DOCSLIB.ORG

Forensic Analysis of Communication Records of Web-Based Messaging Applications from Physical Memory

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Forensic Analysis of Communication Records of Web-Based Messaging Applications from Physical Memory Forensic Analysis of Communication Records of Web-based Messaging Applications from Physical Memory Diogo Barradas, Tiago Brito, David Duarte, Nuno Santos, and Lu´ıs Rodrigues INESC-ID, Instituto Superior Tecnico,´ Universidade de Lisboa, Portugal fdiogo.barradas, tiago.de.oliveira.brito, david.duarte, nuno.m.santos, [email protected] Keywords: Digital Forensics, Instant-Messaging, Memory Forensics, Web-Applications Abstract: Inspection of physical memory allows digital investigators to retrieve evidence otherwise inaccessible when analyzing other storage media. In this paper, we analyze in-memory communication records produced by web-based instant messaging and email applications. Our results show that, in spite of the heterogeneity of data formats specific to each application, communication records can be represented in a common application- independent format. This format can then be used as a common representation to allow for general analysis of digital artifacts across various applications, even when executed in different browsers. Then, we introduce RAMAS, an extensible forensic tool which aims to ease the process of analyzing communication records left behind in physical memory by instant-messaging and email web clients. 1 INTRODUCTION isting tools tend to be highly application-dependent. For example, Wong et al. present techniques that al- Instant-messaging (IM) and email applications such low for the recovery of digital artifacts for the Face- as Facebook’s chat and Gmail clients, respectively, book messaging service (Wong et al., 2011). How- are widely used communication services that allow ever, the proposed techniques cannot directly be ap- individuals to exchange messages over the Internet. plied to multiple other applications due to the het- Given the nature of the exchanged data, digital arti- erogeneity of data formats implemented by each ap- facts left by such applications may hold highly rele- plication. Furthermore, the fact that web-based ap- vant forensic value. This is particularly true if, from plications run inside a browser may interfere with such artifacts, it is possible to recover communication the durability of applications’ artifacts in memory, records of past conversations providing information for example due to the memory management pol- about the content of exchanged messages, identity of icy implemented by the browser. Existing works on communicating parties, or time-related information. browser forensics concentrate only on the extraction To assist forensic analysts in recovering such ar- of browser-specific artifacts (e.g., browsing history, tifacts, we aim to develop a forensic tool for extrac- web cache) leaving aside the recovery of application- tion of conversation records left by web-based mes- specific artifacts (Ohana and Shashidhar, 2013). saging applications in physical memory dumps. As In this paper we make three key contributions. opposed to their native counterparts, web-based ap- First, we present a digital forensics study aimed plications run inside a browser and are becoming in- to systematically analyze the digital artifacts left creasingly popular because users do not need to in- in memory by several popular IM and email web- stall them on their computers; all they need to do is to applications when executed on various browsers. We open a browser and visit a URL. By focusing on phys- successfully identified and retrieved IM communica- ical memory analysis, our goal is to complement the tion records from web-applications such as Facebook, functionality of existing forensic tools which focus on Twitter and Skype, as well as email records from the analysis of persistent state, e.g., local logs (Yang Outlook and a generic Roundcube email web-client. et al., 2016; Al Mutawa et al., 2011), and to address a Our study helps to characterize how the communi- latent need for the analysis of high-level data present cation records of web-based messaging applications in such memory dumps (Simon and Slay, 2009). are typically represented and to identify how browser- Although some prior work employs memory specific mechanisms may affect the durability of such forensic techniques on messaging applications, ex- records in memory (Section 2). Second, we introduce the design and implementa- in data representation and platforms may impact the tion of a forensic tool called RAMAS, which consists way communication records are loaded into memory of a collaborative and extensible framework for anal- and contribute for the absence of a common model of ysis of communication records from volatile memory. the structure of communication records among differ- RAMAS is able to extract such records from mul- ent implementations of browsers and operating sys- tiple web-based messaging applications and display tems. This implies that a