Forensic Analysis of the Cisco WebEx Application

Abstract

The COVID-19 pandemic has triggered a surge in the usage of videoconferencing applications around the globe. While this trend provided a convenient alternative to face-to-face meetings, it has also opened the door for new scenarios of malicious attacks. The security and privacy of the (vidéoconférence) participants' data has therefore become a major concern. Despite its importance, the forensic analysis of videoconferencing applications remains a relatively under researched area. This paper presents a detailed analysis of the Cisco WebEx videoconferencing application on a Windows OS in the areas of memory forensics, disk-space forensics and network forensics. From the extracted artifacts, it is evident that valuable user data can be retrieved from different sources. These include user emails, user IDs, profile photos, sent and deleted chat messages, shared media, meeting information including meeting passwords, Advanced Encryption Standard (AES) keys, keyword searches, timestamps, and log files. Although network communications are encrypted, some useful artifacts can be retrieved such as IPs of server domains and host devices along with message/event timestamps. Digital certificates of the videoconferencing communications are also retrieved.