WormHex: A Volatile Memory Analysis Tool for Retrieval of Social Media Evidence
Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32870
WormHex: A Volatile Memory Analysis Tool for Retrieval of Social Media Evidence

Authors: Norah Almubairik, Wadha Almattar, Amani Alqarni


Social media applications are increasingly being used in our everyday communications. These applications utilise end-to-end encryption mechanisms which make them suitable tools for criminals to exchange messages. These messages are preserved in the volatile memory until the device is restarted. Therefore, volatile forensics has become an important branch of digital forensics. In this study, the WormHex tool was developed to inspect the memory dump files for Windows and Mac based workstations. The tool supports digital investigators by enabling them to extract valuable data written in Arabic and English through web-based WhatsApp and Twitter applications. The results confirm that social media applications write their data into the memory, regardless of the operating system running the application, with there being no major differences between Windows and Mac.

Keywords: Volatile memory, REGEX, digital forensics, memory acquisition

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 867


[1] Al Mutawa, Noora, Ibrahim Baggili and Andrew Marrington. 2012. “Forensic analysis of social networking applications on mobile devices.” Digital investigation 9:S24–S33.
[2] Al Mutawa, Noora, Ibtesam Al Awadhi, Ibrahim Baggili and Andrew Marrington. 2011. Forensic artifacts of Facebook’s instant messaging service. In 2011 International Conference for Internet Technology and Secured Transactions. IEEE pp. 771–776.
[3] Alqarni, Amani, Wadha Almattar and Norah Almubairik. 2022. “WormHex.”. URL: https://github.com/amaniaq/WormHex
[4] Barradas, Diogo, Tiago Brito, David Duarte, Nuno Santos and Luís Rodrigues. 2017. Forensic Analysis of Communication Records of Web-based Messaging Applications from Physical Memory. pp. 43–54.
[5] Belkasoft. 2020. Capture Live RAM Contents with Free Tool from Belkasoft. URL: https://belkasoft.com/ramcapturer
[6] Forte, Dario. 2008. “Volatile data vs. data at rest: the requirements of digital forensics.” Network Security 2008:13–15.
[7] Hoog, Andrew. 2011. Android forensics: investigation, analysis and mobile security for Google Android. Elsevier.
[8] Nisioti, Antonia, Alexios Mylonas, Vasilios Katos, Paul D Yoo and Anargyros Chryssanthou. 2017. You can run but you cannot hide from memory: Extracting IM evidence of Android apps. In 2017 IEEE Symposium on Computers and Communications (ISCC). IEEE pp. 457–464.
[9] Sadeghi, Behrouz. 2015. Guide to Computer forensics and investigations.
[10] Telegram. N.d. “Telegram Privacy Policy.” https:// telegram.org/privacy.
[11] Thantilage, Ranul and Neera Jeyamohan. 2017. A volatile memory analysis tool for retrieval of social media evidence in windows 10 OS based workstations. pp. 86–88.
[12] Thantilage, Ranul and Nhien-An Le-Khac. 2019. Framework for the Retrieval of Social Media and Instant Messaging Evidence from Volatile Memory. pp. 476–482.
[13] Vömel, Stefan and Felix C Freiling. 2011. “A survey of main memory acquisition and analysis techniques for the windows operating system.” Digital Investigation 8(1):3–22.
[14] Walnycky, Daniel, Ibrahim Baggili, Andrew Marrington, Jason Moore and Frank Breitinger. 2015. “Network and device forensic analysis of android social-messaging applications.” Digital Investigation 14:S77–S84.