WormHex: Evidence Retrieval Tool of Social Media from Volatile Memory
Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 87758
WormHex: Evidence Retrieval Tool of Social Media from Volatile Memory

Authors: Norah Almubairik, Wadha Almattar, Amani Alqarni

Abstract:

Social media applications are increasingly being used in our everyday communications. These applications utilise end-to-end encryption mechanisms, which make them suitable tools for criminals to exchange messages. These messages are preserved in the volatile memory until the device is restarted. Therefore, volatile forensics has become an important branch of digital forensics. In this study, the WormHex tool was developed to inspect the memory dump files of Windows and Mac-based workstations. The tool supports digital investigators to extract valuable data written in Arabic and English through web-based WhatsApp and Twitter applications. The results verify that social media applications write their data into the memory regardless of the operating system running the application, with there being no major differences between Windows and Mac.

Keywords: volatile memory, REGEX, digital forensics, memory acquisition

Procedia PDF Downloads 194