of information for a user's contacts such as the contacts' JIDs, names, nicknames, and emails. The "mm_msg_cache_table" also contains a recent history of messages that were exchanged on Zoom's Chat feature. Consequently, partial fragments of chat messages, file names of files that were exchanged through the Chat feature, and users' contact information were found in some tables stored in blobs.

5.2.4. "USER JID"@xmpp.zoom.us.sync.db - contact requests

In order to make and maintain connections inside and outside of a Zoom user account's domain, a user must make a request to become a contact. Zoom stores these contact requests in this database (Tables 1 and 2, File ID 4). When a user sends or receives a contact request, this database stores information about the JID of the requesting user or target contact, the timestamp associated with the request, and a request message. This message may contain an email address, the display name of the user, and other contact information. Note, this database does not delete the contact request when a contact is deleted from the Zoom application. This is a way to verify that a user that was since deleted had, at some point, contact with the account under examination.

5.2.5. zoommeeting.db - zoom video meetings

This database (Tables 1 and 2, File ID 5) stores important encrypted and plain text information about the most recent video meeting conducted through Zoom desktop applications only. The important data was stored in two tables. Table "zoom_conf_cc_gen2" contains information about recorded meetings saved locally on the device and any closed captioned plain text that has been provided during the meeting. Data of interest includes timestamps, plain text

closed captioning, and a 1/0 code to denote when the recording started and ended respectively. If there were any messages exchanged within the video meeting chat while it was recording, the application saved this recording in the local disk along with a plain text transcript of the messages exchanged and the closed captioning text. The “zoom_conf_chat_gen2” table stores the encrypted in-meeting chat messages exchanged from the most recent meeting session. Data of interest includes encrypted messages, plain text timestamps, encrypted sender and receiver names, and entries denoting whether the meeting started recording and when it ended. On the other hand, Zoom mobile applications are not capable of saving recorded meetings locally to the device, but only to the cloud with a Licensed account. Therefore, it is believed that this may be one of the reasons why this database was found with no data when testing the mobile devices.

5.2.6. zoomus.db & avatar cache - user, device configurations & more

This database (Tables 1 and 2, File ID 6) stores important data pertaining to user account and Zoom account configurations. For instance, the “z_cert_info” table stores certificate data from certificates that have been trusted by the Zoom application.

The “zoom_conf_avatar_image_cache” table stores cached active profile pictures’ URLs, their path location on the device, and timestamps. This table stores this information only when users conduct in-video Zoom meetings, and the information that is saved belongs to all of the users that have taken part in the meeting. It is essential to note that this information also appears in the “USER JID”@xmpp.zoom.us.db Contacts database previously mentioned above; however, that information updates every time a user changes their profile picture. Moreover, there is another avatar cache index file that Zoom creates in all devices (Tables 1 and 2, File ID 8). This file updates every time a user changes their profile picture as well, and it only includes the URL and timestamp when the picture was downloaded to the device. Consequently, our results so far indicate these URLs do not expire and one can easily access them on a web browser. However, if a user does change the profile picture, then the link previously stored on the mentioned files would become invalid.

The “zoom_kv” table contains important account configurations such as Zoom application version, the last time the client was connected, IPs, ports, URLs Zoom uses to connect on each session (Zoom Video Communications, 2020), the token refresh URL Zoom uses every time it needs to update the session token, encoded/encrypted Security Assertion Markup Language (SAML) single sign-on (SSO) login with password, meeting ID, and more.

The “zoom_meet_history” table stores information about meeting sessions that were recorded to the device using the desktop application. Important artifacts include the host ID, the path location where the recording was saved, the name of the meeting, the time the recording started, and its duration.

The final table of interest in this database is the “zoom_user_account_enc” table, which stores encrypted user information about the account that is logged in. This includes username, Zoom refresh token, email, profile picture URL, first name and last name of the account owner, and more.

5.2.7. Zoom webinars - attendees and Q & A

To obtain a better perspective of the features that Zoom offers, attending a webinar as a normal attendee and as a panelist was necessary. However, being able to achieve these tasks was one of the hardest tests to conduct in this research. Webinars are a paid feature of Zoom and most of the time one has to be invited or registered to an event in order to attend one.

Nevertheless, the outcomes from these tests yielded different results depending on the type of user attending the webinar. Moreover, the main database of interest, with a name that is always encoded/encrypted such as “cxPKzMaNQUWBFd9HwEr3Ig==.db”, and that we believe is the meeting ID, is no longer stored permanently in the Zoom data directory. The last Zoom version tested where the database remained in the directory was 4.6.2; however, the latest version we have tested (5.1.2) does not store this database anymore and it actually removes it from the Zoom data directory once the webinar ends. Unfortunately, our attempts to recover this database from the Windows VM forensically acquired image were not successful, as it was not found using the Autopsy tool. Nevertheless, as an attendee or panelist of a webinar, one always has the chance to acquire the live database while the webinar is taking place.

Consequently, this database contains two main tables of interest. The table “zoom_qa_buddies” stores a list of all the people who attended the meeting, including panelists and normal attendees. The table stores the name of the user, whether it is the original user name or one the user assigned themselves for the webinar, and a unique JID generated for the webinar such as “wu_92104247635_zo0i6r1uqgqntrp0cyef6g#159228971773433@xmpp.zoom.us”. This JID includes three unique strings of interest assigned by Zoom: the webinar's meeting ID, the user's webinar JID, and a timestamp of the time the user joined the webinar. It is important to note that users who join the webinar without providing a name or signing in are still identified, but only by their unique webinar JID.

The fields of interest in this table are viewable depending on the type of attendee and Zoom account (Licensed or Basic). As a normal attendee, users never see any other attendee's names on the interface while conducting a webinar; however, panelists do. Thus, attending the webinar as a panelist, this table stores all of the users' names in the database. As a normal user, the only names stored in the database are the ones from the panelists that the user can see on the application. Nevertheless, the latter does not apply to Licensed accounts belonging to the same organization. As a normal user, one is able to see all of the names of attendees stored in the database even when they were not viewable in the Zoom webinar interface.

The final table of interest, “zoom_qa_messages”, stores a list of all the questions and answers in the webinar, their timestamps, a unique sender JID, and the sender name of the person who asked or answered the question. The table also stores flags pertaining to whether the question was answered live, read, dismissed, or deleted, and whether the question was marked by a user to be asked as “anonymous” or sent in private. It is interesting to note that even when users opt to ask a question as “anonymous” in the webinar, the names of the users are still stored in the database, providing no anonymity. Subsequently, the database stored in a panelist device would contain all of the questions submitted, while the normal attendee would only contain the questions that had been answered by panelists.

5.2.8. Zoom Outlook plugin - scheduled meetings

The Zoom plugin for Microsoft Outlook was tested on the Windows VM with a Zoom Licensed account as part of this research. This plugin is part of the tools Zoom provides to integrate it with the Zoom desktop application. This plugin allows users to schedule meetings through the Outlook application with one click (Zoom, 2020b).

Important artifacts discovered through experiments revealed that JSON files are created when meetings are scheduled, depending on the settings of the meeting. Three of those files were deemed important and are discussed in this section (Tables 1 and 2, File IDs 11–13). For instance, the “ex2smtp.json” file stores Outlook Simple Mail Transfer Protocol (SMTP) data and meeting participants' email
addresses. This file updates every time a meeting is scheduled, updated, or canceled. The “alternateHosts.json” file stores the display names and email addresses of users that have been added as co-hosts when scheduling meetings. Lastly, the “userSetting.json” file contains user information, meeting invitation details, and settings pertaining to the user's personal default meeting. Critical artifacts found in this file include the account owner's name, first and last name, email address, personal meeting ID, personal JID, and the local path of the device where the user's profile avatar picture was stored, along with the active avatar URL. Additionally, this file contains more important data already found in plain text, but also encoded in Base64. It appears this encoded data contains invitation information that could be sent to users who may not have Zoom installed.

5.3. Major artifacts found in network traffic

According to Zoom, they secure network traffic by using Hypertext Transfer Protocol Secure (HTTPS) and encrypting it with the 256-bit Transport Layer Security (TLS) encryption standard (Zoom Video Communications, 2020). Our research proved this to be correct when capturing network packets using the Wireshark tool. Nevertheless, our investigation went a step further to discover the types of encrypted artifacts Zoom transfers over the network. As stated in Section 4.2, the Fiddler tool was used to capture and decrypt this traffic when conducting tests on the desktop applications.

Our results were successful for the most part, as the Fiddler tool was able to decrypt most traffic (Table 2, File ID NET). Results include login credentials (username and password) that were transferred in the network when attempting to log in to the application using a Basic account and a Licensed account (Appendix B; Figure B.3). The only difference between these accounts is the fact that Zoom uses SAML single sign-on (SSO) through the browser when logging into a Licensed account. This is a less secure way to sign in compared to using the Zoom application because the password is transferred through HTTPS on the network as well, which allowed the Fiddler tool to decrypt it. Moreover, other important artifacts that are fetched by the Zoom application while logging in include account email, JIDs (Jabber IDs), cookies, session access tokens, device ID, MAC address, profile picture, personal meeting room invitation containing the personal meeting ID and meeting password, a list of recorded meetings saved on the cloud, any Outlook plugin data and calendar implementation, any chat history that took place using the Zoom Chat feature, and more.

Consequently, other tests performed during video meetings and in-meeting chats revealed that no messages were found in the network traffic. However, file names of files that were sent through the chat did appear in the network traffic. Moreover, this was also true when testing the Zoom Chat feature only. However, the Zoom Chat feature has more capabilities than the in-video meeting chat, thus additional artifacts were discovered in the traffic. This includes any HTTPS links that were sent in the chat and were activated through Zoom's link preview feature, Graphics Interchange Format (GIF) files, and any other type of files that were received. Lastly, scheduled meeting information, recorded meeting information, keywords searched through the Search feature in Zoom, and file history could be viewed in the network traffic when using these features in the Zoom application.

5.4. Artifacts found in memory

This section discusses a preliminary memory forensic analysis performed on the Windows Virtual Machine while testing different features of the Zoom application. This analysis was limited, as our main intent was to investigate the difference between memory captures taken when the Zoom application was actively open and after the application had completely exited the system. The goal was to search for critical data (i.e., chat messages) that we had already found on disk and in network traffic, and to see how much of that data would be removed from memory when exiting the application. Major tools used in this analysis are Volatility and Strings (Appendix A; Table A.4).

Results from this analysis demonstrated that system Random Access Memory (RAM) stores a plethora of information that could be very useful for investigators, especially when conducting investigations in the field based on triage. Important data found in memory before and after the Zoom application was terminated includes user and contacts' information such as plain text and encrypted names, email addresses, and JIDs, profile avatar URLs, encrypted and plain text chat messages, webinar information, and more. Moreover, it is believed that since Zoom does fetch account history when first connecting to the application, a lot more information is passed through memory that is already stored in the databases on the disk; this includes end-to-end encryption certificates, PEM key and passwords, chat history and call history, file names that have been exchanged during chat sessions, scheduled meeting information such as meeting IDs and passwords, keywords searched in the Zoom application, and much more. It is important to note that the encrypted messages exchanged in an in-video meeting could also be found in plain text in memory if the meeting is being recorded. This is due to Zoom storing a transcript of the video recording with the messages. Moreover, if Closed Captioning (CC) is enabled, a transcript in plain text is also stored on disk and could be found in memory.

Nevertheless, our results differed based on the type of tool used to analyze the memory. In the case of Volatility, all major artifacts were found in the memory acquired when the application was open; this makes sense since the process was active (see Appendix B; Figure B.4). However, when analyzing the memory acquired after the application was terminated, most of the information could not be located using the “yarascan” plugin. Additionally, the Strings tool was run on the memory captures and, surprisingly, Strings proved to be a powerful tool as it extracted the artifacts Volatility could not find (see Appendix B; Figure B.5). Thus, it is important to note that there is still a difference in terms of the amount of data that is collected when a process is running as opposed to when it is closed. Nevertheless, even when terminating the process, a lot of evidence could still be found and help immensely in an investigation.

5.5. Anti-forensic techniques

This section highlights interesting anti-forensic techniques discovered when two people communicate through the Zoom application interface and one person deletes a contact, causing an effect in both devices. These tests were conducted in all devices using different versions¹¹ of the Zoom application at the time. Table 3 shows more details of these results. The first four devices in the table belong to the contact that was deleted, while the two at the bottom belong to the user who deleted the contact from the Zoom interface. Results to the right of the table show that in the case of the Android and macOS devices, the chat history and contacts were removed from the Zoom application interface, while in the Windows and iOS devices, only the contact was removed.

¹¹ Windows, macOS & Android (5.1.2, 5.0.2) & iOS (5.1.1).
Moreover, in the case of the Android, some of the critical data was also removed from important databases and the data directory, such as chat messages and exchanged media files. Nevertheless, it was noted that the Android device only experiences this momentarily, as the server pulls all of the chat history back to the application's interface when exiting and reopening the Zoom application. All other data remained in the devices as normally expected. It is important to note that in Zoom version 5.0.2, the Windows device had a similar effect as the Android device in removing the information from the interface.

On the other hand, the two devices shown at the bottom of the table belonging to the user who deleted the other contact were affected mostly as expected in the Zoom interface, databases, and media directory. However, there were a lot of traces of data left behind about interactions between both contacts, such as contact information, traces of files and chat messages that were exchanged, and more. This could still be useful to identify who the user was communicating with and some of the interactions between them.

As noted, this is an alarming breach of trust, as critical information could be removed without the user's permission, even if only momentarily as in the case of the Android device. No information should ever be deleted from the application and device of the user who was being removed from someone else's contact list.

6. Creation of SQLite database queries

Due to relevant data being stored mostly in SQLite databases, a helpful way to identify this data is through the use of database queries, which can be found in Table A.5 of Appendix A.

All of the queries aim to simplify the acquisition of information that can be used during forensic examinations. The following queries will provide examiners a brief overview of the chat interaction between Zoom users. Queries 1, 2, and 3 deal with simplifying the acquisition of the most recent cached message bodies, user information, and timestamps from the chat cache table of the “USER JID@zoom.us.idx.db” file. However, this table does not list the files or images that may have been sent in chats. Additional queries have been developed, specifically Query 7, which can be modified to search the above mentioned by utilizing the “USER JID@xmpp.zoom.us.asyn.db” database's tables for the images and files sent within the target chat session identified by its “JID”. Queries 4 and 5 deal with acquiring information about the contacts a user account has and what group chats they may belong to from the “User JID@xmpp.zoom.us.db” database file. Query 4 selects all of the information pertaining to the entire contact base of the user. Query 5 identifies any group chats the user belongs to or hosts, as well as the contact information for the chat owner. Queries 6 through 9 provide investigators a list of the chats within a “Target Chat Session” found in the “Chats” database. Query 6 provides a list of the relevant information for a Chat Session, such as the name of the sender, the body of the message and the message timestamp. Query 7 selects the sender information as well as the names of the multimedia files sent and their timestamps. Query 8 selects the messages that were commented on by using emojis, while Query 9 selects the messages where files were sent and had been commented on. Query 10 provides investigators with the start date and the “messageID” of the last message sent for each non-meeting chat session a user device may have.

7. Conclusion/discussion

Zooming through the pandemic was something most of us never imagined would happen in our lifetime. Even at this moment, Zoom is still the primary application people use to communicate and conduct business through a screen while having to maintain social distance. We believe the COVID-19 pandemic makes our work even more relevant, as utilizing this application has become a necessity to society. Therefore, to the best of our knowledge, this is the primary forensic analysis of the Zoom Video Conferencing application. This was accomplished by conducting tests on different devices centered around disk, memory, and network forensic acquisitions. The goal of this research was to measure the Zoom application's level of security and privacy granted to protect users' data and whether any findings would be beneficial for forensic investigators and adversaries alike.

Our findings demonstrate that even when the Zoom organization has been continuously patching their application to fix and prevent security risks as presented in their blog (Zoom, 2020c), a plethora of user information could still be found in different parts of a system. This includes plain text user information, such as chat messages, profile pictures, files exchanged, user contact information, and much more. Additionally, some of this data was still found to be stored in the system even when a user had opted to delete a contact from their application. Notwithstanding, Zoom did use secure methods when storing some information on disk and when transferring user account information through the network, such as encrypted passwords and in-video meeting chat messages.

In the case of the network traffic, however, it was proven that HTTPS could be decrypted using the tool Fiddler; this could be rare, but in certain cases could still pose a threat to user privacy if access to the device falls into the wrong hands. Furthermore, in terms of the memory analysis, it was concluded that plenty of the evidence already discussed could be found in memory even after the application had completely exited the system. This information could be useful to investigators in the field needing to prioritize collection and analysis of evidence.

Consequently, this research demonstrated some techniques carried out through the Zoom application that could possibly be flagged as anti-forensic. While these techniques were not true for all tested devices, knowing that there are certain Zoom application versions that could possibly cause a user to lose their chat and contact history due to someone deleting them from their contacts list without their permission is problematic. Only the account owner should be able to delete any information in their Zoom application and device.

Finally, our work contributed a series of SQLite queries aimed at assisting investigators to triage the Zoom databases for all valuable information that may be useful in a case. Moreover, all digital artifacts collected in this investigation can be found in the Artifact Genome Project¹² repository.

8. Future work

Future work should be conducted in this rapidly changing field. As noted in this research, it was difficult to forensically examine Zoom while trying to keep up with constant software updates. This shows that data changes constantly, and while our results may be valid now, they may become outdated. Furthermore, Zoom is not the only video conferencing application that needs forensic analysis. Future work should explore other applications such as Google Meet, CISCO Webex Meetings, Bluejeans, and Microsoft Teams¹³,¹⁴.

¹² agp.newhaven.edu.
¹³ https://www.howtogeek.com/661906/the-6-best-free-video-conferencing-apps/.
¹⁴ https://www.techradar.com/best/best-video-conferencing-software.
Table 3
Anti-forensic findings. Key: ✓ = deleted; ✖ = not deleted. In the original layout the columns are grouped under Zoom Interface, Chats Db, Contact & Requests Dbs, Cached Db, and Files in Directory.

Device | Deleted Contacts | Deleted Chats | Chat Messages | Emojis/GIFs | Exchanged Files | Last Session | Call History | Contact History | Contact History | File History | Chat History/Segments | Avatars | Exchanged Media

Affected data, device belonging to the contact that got deleted:
Android (a, b) | ✓ | ✓ | ✓ | ✖/✖ | ✓/✖ | ✖ | ✖ | ✖ | ✖ | ✖ | ✓/✖ | ✖ | ✓
macOS (b) | ✓ | ✓ | ✖ | ✖/✖ | ✖ | ✖ | ✖ | ✖ | ✖ | ✖ | ✖/✖ | ✖ | ✖
Windows | ✓ | ✖ | ✖ | ✖/✖ | ✖ | ✖ | ✖ | ✖ | ✖ | ✖ | ✖/✖ | ✖ | ✖
iOS (b) | ✓ | ✖ | ✖ | ✖/✖ | ✖ | ✖ | ✖ | ✖ | ✖ | ✖ | ✖/✖ | ✖ | ✖

Affected data, device belonging to the user deleting the contact:
Windows (a) | ✓ | ✓ | ✓ | ✖ | ✓/✖ | ✓ | ✖ | ✖ | ✖ | ✖ | ✓/✓ (c) | ✖ | ✓
iOS (a) | ✓ | ✓ | ✓ | ✖ | ✓/✖ | ✓ | ✖ | ✖ | ✖ | ✖ | ✓/✖ | ✖ | ✓

Notes:
a. Files were deleted from one table or folder but remain in one or more tables/folders.
b. The Windows VM was the one used to delete the contacts in these devices, while the iOS device was used to delete the Windows contact.
c. The results in this field apply to Windows when interacting with the Android device.
Acknowledgements

This material is based upon work supported by the National Science Foundation under Grant Number 1900210. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Appendix C. Supplementary data

Supplementary data to this article can be found online at https://doi.org/10.1016/j.fsidi.2021.301107.

Appendix A. Apparatus & SQLite Queries

Table A.4
Apparatus

Hardware/Software | Use | Company | Software Version
Galaxy S6 | Zoom Account | Samsung | Nougat 7.0
iPhone 5s | Zoom Account | Apple | iOS 12.4.5, 12.4.6
Windows Virtual Machine | Zoom Account | Windows | Windows 10
MacBook Pro | Zoom Account | Apple | Catalina 10.15.4, 10.5.5
VirtualBox | Hosted Windows Virtual Machine | Oracle | VM VirtualBox 6.1.4
Zoom Mobile Application | Android Zoom Account | Zoom Video Communications | 4.6.9, 4.6.10, 4.6.11, 5.0.2 (25692.0524), 5.1.2 (28652.0706)
Zoom Mobile Application | iOS Zoom Account | Zoom Video Communications | 4.6.9 (19213.0327), 5.0.2 (24042.05.09), 5.1.1 (28562.0629)
Zoom Desktop Application | Windows Zoom Account | Zoom Video Communications | 4.6.9 (19213.0327), 4.6.10 (20033.0407), 5.0.2 (24046.0510), 5.1.2 (28642.0705)
Zoom Desktop Application | macOS Zoom Account | Zoom Video Communications | 4.6.11 (20561.0413), 5.0.2 (24030.0508), 5.1.2 (28648.0705)
Zoom Outlook Plugin | Schedule Meetings in Windows Desktop | Zoom Video Communications | 5.1.2 (27830.0612)
Wireshark | Observe Live Network Traffic (all devices) | Wireshark | 3.2.3
Magnet Acquire | Full Image Creator (Android & iOS) | Magnet Forensics | 2.25.0.20236
DumpIt | Memory Acquisition | Comae | 3.0.20200224.1
FTK Imager | Full Image Creator and Memory Capture | AccessData | 4.3.0.18
Autopsy | Full Image Viewer | The Sleuth Kit | 4.14.0
Android Debug Bridge (ADB) | Android Data Extraction Tool | Android Studio Developers | 1.0.41, Version 29.0.6-6198805
DB Browser for SQLite | View SQLite/DB files | DB | 3.11.2
checkra1n | iOS Jailbreak Tool | checkra1n | 0.9.7 BETA
SuperSU | Android Jailbreak Tool | Senior Recognized XDA Developer Chainfire | V2.82
Volatility | Desktop Memory Analysis | Volatility Foundation | Volatility 2.6.1 & Volatility 3 1.0.0-beta.1
GNU Strings | String Finder | Free Software Foundation, Inc. | 2.33.1
Fiddler 4 | Decrypt Network Traffic | Progress Software Corporation | 5.0.20202.18177
Base64 Encoder/Decoder | Decryption Tool | Base64 Online | (not given)
Entropy | File Entropy Calculator | GitHub user: mattnotmax | N/A
Filza File Manager | File System Manager | TIGI Software | 3.7 Build 7
Table A.5
SQLite Queries

Query 1. Database: USERJID@xmpp.zoom.us.idx.db. Result: lists recent cached chat messages by timestamp.
  Select senderName, groupID, buddyID, body, strftime('%Y-%m-%d %H:%M:%S', messageTimeStamp/1000, 'unixepoch', 'localtime') as timeStamp from mm_msg_cache_table ORDER by timeStamp asc;

Query 2. Database: USERJID@xmpp.zoom.us.idx.db. Result: lists recent cached messages ONLY sent BY the account user.
  Select senderName, groupID, buddyID, body, strftime('%Y-%m-%d %H:%M:%S', messageTimeStamp/1000, 'unixepoch', 'localtime') as timeStamp from mm_msg_cache_table where sentByMe = 1 ORDER by timeStamp asc;

Query 3. Database: USERJID@xmpp.zoom.us.idx.db. Result: lists recent cached messages ONLY sent TO the account user.
  Select senderName, groupID, buddyID, body, strftime('%Y-%m-%d %H:%M:%S', messageTimeStamp/1000, 'unixepoch', 'localtime') as timeStamp from mm_msg_cache_table where sentByMe = 0 ORDER by timeStamp asc;

Query 4. Database: USERJID@xmpp.zoom.us.db. Result: selects ALL relevant contact information from the contacts table.
  Select jid, firstName, lastName, phoneNo, phoneNumber, email, picPath, avatarUrl, meetingNumber from zoom_mm_buddy order by firstName;

Query 5. Database: USERJID@xmpp.zoom.us.db. Result: lists group chat participants and group chat owner contact information.
  Select groupID, name as participants, firstName as ownerFirstName, lastName as ownerLastName, email as ownerEmail from zoom_mm_buddy, zoom_mm_group where zoom_mm_buddy.jid = zoom_mm_group.ownerID;

Query 6. Database: USERJID@xmpp.zoom.us.asyn.db. Result: lists all chat messages from the target chat table.
  Select messageID, senderName, body, strftime('%Y-%m-%d %H:%M:%S', messageTimeStamp/1000, 'unixepoch', 'localtime') as messageTimestamp from "TARGET CHAT TABLE" order by messageTimestamp;

Query 7. Database: USERJID@xmpp.zoom.us.asyn.db. Result: lists all files sent and their local paths for the target chat table.
  Select A.messageID, A.senderName, A.body, strftime('%Y-%m-%d %H:%M:%S', A.messageTimeStamp/1000, 'unixepoch', 'localtime') as messageTimestamp, B.name, B.localpath from "TARGET CHAT TABLE" as A, zoom_mm_file as B WHERE A.messageID = B.messageID order by messageTimestamp;

Query 8. Database: USERJID@xmpp.zoom.us.asyn.db. Result: selects ALL chats from the target thread with emoji comments.
  Select A.messageID, senderName, body, strftime('%Y-%m-%d %H:%M:%S', messageTimeStamp/1000, 'unixepoch', 'localtime') as messageTimestamp, emoji as emojiComment, strftime('%Y-%m-%d %H:%M:%S', first_emoji_t/1000, 'unixepoch', 'localtime') as commentTimestamp from "TARGET CHAT TABLE" as A, emoji_comment_table as B where A.messageID = B.msgid;

Query 9. Database: USERJID@xmpp.zoom.us.asyn.db. Result: selects messages with files AND emoji comments.
  Select A.messageID, A.senderName, A.body, strftime('%Y-%m-%d %H:%M:%S', A.messageTimeStamp/1000, 'unixepoch', 'localtime') as messageTimestamp, B.emoji, B.contain_mine as emojiSentByMe, C.name as fileName, C.localPath from "TARGET CHAT TABLE" as A, emoji_comment_table as B, zoom_mm_file as C WHERE A.messageID = B.msg_id AND A.messageID = C.messageID order by messageTimestamp;

Query 10. Database: USERJID@xmpp.zoom.us.asyn.db. Result: selects chat session start date and last messageID.
  Select sessionID, lastMsgID, strftime('%Y-%m-%d %H:%M:%S', readedMsgTime/1000, 'unixepoch', 'localtime') as chatStartDate from zoom_mm_session;
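As an added example (not code from the paper or from Zoom), the following Python script exercises two of the artifacts described above: it parses the zoom_qa_buddies webinar JID format from Section 5.2.7, using the paper's sample value, and it runs Queries 1–3 of Table A.5 against a constructed in-memory stand-in for mm_msg_cache_table, showing the millisecond-epoch conversion the queries rely on. The regular expression, the sample rows, and the reading of the JID's trailing number as Unix seconds are assumptions of this example.

```python
"""Zoom artifact triage helpers (added example; assumptions noted inline)."""
import re
import sqlite3
from datetime import datetime, timezone

# Hypothetical pattern for the JID shape quoted in Section 5.2.7:
#   wu_<meeting ID>_<webinar user string>#<timestamp>@xmpp.zoom.us
WEBINAR_JID_RE = re.compile(
    r"^wu_(?P<meeting_id>\d+)_(?P<user>[^#@]+)#(?P<stamp>\d+)@xmpp\.zoom\.us$"
)


def parse_webinar_jid(jid):
    """Split a webinar JID into meeting ID, webinar user string and timestamp.

    Returns None when the value does not have the webinar shape (e.g. a
    normal contact JID). Assumption of this example, not the paper's
    finding: the first ten digits of the trailing number are Unix seconds;
    they are decoded as join_time_utc so the value can be sanity-checked
    against the webinar's known schedule.
    """
    m = WEBINAR_JID_RE.match(jid)
    if not m:
        return None
    stamp = m.group("stamp")
    join = datetime.fromtimestamp(int(stamp[:10]), tz=timezone.utc)
    return {
        "meeting_id": m.group("meeting_id"),
        "user": m.group("user"),
        "stamp": stamp,
        "join_time_utc": join.isoformat(),
    }


def build_sample_db():
    """Constructed in-memory stand-in for mm_msg_cache_table of the
    "USER JID@xmpp.zoom.us.idx.db" file. Column names are the ones
    Queries 1-3 reference; rows are made up. messageTimeStamp is kept in
    milliseconds, which is what the queries' /1000 implies."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mm_msg_cache_table ("
        "senderName TEXT, groupID TEXT, buddyID TEXT, body TEXT, "
        "messageTimeStamp INTEGER, sentByMe INTEGER)"
    )
    rows = [
        # inserted out of order on purpose; the query sorts by timestamp
        ("Alice Example", "", "alice-jid@xmpp.zoom.us", "Hi Bob", 1592289717734, 0),
        ("Account Owner", "", "alice-jid@xmpp.zoom.us", "Hello Alice", 1592289777000, 1),
        ("Alice Example", "", "alice-jid@xmpp.zoom.us", "Are you there?", 1592289600000, 0),
    ]
    conn.executemany("INSERT INTO mm_msg_cache_table VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def cached_messages(conn, sent_by_me=None, local_time=True):
    """Queries 1-3 of Table A.5 as one parameterised statement.

    sent_by_me=None reproduces Query 1 (all cached messages), True Query 2
    (sentByMe = 1) and False Query 3 (sentByMe = 0). local_time=True keeps
    the paper's 'localtime' modifier; False leaves the value in UTC, which
    avoids examiner-workstation time zone surprises when correlating with
    network captures. Returns (senderName, groupID, buddyID, body, timeStamp).
    """
    modifiers = "'unixepoch', 'localtime'" if local_time else "'unixepoch'"
    where = ""
    if sent_by_me is not None:
        where = "WHERE sentByMe = {} ".format(1 if sent_by_me else 0)
    sql = (
        "SELECT senderName, groupID, buddyID, body, "
        "strftime('%Y-%m-%d %H:%M:%S', messageTimeStamp/1000, {}) AS timeStamp "
        "FROM mm_msg_cache_table {}ORDER BY timeStamp ASC"
    ).format(modifiers, where)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    print(parse_webinar_jid(
        "wu_92104247635_zo0i6r1uqgqntrp0cyef6g#159228971773433@xmpp.zoom.us"))
    for row in cached_messages(build_sample_db(), local_time=False):
        print(row)
```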

Appendix B. Artifact Figures

Fig. B.1. Windows VM “USER JID”@zoom.us.asyn.db Database - Displays Zoom Chat Feature Group Messages

Fig. B.2. Windows VM “USER JID”@zoom.us.asyn.db Database - Displays Files Exchanged Within the Zoom Chat Feature

Fig. B.3. Zoom Account User Credentials Found when Decrypting Network Traffic

Fig. B.4. Chat Message, Sender and Receiver Names Found in Memory through Volatility

Fig. B.5. Chat Messages, Sender/Receiver Names and JIDs Found in Memory Acquired After the Zoom Application had Exited the System through Strings Tool

References

Abbott, T., 2020. Best video conferencing apps: the best platforms for video calls. https://www.reviews.org/internet-service/best-video-conferencing-apps/.
Al Barghuthi, N.B., Said, H., 2013. Social networks im forensics: encryption analysis. J. Commun. 8 (11), 708–715.
Al Mutawa, N., Baggili, I., Marrington, A., 2012. Forensic analysis of social networking applications on mobile devices. Digit. Invest. 9, S24–S33.
Al-Saleh, M.I., Forihat, Y.A., 2013. Skype forensics in android devices. Int. J. Comput. Appl. 78 (7).
Anglano, C., Canonico, M., Guazzone, M., 2017. Forensic analysis of telegram messenger on android smartphones. https://www.sciencedirect.com/science/article/abs/pii/S-1742287617301767.
Azab, A., Watters, P., Layton, R., 2012. Characterising network traffic for skype forensics. In: 2012 Third Cybercrime and Trustworthy Computing Workshop, pp. 19–27.
Baggili, I., Oduro, J., Anthony, K., Breitinger, F., McGee, G., 2015. Watch what you wear: preliminary forensic analysis of smart watches. In: Availability, Reliability and Security (ARES), 2015 10th International Conference on. IEEE, pp. 303–311.
Casey, P., Baggili, I., Yarramreddy, A., 2019a. Immersive virtual reality attacks and the human joystick. IEEE Trans. Dependable Secure Comput. 1–1. https://ieeexplore.ieee.org/document/8675340.
Casey, P., Lindsay-Decusati, R., Baggili, I., Breitinger, F., 2019b. Inception: virtual space in memory space in real space – memory forensics of immersive virtual reality with the htc vive. Digit. Invest. 29, S13–S21.
Chang, Y.-T., Chung, M.-J., Lee, C.-F., Huang, C.-T., Wang, S.-J., 2013. Memory forensics for key evidence investigations in case illustrations. In: 2013 Eighth Asia Joint Conference on Information Security. IEEE, pp. 96–101.
Chung, H., Park, J., Lee, S., 2017. Digital forensic approaches for amazon alexa ecosystem. Digit. Invest. 22, S15–S25.
Clark, D.R., Meffert, C., Baggili, I., Breitinger, F., 2017. Drop (drone open source parser) your drone: forensic analysis of the dji phantom iii. Digit. Invest. 22, S3–S14.
Dorai, G., Houshmand, S., Baggili, I., 2018. I know what you did last summer: your smart home internet of things and your iphone forensically ratting you out. In: Proceedings of the 13th International Conference on Availability, Reliability and Security. ARES 2018, Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3230833.3232814.
Grajeda, C., Sanchez, L., Baggili, I., Clark, D., Breitinger, F., 2018. Experience constructing the artifact genome project (agp): managing the domain's knowledge
Sciences. IEEE, pp. 1–9.
Lorenz, T., Alba, D., 2020. 'zoombombing' becomes a dangerous organized effort. https://www.nytimes.com/2020/04/03/technology/zoom-harassment-abuse-racism-fbi-warning.html.
Magnet Forensics, 2020. Magnet acquire. https://www.magnetforensics.com/resources/magnet-acquire/.
Majeed, A., 2016. Forensic analysis of social media apps in windows 10. NUST Journal of Engineering Sciences 10.
Marrington, A., Baggili, I., Al Ismail, T., Al Kaf, A., 2012. Portable web browser forensics: a forensic examination of the privacy benefits of portable web browsers. In: Computer Systems and Industrial Informatics (ICCSII), 2012 International Conference on. IEEE, pp. 1–6.
Office, F.N.P., 2020. Fbi warns of child sexual abuse material being displayed during zoom meetings. https://www.fbi.gov/news/pressrel/press-releases/fbi-warns-of-child-sexual-abuse-material-being-displayed-during-zoom-meetings.
O'Flaherty, K., 2020. Beware Zoom Users: Here's How People Can 'zoom-Bomb' Your Chat. https://www.forbes.com/sites/kateoflahertyuk/2020/03/2-7/beware-zoom-users-heres-how-people-can-zoom-bomb-your-chat/#27016316618e.
Saint-Andre, P., 2011. Extensible Messaging and Presence Protocol (Xmpp): Address Format, Technical Report, RFC 6122, March.
Setera, K., 2020. Fbi warns of teleconferencing and online classroom hijacking during covid-19 pandemic. https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic.
Simon, M., Slay, J., 2010. Recovery of skype application activity data from physical memory. In: 2010 International Conference on Availability, Reliability and Security. IEEE, pp. 283–288.
Teng, S.-Y., Lin, Y.-L., 2012. Skype chat data forgery detection. In: International Conference on Future Generation Communication and Networking. Springer, pp. 108–114.
Walnycky, D., Baggili, I., Marrington, A., Moore, J., Breitinger, F., 2015. Network and device forensic analysis of android social-messaging applications. https://www.sciencedirect.com/science/article/pii/S1742-287615000547.
Whent, R., 2012. A Brief History of Skype. https://www.itbusiness.ca/blog/a-brief-history-of-skype/20750.
Yarramreddy, A., Gromkowski, P., Baggili, I., 2018. Forensic analysis of immersive virtual reality social applications: a primary account. In: 2018 IEEE Security and Privacy Workshops (SPW). IEEE, pp. 186–196.
Zhang, X., Baggili, I., Breitinger, F., 2017. Breaking into the vault: privacy, security and forensic analysis of android vault applications. https://www.sciencedirect.
com/science/article/pii/S01674-04817301529.
one artifact at a time. Digit. Invest. 26, S47eS58.
Zoom, 2020a. Getting started with h.323/sip room connector. https://support.zoom.
Hassenfeldt, C., Baig, S., Baggili, I., Zhang, X., 2019. Map my murder. In: Proceedings
us/hc/en-us/articles/201363273-Getting-Started-With-H-323-SIP-Room-
of the 14th International Conference on Availability, Reliability and Security -
Connector.
ARES ’19.
Zoom, 2020b. Microsoft outlook plugin (desktop). https://support.zoom.us/hc/en-
Iqbal, A., Alobaidli, H., Baggili, I., Marrington, A., 2014. Amazon kindle fire hd fo-
us/articles/200881399-Microsoft-Outlook-plugin-desktop-.
rensics, 132, 39e50.
Zoom, 2020c. Security. https://support.zoom.us/hc/en-us/sections/201728933-
Karpisek, F., Baggili, I., Breitinger, F., 2015. Whatsapp network forensics: decrypting
Security.
and understanding the whatsapp call signaling messages. Digit. Invest. 15,
Zoom Video Communications, I., 2020. Zoom security guide. https://zoom.us/docs/
110e118.
doc/Zoom-Security-White-Paper.pdf.
Lawrence, E., 2019. Faq - certificates in fiddler. https://www.telerik.com/blogs/faq-
ZoomBlog, 2020. 90-day security plan progress report: april 22. https://blog.zoom.
certificates-in-fiddler.
us/wordpress/2020/04/22/90-day-security-plan-progress-report-April-22/.
Levinson, A., Stackpole, B., Johnson, D., 2011. Third party application forensics on
apple mobile devices. In: 2011 44th Hawaii International Conference on System

12

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy