Forensic Acquisition of IMVU: a Case Study

Journal of Digital Forensics, Security and Law

Volume 10 Number 4 Article 6

2015

Forensic Acquisition of IMVU: A Case Study

Robert van Voorst National Police of the Netherlands

M-Tahar Kechadi University College Dublin

Nhien-An Le-Khac University College Dublin

Follow this and additional works at: https://commons.erau.edu/jdfsl

Part of the Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, and the Information Security Commons

Recommended Citation van Voorst, Robert; Kechadi, M-Tahar; and Le-Khac, Nhien-An (2015) "Forensic Acquisition of IMVU: A Case Study," Journal of Digital Forensics, Security and Law: Vol. 10 : No. 4 , Article 6. DOI: https://doi.org/10.15394/jdfsl.2015.1212 Available at: https://commons.erau.edu/jdfsl/vol10/iss4/6

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. Forensic Acquisition of IMVU: A Case Study JDFSL V10N4

FORENSIC ACQUISITION OF IMVU: A CASE STUDY Robert van Voorst National Police of the Netherlands Rotterdam, Netherlands [email protected]

M-Tahar Kechadi, Nhien-An Le-Khac University College Dublin Dublin 4, Ireland {tahar.kechadi,an.lekhac}@ucd.ie

ABSTRACT There are many applications available for personal computers and mobile devices that facilitate users in meeting potential partners. There is, however, a risk associated with the level of anonymity on using instant message applications, because there exists the potential for predators to attract and lure vulnerable users. Today Instant Messaging within a Virtual Universe (IMVU) combines custom avatars, chat or instant message (IM), community, content creation, commerce, and anonymity. IMVU is also being exploited by criminals to commit a wide variety of offenses. However, there are very few researches on digital forensic acquisition of IMVU applications. In this paper, we discuss first of all on challenges of IMVU forensics. We present a forensic acquisition of an IMVU 3D application as a case study. We also describe and analyse our experiments with this application. Keywords: Instant messaging, forensic acquisition, Virtual Universe 3D, forensic process, forensic case study INTRODUCTION IM applications available for download today [1]. Besides, IM applications (apps) also allow Instant messaging (IM) is one of the most users to create a detailed personal profile popular digital communication technologies including name, email address, age, home and is widely used today. In fact, IM belongs address, phone number, school and hobbies. If to the category of Internet based users do not verify carefully during the sign-up communication services. Traditionally the IM process, they could reveal more information was designed to transfer text messages only, than they should. Easy accessible profiles can but now it has been enhanced with additional allow anyone to contact IM users. Indeed, features such as voice/video message, file some IM apps offer users the option of joining transfer, etc. Moreover, IM can be accessible in chat with strangers. As a consequence, using through cell phones or other mobile devices, as of IM apps can encourage gossiping and well as on a computer. It is estimated that bullying. Children could receive pornographic there are several millions of IM users who use "spam" through IM apps or become victim of IM for various purposes. There are numerous Sexual grooming of children [2]. In the recent

