TY - JOUR
T1 - Correlating messages from multiple IM networks to identify digital forensic artifacts
AU - Yasin, Muhammad
AU - Kausar, Firdous
AU - Aleisa, Eisa
AU - Kim, Jongsung
N1 - Funding Information:
Acknowledgments This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (grant number 2013R1A1A2059864).
Publisher Copyright:
© 2014, Springer Science+Business Media New York.
PY - 2014/12/9
Y1 - 2014/12/9
N2 - In recent years the usage of instant messaging (IM) has increased manifold. Recent reports show that law enforcement organizations are making requests for instant messaging information as a result of involvement in criminal activity. There can be multiple reasons for investigation of instant messenger histories. Among all issues, the well-known ones are involvement in fraudulent activities, social engineering, identity theft, spread of malicious software (worm) to circumvent innocent users or critical security devices, revealing the IP address of a correspondent for launching further attacks, IM spam and offensive material, and, in general, communicating with group members regarding corruption, target killing, gambling, kidnapping, theft, robbery, etc. In this paper, we focus on a unique case in which two group members of a criminal network are communicating through an IM aggregator (like Digsby) and using multiple IM protocols to complete a single conversation session instead of following a traditional single IM client such as Yahoo Messenger for the whole conversation. We propose a method to identify that multiple IM protocols are used for a single conversation session and describe how to establish a sequence of collected messages. An analysis of volatile memory is performed to collect the remnants of the whole or a partial conversation, as supportive or actual evidence.
AB - In recent years the usage of instant messaging (IM) has increased manifold. Recent reports show that law enforcement organizations are making requests for instant messaging information as a result of involvement in criminal activity. There can be multiple reasons for investigation of instant messenger histories. Among all issues, the well-known ones are involvement in fraudulent activities, social engineering, identity theft, spread of malicious software (worm) to circumvent innocent users or critical security devices, revealing the IP address of a correspondent for launching further attacks, IM spam and offensive material, and, in general, communicating with group members regarding corruption, target killing, gambling, kidnapping, theft, robbery, etc. In this paper, we focus on a unique case in which two group members of a criminal network are communicating through an IM aggregator (like Digsby) and using multiple IM protocols to complete a single conversation session instead of following a traditional single IM client such as Yahoo Messenger for the whole conversation. We propose a method to identify that multiple IM protocols are used for a single conversation session and describe how to establish a sequence of collected messages. An analysis of volatile memory is performed to collect the remnants of the whole or a partial conversation, as supportive or actual evidence.
KW - Forensic analysis
KW - IM Aggregators
KW - IM protocols
KW - Instant message hopping
KW - Instant messenger’s forensic
UR - http://www.scopus.com/inward/record.url?scp=84916601609&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84916601609&partnerID=8YFLogxK
U2 - 10.1007/s10660-014-9145-4
DO - 10.1007/s10660-014-9145-4
M3 - Article
AN - SCOPUS:84916601609
SN - 1389-5753
VL - 14
SP - 369
EP - 387
JO - Electronic Commerce Research
JF - Electronic Commerce Research
IS - 3
ER -