In a significant development for digital forensics investigators, new research has revealed comprehensive methods to decrypt Zoom Team Chat databases, potentially exposing sensitive user communications and activities.
As organizations worldwide continue to rely on Zoom for remote collaboration, these findings highlight important security considerations for the platform’s estimated 300 million daily users.
Zoom Team Chat stores conversations in SQLCipher databases opened with non-default parameters: a page size of 1024 bytes and 4,000 KDF iterations. Those two values matter in practice. A current SQLCipher build defaults to 4096-byte pages and 256,000 iterations, so a database opened with the defaults fails with "file is not a database" even when the key is correct; both settings have to be issued explicitly, after the key and before the first query.
According to forensic expert Muhammad Haidar Akita Tresnadi, Zoom stores its application data in two critical encrypted databases:
Main database (zoomus.enc.db) – Located in C:\Users\[username]\AppData\Roaming\Zoom\data\
User-specific database (zoomus.async.enksdb) – Stored in C:\Users\[username]\AppData\Roaming\Zoom\data\<XMPP JID>\
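The parameters above imply a check the article does not show: before spending effort on key recovery, confirm that a candidate key and the 1024/4000 settings actually match the file. The script below is an added example, not the researcher's code and not anything from Zoom. It implements SQLCipher's documented page-1 HMAC verification with the standard library only, so a candidate key (a passphrase or a raw 32-byte x'..' key) can be tested against a copy of zoomus.enc.db without a full decrypt; it then tries the SQLCipher 2, 3 and 4 default profiles to see which one verifies, and prints the PRAGMA sequence to feed a SQLCipher shell. The SHA1 algorithm set (the SQLCipher 2/3 profile, which is what a 4,000-iteration, 1024-byte configuration matches), the hypothetical passphrase, and the constructed build_fixture() test page are assumptions; the only figures taken from the article are the page size and iteration count.

```python
"""Verify candidate SQLCipher keys and parameters against page 1 of a database.

Added example for this article (not the researcher's or Zoom's code). It follows
the SQLCipher page format documented by Zetetic for the SQLCipher 2/3 profile:
16-byte salt in the file header, PBKDF2-HMAC-SHA1 key derivation, and a per-page
HMAC-SHA1 over ciphertext || IV || page number. The article gives only the page
size (1024) and KDF iterations (4000); the SHA1 algorithm set is an assumption
that matches those values (they are the SQLCipher 2 defaults).
"""
import hashlib
import hmac
import os
import struct

SALT_SZ = 16           # first 16 bytes of the file double as the KDF salt
IV_SZ = 16             # AES-CBC IV, stored at the start of each page's reserve area
KEY_SZ = 32            # AES-256 key length
FAST_KDF_ITER = 2      # SQLCipher derives the HMAC key with only 2 PBKDF2 rounds
HMAC_SALT_MASK = 0x3A  # HMAC salt = file salt with every byte XORed with 0x3a

# Well-known (page_size, kdf_iter, algorithm) profiles: SQLCipher 2, 3 and 4 defaults.
PROFILES = [(1024, 4000, "sha1"), (1024, 64000, "sha1"), (4096, 256000, "sha512")]


def reserve_size(hmac_sz, block_sz=16):
    """Bytes reserved at the end of every page: IV + HMAC, rounded up to the AES block."""
    return -(-(IV_SZ + hmac_sz) // block_sz) * block_sz


def derive_keys(secret, salt, kdf_iter, algo, raw_key):
    """Return (encryption key, HMAC key). A raw key (SQLCipher x'..' syntax) skips PBKDF2;
    the HMAC key is always derived from the encryption key with the masked salt."""
    if raw_key:
        if len(secret) != KEY_SZ:
            raise ValueError("raw key must be 32 bytes")
        key = secret
    else:
        key = hashlib.pbkdf2_hmac(algo, secret, salt, kdf_iter, KEY_SZ)
    hmac_salt = bytes(b ^ HMAC_SALT_MASK for b in salt)
    return key, hashlib.pbkdf2_hmac(algo, key, hmac_salt, FAST_KDF_ITER, KEY_SZ)


def page1_hmac_matches(db, secret, page_size=1024, kdf_iter=4000, algo="sha1", raw_key=False):
    """True if secret + parameters reproduce the HMAC stored in page 1.
    Page 1 starts with the plaintext salt, so authentication begins after it;
    the rest of the page is ciphertext | IV | HMAC | padding."""
    if len(db) < page_size:
        return False
    hmac_sz = hashlib.new(algo).digest_size
    reserve = reserve_size(hmac_sz)
    _, hmac_key = derive_keys(secret, db[:SALT_SZ], kdf_iter, algo, raw_key)
    mac_start = page_size - reserve + IV_SZ                        # ciphertext, then IV, then HMAC
    authenticated = db[SALT_SZ:mac_start] + struct.pack("<I", 1)   # ciphertext || IV || pgno (LE)
    expected = hmac.new(hmac_key, authenticated, algo).digest()
    return hmac.compare_digest(expected, db[mac_start:mac_start + hmac_sz])


def find_parameters(db, secret, raw_key=False):
    """Try each known profile and return the first whose page-1 HMAC verifies, else None."""
    for page_size, kdf_iter, algo in PROFILES:
        if page1_hmac_matches(db, secret, page_size, kdf_iter, algo, raw_key):
            return page_size, kdf_iter, algo
    return None


def sqlcipher_pragmas(secret, page_size, kdf_iter, algo, raw_key):
    """PRAGMAs to run, in this order, before the first query in a SQLCipher 4 shell.
    cipher_compatibility selects the SHA1 (3) or SHA512 (4) algorithm set; the explicit
    page size and kdf_iter then override that profile's defaults."""
    if raw_key:
        key_literal = "\"x'%s'\"" % secret.hex()
    else:
        key_literal = "'%s'" % secret.decode().replace("'", "''")
    return [
        "PRAGMA key = %s;" % key_literal,
        "PRAGMA cipher_compatibility = %d;" % (3 if algo == "sha1" else 4),
        "PRAGMA cipher_page_size = %d;" % page_size,
        "PRAGMA kdf_iter = %d;" % kdf_iter,
    ]


def build_fixture(secret, page_size=1024, kdf_iter=4000, algo="sha1", raw_key=False):
    """Constructed page 1 with a valid HMAC over random stand-in ciphertext (test data only)."""
    hmac_sz = hashlib.new(algo).digest_size
    reserve = reserve_size(hmac_sz)
    salt = os.urandom(SALT_SZ)
    _, hmac_key = derive_keys(secret, salt, kdf_iter, algo, raw_key)
    ciphertext, iv = os.urandom(page_size - reserve - SALT_SZ), os.urandom(IV_SZ)
    mac = hmac.new(hmac_key, ciphertext + iv + struct.pack("<I", 1), algo).digest()
    page = salt + ciphertext + iv + mac
    return page + b"\x00" * (page_size - len(page))


if __name__ == "__main__":
    # Constructed sample: a Zoom-style 1024/4000 profile keyed with a hypothetical passphrase.
    sample = build_fixture(b"hypothetical-user-key")
    print(find_parameters(sample, b"hypothetical-user-key"))   # (1024, 4000, 'sha1')
    for stmt in sqlcipher_pragmas(b"hypothetical-user-key", 1024, 4000, "sha1", False):
        print(stmt)
```

Against a real file, only the first page is needed: read the first 4096 bytes of the copied database (enough for every profile in PROFILES) and pass them to find_parameters() with each candidate key. Each attempt costs one PBKDF2 run per profile, so the check is cheap enough to loop over a list of candidates, and a verified profile tells you which PRAGMAs to issue before the shell will open the database.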
“This layered key setup makes analyzing Zoom Team Chat data more complex than typical app data,” the researcher said.
The decryption process requires obtaining multiple cryptographic elements:
The following Python code demonstrates the final derivation of the user_key:
Successful decryption can reveal extensive user activities, including:
While Zoom offers Advanced Chat Encryption (ACE) as an additional security layer, it comes with significant limitations.
When ACE is enabled, “keys are generated by the user’s device and shared only with the other chat participants’ devices”. However, this restricts features including message archiving, data loss prevention, and AI capabilities.
“Since the encryption key is only stored on the devices of recipients, Zoom is also unable to assist with recovery,” according to Zoom’s support documentation.
The ability to decrypt Zoom Team Chat databases cuts both ways. It gives investigators with lawful access to a device a route to the chat history, and it means the same material is within reach of an attacker who obtains a copy of the user's profile directory together with the key material held on that endpoint.
Organizations should therefore assume that locally stored communications may be recoverable through forensic methods even when Zoom's encryption features are in use.
Security experts recommend organizations implement:
As remote work continues to be standard practice, understanding the security architecture of communication platforms like Zoom becomes increasingly crucial for maintaining organizational data protection.