© 2015 ADFSL Page 69 JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study years, police investigators have noticed that networks is rapidly tainted with child IM apps have been directly or indirectly pornography as stated in [6]. involved in criminal activities. Due to their In fact, there are many tools available for popularity, IM apps have the potential of collecting artefacts, some of them specific for being a rich source of evidential value in all chat/IM such as Paraben chat examiner [7] or kinds of criminal investigations. Indeed, Belkasoft Evidence Centre 2015 [8]. However, Europol has identified the threat of misused at the time of writing this paper, none of them IM communications by criminals to facilitate supports the investigation of IMVU apps. their illegal activities due to the fact that it is Despite that IMVU exists a while, has millions harder to monitor or to regulate these services of users worldwide and it is associated with [3]. child abuse (material), to the best of our On the other hand, a virtual universe is a knowledge there is no technique or software computer-based simulated environment. In a tool for forensic acquisition and analysis of 3D virtual universe, the users can take the IMVU artefacts. Therefore, the objective of form of 3D avatars (virtual character) visible this paper is to investigate whether it is to others. Today, Instant Messaging within a possible to forensically acquire and analyse Virtual Universe (IMVU) combines custom artefacts on a computer after the installation avatars, chat/IM, community, content and use of the IMVU application. The rest of creation, commerce, and anonymity [4]. IMVU this paper is structured as follows: Section 2 contains its own economy with a currency shows the background of this research system based on IMVU "credits" and including related work in this domain. We "promotional credits". IMVU members use the present IMVU apps and forensic process in credits to purchase virtual items like fashion Section 3. We describe our case study in pieces (hair, clothes, skins, and accessories), Section 4 and discuss on experiment results in pets, and 3D scenes such as homes, clubs and Section 5 and 6. We conclude and discuss on open landscapes. Except ‘VIP users’, everyone future work in Section 7. has “Guest_” in front of his/her avatar name. It is also possible to buy an ‘Access Pass’. The RELATED WORK Access Pass is available for those 18 years old In fact, we have tried to find in literature and older. It grants access to more risqué about this specific subject, but to the best of clothing and slightly more intimate furniture our knowledge, there is no published research and poses. It also allows chatting to adults regarding forensic artefacts of IMVU. Hence, only. IMVU was also mentioned as a common we present some literature survey on the Virtual World addressing ‘Crime and Policing forensic acquisition and analysis of IM in Virtual Worlds’ (2010) by Marc Goodman applications in general. A more traditional [5]. He concludes that criminals can exploit investigation method of IM has been described this new technology to commit a wide variety in [9]. Kiley et al [10] conducted some research of offenses. Almost any types of crime in the on IM forensic artefacts and they also pointed real world can also be found in virtual spaces out that IM is being exploited by criminals due from child abuse to terrorist attacks. Besides, to its popularity and privacy features. One of the presence of child pornography in chat has the conclusions from this work is that forensic also been denounced in 3D social networks like evidence is recoverable after these programs IMVU. Indeed, the emerging of 3D social have been used, but investigators must know

Page 70 © 2015 ADFSL Forensic Acquisition of IMVU: A Case Study JDFSL V10N4 certain elements of the conversations in order IMVU AND FORENSIC to perform string searches. PROCESS Lun [11] describes the popularity of IMs and the challenges by extracting information In this section, we describe our forensic process from these IMs by Law Enforcement. His for investigating IMVU apps for Windows. The finding indicated that the forensic tool was objective of this paper is to forensically able to aid the forensic examiner to extract examine significant artefacts present on a digital evidence from instant messenger, but it computer after the installation and use of the was not comprehensive enough at that forensic IMVU app. Therefore, the approach chosen is examiners could not rely on one tool during an empirical or experimental research and investigation. differential forensic analysis. While there is no available technique or software tool to evaluate Dickson [12] describes the examination of and there is very little known about IMVU AOL Instant Messenger (AIM) 5.5. This artefacts, our approach includes the collection research focuses on the contact information of data during experiments and try to discover (identification) and the ability to trace back significant forensic artefacts by observing and from a known suspect’s computer system to analysing the data. In fact, with an IMVU identify contact with his alleged victims. This app, apart from the typical conversation log is specifically interesting when an allegation of showing on screen, and possible (log) files grooming is made. According to the author, saved on the logical drive, evidence of one of the first things an examiner should do is conversation could also be found in page files to determine the suspect’s computer system and unallocated hard disk space, the windows that was used to contact the informant’s registry or volatile data in the internal memory account in the first place. (RAM). There are two main steps in our Husain et al. [13] describe the Forensic forensic process: data collection and data Analysis of Instant Messaging on Smart analysis. Phones. Their results have shown that various IMVU data collection: in this phase data is useful artefacts, related to IMs, can be collected during the running time of an IMVU recovered, including username, password, app. The contents of the IMVU application buddy list, last log-in time, and conversation and data directory, unallocated disk space, the timestamp as well as conversation details. Windows registry, volatile data from the In [14], authors observed that the relevant internal memory and network traffic are research on the topic of evidence collection acquired. We attempt moreover to infer the from IM services was limited. Authors behaviour of the IMVU application through presented the forensic acquisition and analysis the reverse engineering process. The objective of WhatsApp, Viber, Skype and Tango IMs is to trace user activities, like the history of and VoIPs for both iOS and Android platforms performed activities such as instant messages and authors tried to answer on how evidence sent or received (chat logs), date and time can be collected when IM communications are stamp of the communication, sender, receiver used. This work provides useful information and password. All experiments were carried that assists us in developing our case study in out several times to ensure that results are this paper. More precisely the authors have repeatable. provided a very useful taxonomy of target IMVU data analysis: This phase gives artefacts. meaning to the data that have been collected

