Forensic investigation of Cisco WebEx desktop client, web, and Android smartphone applications

Digital forensic analysis of videoconferencing applications has received considerable attention recently, owing to the wider adoption and diffusion of such applications following the recent COVID-19 pandemic. In this contribution, we present a detailed forensic analysis of Cisco WebEx which is among the top three videoconferencing applications available today. More precisely, we present the results of the forensic investigation of Cisco WebEx desktop client, web, and Android smartphone applications. We focus on three digital forensic areas, namely memory, disk space, and network forensics. From the extracted artifacts, it is evident that valuable user data can be retrieved from different data localities. These include user credentials, emails, user IDs, profile photos, chat messages, shared media, meeting information including meeting passwords, contacts, Advanced Encryption Standard (AES) keys, keyword searches, timestamps, and call logs. We develop a memory parsing tool for Cisco WebEx based on the extracted artifacts. Additionally, we identify anti-forensic artifacts such as deleted chat messages. Although network communications are encrypted, we successfully retrieve useful artifacts such as IPs of server domains and host devices along with message/event timestamps.