Live analysis tools have made a significant difference in how evidence is captured during forensic investigations. A Network Intrusion Detection System (NIDS) generates an alert when an Internet-facing server is attacked. The challenge for live analysis tools is the gap between the availability of a system and the reliability of the investigation's conclusions. The live analysis technique is favored because dead analysis cannot use the software running on the system under investigation. Anti-virus software scanning a file system every day for viruses is a typical example of live analysis in incident response. The incident response team confirms a NIDS alert using a live technique, since alerts can be false positives.

The advent of the Internet has significantly transformed the daily activities of millions of people, one of them being the way people communicate, where Instant Messaging (IM) and Voice over IP (VoIP) communications have become prevalent. Although IM applications are ubiquitous communication tools nowadays, we observed that the relevant research on evidence collection from IM services was limited. An IM can serve as a very useful yet very dangerous platform through which a victim and a suspect communicate. Indeed, the increased use of instant messengers on smartphones has turned them into a goldmine for mobile and computer forensic experts. Traces and evidence left by applications are held on smartphones, and retrieving this potential evidence with the right forensic technique is strongly required. Recently, most research on IM forensics has focused on applications such as WhatsApp, Viber and Skype. However, the literature contains no forensic analysis of Tango, an IM available on both iOS and Android, even though the application already has more than 100 million users. Therefore, in this paper we present the forensic acquisition and analysis of Tango VoIP for both the iOS and Android platforms. We try to answer how evidence can be collected when IM communications are used. We also define a taxonomy of target artefacts in order to guide and structure the subsequent forensic analysis. In addition to the forensic analysis, alternative sources of evidence were examined, such as the possibility of cloning an IM session and intercepting communications. Finally, we review the information that can be made available by the IM vendor. The results of this research provide detailed answers on the types of artefacts that can be identified for this IM application. We also compare the forensic analysis of Tango with that of two other popular IMs, WhatsApp and Viber.

V8 is the open source interpreter developed by Google to provide JavaScript (JS) functionality in Chrome and to power other software. Malicious threat actors abuse JS because most modern browsers implicitly trust script code to execute. To aid incident response and memory forensics in such scenarios, our work introduces the first generalizable account of memory forensics of the V8 JS engine and provides practitioners with a list of objects and their descriptors extracted from a memory image. These objects can be used to reveal key information about a user and their activity. We analyzed the V8 engine and its garbage collection process, and then developed and validated a Volatility plugin, V8MapScan, to reconstruct V8 objects from a memory image. The runtime of the V8 engine is housed within the V8 isolate, which contains its own heap manager and garbage collector. Within the heap of the isolate exists a root object map known as the MetaMap. Using the MetaMap and an object-fitting technique, we were able to extract objects, object maps, and object properties. The V8MapScan plugin scans process memory for the MetaMap data structure contained within the V8 isolate; using this data structure, references to objects can be found and extracted. Our findings were verified with the Heap Profiler in Chrome DevTools. Our approach recovered the majority of objects indicated by the heap profiler, with common types such as ONE_BYTE_INTERNALIZED_STR returning more than 98.9%. Lastly, we provide a case study applying our tools to the Monero cryptocurrency miner.