A Webmail Reconstructing Method from Windows XP Memory Dumps

  • Conference paper
Multimedia and Ubiquitous Engineering

Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 240)

Abstract

Retrieving the content of webmail from physical memory is a key issue for investigators because it may provide useful information. This paper proposes a method for reconstructing webmail evidence from memory dumps on the Windows XP platform. The proposed method uses the mail header format defined in RFC 2822 and the HTML frame of the specific webmail server to locate the header and body, respectively. The webmail is then reconstructed based on the matching degree between the FROM, TO (CC/BCC), DATE and SUBJECT fields of the header and the corresponding content extracted from the body. The experimental results show that this method can reconstruct webmail from memory dumps.


Acknowledgments

This work is supported by NSFC (No. 61070212 and 61003195), Zhejiang Province NSF of China (No. Y1090114 and LY12F02006), Zhejiang Province key industrial projects in the priority themes of China (2010C11050), and the science and technology search planned projects of Zhejiang Province (No. 2012C21040).

Corresponding author

Correspondence to Ming Xu.

Copyright information

© 2013 Springer Science+Business Media Dordrecht (Outside the USA)

About this paper

Cite this paper

Kong, F., Xu, M., Ren, Y., Xu, J., Zhang, H., Zheng, N. (2013). A Webmail Reconstructing Method from Windows XP Memory Dumps. In: Park, J., Ng, JY., Jeong, HY., Waluyo, B. (eds) Multimedia and Ubiquitous Engineering. Lecture Notes in Electrical Engineering, vol 240. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-6738-6_27

  • DOI: https://doi.org/10.1007/978-94-007-6738-6_27

  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-94-007-6737-9

  • Online ISBN: 978-94-007-6738-6

  • eBook Packages: Engineering, Engineering (R0)
