Forensic analysis of communication records of messaging applications from physical memory
• RAMAS efficiently extracts communication records from volatile memory.
• Works for most popular messaging applications.
• Uses the same record signatures on different operating systems and browsers.
• Provides a forensic framework for evidence inspection and reporting.
• Highlights which sequences of actio...
Published in: | Computers & security 2019-09, Vol.86, p.484-497 |
---|---|
Main authors: | , , , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
container_end_page | 497 |
---|---|
container_issue | |
container_start_page | 484 |
container_title | Computers & security |
container_volume | 86 |
creator | Barradas, Diogo; Brito, Tiago; Duarte, David; Santos, Nuno; Rodrigues, Luís |
description | • RAMAS efficiently extracts communication records from volatile memory. • Works for most popular messaging applications. • Uses the same record signatures on different operating systems and browsers. • Provides a forensic framework for evidence inspection and reporting. • Highlights which sequences of actions impact record durability the most.
Inspection of physical memory allows digital investigators to retrieve evidence otherwise inaccessible when analyzing other storage media. In this paper, we analyze in-memory communication records produced by instant messaging and email applications, both in desktop web-based applications and native applications running in mobile devices. Our results show that, in spite of the heterogeneity of data formats specific to each application, communication records can be represented in a common application-independent format. This format can then be used as a common representation to allow for general analysis of digital artifacts across various applications. Then, we introduce RAMAS, an extensible forensic tool which aims to ease the process of analysing communication records left behind in physical memory by instant-messaging and email clients. |
doi_str_mv | 10.1016/j.cose.2018.08.013 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 0167-4048 |
ispartof | Computers & security, 2019-09, Vol.86, p.484-497 |
issn | 0167-4048; 1872-6208 |
language | eng |
recordid | cdi_proquest_journals_2287978217 |
source | ScienceDirect Journals (5 years ago - present) |
subjects | Communication; Computer memory; Digital forensics; Electronic devices; Format; Inspection; Instant messaging systems; Instant-messaging; Memory forensics; Mobile applications; Product development; Software reviews; Web-applications |
title | Forensic analysis of communication records of messaging applications from physical memory |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-08T10%3A27%3A59IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Forensic%20analysis%20of%20communication%20records%20of%20messaging%20applications%20from%20physical%20memory&rft.jtitle=Computers%20&%20security&rft.au=Barradas,%20Diogo&rft.date=2019-09&rft.volume=86&rft.spage=484&rft.epage=497&rft.pages=484-497&rft.issn=0167-4048&rft.eissn=1872-6208&rft_id=info:doi/10.1016/j.cose.2018.08.013&rft_dat=%3Cproquest_cross%3E2287978217%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2287978217&rft_id=info:pmid/&rft_els_id=S0167404818311313&rfr_iscdi=true |