© 2015 ADFSL Page 71 JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study so that the research question can be answered. Windows registry. Another computer was Differential forensic analysis [15] is carried out setup as a man-in-the-middle proxy using by comparing the collected data (snapshot) MITMproxy, running on the Ubuntu 14.04.1 before and after the experiments with IMVU LTS, this computer is used to monitor and to observe the differences between them such intercept network traffic as shown in Figure 1. as report the files that have been added, Next, an IMVU client program, version 514.0, deleted, renamed, and altered, the difference was installed. In order to use IMVU, firstly a between Windows registry hive files. The user has to create an account. For this case objective of the analysis is to understand the study, we create three IMVU accounts changes and to determine if it contains any (InspectorAlgar, LadyElizabethSmall and relevant information or not. A taxonomy of missycanaryyellow). We conduct different target artefacts is defined in order to guide and conversations to create test data. The structure subsequent forensic analysis. The conversations were in public rooms but also taxonomy used in our analysis is described in limited by two participants. We created [14]. moreover an AutoIt [16] script that simulated an IMVU user. On beforehand a text file was IMVU FORENSICS: A created containing the conversation text of one CASE STUDY of the discussion partners. A chat message was send to the IMVU application within a fixed In our case study, we used computers with (pre-adjustable) interval. By starting two network access (using a static IP address). The scripts on different machines in appropriate testing was conducted using Windows 7 time, we can simulate a chat conversation. The Enterprise, SP1. Besides, the monitoring tool chat messages contained the chat text and a SysTracer was installed onto the system to UNIX timestamp. An example from the chat record file activity and changes made to the messages is shown in Figure 2.

Figure 1. MITM proxy setup

Figure 2. Chat script usage example

IMVU: FILE SYSTEM FlashPlayerTrust folder normally contain a list of directory paths. We also observe that FORENSICS application shortcuts are added to IMVU In this section, we describe our forensic folder: C:\Users\%USERNAME% acquisition results of IMVU file systems \AppData\Roaming\Microsoft\Windows\Start including application file, log files, profile data Menu\Programs\IMVU\. We found moreover and location data. the IMVU application is written in Python and the compiled script files are stored in Application Files library.zip: C:\Users\ IMVU application files are stored in: %USERNAME%\AppData\Roaming\IMVUCli C:\Users\%USERNAME%\AppData\Roaming ent\library.zip. We also decompiled these files \IMVUClient\ folder. This path is fixed during using Easy Python Decompiler and to explore the installation. During the installation a the IMVU application through reverse shortcut to IMVUQualityAgent.exe is added engineering. into the Windows Start-up folder as well on Log Files the user's desktop. We also found that IMVU uses Mozilla's Gecko rendering engine and the IMVU log files are stored in C:\Users\ XML User Interface Language (XUL) for %USERNAME%\AppData\Roaming\IMVU\ building its user interface [17]. folder including cpp.log, IMVUQualityAgent.log, IMVULog.log, etc. Besides, a configuration file imvu.cfg is The cpp.log contains information related to added into the user Flash Player Trust folder: user interface and this file is created every time C:\Users\%USERNAME%\AppData\Roaming the application starts. The \Macromedia\FlashPlayer\#Security\FlashPla IMVUQualityAgent.log file is also created yerTrust\. Configuration files inside this

