6

I am creating a digital forensic tool that gets all of a user's data from different platforms. I have successfully done the extraction for the Teams website, but I am unable to do so for the desktop app. So far, I know that the cookies are stored in the Local/Microsoft/Teams folder. The file has no extension, although it is an SQLite3 database. It shows all the cookies, but these are in encrypted form. Is there any way I can get the actual decrypted cookies?

  1. If the server encrypts cookies, it does not mean that the client is able to decrypt them. The client must just send back all the cookies to the server.

The server is not encrypting; instead, the client desktop app is. The Microsoft API uses plain cookies. And I cannot use the encrypted ones in a browser, as that will not start a session.

  1. Why do you think they are encrypted in the first place instead of just being some identifier into a backend database with the actual data?

  2. What makes you think that the client (and thus your tool) would have access to the key to decrypt the data - wouldn't this defeat the purpose of encryption in the first place?

I think they are encrypted because they are under the column "encrypted value".


I have found a library that decrypts cookies stored by Chrome and other browsers. I think we can decrypt the MS Teams cookies if we have the keys for them, using the following code:

```python
import browser_cookie3

# cookie_file points at the Teams WebView2 cookie store; key_file is still a placeholder.
c = browser_cookie3.chrome(cookie_file=r"C:\Users\Farhan Ahmed\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default\Network\Cookies", key_file="Key file")

for cookie in c:
    print(cookie.name, end=" ")
    print(cookie.value)
```

The code does not work for now and gives some errors. I am checking why that is happening.

I would appreciate it if someone shares a better way of doing it.

farhan jatt
  • 1. Why do you think they are encrypted in the first place instead of just being some identifier into a backend database with the actual data? 2. What makes you think that the client (and thus your tool) would have access to the key to decrypt the data - wouldn't this defeat the purpose of encryption in the first place? –  Feb 25 '23 at 07:09
  • Electron has the safeStorage function for such things. I'd look into what Edge webview2 provides. –  Feb 25 '23 at 08:51
  • If the server encrypts cookies, it does not mean that the client is able to decrypt them. The client must just send back all the cookies to the server. – mentallurg Feb 25 '23 at 11:45
  • @SteffenUllrich I think I have access to browser cookies, so why not the app session cookies stored on disk? The root should have access to his cookies when he wants. I think they are encrypted because they are under the column encrypted value. I am new to cyber security and recently started my degree, so I do not have enough knowledge. –  Feb 26 '23 at 01:45
  • @mentallurg The server is not encrypting; instead, the client desktop app is. The Microsoft API uses plain cookies. And I cannot use the encrypted ones in a browser, as that will not start a session. Still, I will try once to confirm. –  Feb 26 '23 at 01:48
  • 1) Please add this statement to the question. 2) See the question of Steffen Ulrich above: Why do you think they are encrypted? Again, please add the answer to your question. – mentallurg Feb 26 '23 at 01:58
  • @vidarlo I have done an edit. It might help you. –  Feb 26 '23 at 05:37
  • @mentallurg I have done an edit. It might help you. –  Feb 26 '23 at 05:37
  • @SteffenUllrich I have done an edit. It might help you. –  Feb 26 '23 at 05:38
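
The question of whether, and how, the values in the "encrypted value" column are protected can be settled from the database itself before any decryption is attempted. The following is an added example, not code from the question or from any library's authors: it assumes the Teams store follows the Chromium cookie schema (a `cookies` table with `value` and `encrypted_value` columns) and uses Chromium's blob prefixes and the DPAPI header as markers; the sample rows are constructed.

```python
import sqlite3
from collections import Counter
from pathlib import Path

# Raw DPAPI blob header: version 1 followed by the DPAPI provider GUID.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
# Chromium os_crypt prefixes (v10: AES-GCM, key DPAPI-wrapped; v20: app-bound).
PREFIXES = (b"v10", b"v20")

def classify(blob):
    """Name the protection scheme of one encrypted_value blob; nothing is decrypted."""
    if not blob:
        return "empty"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi"
    return blob[:3].decode() if blob[:3] in PREFIXES else "unknown"

def triage(db_path):
    """Count cookies per scheme, reading an evidence copy strictly read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        cols = {row[1] for row in con.execute("PRAGMA table_info(cookies)")}
        if "encrypted_value" not in cols:
            raise ValueError("no cookies.encrypted_value column")
        counts = Counter()
        for value, enc in con.execute("SELECT value, encrypted_value FROM cookies"):
            counts["plaintext" if value and not enc else classify(enc)] += 1
        return dict(counts)
    finally:
        con.close()

def build_sample(db_path):
    """Constructed sample store (made-up rows) with the columns triage() reads."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE cookies (host_key, name, value, encrypted_value BLOB)")
    con.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", [
        ("example.invalid", "a", "", b"v10" + bytes(28)),
        ("example.invalid", "c", "", DPAPI_MAGIC + bytes(16)),
        ("example.invalid", "d", "plain", b""),
    ])
    con.commit()
    con.close()

if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(os.path.join(tmp, "Cookies"))
        print(triage(os.path.join(tmp, "Cookies")))
```

Run it against a copy of the Cookies file rather than the live one; `immutable=1` tells SQLite the file will not change, which only holds for a copy.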