
Memory-oriented Web Mail Forensic Research And System Development

Posted on: 2014-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: F Kong
GTID: 2256330398458312
Subject: Computer software and theory

Abstract/Summary:
Computers and networks have been integrated into all aspects of social and personal life and have greatly improved productivity and quality of life. However, crimes involving computers and networks are increasingly rampant. Computer forensics has become an important means of combating these crimes and a focus of both computer science and legislative institutions. This paper studies webmail forensic technology and develops a forensic system, WinWebMail.

First, a webmail forensic method is proposed. After a memory snapshot is obtained with a virtual machine, the method uses string search to locate webmail headers and judge their completeness, and uses characteristics of the HTML frame to locate webmail bodies and judge their completeness. An algorithm for matching webmail headers and bodies is introduced, based on the date, email address and subject in the header and the corresponding content of the body. This method can recover webmail from memory dumps and does not depend on knowledge of the operating system kernel, processes or memory. Experiments on Windows XP show positive results and the feasibility of the method.

Second, we developed a system called WinWebMail. Four modules are designed: a memory dump acquisition module, a preprocessing module, a recovery and analysis module, and a result display module. The memory dump acquisition module uses a kernel-space driver to get the data; the preprocessing module uses the zlib library to decompress gzip data; the recovery and analysis module implements the algorithms and saves results to a database; the result display module shows results to users. WinWebMail can recover webmail from memory dumps with high precision and shows the user the recovered headers, bodies and their matching degree.

In conclusion, this paper proposes a method for recovering webmail from memory, and designs and develops a webmail forensic system based on memory forensic technology.
Keywords/Search Tags: Computer forensic, Webmail forensic, Memory dump, Memory forensic
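
The three stages the abstract names (zlib preprocessing of gzip data, string search for header fields, header-to-body matching) can be illustrated with the following added Python example, which is not code from the thesis or from WinWebMail. The `From:`/`Date:`/`Subject:` field syntax, the `<html` body test, the equal-weight score and all function names are assumptions, and the dump is constructed sample data.

```python
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip member header, deflate method
FIELD = re.compile(rb"(From|Date|Subject):[ \t]*([^\r\n]+)")

def carve_gzip(dump: bytes):
    """Yield (offset, plaintext) for each complete gzip member in a raw dump."""
    pos = dump.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)      # 31 = parse gzip header and trailer
        try:
            data = d.decompress(dump[pos:])
            if d.eof and data:                # eof is set only after a valid trailer
                yield pos, data
        except zlib.error:
            pass                              # stray magic bytes or a damaged stream
        pos = dump.find(GZIP_MAGIC, pos + 1)

def find_header(dump: bytes):
    """String search for header fields; complete only if all three are present."""
    fields = {m.group(1).decode(): m.group(2).decode("utf-8", "replace")
              for m in FIELD.finditer(dump)}
    return fields if len(fields) == 3 else None

def match_degree(header: dict, body: bytes) -> float:
    """Simplified score (assumed): share of header values that reappear in the body."""
    text = body.decode("utf-8", "replace")
    return sum(value in text for value in header.values()) / len(header)

def recover(dump: bytes):
    """Return the header and (offset, score) per carved HTML body, best first."""
    header = find_header(dump)
    scored = [(off, match_degree(header, body)) for off, body in carve_gzip(dump)
              if header and b"<html" in body.lower()]
    return header, sorted(scored, key=lambda item: -item[1])

def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory image (not real case data)."""
    header = (b"From: alice@example.com\r\nDate: Mon, 01 Jul 2013 10:00:00 +0800\r\n"
              b"Subject: Quarterly report\r\n")
    body = (b"<html><body><p>alice@example.com</p><p>Quarterly report</p>"
            b"<p>Mon, 01 Jul 2013 10:00:00 +0800</p></body></html>")
    decoy = b"<html><body><p>bob@example.com</p><p>Lunch</p></body></html>"
    return (b"\x00" * 64 + header + GZIP_MAGIC + b"\xff" + gzip.compress(decoy, mtime=0)
            + b"\xff" * 32 + gzip.compress(body, mtime=0) + b"\x00" * 16)

if __name__ == "__main__":
    print(recover(build_sample_dump()))
```

The stray magic bytes placed before the decoy show why each carve is accepted only after the gzip trailer validates: a raw memory image contains many false signature hits and streams cut off at page boundaries.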