© 2015 ADFSL Page 73 JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study every time the application starts. It contains 'DEBUG', 'INFO', 'WARNING', 'E ‘application validation’ information and local RROR', 'CRITICAL'. time stamp. Regarding to IMVULog.log file, 6. The log message: String value. from the digital forensics examination point of view, this file contains the most valuable Moreover, we notice that the maximum information. In fact, this log file is generated length of an entire log record (attributes 1-6) is by a round-robin process based on session and 512 characters. If the length exceeds 512 file size. A new log file is created every time characters, it is truncated to the first 509 the application starts. When the size of the log characters and three dots (‘…’) are added to file is greater than 2MB (2097152 bytes), this the end of the record. Besides, if the length of process successively creates new files with the the log message (attribute 6) is greater than a same pathname as the first file, but with defined length this log message is truncated different extensions started with ".1", ".2" and and three dots are also added to the end. We so on. If it is greater than “.5”, the extension have also observed that the log message restarts from “.1”, older files will be deleted. regarding to logging level ‘ERROR’, and Each record in IMVULog.log file contains the ‘INFO’ consists of multiple lines, while other following attributes (Figure 3): log messages only contain a single line. 1. The number of seconds since When analysing the log files, we noticed start of application: Floating that the IMVULog file also stores information point decimal value. The length is 6 related to text communications. To analyse an characters minimum including the IMVU chat, it is necessary to understand the dot and 3 decimals (milliseconds following important aspects of a chat rounded). If the length is less than conversation: (i) Who says what to whom; (ii) 6, a leading 0 is added. In which chat session the conversation takes 2. The thread id: String value, place, note that an user can be present in minimum length 5 characters, multiple rooms (chat sessions) at the ‘same’ padded by spaces if necessary. time; (iii) Timestamp of the messages. 3. File name of the source file The text of a single message appears more where the logging call was than once in different log records. Besides, in a issued: String value, minimum chat room, it is possible to have a private conversation with just a single person in that length 30 characters, padded by room (at least one of users is a VIP). Whisper spaces if necessary is a special feature available exclusively for 4. Source line number where the VIPs. A VIP member can whisper to anyone logging call was issued: Signed and vice-versa, anyone can whisper to a VIP. integer decimal value, minimum Two non-VIP users however cannot use this length 4 digits, padded by spaces if feature to chat with each other. Moreover, the necessary. log message contains a list of several elements. ‘userId’ 5. The logging level for the The first element is the member id ( ), the second one is a chat id (‘chatId’) and the message: String value, minimum last one contains dictionary data with keys and length 7 characters, padded by values. The value ‘0’ of the key ‘to’ indicates spaces if necessary. Possible values that the message was sent to the participant(s) are of a room. There are one or more participants

Page 74 © 2015 ADFSL Forensic Acquisition of IMVU: A Case Study JDFSL V10N4 in a room. The value of the key ‘message’ data allocated by IMVU. Besides, objects in contains the actual chat message. We also note IMVU are identified by a unique id such as, for that the value sometimes contains an asterisk example, Member ID, Room(Instance) ID, followed by a chat command. Besides, if the Session ID, Product ID or Chat ID. message exceeds the maximum length, as User authentication data mentioned previously, it is truncated and three dots are added to the end. By investigating the Windows registry, we found that IMVU authenticate users by using The value of the key ‘userId’ contains the username and password. The password is member id of the sender of the text message. stored in the registry if the option ‘Save The value of the key ‘chatId’ contains a unique Password’ is selected. Indeed, the relevant id for each chat session. Concurrent chat password can be retrieved from the registry sessions in different rooms therefore have where it is stored as a hexadecimal Unicode different IDs. This log record does not contain character notation. The user’s avatar name a timestamp. To determine the date and time associated with the IMVU account is also of the message for these log records, there are present in the IMVULog file. The IMVULog two possibilities: file also contains information about contacts 1. Calculate the approximate such as ‘Friends”, “Buddies” or “Fans”. Besides, timestamp using the number of we also found that the buddystate.pyo script seconds since the start of the implements the logging process. application. This number is listed at the beginning of the log record. Location data 2. Combine it with the log records There is limited information on location in the derived from the file user profile data as has been described in SessionDispatcher.pyo. Section 5.3, where the ‘country’ key referrers to the geo-location of the IP address used and User profile data ‘country_code’ refers to the location specified The IMVULog file only contains user profile by the user in the profile settings. In the data when the status is ‘Running’ (i.e. the IMVULog file the client and server IP application is running and the user is logged addresses are listed. When the system is in). The following information can be retrieved directly connected to the Internet and receives from the user profile data: the user’s an external Wide Area Network (WAN) public avatarname associated with the IMVU IP address, this IP address is listed in the log account, eight (8) asterisks of the user’s file. password. Note that the real user password is IMVU INTERNAL always replaced by eight asterisks. It is independent on the actual length of the MEMORY FORENSICS password. Indeed, the most comprehensive In this test, authors have explored the Python information can be retrieved from the multi- source code to understand how log records are line log message started with self.userInfo_ buffered in memory. Whenever a record is and followed by multiple lines of dictionary added into the buffer, a check is made to see (pairs of ) data. whether the buffer should be flushed to file or The above information is based on the data not. In fact, the buffer is periodically flushed entered by the user (Account Settings) and whenever the buffer is full, or when an event of