tool developed for analyz- the extracted records on a user-friendly timeline. RA- ing this kind of evidence would exhibit the additional MAS is designed in a modular fashion so as to accom- complexity of having to take into account such differ- modate an ever-growing number of applications and ences between record structures, even when analyzing allow collaborative development and maintenance of a single application. We aim to assess whether there is the system by independent forensic analysts. This a common model which allows for the interpretation goal is achieved through the implementation of ex- of textual web-application data lingering in memory. traction modules: each module contains a set of (sim- How long do messages persist in memory? The ple) rules that allow RAMAS to extract the records of persistence of in-memory data structures may be af- a specific application and represent them on a com- fected by the browser where the web-based messag- mon application-independent format (Section 3). ing application runs. First, we must ascertain whether Lastly, we present an experimental evaluation the browser runtime environment imposes limitations of our framework. To this end, we used RAMAS on the ability to recover communication records from for conducting analysis over the data extracted from physical memory. In particular, to provide the inter- memory chips with sizes typically found in commod- action with web-applications, web-browsers rely on ity hardware. Our evaluation shows that RAMAS is different layout engines (ex. Blink, Gecko) which af- efficient, e.g., it can process communication records fect the way a browser hosts, renders or executes web spawning from six different applications, in an 8 GB content. Similarly, several implementations of oper- memory dump, in roughly about three minutes. We ating systems target different platforms (ex. worksta- also enact a use case for demonstrating the usefulness tion, mobile) and are expected to apply disparate low- of our framework’s evidence presentation capabilities level mechanisms for performing memory manage- which may help digital investigators in uncovering so- ment. Furthermore, different user interactions may phisticated correlations among evidence from several trigger the erasure or replacement of potential evi- applications or across memory images (Section 4). dence in volatile memory. For instance, data pertain- ing to a given web-application may be evicted shall a user navigate to a different browser tab or terminate 2 DIGITAL FORENSICS STUDY her browsing session. Finally, modern browsers im- plement private browsing execution modes which en- This section presents the digital forensics study that ables users to browse the web while disabling both the we carried out in order to assess the existence of com- browsing history and web cache. This feature is im- munication records in physical memory produced by plemented by popular browser vendors and is known web-based messaging applications. This study lays under different aliases, such as Incognito, InPrivate or the ground for the subsequent development of a foren- PrivateBrowsing. We must evaluate whether the use sic tool for automatic extraction of such records. of private browsing may compromise the existence of digital artifacts lingering in memory. 2.1 Goals of the Forensics Study 2.2 Experimental Methodology More concretely, the goal of this study is to check whether and in which conditions communication To investigate whether and in which conditions mes- records can be obtained from memory dumps. In par- sages can be obtained from memory, we performed ticular, our research is driven by two key questions: an experimental study of several web-based messag- How are messages represented in memory? The ing applications. In particular, we analyzed digi- programmers of web-based messaging applications tal artifacts concerning IM records for Facebook’s are free to implement them using a range of differ- chat, Facebook Messenger’s chat, Skype, Twitter’s ent technologies. Some design decisions comprise the Direct Messages, Google Hangouts, WhatsApp, Tele- choice of front-end and back-end programming lan- gram, and Trillian. We also analyzed communication guages (ex. Javascript, PHP), others involve select- records of three email web-clients: Outlook, a generic ing the data representation format of communication Roundcube email client, and Gmail. records (ex. JSON, XML, binary). This heterogeneity These applications were tested on different 2 Table 1: Feasibility of recovering web-based messaging application records from different browsers. Web-Application Browser Google Chrome Mozilla Firefox Opera Microsoft Edge v55.0 v50.0.1 v42.0 v38.14393.0.0 Facebook
Load more

Recommended publications
  • Arabic Domain Names
