Digital forensic analysis of videoconferencing applications has received considerable attention recently, owing to the wider adoption and diffusion of such applications following the recent COVID-19 pandemic. COVID-19 has been a prime catalyst in the widespread adoption of videoconferencing applications such as Zoom, Cisco WebEx, Microsoft Teams, Adobe Connect, and BlueJeans for professional and personal use. In fact, during the pandemic, the work landscape changed dramatically as more companies shifted to a work-from-home model. As a result, the videoconferencing market is expected to grow from US $6.28 billion in 2021 to US $12.99 billion by 2028, according to a Fortune Business Insight report.

In this contribution, we present a detailed forensic analysis of Cisco WebEx, which is among the top three videoconferencing applications available today. More precisely, we present the results of the forensic investigation of the Cisco WebEx desktop client, web, and Android smartphone applications. We focus on three digital forensic areas, namely memory, disk space, and network forensics. From the extracted artifacts, it is evident that valuable user data can be retrieved from different data localities. These include user credentials, emails, user IDs, profile photos, chat messages, shared media, meeting information including meeting passwords, contacts, Advanced Encryption Standard (AES) keys, keyword searches, timestamps, and call logs. We develop a memory parsing tool for Cisco WebEx based on the extracted artifacts. Additionally, we identify anti-forensic artifacts such as deleted chat messages. Although network communications are encrypted, we successfully retrieve useful artifacts such as IPs of server domains and host devices along with message/event timestamps.

Memory acquisition: parameters of the LiME (Linux Memory Extractor) kernel module, from which the lime output format takes its name:

path (required): outfile ~ name of file to write to on local system (SD Card)
                 tcp:port ~ network port to communicate over

format (required): padded ~ pads all non-System RAM ranges with 0s
                   lime ~ each range prepended with fixed-size header containing address space info
                   raw ~ concatenates all System RAM ranges (warning: original position of dumped memory is likely to be lost)

digest (optional): hash the RAM and provide a digest of it alongside the dump

dio (optional): 1 ~ attempt to enable Direct IO

localhostonly (optional): 1 ~ restricts the tcp listener to only listen on localhost

timeout (optional): 1000 ~ max amount of milliseconds tolerated to read a page (default). If a page exceeds the timeout, the whole memory region is skipped.
                    0 ~ disable the timeout so that slow regions are still acquired.

The timeout feature is only available on kernel versions >= 2.6.35.

Memory analysis: there are two ways to install Volatility.

Run setup.py. This will take care of copying files to the right locations on your disk. Running setup.py is only necessary if you want to have access to the Volatility namespace from other Python scripts, for example if you plan on importing Volatility as a library. Cons: more difficult to upgrade or uninstall.

Extract the archive to a directory of your choice. When you want to use Volatility, just run python /path/to/directory/vol.py. This is a cleaner method since no files are ever moved outside of your chosen directory, which makes it easier to upgrade to new versions when they're released. Also, you can easily have multiple versions of Volatility installed at the same time, by just keeping them in separate directories (like /home/me/vol2.0 and /home/me/vol2.1). Pros: clean, easy to run multiple versions, easy to upgrade or uninstall. Cons: more difficult to use as a library.

Additionally, whichever method you choose, you must obtain the profile information for the target kernel first before running any other tool.
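The choice between padded, lime and raw above decides what an analyst can still reconstruct from the dump. The Python below, an added example for this page and not code from the LiME or Volatility projects, parses a dump written with format=lime: it walks the fixed-size headers to recover every System RAM range, maps a physical address to its file offset, rebuilds the padded layout, and shows why raw loses position information. The 32-byte header layout it assumes (magic 0x4C694D45, version 1, 64-bit inclusive start and end addresses, 8 reserved bytes, all little-endian) is the one the LiME module writes; the sample dump is constructed inline, so nothing here runs against a real system.

```python
"""Parser for a memory dump written in LiME's "lime" format.

Added illustration for this page; it is not code from the LiME or
Volatility projects. The 32-byte range header (magic, version, 64-bit
inclusive start/end address, 8 reserved bytes) is the layout the LiME
module prepends to every System RAM range. The sample dump at the bottom
is constructed inline so the script runs offline.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

LIME_MAGIC = 0x4C694D45            # the ASCII bytes "LiME" as a little-endian uint32
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved (32 bytes)


@dataclass(frozen=True)
class MemRange:
    start: int        # first physical address of the range
    end: int          # last physical address (inclusive, as LiME writes it)
    file_offset: int  # where this range's bytes begin inside the dump file

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(data: bytes) -> list[MemRange]:
    """Walk the headers and return every range, rejecting a damaged dump."""
    ranges: list[MemRange] = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} precedes start {s_addr:#x}")
        off += HEADER.size
        size = e_addr - s_addr + 1
        if off + size > len(data):
            # The file stops inside a range: the acquisition was cut short.
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} is truncated")
        ranges.append(MemRange(s_addr, e_addr, off))
        off += size
    return ranges


def phys_to_offset(ranges: list[MemRange], paddr: int) -> int | None:
    """File offset holding physical address paddr, or None if it was never dumped."""
    for r in ranges:
        if r.start <= paddr <= r.end:
            return r.file_offset + (paddr - r.start)
    return None  # a hole between ranges (MMIO, reserved): not System RAM


def lime_to_padded(data: bytes, ranges: list[MemRange]) -> bytes:
    """Rebuild what format=padded would have produced: file offset == physical address."""
    out = bytearray(ranges[-1].end + 1)  # everything that is not System RAM stays zero
    for r in ranges:
        out[r.start : r.end + 1] = data[r.file_offset : r.file_offset + r.size]
    return bytes(out)


def lime_to_raw(data: bytes, ranges: list[MemRange]) -> bytes:
    """What format=raw would have produced: the ranges back to back, positions lost."""
    return b"".join(data[r.file_offset : r.file_offset + r.size] for r in ranges)


def build_lime(chunks: list[tuple[int, bytes]]) -> bytes:
    """Construct a lime-format dump from (start_address, payload) pairs (sample data only)."""
    out = bytearray()
    for start, payload in chunks:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, start + len(payload) - 1, bytes(8))
        out += payload
    return bytes(out)


# Constructed sample: two 256-byte System RAM ranges with a 256-byte hole between them.
SAMPLE_DUMP = build_lime([(0x000, b"A" * 256), (0x200, b"B" * 256)])

if __name__ == "__main__":
    found = parse_lime(SAMPLE_DUMP)
    for r in found:
        print(f"{r.start:#06x}-{r.end:#06x}  {r.size} bytes at file offset {r.file_offset}")
    print("padded size:", len(lime_to_padded(SAMPLE_DUMP, found)))
    print("raw size:   ", len(lime_to_raw(SAMPLE_DUMP, found)))
```

On the target the dump such a parser consumes is produced by loading the module with the parameters listed above, for example insmod lime.ko "path=/sdcard/ram.lime format=lime" (the output path is an assumption). The lime format is the one to prefer when the image will be fed to Volatility, which reads the range headers itself; a padded image is a plain flat memory image and needs no headers, while a raw image cannot be mapped back to physical addresses without knowledge of the System RAM layout that the dump no longer carries.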