Ya-Ting Chang, Min-Ju Chung, Chin-Feng Lee, Cheng-Ta Huang, Shiuh-Jeng Wang
Memory Forensics for Key Evidence Investigations in Case Illustrations
2013 Eighth Asia Joint Conference on Information Security, published 2013-07-25
DOI: 10.1109/ASIAJCIS.2013.22 (https://doi.org/10.1109/ASIAJCIS.2013.22)
Citations: 6
Abstract
Typically, instant messaging software has to be installed on the computer. The evidence can therefore be recovered from the related paths by forensic procedures after the software has been used. With the appearance of Web versions of instant messaging, this situation has changed. The volatile nature of the information and the data generated by the Web version of instant messaging pose a new challenge. With the Web version of instant messaging, chat messages do not leave any records on the hard disk, so the methods of forensic investigation are bound to change. However, while it is running, part or all of the records will be dumped in memory, the paging file and unallocated hard disk space. In this paper, we use the common instant messaging software "Skype" and the Web version of "Facebook Messenger" as the target cases. Because of the memory features mentioned above, some temporary volatile data will be collected by memory forensic technology. We illustrate our memory forensic technology with the two cases and show, step by step, how to collect key evidence in the forensic procedures. In our scheme, we propose a forensic procedure to obtain effective evidence such as the user's login account, password, contact list, and conversation records. We show that the crime scene can be reconstructed from the key evidence we seize in the Web version of instant messaging.