    Arabic Domain Names SaudiNIC’s Experiences and Initiatives Relate to UA Raed Alfayez, SaudiNIC ICANN 55, Marrakech, March 2016 Agenda • About SaudiNIC • SaudiNIC Previous Work – IDN Assessment reports – Raseel – An Arabic Email System • What's Next? About SaudiNIC • Administering the domain name space under: – (.sa) since 1995 .2010 since (.ﺔﯾدوﻌﺳﻟا) – • Operated by a government organization: – CITC (Communication and Information Technology Commission) • Coordinating with regional and international bodies in order to present the local community needs • Leading the local and regional communities efforts towards supporting Arabic language in Domain Names since 2001 (more than 15 years of experience) SaudiNIC Previous Work Arabic IDN pilot projects • GCC Pilot Project (2004-2005) • Arab League (2005 - 2009) Tools, algorithms and solutions to manage variants: • Master Key Algorithm • Filters • Variant Management System (VMS) IDN Assessment Reports Arabic Email Project (Raseel) IDN Assessment Reports Conducted and Published a number of IDN Assessment Reports: • IDN Top Level Domain Evaluations and Testing Report 2007 • with the cooperation of the Arabic Domain Name Pilot Project Team. • Arabic IDN Test Results for Browsers 2010 • Mozilla Firefox & Microsoft IE 2014 • IDN Assessment Report IDN Assessment Reports - 2014 • Goal: –to study and assess end-user experiences regarding IDNA implementations for Arabic domain names. • Covered many areas and behaviors • Developed –methodology for Test Case Modeling and Generation –online system to capture results IDN Assessment Reports - 2014 • IDNA support ≠ browsers’ address bars support. • User acceptance for IDNA is less than 1% (Excluding address bar in some web browsers) – It’s been more than 10 years since the publication of IDNA RFCs, and still less than 1%! • How long do we need for Internationalized Email (IDN Email) to be fully deployed! – Do we need to wait 10+ years to get a 1% acceptance! • RFCs are not enough, we need accelerators.
    [Show full text]
  • Servicio De Mensajería De Correo Utilizando Software Libre Para
    Servicio de mensajería de correo utilizando software libre para mejorar el tiempo de respuesta de atención Tesis para optar el Título de Ingeniero de Sistemas y Cómputo Presentado por César Antonio Rojo López Asesor Dr. Santiago Raúl Gonzales Sánchez Lima – Perú Noviembre de 2020 DEDICATORIA Dedico este trabajo a mi familia particularmente a mis padres Mercedes López de Rojo y César Rojo Fernando como también a mi prometida Ximena Veliz que dia a dia me dan fuerza y motivacin para seguir adelante, como también al Gerente General de TecnoWeb Latam Diego Benavente por brindarme todas las herramientas para la implementación tecnologcia. 2 ÍNDICE ÍNDICE DE FIGURAS ............................................................................................................................. 5 INDICE DE TABLAS ............................................................................................................................... 7 RESUMEN ................................................................................................................................................. 8 ABSTRACT ............................................................................................................................................... 9 INTRODUCCIÓN ................................................................................................................................... 10 CAPÍTULO I: PLANTEAMIENTO DEL PROBLEMA ..................................................................... 12 1.1. Situación Problemática ..........................................................................................................
    [Show full text]
  • Forensic Analysis of Communication Records of Messaging Applications from Physical Memory
    ARTICLE IN PRESS JID: COSE [mNS; October 24, 2018;11:47 ] computers & security xxx (xxxx) xxx Available online at www.sciencedirect.com j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / c o s e Forensic analysis of communication records of messaging applications from physical memory ∗ Diogo Barradas , Tiago Brito, David Duarte, Nuno Santos, Luís Rodrigues INESC-ID, Instituto Superior Técnico, Universidade de Lisboa, Portugal a r t i c l e i n f o a b s t r a c t Article history: Inspection of physical memory allows digital investigators to retrieve evidence otherwise Received 2 May 2018 inaccessible when analyzing other storage media. In this paper, we analyze in-memory com- Accepted 23 August 2018 munication records produced by instant messaging and email applications, both in desktop Available online xxx web-based applications and native applications running in mobile devices. Our results show that, in spite of the heterogeneity of data formats specific to each application, communica- Keywords: tion records can be represented in a common application-independent format. This format Digital forensics can then be used as a common representation to allow for general analysis of digital ar- Instant-messaging tifacts across various applications. Then, we introduce RAMAS, an extensible forensic tool Memory forensics which aims to ease the process of analysing communication records left behind in physical Mobile applications memory by instant-messaging and email clients. Web-applications © 2018 Elsevier Ltd.
