Collecting from Microsoft Teams using PowerShell

There are two means by which to ingest Microsoft Teams information into Magnet Axiom for processing. The first approach uses Axiom Process. If you’re collecting in this manner you will need to have the credentials of the user you are collecting from. Axiom will use those credentials to log into O365 and retrieve the user’s data. Depending on the conditions of the investigation, you may have the option of resetting the password to gain access.

Magnet Axiom Cyber Teams Collection

If you don’t have the user’s credentials, but you do have administrative access to the Exchange environment, you can run a search from the Microsoft Security and Compliance center. Once the search completes you can export/download the results as a PST. To ingest the PST into Axiom just ‘add evidence’ , ‘files & folders’ and then browse to the PST file.

To speed up the process, I’ve written a small PowerShell script to build and run the Compliance Center search. The script depends on the ExchangeOnlineManagment module being installed. In this script we’re connecting to Security & Compliance PowerShell using MFA and modern authentication.

TeamsSearch.ps1

The script prompts for:

  • the identity (admin ID) of the investigator
  • a name to save the Compliance search
  • the email address of the user to collecting

Once this information is provided the script will build and run the Compliance Search in O365. From this point you can log into Compliance Center, navigate to the search and then export the contents as a PST.

<# MS Teams Security & Compliance Search
author: Doug Metz https://github.com/dwmetz
Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information.#>
[string]$user = Read-Host -Prompt 'Exchange Credentials'
Connect-IPPSSession -UserPrincipalName $user
[string]$name = Read-Host -Prompt 'Enter a name for the search'
[string]$email = Read-Host -Prompt 'Enter the users email address'
new-compliancesearch -name $name -ExchangeLocation $email -ContentMatchQuery 'kind=microsoftteams','ItemClass=IPM.Note.Microsoft.Conversation','ItemClass=IPM.Note.Microsoft.Missed','ItemClass=IPM.Note.Microsoft.Conversation.Voice','ItemClass=IPM.Note.Microsoft.Missed.Voice','ItemClass=IPM.SkypeTeams.Message'
Start-ComplianceSearch $name
Get-ComplianceSearch $name
New-ComplianceSearchAction -SearchName $name -Export
Write-Host "Search initiated"-ForegroundColor Blue
Write-Host "Proceed to https://protection.office.com/ to download the results."-ForegroundColor Blue

Either copy the code from here, or download from my GitHub repository.

CSIRT-Collect

A PowerShell script to collect memory and (triage) disk forensics for incident response investigations

There’s a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations how things are designed to work with remote assets, and how they actually work, may not be the same. What I wanted was a repeatable pre-defined collection mechanism, that could scale out to be supported by non-forensics team members to participate in forensic evidence collection for incident response examinations. The intent is that the collection process can be distributed among remote team members, be it site support or Security Operations Center (SOC). The script can also be integrated into SOAR and EDR platforms.

CSIRT-Collect was written to fill that role.

https://github.com/dwmetz/CSIRT-Collect

CSIRT-Collect leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection.

Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation). In the demonstration code, a network location of \\Synology\Collections can be seen. This should be changed to reflect the specifics of your environment.

The Collections folder will need to include:
– subdirectory KAPE; copy the directory from any existing install
– subdirectory MEMORY; 7za.exe command line version of 7zip and winpmem.exe

CSIRT-Collect Operations:

  • Maps to existing network drive –
  • Subdir 1: “Memory” – Winpmem and 7zip executables
  • Subdir 2: ”KAPE” – directory (copied from local install)
  • Creates a local directory on asset
  • Copies the Memory exe files to local directory
  • Captures memory with Winpmem
  • When complete, ZIPs the memory image
  • Renames the zip file based on hostname
  • Documents the OS Build Info (no need to determine profile for Volatility)
  • Compressed image is copied to network directory and deleted from host after transfer complete
  • New temp Directory on asset for KAPE output
  • KAPE !SANS_Triage collection is run using VHDX as output format [$hostname.vhdx] **
  • VHDX transfers to network
  • Removes the local KAPE directory after completion
  • Writes a “Process complete” text file to network to signal investigators that collection is ready for analysis.

** Note: you can build different KAPE collection profiles by modifying just one line of code. Profiles can be chosen to support the requirements of the investigation.

CSIRT-Collect_USB

This is a separate script that performs essentially the same functionality as CSIRT-Collect.ps1 with the exception that it is intended to be run from a USB device. There is no need for a temporary host directory as the information is written direct to the USB device. The extra compression operations on the memory image and KAPE .vhdx have also been omitted. There is a slight change noted below to the folder structure for the USB version. On the root of the USB:

  • CSIRT-Collect_USB.ps1
  • folder (empty to start) titled ‘Collections’
  • folders for KAPE and Memory – same as above
  • Execution: -Open PowerShell as Adminstrator -Navigate to the USB device -Execute ./CSIRT-Collect_USB.ps1

To see a demonstration of CSIRT-Collect in action please register for my talk this Thursday, PowerShell Tools for IR Forensics Collection as part of the Enterprise Pulse lecture series hosted by Magnet Forensics.

Q&A will be live on Discord during the event.