
An Empirical Study of Skype Data Retrieval from Physical Memory

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Year of Publication: 2019
Authors:
Ahmad Ghafarian, Ash Mady, Charlie Wood
10.5120/ijca2019919115

Ahmad Ghafarian, Ash Mady and Charlie Wood. An Empirical Study of Skype Data Retrieval from Physical Memory. International Journal of Computer Applications 178(29):4-12, July 2019.

@article{10.5120/ijca2019919115,
	author = {Ahmad Ghafarian and Ash Mady and Charlie Wood},
	title = {An Empirical Study of Skype Data Retrieval from Physical Memory},
	journal = {International Journal of Computer Applications},
	issue_date = {July 2019},
	volume = {178},
	number = {29},
	month = {Jul},
	year = {2019},
	issn = {0975-8887},
	pages = {4-12},
	numpages = {9},
	url = {http://www.ijcaonline.org/archives/volume178/number29/30717-2019919115},
	doi = {10.5120/ijca2019919115},
	publisher = {Foundation of Computer Science (FCS), NY, USA},
	address = {New York, USA}
}

Abstract

Instant messaging technology is increasingly popular among individuals and businesses, as well as criminals. Technologies such as Skype are widely used because their services are secure and cheap. The traditional static-media computer forensics approach is not effective at retrieving traces of instant messaging activity. This research presents the findings of a physical memory forensics examination of Skype communication. We examined both client-based Skype and web-based Skype to determine whether the forensic data remnants in memory differ between the two. For each case, we evaluated the forensic artifacts at both the operating system level and the application level. At the operating system level, we examined active processes, terminated processes, hidden processes and open files related to Skype activity. At the application level, we evaluated Skype activity artifacts such as login credentials, audio and video conversations, transferred files, emails, and the geographical location of the caller. In addition, we found some differences between the client-based and web-based Skype data remnants in memory. Overall, we confirm that physical memory forensics is the most effective technique for retrieving forensic artifacts of instant messaging technology.
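
The two levels of examination the abstract describes, an operating-system-level cross-view of process listings (active, terminated and hidden processes) and an application-level carve of identity and address strings out of the raw image, as an added Python example. This is not the paper's own code: the memory image and the two process tables are constructed stand-ins, and the artifact classes, process names, PIDs and offsets are assumptions chosen for illustration only.

```python
"""Carving IM artifacts from a raw memory image, plus a pslist/psscan cross-view.

Added example for the method described in the abstract; it is not the paper's
own code.  SAMPLE_IMAGE is a constructed byte string standing in for a RAM
capture; in practice the image would come from an acquisition tool and the
process tables from a framework such as Volatility.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Windows applications keep most user-facing strings as UTF-16LE, so a pass
# that only looks for ASCII runs (plain `strings`) misses credentials and
# addresses.  Both encodings are scanned and the absolute byte offset kept.
_MIN_RUN = 4
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % _MIN_RUN)
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % _MIN_RUN)

# Artifact classes named in the abstract: login identities (e-mail style),
# caller address (IPv4, the basis for geolocation), URLs and process images.
_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"(?<![0-9.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
        r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![0-9.])"),
    "url": re.compile(r"https?://[A-Za-z0-9./?=&_%-]+"),
    "exe": re.compile(r"\b[A-Za-z0-9_.-]+\.exe\b"),
}


@dataclass(frozen=True)
class Artifact:
    kind: str
    value: str
    offset: int      # absolute byte offset in the image
    encoding: str    # "ascii" or "utf-16-le"


def _runs(image: bytes) -> Iterator[Tuple[int, str, str, int]]:
    """Yield (start, text, encoding, bytes_per_char) for every printable run."""
    for m in _ASCII_RUN.finditer(image):
        yield m.start(), m.group().decode("ascii"), "ascii", 1
    for m in _UTF16_RUN.finditer(image):
        yield m.start(), m.group().decode("utf-16-le"), "utf-16-le", 2


def carve_artifacts(image: bytes) -> List[Artifact]:
    """Return every pattern hit in the image, sorted by byte offset."""
    hits: List[Artifact] = []
    for start, text, enc, width in _runs(image):
        for kind, pat in _PATTERNS.items():
            for m in pat.finditer(text):
                # Map the match position in the decoded run back to the image.
                hits.append(Artifact(kind, m.group(), start + width * m.start(), enc))
    return sorted(hits, key=lambda a: (a.offset, a.kind))


@dataclass(frozen=True)
class ProcEntry:
    """One process block as reported by a process listing (assumed shape)."""
    pid: int
    name: str
    exited: bool = False   # True when the exit-time field is populated


def cross_view(pslist: List[ProcEntry], psscan: List[ProcEntry]) -> Dict[str, List[ProcEntry]]:
    """Compare a linked-list walk (pslist) with a pool scan (psscan).

    A pool scan finds process blocks whether or not they are still linked into
    the active-process list, so anything present only in the scan is either a
    terminated process whose block has not been reused or a process that was
    unlinked to hide it.
    """
    listed = {p.pid for p in pslist}
    only_scanned = [p for p in psscan if p.pid not in listed]
    return {
        "hidden": [p for p in only_scanned if not p.exited],
        "terminated": [p for p in only_scanned if p.exited],
    }


# Constructed stand-in for a RAM capture: an ASCII process name, a UTF-16LE
# login identity, a URL and a UTF-16LE peer address separated by NUL padding.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Skype.exe"
    + b"\x00" * 8
    + "alice.ex@example.com".encode("utf-16-le")
    + b"\x00" * 8
    + b"\x90\x7f\x13"
    + b"https://web.skype.example/login"
    + b"\x00" * 8
    + "203.0.113.42".encode("utf-16-le")
    + b"\x00" * 16
)

# Constructed process views: the scan also sees an exited Skype.exe and an
# entry (placeholder name) that is absent from the active-process list.
PSLIST = [ProcEntry(4, "System"), ProcEntry(1234, "explorer.exe"), ProcEntry(5120, "Skype.exe")]
PSSCAN = PSLIST + [ProcEntry(2200, "Skype.exe", exited=True), ProcEntry(9001, "unlinked.exe")]


if __name__ == "__main__":
    for a in carve_artifacts(SAMPLE_IMAGE):
        print(f"0x{a.offset:08x} {a.encoding:9s} {a.kind:5s} {a.value}")
    for label, procs in cross_view(PSLIST, PSSCAN).items():
        print(label, [(p.pid, p.name) for p in procs])
```

On a real capture the carver is run over the file contents (read or memory-mapped, since images are several gigabytes) and the two process tables come from the framework's linked-list and pool-scan listings. The login identity and peer address in the sample are only recoverable because the UTF-16LE pass is there; an ASCII-only scan of the same bytes returns just the process name and the URL.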

Keywords

Skype; forensics; instant messaging; artifacts; geographic location; operating systems; IM