Correlating messages from multiple IM networks to identify digital forensic artifacts

In recent years the usage of instant messaging (IM) has increased manifold. Recent reports show that law enforcement organizations are requesting instant messaging information because of its involvement in criminal activity. There can be multiple reasons for investigating instant messenger histories. The best known are involvement in fraudulent activities, social engineering, identity theft, the spread of malicious software (worm) to circumvent innocent users or critical security devices, revealing the IP address of a correspondent for launching further attacks, IM spam and offensive material, and, in general, communication with group members regarding corruption, target killing, gambling, kidnapping, theft, robbery, etc. In this paper, we focus on a unique case in which two group members of a criminal network communicate through an IM aggregator (like Digsby) and use multiple IM protocols to complete a single conversation session, instead of using a traditional single IM client such as Yahoo Messenger for the whole conversation. We propose a method to identify that multiple IM protocols are used for a single conversation session and describe how to establish a sequence of the collected messages. An analysis of volatile memory is performed to collect the remnants of the whole or partial conversation, as supportive or actual evidence.
