Abstract
Retrieving the content of webmail from physical memory is a key issue for investigators because it may provide useful information. This paper proposes a method for reconstructing webmail evidence from memory dumps on the Windows XP platform. The proposed method uses the mail header format defined in RFC 2822 and the HTML frame of the specific webmail server to locate the header and the body respectively. Webmail is then reconstructed based on the matching degree between the FROM, TO (CC/BCC), DATE and SUBJECT fields of the header and the corresponding content extracted from the body. The experimental results show that this method can reconstruct webmail from memory dumps.
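The matching step described in the abstract, as an added Python example that is not part of the paper: it carves RFC 2822-style header blocks and HTML body fragments from a constructed byte string standing in for a memory dump, then pairs each header with the body that repeats the most of its From/To/Date/Subject values. The `<div class="mail">` frame markers and the dump contents are assumptions, since the paper's specific webmail server HTML is not on this page.

```python
import re

# Constructed sample "memory dump": two header fragments and two HTML body
# fragments interleaved with unrelated bytes (a stand-in for a real XP dump).
DUMP = (
    b"\x00\x00junk\xffFrom: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Date: Mon, 01 Apr 2013 10:00:00 +0800\r\nSubject: budget\r\n\r\n\x00\x00"
    b'<div class="mail"><span>alice@example.com</span><span>bob@example.com</span>'
    b"<span>budget</span><span>Mon, 01 Apr 2013 10:00:00 +0800</span></div>"
    b"\x01\x02From: carol@example.com\r\nTo: dave@example.com\r\n"
    b"Date: Tue, 02 Apr 2013 09:30:00 +0800\r\nSubject: lunch\r\n\r\n"
    b'<div class="mail"><span>carol@example.com</span><span>dave@example.com</span>'
    b"<span>lunch</span><span>Tue, 02 Apr 2013 09:30:00 +0800</span></div>\x00"
)

FIELDS = ("From", "To", "Date", "Subject")
# A header block: two or more RFC 2822 header lines followed by an empty line.
HEADER_RE = re.compile(rb"(?:(?:From|To|Cc|Bcc|Date|Subject): [^\r\n]*\r\n){2,}\r\n")
# Assumed webmail frame marker for the body (placeholder, not from the paper).
BODY_RE = re.compile(rb'<div class="mail">(.*?)</div>', re.S)

def find_headers(dump):
    """Carve RFC 2822-style header blocks and parse their fields."""
    out = []
    for m in HEADER_RE.finditer(dump):
        fields = {"offset": m.start()}
        for line in m.group(0).decode("latin-1").split("\r\n"):
            if ": " in line:
                k, v = line.split(": ", 1)
                fields[k] = v
        out.append(fields)
    return out

def find_bodies(dump):
    """Carve HTML body fragments delimited by the assumed frame markers."""
    return [{"offset": m.start(), "html": m.group(1).decode("latin-1")}
            for m in BODY_RE.finditer(dump)]

def matching_degree(header, body):
    """Fraction of From/To/Date/Subject values that reappear in the body."""
    hits = sum(1 for f in FIELDS if f in header and header[f] in body["html"])
    return hits / len(FIELDS)

def reconstruct(dump, threshold=0.75):
    """Pair each header with its best-matching body above the threshold."""
    mails, bodies = [], find_bodies(dump)
    for h in find_headers(dump):
        best = max(bodies, key=lambda b: matching_degree(h, b), default=None)
        if best is not None and matching_degree(h, best) >= threshold:
            mails.append({"header": h, "body": best, "degree": matching_degree(h, best)})
    return mails
```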
Acknowledgments
This work is supported by NSFC (No. 61070212 and 61003195), Zhejiang Province NSF of China (No. Y1090114 and LY12F02006), Zhejiang Province key industrial projects in the priority themes of China (2010C11050), and the science and technology search planned projects of Zhejiang Province (No. 2012C21040).
Copyright information
© 2013 Springer Science+Business Media Dordrecht (Outside the USA)
Cite this paper
Kong, F., Xu, M., Ren, Y., Xu, J., Zhang, H., Zheng, N. (2013). A Webmail Reconstructing Method from Windows XP Memory Dumps. In: Park, J., Ng, JY., Jeong, HY., Waluyo, B. (eds) Multimedia and Ubiquitous Engineering. Lecture Notes in Electrical Engineering, vol 240. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-6738-6_27
DOI: https://doi.org/10.1007/978-94-007-6738-6_27
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-007-6737-9
Online ISBN: 978-94-007-6738-6