    [Show full text]
  • Efail: Breaking S/MIME and Openpgp Email Encryption Using Exfiltration Channels
    Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak and Christian Dresen, Münster University of Applied Sciences; Jens Müller, Ruhr University Bochum; Fabian Ising and Sebastian Schinzel, Münster University of Applied Sciences; Simon Friedberger, NXP Semiconductors, Belgium; Juraj Somorovsky and Jörg Schwenk, Ruhr University Bochum https://www.usenix.org/conference/usenixsecurity18/presentation/poddebniak This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak1, Christian Dresen1, Jens Muller¨ 2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, and Jorg¨ Schwenk2 1Munster¨ University of Applied Sciences 2Ruhr University Bochum 3NXP Semiconductors, Belgium Abstract is designed to protect user data in such scenarios. With end-to-end encryption, the email infrastructure becomes OpenPGP and S/MIME are the two prime standards merely a transportation service for opaque email data and for providing end-to-end security for emails. We de- no compromise – aside from the endpoints of sender or scribe novel attacks built upon a technique we call mal- receiver – should affect the security of an end-to-end en- leability gadgets to reveal the plaintext of encrypted crypted email. emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails. These snippets S/MIME and OpenPGP. The two most prominent stan- abuse existing and standard conforming backchannels to dards offering end-to-end encryption for email, S/MIME exfiltrate the full plaintext after decryption.
    [Show full text]
  • E-Mail Konten Einrichten Und Benutzen
    Tim Reeves Internet Services E-Mail Konten einrichten und benutzen Inhaltsverzeichnis 1 Vorweg: Webmail oder E-Mail Programm?..........................................................................2 1.1 Webmail anbinden......................................................................................................3 2 Anbindungsprotokoll: IMAP statt POP3...............................................................................3 3 Standard IMAP-Ordner........................................................................................................4 3.1 Als Kinder oder Geschwister vom Posteingang...........................................................4 3.2 Spam vs. Junk (am Beispiel Thunderbird)...................................................................5 4 Thunderbird........................................................................................................................5 5 Ein E-Mail Konto im E-Mail Programm einrichten................................................................6 5.1 Die Zugangsdaten.......................................................................................................6 5.2 Thunderbird – Konto anbinden....................................................................................7 5.3 Thunderbird – Konto-Einstellungen.............................................................................9 5.3.1 Allgemeine Einstellungen....................................................................................9 5.3.2 Server-Einstellungen..........................................................................................10
    [Show full text]
  • Best Php Webmail Software
    Best php webmail software Get the answer to "What are the best self-hosted webmail clients? in your config/ file) if you need messages to appear instantly. Free and open source webmail software for the masses, written in PHP. Install it on your web servers for personal or commercial use, redistribute, integrate with other software, or alter the source code (provided that. These clients can work under many types of platforms such as PHP, ASP Here, we have compiled a collection of seven webmail. SquirrelMail is one of the best webmail clients written purely in PHP. It supports basic email protocols such as SMTP, IMAP, and others. Webmail's software's are scripts which run on your servers and give you browser based mail client interface like Gmail, Yahoo etc. There are. For this roundup we have compiled a list of Best Webmail Clients for both T-dah is a free PHP webmail application which is built from the. Hastymail2 is a full featured IMAP/SMTP client written in PHP. Our goal is to create a fast, secure, compliant web mail client that has great usability. Hastymail2 is much more lightweight than most popular web based mail applications but still. RainLoop Webmail - Simple, modern & fast web-based email client. Also known as “Horde IMP”, Horde Mail is a free and open source web-mail client written in PHP. Its development started in , so it's a. Check out these 10 amazing webmail clients worth considering and see how In today's article, we're going to highlight some of the best webmail clients It's free to use and can be installed on any server that supports PHP.
