
Investigating Zoom

25/06/2021 Friday

Zoom is one of the leading cloud-based video conferencing and messaging platforms. The video telephony software allows multiple participants to communicate concurrently. Its popularity spiked during the COVID-19 pandemic period of 2019-2020, drawing interest from both personal and business users. It is used by banks, schools, universities, and government agencies around the world.

The software is available for installation on desktop (Windows, macOS, Linux), as an application on mobile (Android and iOS), and via web browsers. This allows users to join and access the software from anywhere and on any device. Zoom provides its users with simplified features such as one-on-one meetings, group video conferences, screen sharing, meeting recording and transcription, team chats, collaboration tools, and much more.


Digital Forensics Value of Zoom Artifacts


The company (Zoom Video Communications) reported over 300 million daily meeting participants in April 2020 alone. Such heavy usage makes it important to be able to extract and view the critical artifacts that aid investigations. Zoom artifacts retain information such as IDs, email addresses, messages, and phone numbers. The timestamps within these artifacts, covering meetings, call history, and messaging, are especially valuable to an investigation.


Location of Zoom Artifacts


When Zoom is used, it creates artifacts in the following locations on the user's system:

Windows XP:


Windows 7/10:

macOS: /Users/[Username]/Library/Application Support/zoom.us/data


Structure of Zoom Artifacts


Zoom artifacts are stored in SQLite databases. Each database contains multiple tables with information about the user's actions in the software.
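The following added example, which is not from ArtiFast or the original post, inventories a working copy of the data directory: it hashes each file, checks for the plaintext SQLite header, and lists tables with row counts over a read-only connection. The file and table names it builds are constructed sample data, not Zoom's actual schema.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of a plaintext SQLite file

def inventory_db(path):
    """Return hash, format and per-table row counts for one evidence copy."""
    path = Path(path).resolve()
    data = path.read_bytes()
    report = {"file": path.name, "sha256": hashlib.sha256(data).hexdigest()}
    if not data.startswith(SQLITE_MAGIC):
        # Encrypted or non-SQLite content: record it, do not try to open it.
        report["format"] = "not plaintext SQLite"
        return report
    report["format"] = "sqlite"
    # mode=ro keeps this connection from writing to the evidence copy.
    con = sqlite3.connect(f"{path.as_uri()}?mode=ro", uri=True)
    try:
        report["tables"] = {}
        for (name,) in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall():
            quoted = '"' + name.replace('"', '""') + '"'  # safe identifier quoting
            report["tables"][name] = con.execute(
                f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    finally:
        con.close()
    return report

def inventory_dir(data_dir):
    """Inventory every regular file in a copied data directory."""
    return [inventory_db(p) for p in sorted(Path(data_dir).iterdir()) if p.is_file()]

def build_sample(data_dir):
    """Constructed sample data; table names are invented, not Zoom's schema."""
    con = sqlite3.connect(Path(data_dir) / "sample_plain.db")
    con.execute("CREATE TABLE example_messages (id INTEGER, body TEXT, sent_at INTEGER)")
    con.execute("CREATE TABLE example_contacts (id INTEGER, email TEXT)")
    con.executemany("INSERT INTO example_messages VALUES (?, ?, ?)",
                    [(1, "hello", 1624579200), (2, "see you at 3", 1624582800)])
    con.commit()
    con.close()
    (Path(data_dir) / "sample_opaque.db").write_bytes(bytes(range(64)))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for entry in inventory_dir(d):
            print(entry)
```

Recording the SHA-256 of each file before opening it lets the examiner show later that the working copy was not altered during analysis.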


Analyzing Zoom Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to extract Zoom artifacts from Windows machines and what kind of digital forensics insight we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select Zoom Artifacts:




ArtiFast can analyze Zoom Chat Messages, Sent/Received Files, Call History, Sessions, Contacts, Groups, Meeting History, Meeting Messages, User Accounts, Subscription Requests, Active Devices, Action Logs and Settings. For demonstration purposes all the artifacts have been chosen; however, you have the option to select one or more artifacts.



Once the ArtiFast parser plugins finish processing the artifacts, the results can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Zoom artifacts in ArtiFast software.


Zoom Chat Messages Artifact

This artifact contains the texts exchanged between the user and his/her contacts. The details you can view include:


Zoom Sent/Received Files Artifact

This artifact shows information on all files that were sent or received by the user in a chat room. The details you can view include:


Zoom Call History Artifact

This artifact shows information on the Zoom calls the user participated in. The details you can view include:


Zoom Sessions Artifact

This artifact has information on the Zoom sessions the user has participated in. The details you can view include:


Zoom Searches Artifact

This artifact gets information on search queries made by the user on the software. The details you can view include:


Zoom Contacts Artifact

This artifact contains information on the user's contacts. The details you can view include:


Zoom Groups Artifact

This artifact contains information on groups the user is a part of. The details you can view include:


Zoom Meeting History Artifact

This artifact shows information on meetings the user has participated in. The details you can view include:


Zoom Meeting Messages Artifact

During a meeting, Zoom allows the participants to send messages within the session. The details you can view include:


Zoom User Accounts Artifact

This artifact contains Zoom-encrypted information on the user accounts that have logged into the system using the software. The details you can view include:


Zoom Subscription Requests Artifact

This artifact contains information on subscription requests received or sent by the user. The details you can view include:


Zoom Active Devices Artifact

This artifact contains information on the devices where the user account is active. The details you can view include:


Zoom Action Logs Artifact

This artifact contains information from the Zoom action logs. The details you can view include:


Zoom Settings Artifact

This artifact contains information on settings configured in the user's software. The details you can view include: