Correlating messages from multiple IM networks to identify digital forensic artifacts

Muhammad Yasin, Firdous Kausar, Eisa Aleisa, Jongsung Kim*

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-reviewed

5 Citations (Scopus)

Abstract

In recent years the usage of instant messaging (IM) has increased manifold. Recent reports show that law enforcement organizations are making requests for instant messaging information as a result of involvement in criminal activity. There can be multiple reasons for investigation of instant messenger histories. Among all issues, the renowned ones are involvement in fraudulent activities, social engineering, identity theft, spread of malicious software (worm) to circumvent innocent users or critical security devices, revealing the IP address of a correspondent for launching further attacks, IM spam and offensive material, and in general communicating with group members regarding corruption, target killing, gambling, kidnapping, theft, robbery, etc. In this paper, we focus on a unique case in which two group members of a criminal network are communicating through an IM aggregator (like Digsby) and using multiple IM protocols to complete a single conversation session instead of following a traditional single IM client such as Yahoo Messenger for the whole conversation. We propose a method to identify that multiple IM protocols are used for a single conversation session and describe how to establish a sequence of collected messages. An analysis of volatile memory is performed to collect the remnants of the whole or partial conversation, as supportive or actual evidence.

Original language: English
Pages (from-to): 369-387
Number of pages: 19
Journal: Electronic Commerce Research
Volume: 14
Issue number: 3
DOIs:
Publication status: Published - December 9 2014
Externally published: Yes
