Parse Zoom Team Chat Encrypted Databases

[calilkhalil]

Summary

Proposing a new parser to decrypt and analyze Zoom Team Chat encrypted databases (zoomus.enc.db and zoomus.async.enksdb), enabling forensic investigators to extract chat messages, user contacts, file transfers, and meeting history from Zoom artifacts.

Motivation

Zoom has become one of the most widely used communication platforms globally, especially after 2020. Currently, IPED lacks native support for Zoom's encrypted database artifacts, which contain critical evidence in:

• Corporate investigations (insider threats, data exfiltration)
• Incident response (ransomware negotiations, threat actor communications)
• Legal discovery and compliance audits
• Criminal investigations

The encryption architecture makes manual analysis extremely complex, requiring specialized knowledge of DPAPI, SQLCipher, and Zoom's custom key derivation process.

Technical Background

Zoom uses a three-layer encryption architecture:

1. Main key: 42-byte base64 key encrypted with Windows DPAPI (stored in zoom.us.ini)
2. Key-wrapping key (kwk): 44-byte server-side key (requires runtime capture)
3. User key: Derived from SHA256 operations on both keys

Databases use SQLCipher with non-standard parameters:

• Page size: 1024 bytes (not default 4096)
• KDF iterations: 4000 (not default 64000)
• HMAC: SHA1 (legacy compatibility)
• Cipher: AES-256-CBC

Proposed Implementation

Phase 1: Detection & Categorization

<!-- CustomSignatures.xml -->
<mime-type type="application/x-zoom-encrypted-db">
    <magic priority="50">
        <match value="SQLite format 3" type="string" offset="0"/>
        <!-- Check for SQLCipher encryption header -->
        <match value="\x00\x00\x00\x00" type="string" offset="16"/>
    </magic>
    <glob pattern="zoomus.enc.db"/>
    <glob pattern="zoomus.async.enksdb"/>
    <glob pattern="zoomus.tmp.enc.db"/>
</mime-type><mime-type type="application/x-zoom-config">
    <glob pattern="zoom.us.ini"/>
</mime-type><mime-type type="application/x-zoom-mmkv">
    <glob pattern="mmkv.db"/>
    <glob pattern="*.mmkv"/>
</mime-type>

Phase 2: Parser Architecture

public class ZoomChatParser extends AbstractParser {
    // Parse zoom.us.ini for encrypted key
    // Attempt DPAPI decryption (Windows)
    // Check for cached/stored kwk
    // Derive user key if possible
    // Decrypt SQLCipher database
    // Extract artifacts as subitems
}

Phase 3: Extracted Artifacts

The parser would create subitems for:

• Chat messages (HTML formatted with timestamps, sender info)
• Contact lists (CSV/Table format)
• File transfer logs (with file hashes, paths)
• Meeting history (participants, duration, IDs)
• User account info (emails, profile data)

Phase 4: Handling Decryption Challenges

Scenarios:
1. Full decryption (both keys available) → Extract all data
2. Partial decryption (only main_key) → Extract account info
3. No decryption possible → Extract metadata, flag for manual analysis

Key Features

1. Automatic DPAPI handling using JNI/JNA for Windows systems
2. kwk recovery from memory dumps or cached sessions
3. Cross-platform support (Windows primary, macOS/Linux when feasible)
4. Report generation with timeline visualization
5. Integration with existing parsers (correlation with browser history, Discord, etc.)

Implementation Approach

I plan to:

1. Start with Windows implementation (most common in forensics)
2. Use existing DPAPI libraries (dpapick/jdpapi)
3. Integrate SQLCipher through existing Java bindings
4. Create comprehensive test cases with sample databases

Dependencies

• SQLCipher Java bindings (already used in other IPED parsers)
• DPAPI library for Java (evaluate best option)
• Standard Java crypto libraries

Questions for the Community

1. Priority: Is Zoom artifact analysis a priority for IPED users?

2. Scope: Should we focus only on Team Chat or include other Zoom artifacts (meeting recordings, logs)?

3. Key Management: How should we handle the kwk challenge?

   • Option A: Manual input field for investigators who captured it
   • Option B: Integration with memory analysis tools
   • Option C: Dictionary of known test keys (for research)

4. DPAPI Integration: What's the preferred approach for Windows DPAPI?

   • JNI/JNA calls to Windows API?
   • Pure Java implementation?
   • External tool integration?

5. Similar Work: Has anyone attempted Zoom parsing before? Any code to build upon?

6. Output Format: Preference for extracted data format?

   • Individual HTML reports per conversation?
   • Single consolidated timeline?
   • Export to standard formats (EML, CSV)?

Testing & Validation

I can provide:

• Test databases from controlled environments
• Validation against manual analysis results
• Performance benchmarks with large databases
• Documentation with forensic methodology

Timeline

If there's interest, I estimate:

• 2-3 weeks for basic Windows implementation
• 1-2 weeks for testing and refinement
• 1 week for documentation

I'm willing to implement this feature and maintain it. Looking forward to community feedback on approach and priority.

References

• Zoom Team Chat Decryption Research

---

Note: This would be my first major IPED contribution. Happy to adjust approach based on project standards and maintainer preferences.