© 2015 ADFSL Page 75 JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study a certain severity happened. After making a exploited by criminals due to its popularity memory dump of a running system, authors and privacy features. So it is important that were able to retrieve log record data as we are able to collect artefacts of IM apps. previously described above. Besides, because a While most IM apps use a well-known record consists of isolated fragments, it is formatted history file (also known as IM log or difficult to link the messages to a date and chat log) and there are tools available for time, a chat ID or the participants. IMVU also digital evidence collection, this is not the case creates a SQLite database in memory. Authors with IMVU. IMVU has a set of fixed number were able to modify the source code and save log files that contain not only chat messages, this database to hard disk. The database but also identifiable data. IMVU app also consists of only a single table and contains deletes old log files when the number of log information about the HTTP cached files. files reaches a limit number. Forensic artefacts IMVU (log) files are nonvolatile and normally can also be found in user profile data, available for investigation. authenticated data and location data. Indeed, we can also retrieve IMVU artifact from the Authors were also able to retrieve the internal memory by explore its SQLite IMVU password in clear text from memory, databases. even when the option ‘Save Password’ not was used and therefore the password not could be We are working on the acquisition and retrieved from the registry. analysis more forensic artefacts of an IMVU app such as registry information, network CONCLUSION traffic data and unallocated disk space. In the In this paper, we present a forensic acquisition case of analysing large amount of forensics process of IMVU apps for Windows. IM is one data, we also look at using data mining and of the most popular digital communication knowledge map techniques [18][19]. technologies and widely used, but also being

Figure 3. Partial IMVU.log file

REFERENCES Wikimedia Foundation, Inc. (2014) M. Kiley, S. Dankner and M. Rogers (2008) Comparison of instant messaging clients. Forensic Analysis of Volatile Instant Retrieved on December 17 from Messaging Advances in digital forensics IV, http://en.wikipedia.org/wiki New York, Springer, 2008 /Comparison_of_instant_messaging_clien B. Lun (2012) Forensic Investigation for ts Instant Messenger, School of Computing Wikimedia Foundation, Inc., (2013) Child and Mathematical Sciences, Auckland, New grooming. Retrieved on December 3 from Zealand, 2012 http: M. Dickson (2006), “An examination into AOL //simple.wikipedia.org/wiki/Child_groomi Instant Messenger 5.5 contact ng identification,” Elsevier Ltd., 2006 Europol (2013) Threat Assessment - Italian M. I. Husain and R. Sridhar (2009) iForensics: Organised Crime. Retrieved on January 19 Forensic Analysis of Instant Messaging on from Smart Phones Digital Forensics and Cyber https://www.europol.europa.eu/sites/ Crime, Albany, NY, USA, Springer, p. 182 default/files/publications/italian_organised _crime_threat_assessment_0.pdf C. Sgaras, M.-T. Kechadi and N.-A. Le-Khac (2014) Forensics Acquisition and Analysis IMVU (2014) About IMVU. Retrieved on of instant messaging and VoIP applications December 17 from Springer Verlag LNCS 3850, 2011 http://nl.imvu.com/about/ S. Garfinkel, A. J. Nelson and J. Young (2012) M. Goodman (2014) Crime and Policing in A general strategy for differential forensic Virtual Worlds, Retrieved on December 17 analysis Elsevier Ltd. from http://f3magazine.unicri.it/? p=360 AutoIt Consulting Ltd (2014) AutoIt, M. Garcia-Ruiz et al. (2011) An Overview of Retrieved on December 20 from Child Abuses in 3D Social Networks and https://www.autoitscript.com/site/autoit/ Online Video Games. Investigating Cyber Law and Cyber Ethics, Issues, Impacts and Mozilla Developer Network, (2015) “Retrieved Practices, Hershey, Information Science on February 5 from Reference (IGI Global), p. 321 https://developer.mozilla.org/en-US/ Paraben Corporation (2014) Paraben Chat L. M. Aouad, N-A. Le-Khac and M-T. Examiner. Retrieved on December 18 from: Kechadi, "Lightweight Clustering https://www.paraben.com/chat- Technique for Distributed Data Mining examiner.html. Applications", Springer LNAI 4597, 2007, Belkasoft (2014): http://belkasoft.com/ N-A. Le-Khac, L. M. Aouad and M-T. Kechadi "A new approach for Distributed Density National Institute of Justice (2007) Based Clustering on Grid platform", Investigations Involving the Internet, Springer LNCS 4587, 2007. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/