JOURNAL OF COMPUTERS, VOL. 5, NO. 4, APRIL 2010

Memory Forensics for QQ from a Live System

Yuhang Gao, Tianjie Cao
School of Computer, China University of Mining and Technology, Sanhuannanlu, Xuzhou, Jiangsu, 221116, China
Email: [email protected], [email protected]

Abstract—Our paper details the techniques for collecting sensitive information from the QQ client, the most popular instant messaging (IM) client in China. We have managed to acquire the contact list, the QQ account, the chat records, the QQ discussion group, the display names and the contents of the network notepad. They are of great interest to examiners. Besides, as the techniques we use to search for processes are able to reveal terminated and hidden processes, we are very likely to find sensitive information as long as somebody has logged in to the QQ client. What's more, we propose a method of reconstructing the process space by integrating the paging file into the memory dump file. We have reconstructed the process space of the QQ client in this way

Besides, QQ promises good security for individual privacy by encrypting: all files related to privacy are encrypted and are not readable without a successful login. Even if we are able to acquire these files, it takes great effort to parse them. However, we can collect sensitive information from physical memory. The QQ client decrypts all received messages, so the physical memory contains the plaintext of these messages.

Thus it can be seen that forensics for the QQ client differs from that for other instant messaging clients. The examiners need new techniques.
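As an added example, not code from the paper, the following sketches the idea of integrating the paging file into the memory dump when rebuilding a process space: each page table entry is resolved either to a physical page in the dump or, when the page was paged out, to a page inside the paging file, and the rebuilt address space is then searched for plaintext. It assumes the 32-bit x86 non-PAE PTE layout (Valid bit 0; for invalid software PTEs, PageFileLow in bits 1-4, Prototype bit 10, Transition bit 11, PageFileHigh in bits 12-31) and uses constructed in-memory images instead of real captures.

```python
# Added example, not the paper's code: rebuild a process's address space from a
# memory dump plus the paging file, then search it. Assumes the 32-bit x86
# non-PAE PTE layout; the dump, paging file and page table are constructed data.
PAGE = 0x1000

def resolve_pte(pte: int):
    """Map one PTE to ("ram", pfn), ("pagefile", (file_no, page_index)) or None."""
    if pte & 1:                            # Valid bit set: PFN lives in bits 12-31
        return ("ram", pte >> 12)
    if (pte >> 10) & 1 or (pte >> 11) & 1: # Prototype/Transition PTEs: not resolved here
        return None
    page_file_high = pte >> 12             # PageFileHigh: page index inside the paging file
    if page_file_high == 0:
        return None                        # demand-zero or never-used entry
    return ("pagefile", ((pte >> 1) & 0xF, page_file_high))  # PageFileLow = file number

def read_page(pte: int, dump: bytes, pagefiles: dict):
    """Fetch the 4 KiB page behind a PTE from the dump or the matching paging file."""
    loc = resolve_pte(pte)
    if loc is None:
        return None
    kind, where = loc
    src, idx = (dump, where) if kind == "ram" else (pagefiles.get(where[0], b""), where[1])
    start = idx * PAGE
    return src[start:start + PAGE] if start + PAGE <= len(src) else None

def reconstruct(page_table: dict, dump: bytes, pagefiles: dict) -> dict:
    """page_table maps virtual page number -> PTE; returns vpn -> recovered page bytes."""
    pages = {vpn: read_page(pte, dump, pagefiles) for vpn, pte in page_table.items()}
    return {vpn: data for vpn, data in pages.items() if data is not None}

def find_text(pages: dict, needle: bytes) -> list:
    """Virtual addresses of every hit, so a finding can be cited by address, not dump offset."""
    hits = []
    for vpn in sorted(pages):
        off = pages[vpn].find(needle)
        while off != -1:
            hits.append(vpn * PAGE + off)
            off = pages[vpn].find(needle, off + 1)
    return hits

# Constructed images: four pages of "RAM" and a three-page paging file.
DUMP = bytearray(4 * PAGE)
DUMP[2 * PAGE:2 * PAGE + 16] = b"chat: in memory "
PAGEFILE0 = bytearray(3 * PAGE)
PAGEFILE0[PAGE + 0x20:PAGE + 0x30] = b"chat: paged out "
# vpn 0x10 -> PFN 2 (valid); vpn 0x11 -> paging file 0, page 1; vpn 0x12 -> never touched.
PAGE_TABLE = {0x10: (2 << 12) | 1, 0x11: 1 << 12, 0x12: 0}
RAM_ONLY = reconstruct(PAGE_TABLE, DUMP, {})                   # 1 page, 1 hit
WITH_PAGEFILE = reconstruct(PAGE_TABLE, DUMP, {0: PAGEFILE0})  # 2 pages, 2 hits
```

Without the paging file the paged-out chat fragment at virtual address 0x11020 is simply absent; with it, the same search over the rebuilt space returns both hits.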