Forensics: Finding Slack chat artifacts

Jeroen Verhaeghe
Feb 4, 2024

Finding Slack artifacts on Windows

This article describes where Slack stores its data on Windows and how that data can be used for forensics.

User and chat history

<usersFolder> is the folder on Windows where the user data resides. Most of the time it is “C:\Users”.
<username> is the username of the user.

At the location below, the most recent chats are stored in a LevelDB database. All of the data in it is unencrypted. You can open the files with Notepad to view the most recent chats, but it’s better to use a LevelDB reader.

These files contain data from Chromium’s IndexedDB storage. Slack is built on Chromium (the browser that Google Chrome is based on). Slack stores the recent chats and the recently viewed user data in these files.

<usersFolder>\<username>\AppData\Roaming\Slack\IndexedDB\https_app.slack.com_0.indexeddb.leveldb

This folder contains the user configuration, stored as LevelDB files.

<usersFolder>\<username>\AppData\Roaming\Slack\Local Storage\leveldb

Sent images

Sent images are cached in the “Cache_Data” folder of Slack. This folder contains all cached data, including JavaScript files and CSS files. The files are stored in the data_0, data_1, data_2 disk format. This is the same file format that Chrome uses to cache browser data.

💀 Yes, all this data is unencrypted

This is the folder structure:

\Users\<username>\AppData\Roaming\Slack\Cache\Cache_Data

The cache can be read with the “ChromeCacheView” tool. Point the tool at this folder to read the cache.

Download: ChromeCacheView — Cache viewer for Google Chrome Web browser (nirsoft.net)

Interesting entries are the ones whose URL starts with:

  • https://files.slack.com/files > sent files
  • https://ca.slack-edge.com > profile avatars
  • https://slack-imgs.com > image thumbnails from sent websites

Even after Slack is uninstalled, the folder and files persist.
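As an added example (not from the original article or from the tools it mentions), the Python script below carves plain-text URLs out of the data_* files in a working copy of the Cache_Data folder and groups them by the three prefixes listed above. It is simple string carving for triage, not a parser for the Chromium cache format; the function names and category labels are assumptions.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# URL prefixes the article lists as interesting, with its description of each.
PREFIXES = {
    b"https://files.slack.com/files": "sent files",
    b"https://ca.slack-edge.com": "profile avatars",
    b"https://slack-imgs.com": "image thumbnails",
}

# A run of printable, non-space ASCII starting with https://.
# Carved strings can carry trailing junk if printable bytes follow the URL.
URL_RE = re.compile(rb"https://[\x21-\x7e]{4,2048}")

def carve_urls(blob: bytes):
    """Return (category, url) for every carved URL that matches a listed prefix."""
    hits = []
    for match in URL_RE.finditer(blob):
        url = match.group()
        for prefix, category in PREFIXES.items():
            if url.startswith(prefix):
                hits.append((category, url.decode("ascii")))
                break
    return hits

def triage_cache(cache_dir):
    """Scan the data_* files in a copied Cache_Data folder, deduplicated per category."""
    found = defaultdict(set)
    for path in sorted(Path(cache_dir).glob("data_*")):
        for category, url in carve_urls(path.read_bytes()):
            found[category].add(url)
    return {category: sorted(urls) for category, urls in found.items()}

if __name__ == "__main__":
    # Usage: python slack_cache_triage.py <path to a copy of Cache_Data>
    for category, urls in triage_cache(sys.argv[1]).items():
        print(f"{category}: {len(urls)} URL(s)")
        for url in urls:
            print(f"  {url}")
```

Run it against a copy of the folder rather than the original evidence, and use the carved URLs as leads to look up in a cache viewer.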

Coming soon

I’m working on a tool to automate this process and will update this article with the details. For now, we can extract artifacts from Slack manually.

Update: a tool already exists, https://github.com/0xHasanM/Slack-Parser
