Title

An Empirical Study of Skype Data Retrieval from Physical Memory

Campus

Dahlonega

Publication date

7-18-2019

Publisher

Foundation of Computer Science

Book or Journal Information

International Journal of Computer Applications

Keywords

Data recovery; physical memory; software tools; hardware tools; client-based; web-based

Abstract

Instant messaging technology is becoming increasingly popular among individuals, businesses, and criminals. Technologies such as Skype are widely used due to their secure and cheap services. The traditional static-media computer forensics approach is not effective in retrieving traces of instant messaging activity. This research presents the findings from a physical memory forensics examination of Skype communication. We examined both client-based and web-based Skype to determine whether the forensic data remnants in memory would differ between the two cases. For each case, we evaluated the forensic artifacts at both the operating system level and the application level. At the operating system level, we examined active processes, terminated processes, hidden processes, and open files related to Skype activity. At the application level, we evaluated Skype activity artifacts such as login credentials, audio and video conversations, transferred files, emails, and the geographical location of the caller. In addition, we found some differences between the client-based and web-based Skype data remnants in memory. Overall, we confirm that physical memory forensics is the most effective technique for retrieving forensic artifacts of instant messaging technology.

Author Biography

Dr. Ahmad Ghafarian is a full-time Professor of Computer Science & Cybersecurity at the University of North Georgia (UNG). His educational credentials include a Postdoctoral Fellowship in Information Security, a Ph.D. and M.S. in Computer Science, and a B.S. in Mathematics. He specializes in and conducts research in various areas of cybersecurity, including but not limited to malware analysis, various aspects of digital forensics, cloud computing security, VoIP security, and social computing security. He has about forty peer-reviewed publications to his credit.
