Correlating messages from multiple IM networks to identify digital forensic artifacts

Muhammmad Yasin, Firdous Kausar, Eisa Aleisa, Jongsung Kim*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

3 Citations (Scopus)


In recent years the usage of instant messaging (IM) has increased manifold. Recent reports show that law enforcement organizations are making requests for instant messaging information as a result of involvement in criminal activity. There can be multiple reasons for investigation of instant messenger histories. Among all issues, renown are involvement in fraudulent activities, social engineering, identity theft, spread of malicious software (worm) to circumvent innocent users or critical security devices, revealing IP address of correspondent for launching further attacks, IM spam and offensive material, in general for communicating with group members regarding corruption, target killing, gambling, kidnapping, theft, robbery, etc. In this paper, we focus on a unique case in which two group members of criminal network are communicating through IM aggregator (like Digsby) and using multiple IM protocols to complete a single conversation session instead of following a traditional single IM client such as Yahoo Messenger for whole conversation. We propose a method to identify that multiple IM protocols are used for single conversation session and describe how to establish a sequence of collected messages. An analysis of volatile memory is performed to collect the remnants of whole or partial conversation, as supportive or actual evidence.

Original languageEnglish
Pages (from-to)369-387
Number of pages19
JournalElectronic Commerce Research
Issue number3
Publication statusPublished - Dec 9 2014
Externally publishedYes


  • Forensic analysis
  • IM Aggregators
  • IM protocols
  • Instant message hopping
  • Instant messenger’s forensic

ASJC Scopus subject areas

  • Economics, Econometrics and Finance (miscellaneous)
  • Human-Computer Interaction

Cite this