[lfcnassif]

Hi @calilkhalil! Thank you very much for contributing to this project, it will be very very welcome!

I'll try to answer some of your questions:

1. Priority: Is Zoom artifact analysis a priority for IPED users?

I think maybe Instagram chat, Facebook Messenger or Signal applications could be more important to our users. But Zoom decoding would be welcome, for sure!

2. Scope: Should we focus only on Team Chat or include other Zoom artifacts (meeting recordings, logs)?

Chats usually are the more important artifacts, I would focus on them in an initial implementation.

3. Key Management: How should we handle the kwk challenge?

• Option A: Manual input field for investigators who captured it
• Option B: Integration with memory analysis tools
• Option C: Dictionary of known test keys (for research)

I would vote on C, it covers A and B seems more complex.

4. DPAPI Integration: What's the preferred approach for Windows DPAPI?

• JNI/JNA calls to Windows API?
• Pure Java implementation?
• External tool integration?

Since we have Linux users, a pure java solution or integration with an external tool that exists on Windows and on Linux would be much better. Today all modules works on Windows and on Linux systems, we would like to continue to deliver all results to Linux users.

5. Similar Work: Has anyone attempted Zoom parsing before? Any code to build upon?

Not in this project to my knowledge.

6. Output Format: Preference for extracted data format?

• Individual HTML reports per conversation?
• Single consolidated timeline?
• Export to standard formats (EML, CSV)?

Individual HTML reports per conversation and one subitem artifact per chat message to be used in the tool global timeline, like other chat parsers do today.

[calilkhalil]

Hi @lfcnassif!

Thank you for the warm welcome and clear guidance! Based on your feedback, I'll proceed with:

1. Pure Java DPAPI implementation for cross-platform compatibility
2. Dictionary of known keys as fallback
3. Individual HTML reports per conversation + subitems for timeline
4. Focus on Team Chat messages initially

I'll start working on a proof-of-concept and will update this issue with progress. I'll look at WhatsApp and Telegram parsers as reference for the structure.

If I have any specific questions during implementation, I'll ask here. Thanks again!

[calilkhalil]

Just a heads up:

I have a working CLI that does the complete Zoom decryption/extraction process!

Currently porting it to IPED's architecture (AbstractParser, proper subitem extraction, etc.), which is why it's taking a bit longer.

The forensic logic is proven, just need to integrate it properly with IPED's codebase.

[calilkhalil]

Hi team!

Being transparent here: I have the Zoom decryption working perfectly in a standalone Java CLI, but I'm hitting some walls adapting it to IPED's architecture.

The good: All the forensic logic works - DPAPI, SQLCipher, extraction, everything.

The challenge: I'm struggling with:

• The AbstractParser/EmbeddedDocumentExtractor patterns
• Stream processing
• How to properly structure subitems for the timeline

Would anyone be willing to:

• Do a quick review of my approach?
• Point me to the best reference parser for this use case?
• Maybe pair on the integration for an hour?

I can share my working CLI code and where I'm stuck with the integration. Would really appreciate another set of eyes on this!

Happy to contribute back by documenting the parser creation process for future contributors once I understand it better!

[lfcnassif]

Thank you very much for your work on this feature, @calilkhalil!

Currently I'm on vacation and I'll return just on Januray 2026, then I can help you on this integration. But maybe @marcosammoura, @aberenguel or @hauck-jvsh could help you before me. Do any of you guys have available time?

[calilkhalil]

Hi @lfcnassif, @marcosammoura, @hauck-jvsh and @aberenguel!

Thank you for the support! Here's the working CLI implementation.

Files

I've prepared two packages with everything needed:

zoom_forensics-source.tar.gz

• Complete Java source code (16 files)
• ECJ compiler (ecj-3_36_0.jar)
• SQLite JDBC driver (sqlite-jdbc-3_49_1_0.jar)
• Sample wordlist for password cracking
• Size: 21M
• SHA256: a7e745c96b7a61ba1f675ed6ed980e9073bb9c487e2cc5d8f18b7217826da494

zoom_forensics-full.tar.gz

• Same as source, plus:
• Pre-compiled Java classes (28 files)
• Ready to run (no compilation needed)
• Does not include ECJ compiler
• Size: 18M
• SHA256: 41e11ea53619f6ee4406c7f518cc377fa920bb347983aec9f66f8defffc60c74

Artifacts download link: C_Zoom_Artifacts.zip

How to run

java -cp "bin;lib/*" com.dpapi.orchestrator.DPAPIOrchestrator \
    "C:\Evidence\Users" \
    "C:\Evidence\Users\Target\AppData\Roaming\Microsoft\Protect" \
    "wordlist.txt" \
    "local" \
    "zoom_report.html"

This will decrypt and extract all Zoom Team Chat messages, contacts, and file transfers into an HTML report.

Once you guys approve the integration approach, I'll handle all the documentation properly. Sorry for the delay - this was one of my first serious Java projects!

Let me know if you need any clarification or help with the integration!

[calilkhalil]

Hello everyone,

I would like to know if anyone is taking care of the CLI. I would love to hear your opinions and help with commits and documentation on everything.

Any updates would be great!

Happy New Year, by the way!