Summary
- Artefacts left behind on Macs, PCs and mobile devices by the Zoom application have varied over time.
- In the Spring of 2020 we discerned these artefacts had been reduced on the client-side.
- Recent research suggests databases on our devices contain a lot more data points and thus useful information to investigators and litigators alike; however, it appears accessing these data has become very difficult as of now (Winter 2021) owing to new encryption.
Investigators, regulators, litigators, and all those concerned know that Zoom is so heavily utilised that it has been, and will continue to be, a focal point in data triage exercises for some time to come. In the autumn of 2020 Zoom announced it would be rolling out proper end-to-end encryption for all of its traditional computer and mobile device users. As a quick reminder, end-to-end (E2E) encryption is the method whereby data are not only encrypted in transit at all stages, but also at rest on their end points (computers, mobile devices, etc.). This is the principal reason many millions of people flocked to Signal and Telegram in January.
Research
Thanks to the work of data forensic researchers in the community, artefacts from the Zoom platform client-side have been more rigorously isolated across several environments ranging from mobile phones to PCs and Macs (Credit: University of New Haven Cyber Investigation and Research Group). This research reflects artefacts and data stored by the Zoom application/programme on the client-side; if there is interest in data housed by Zoom on the server-side, I’ve started to look into this, however, my efforts have had little return.
The research paper looked at Windows PC versions (as well as Macs and mobiles) as recent as version 5.1.2, and we are already up to 5.5.0, with my assessment being done on 5.49. Needless to say, Zoom are making weekly or even twice-weekly updates to their client-side application. If you’re on the Windows side of things, I believe this happens automatically, whereas Mac users have to manually elect to do so, unless it’s a major patch and is forced.
Technical Bits
Back in the summer many of the computer-side database files seemed to store very little information, which appeared to be a departure from version 3.x variants in which electronic investigators were able to derive a good deal of information about meeting sessions. My initial thought was that Zoom were storing less of this on the computers as endpoints because of a relatively weak encryption stance at the end-point level. In late Spring or early Summer of 2020, as the lockdowns were becoming normalised and more people lived in Zoom, the company purchased Keybase for encryption key management and to generally bolster the information security aspect of their operation (if I had to guess). The recent research and efforts by the University seem to indicate a shift back towards client-side data storage and the advent of encryption-at-rest, which I will touch upon in a moment. In the paper, the various databases tied to individual Zoom user accounts (e.g. if both my wife and I used Zoom on this computer, both of our accounts would have their own ‘profile ID’ and databases stored therein) appeared to hold heaps of data I had not witnessed since much earlier versions of Zoom. I had wrongly decided that Zoom were keeping all data on the server-side indefinitely, but this move towards localised, private/secret-key encryption is more in line with the trends in the market (Apple et al.).
I wanted to see some of this data for myself (why wouldn’t I?!), so I parsed these data on one of my Macs running my Zoom profile to isolate databases, all the while smacking my lips in anticipation. Much to my dismay, these data were encrypted, but as a data privacy and security advocate, I was also pleased. Zoom also took the liberty of naming the now-encrypted database files in an intuitive and transparent manner by affixing ‘encks’ to each.

Nice.

Does this look like rubbish to you? It should. This is your encryption at work.
SQLCipher 4? That’s my wager.
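For triage, the "looks like rubbish" observation can be checked mechanically. The following is an added example, not code from the original post or from Zoom: it flags files that lack the plaintext SQLite header and whose first page is near-random. It assumes SQLCipher 4 defaults (4096-byte pages, no plaintext header); the sample file names and the `build_sample_dir` helper are constructed for the demonstration.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file
PAGE = 4096  # SQLCipher 4 default page size (assumption: defaults were kept)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for plaintext pages."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> dict:
    """Classify one file from its first page; the file is opened read-only."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        first_page = fh.read(PAGE)
    entropy = shannon_entropy(first_page)
    if first_page.startswith(SQLITE_MAGIC):
        verdict = "plaintext-sqlite"
    elif size >= PAGE and size % PAGE == 0 and entropy > 7.5:
        verdict = "likely-encrypted-db"  # consistent with SQLCipher, not proof of it
    else:
        verdict = "unknown"
    return {"path": path, "size": size, "entropy": round(entropy, 2), "verdict": verdict,
            "encks_named": "encks" in os.path.basename(path).lower()}

def triage(root: str) -> list:
    """Walk a profile directory and classify every file found under it."""
    return [classify(os.path.join(d, name))
            for d, _dirs, files in os.walk(root) for name in sorted(files)]

def build_sample_dir() -> str:
    """Constructed sample data: one real SQLite file and one file of random bytes."""
    root = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(root, "plain.db"))
    con.execute("CREATE TABLE meeting (id INTEGER, topic TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(root, "sample.encks.db"), "wb") as fh:  # hypothetical name
        fh.write(os.urandom(PAGE * 2))
    return root

if __name__ == "__main__":
    print(*triage(build_sample_dir()), sep="\n")
```

Run it against a working copy of the profile directory rather than the original evidence, and treat `likely-encrypted-db` as a lead to confirm, since compressed or otherwise random data can score the same.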
I am now in the midst of a great and garbled data exploitation journey, the results of which I cannot predict. If we are at all successful in accessing these data artefacts now that they are encrypted, we are keen to share that success. If you don’t hear back from me in the weeks and months ahead, you can rightly assume I am marinating in defeat. Watch this space.
iDiscovery Solutions is a strategic consulting, technology, and expert services firm – providing customized eDiscovery solutions from digital forensics to expert testimony for law firms and corporations across the United States and Europe.