Now more than ever, organizations are faced with the need for remote collaboration, and many have turned to Microsoft Teams to fill that need. Using Magnet AXIOM Cyber to process Office 365 evidence gives examiners the flexibility to acquire and examine Teams data either directly via an API or by loading Office 365 Security & Compliance Center exports. In this blog, we’ll focus on how to export Teams data from the Security & Compliance Center for use in AXIOM Cyber.
AXIOM Cyber’s Microsoft Teams API allows examiners to log in with account credentials to acquire evidence directly from Teams for that account. When the investigator doesn’t have the specific Teams user’s account credentials, it will be necessary to export the data from the Microsoft Security & Compliance Center. For straightforward, easy-to-follow assistance with configuring AXIOM Cyber to allow for Teams acquisitions, please refer to this blog post from Trey Amick.
To Export From Compliance Center
Log in to https://protection.office.com/permissions and validate that the eDiscovery Manager permission has been granted to your profile. If permission needs to be granted, it can be created for you by following the instructions described in Microsoft’s Getting Started with Core eDiscovery document.
Once permissions have been validated, navigate to the eDiscovery link in the menu on the left side of the page. If cases are created for you, simply select the appropriate case to open it. If you are creating cases, click on the Create a Case link to create a new eDiscovery case.
When your case opens, you have the option to view or create holds and searches relevant to the case. To create a new simple search, click on New Search.
At the bottom of the New Search column, select Specific Locations and then click the Modify… link. The Modify locations dialogue box allows you to select the individual users, groups, teams, or sites you wish to search.
Once you have added the locations associated with your search, you’ll be brought back to the search column. From here, click Save and Run and then name your search.
After your search has run, you will be able to export the results. In the list of searches, select the search that you want to export and then click Export results.
After you select your preferences for the export, click Export.
Once the export completes, it will be available for download in the Exports tab in your case. Select the name of the export you wish to download, copy the export key, and download the results. The downloaded results will be provided as one or more .pst files, which can be zipped into one archive container and loaded into AXIOM as a computer image.
NOTE: *Microsoft Edge must be used to download the results*
Once Download results has been selected, the Microsoft Office Client Discovery Application will download, which then allows the archive of the requested files to be acquired.
Lastly, users can open a new AXIOM Cyber case and load the archive as a file and folder for processing and analysis.
If you have any questions regarding processing Microsoft Teams data in AXIOM Cyber, or have an idea for a new artifact, please don’t hesitate to reach out at Lynita.firstname.lastname@example.org.