WormHex: A Volatile Memory Analysis Tool for Retrieval of Social Media Evidence

Social media applications are increasingly being used in our everyday communications. These applications utilise end-to-end encryption mechanisms, which make them suitable tools for criminals to exchange messages. Those messages are preserved in volatile memory until the device is restarted. Therefore, volatile memory forensics has become an important branch of digital forensics. In this study, the WormHex tool was developed to inspect memory dump files from Windows- and Mac-based workstations. The tool supports digital investigators by enabling them to extract valuable data written in Arabic and English through the web-based WhatsApp and Twitter applications. The results confirm that social media applications write their data into memory regardless of the operating system running the application, with no major differences between Windows and Mac.
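The core scan such a tool performs, shown here as an added example rather than WormHex's own code: a string extractor and keyword search over a constructed memory-dump buffer that recovers Arabic and English text whether an application stored it as UTF-8 or as UTF-16LE. The sample buffer, the function names and the byte patterns are assumptions made for this illustration.

```python
import re

# Constructed sample "memory dump": printable runs surrounded by binary noise.
# The same Arabic message is embedded twice, as UTF-8 and as UTF-16LE, because
# different applications and operating systems store text in either encoding.
ARABIC_MSG = "أراك في السوق الساعة 9"
SAMPLE_DUMP = (b"\x00\x01\xff" + b"see you at the market at 9" + b"\x00\x00\x07"
               + ARABIC_MSG.encode("utf-8") + b"\xfe\x00\x00\x01"
               + ARABIC_MSG.encode("utf-16-le") + b"\x00\x00\x00\x80")


def _patterns(min_len: int):
    """Byte regexes for runs of printable ASCII plus the Arabic block (U+0600..U+06FF)."""
    n = str(min_len).encode()
    # UTF-8: ASCII 0x20..0x7E, or a two-byte Arabic sequence 0xD8..0xDB 0x80..0xBF.
    utf8 = re.compile(rb"(?:[\x20-\x7e]|[\xd8-\xdb][\x80-\xbf]){" + n + b",}")
    # UTF-16LE: ASCII as <byte> 0x00, Arabic as <byte> 0x06 (high byte of U+06xx).
    utf16 = re.compile(rb"(?:[\x20-\x7e]\x00|[\x00-\xff]\x06){" + n + b",}")
    return utf8, utf16


def extract_strings(dump: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for each English/Arabic run found in the dump."""
    utf8, utf16 = _patterns(min_len)
    hits = [(m.start(), "utf-8", m.group().decode("utf-8")) for m in utf8.finditer(dump)]
    hits += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
             for m in utf16.finditer(dump)]
    return sorted(hits)


def find_keyword(dump: bytes, keyword: str):
    """Offsets at which a keyword occurs, checking both encodings an app may have used."""
    found = []
    for enc in ("utf-8", "utf-16-le"):
        needle = keyword.encode(enc)
        start = 0
        while (pos := dump.find(needle, start)) != -1:
            found.append((pos, enc))
            start = pos + 1  # keep scanning past this hit for further occurrences
    return found


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"0x{offset:06x} {enc:9s} {text}")
    print(find_keyword(SAMPLE_DUMP, "السوق"))
```

On a real dump the offsets are what an investigator records as evidence locations; the encodings found tell which application or platform wrote the text.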