    [Show full text]
  • State Council Email – Webmail Instructions
    Indiana State Council – Knights of Columbus Webmail Instructions – January 2013 State Council Email – Webmail Instructions Below are instructions and best practices for the use of the email account provided by the Indiana State Council of Knights of Columbus in conducting Indiana State Council business. Instructions Accessing Webmail Online Application o “Webmail” link found on Indiana State Council web page (http://www.indianakofc.org) o Direct URL Access through the following URLs . http://webmail.indianakofc.org . http://www.indianakofc.org/webmail Webmail Login o Access Webmail Online Application from a method described above. o You will be prompted with a login screen. o Enter your email address provided by Indiana State Council o Enter your password for the account o Press Login o Once logged in, you will be shown a screen (Webmail Control Panel) where you can manage your email account and read your email by choosing from 3 online email clients. Indiana State Council Knights of Columbus Sunday, January 13, 2013 Indiana State Council – Knights of Columbus Webmail Instructions – January 2013 Webmail Control Panel o Screenshot o Icons . Horde / Roundcube / SquirrelMail – Online Email Clients Recommended Email Client – Roundcube o You can read your email by using 1 of the 3 online email clients. Roundcube is the recommended email client to read your email online. While the other 2 have the same options and capabilities. Roundcube is far better graphically. o Enable AutoLoad . Use this option if you would like to automatically go to your email client. Follow the link below the email client of choice to automatically transport you to that email client.
    [Show full text]
  • New Paradigm of Webmail Interfaces
    FACULDADE DE ENGENHARIA DA UNIVERSIDADE DO PORTO New Paradigm of Webmail Interfaces Felipe Ávila da Costa Report of Project Master in Informatics and Computing Engineering Supervisor: Prof. André Monteiro de Oliveira Restivo 3rd March, 2009 New Paradigm of Webmail Interfaces Felipe Ávila da Costa Report of Project Master in Informatics and Computing Engineering Approved in oral examination by the committee: Chair: João Carlos Pascoal de Faria (Assistant Professor at FEUP) ____________________________________________________ External Examiner: Pavel Pereira Calado (Assistant Professor at IST) Internal Examiner: André Monteiro de Oliveira Restivo (Assistant Lecturer at FEUP) 19 th March, 2008 ii Abstract This document describes the project, developed in Portugalmail – Comunicações S.A., called “New Paradigm of Webmail Interfaces”. The initial motivation for this project was the development of new features and components to be added to the current Portugalmail webmail solution. However, while researching and analysing other existent solutions, many innovative ideas compelled the aim of this project to evolve to a completely new application. This new application includes many innovative components over the common email functionalities, such as a smart contact manager, which integrates aspects of social networks; a system of small applications, aiming to expand the usefulness of the webmail; a files and attachments manager, which allows the user to easily access existing documents in the application; and a humanized personal assistant that uses intelligent ways to help the user to use and get the maximum benefits from the system. The application is technically based in LAPP (Linux operative system, Apache web server, PostgreSQL database and PHP programming language) architecture, LDAP directory and Horde Platform.
