Forensic Analysis of Communication Records of Web-based Messaging Applications from Physical Memory

Diogo Barradas, Tiago Brito, David Duarte, Nuno Santos, and Luís Rodrigues
INESC-ID, Instituto Superior Técnico, Universidade de Lisboa, Portugal

Keywords: Digital Forensics, Instant-Messaging, Memory Forensics, Web-Applications

Abstract: Inspection of physical memory allows digital investigators to retrieve evidence otherwise inaccessible when analyzing other storage media. In this paper, we analyze in-memory communication records produced by web-based instant messaging and email applications. Our results show that, in spite of the heterogeneity of data formats specific to each application, communication records can be represented in a common application-independent format. This format can then be used as a common representation to allow for general analysis of digital artifacts across various applications, even when executed in different browsers. Then, we introduce RAMAS, an extensible forensic tool which aims to ease the process of analyzing communication records left behind in physical memory by instant-messaging and email web clients.

1 INTRODUCTION

Instant-messaging (IM) and email applications such as Facebook’s chat and Gmail clients, respectively, are widely used communication services that allow individuals to exchange messages over the Internet. Given the nature of the exchanged data, digital artifacts left by such applications may hold highly rele-

isting tools tend to be highly application-dependent. For example, Wong et al. present techniques that allow for the recovery of digital artifacts for the Facebook messaging service (Wong et al., 2011). However, the proposed techniques cannot directly be applied to multiple other applications due to the heterogeneity of data formats implemented by each application.