We at Magnet Forensics are constantly trying to keep up with new artifacts that are relevant to the changing times to help assist in your examinations. Recently added into Magnet AXIOM was the support of Zoom application artifacts, which in recent times has become an extremely popular way for us to connect and communicate in the current world climate. The Zoom support in Magnet AXIOM includes artifacts for the Windows operating system, as well as for both iOS and Android mobile platforms.
After processing for Zoom data, you will see its artifacts under the chat category in AXIOM Examine. As of AXIOM 4.2, we support Zoom artifacts such as channels, contacts, chat messages, meeting messages, and user account data. Just as any other chats that AXIOM parses, the messages parsed from Zoom can be easily viewed threaded together in Conversation view, as well as in the Preview on the right side of the window in Examine. Note that to parse Zoom User Account data from a Windows device, AXIOM Process requires some additional steps to decrypt that data, detailed in the next section.
Decrypting Zoom User Data
Zoom User Account data uses DPAPI (Data Protection API) encryption, which is used by many applications to store encrypted data on a Windows operating system. Therefore, when processing for this artifact, you will need to put in the user’s Windows account password to decrypt it. After you load in your evidence in AXIOM Process, under the Artifact Details, you will see the ability to click for additional options under the Zoom artifact.
A new window will then open which will prompt you to input the user’s Windows password.
Once processing is complete with that additional data, you will notice that the Zoom User Data artifact in AXIOM Examine will be decrypted!
If you’re already using AXIOM, be sure to upgrade to the latest version from the Customer Portal to get all the latest artifact support, including support for Zoom! For those who want to give Magnet AXIOM a try, request a free trial today!