    [Show full text]
  • Intermediate Wordpress Training
    1 Intermediate WordPress Training Email Every library has two email addresses created by CNS and associated with the WordPress install. Both addresses use the email password sent in when the websites were set up. Individual email addresses for other staff members can be requested from the CNS Department. Log into email using a web browser with the address: www.yourlibrarywebsite.org/webmail where domain is the address of your website, ex. www.lamontlibrary.org/webmail. [email protected] Set to receive Contact Us form submissions and associated with the WordPress admin user ID [email protected] Used as the “from” id for Contact Us form submissions After entering your email id and password, you’ll be prompted to choose your web email client. There are 3 choices; Horde, Roundcube, and SquirrelMail. Each email client is slightly different but Horde and Roundcube are the two most robust clients and the most similar to other webmail sites such as Gmail, Yahoo, or Hotmail. We recommend trying each to see which you like better. Each time you log in you can choose which client to use or if you’ve picked the one you like the best, you can click the link “[ Enable AutoLoad ]” below the client name. If you enable autoload you can also choose how many seconds to delay before displaying your email. If you set this to 1 you will be logged in with almost no delay on subsequent logins. Google Login Information The same user ID is used for both Google calendar Google Analytics. Libraries that had existing Google calendars will continue to use the same userid and password combination.
    [Show full text]
  • Webmail (Roundcube)
    Instrukcja obsługi Panelu Hostingowego Spis treści Logowanie do panelu zarządzania usługami........................................................................................4 Strona główna.......................................................................................................................................6 Twoje konto..........................................................................................................................................9 Konfiguracja domen........................................................................................................................9 Dodawanie Domeny..................................................................................................................10 Modyfikacja domeny.................................................................................................................11 Zmiana nazwy domeny.............................................................................................................12 Usuwanie/Zawieszanie domen..................................................................................................13 Zmiana hasła do konta...................................................................................................................14 Pytania zabezpieczające.................................................................................................................15 Dwustopniowe uwierzytelnienie....................................................................................................16 Historia
    [Show full text]
  • Handbuch Roundcube Webmail
    Handbuch Roundcube Webmail http://webmail.webhost-germany.de http://webhost-germany.de Handbuch Roundcube Webmail Inhaltsverzeichnis 1. Erste Schritte ......................................................................................................................... 3 1.1. Aufruf und Login ................................................................................................................. 3 1.2. Der erste Login .................................................................................................................... 3 1.3. Ansicht und Aufbau ............................................................................................................ 4 2. Einstellungen und Funktionen ................................................................................. 5 2.1. Einstellungen ....................................................................................................................... 5 2.1.1. Benutzeroberfläche ............................................................................................................. 6 2.1.2. Mailbox-Ansicht ................................................................................................................... 6 2.1.3. Nachrichtendarstellung ....................................................................................................... 6 2.1.4. Nachrichtenerstellung ......................................................................................................... 6 2.1.5. Adressbuch .........................................................................................................................
    [Show full text]
  • Managing Email on More Than One Computer
    November 2011 Staying connected through the Cloud There are advantages and downsides to both proto- Managing Email cols. POP3 is simple and fast, but if you lose emails on your computer, it can be hard or impossible to on More Than One Computer recover them. IMAP mail takes up more server space, and being more interactive, can be slower and there- By Bill Slade fore managing can be more difficult. The great Maybe it’s between your computer at work and a lap- advantage is that you can access email from any- top at home or an email-enabled iPhone, or maybe where, but that might not be a help unless you clean even a public PC in a hotel lobby, but wherever you out the inevitable build-up occasionally. need to do it, juggling your email among different IMAP makes managing your email more functional devices can be hard. but it can require more work. Keeping email on the That is one reason why some people simply choose server and never deleting any may also mean that to use webmail like our convenient Roundcube you may accumulate charges for storing it online. online client to access their email messages, as it’s Another problem can arise if you use POP3 on one accessible from any browser. However, there is an device – say, your PC at work – and use IMAP on your alternative that will allow you to use a modern email smartphone for when you’re away. If you forget to program like Thunderbird, Apple Mail, or Outlook, to turn off your PC client when you leave the office, you manage your email messages between different plat- may have access to the messages only briefly from forms.
    [Show full text]