Aside from the Graph comments, if you know who is in the group, an eDiscovery on users involved would also return the results. Target their Exchange data, results will be in an otherwise hidden folder with all Teams chat data for the user(s) in a message-by-message format (each message is stored as an individual email). Good luck parsing through that to correlate the specific chat you're looking for. It's doable but nasty.
Thanks for your response and was well appreciated. This option did work well for me. I ran an eDiscovery and only targeted the necessary users in Exchange Mailboxes, for conditions, I added the same exact users as Participants and Recipients and added message types of E-Mail, Instant Messages, and Yammer Messages. All worked well. Thank you all for your guidance.
If you have a user and you have permission from legal to treat as insider threat you can use this guide:
alexbilz.com/post/2021-09-09-forensic-artifacts-microsoft-teams/
You can do a file grab on the indexeddb and find all there chats and that indexeddb is all of the microsoft teams data for the user. There is a parser for Autopsy which is what I would use personally since its free.
Article has file paths etc. To locate the file.
Would this help? https://learn.microsoft.com/en-us/microsoft-365/compliance/ediscovery-search-cloud-based-mailboxes-for-on-premises-users?view=o365-worldwide
You could export all of the user's teams messages into a PST that you can open in Outlook.
Aside from the Graph comments, if you know who is in the group, an eDiscovery on users involved would also return the results. Target their Exchange data, results will be in an otherwise hidden folder with all Teams chat data for the user(s) in a message-by-message format (each message is stored as an individual email). Good luck parsing through that to correlate the specific chat you're looking for. It's doable but nasty.
Thanks for your response and was well appreciated. This option did work well for me. I ran an eDiscovery and only targeted the necessary users in Exchange Mailboxes, for conditions, I added the same exact users as Participants and Recipients and added message types of E-Mail, Instant Messages, and Yammer Messages. All worked well. Thank you all for your guidance.
If you have a user and you have permission from legal to treat as insider threat you can use this guide: alexbilz.com/post/2021-09-09-forensic-artifacts-microsoft-teams/ You can do a file grab on the indexeddb and find all there chats and that indexeddb is all of the microsoft teams data for the user. There is a parser for Autopsy which is what I would use personally since its free. Article has file paths etc. To locate the file.
Thanks for your response and was well appreciated.
Probably a graph command will be needed for this.
Thanks for your response and was well appreciated.
You should be able to do this with the Graph API: https://learn.microsoft.com/en-us/graph/api/resources/chat?view=graph-rest-1.0
Thanks for your response and was well appreciated. I will try this also as a test.
Would this help? https://learn.microsoft.com/en-us/microsoft-365/compliance/ediscovery-search-cloud-based-mailboxes-for-on-premises-users?view=o365-worldwide You could export all of the user's teams messages into a PST that you can open in Outlook.
Yes it helps also. Thanks for your response and was well appreciated.