Abstract
Older instant messaging programs typically require some form of installation on the client machine, enabling forensic investigators to find a wealth of evidentiary artifacts. However, this paradigm is shifting as web-based instant messaging becomes more popular. Many traditional messaging clients (e.g., AOL Messenger, Yahoo! and MSN) can now be accessed using only a web browser. This presents new challenges for forensic examiners due to the volatile nature of the data and artifacts created by web-based instant messaging programs. These web-based programs do not write to registry keys or leave configuration files on the client machine. Investigators are, therefore, required to look for remnants of whole or partial conversations that may be dumped to page files and unallocated space on the hard disk. This paper examines the artifacts that can be recovered from web-based instant messaging programs and the challenges faced by forensic examiners during evidence recovery. An investigative framework for dealing with volatile instant messaging is also presented.
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kiley, M., Dankner, S., Rogers, M. (2008). Forensic Analysis of Volatile Instant Messaging. In: Ray, I., Shenoi, S. (eds) Advances in Digital Forensics IV. DigitalForensics 2008. IFIP — The International Federation for Information Processing, vol 285. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-84927-0_11
DOI: https://doi.org/10.1007/978-0-387-84927-0_11
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-84926-3
Online ISBN: 978-0-387-84927-0
eBook Packages: Computer Science, Computer Science (R0)