Information Retrieval From Internet Applications For Digital Forensic

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, refer to the original arXiv paper.

Advanced internet technologies providing services like e-mail, social networking, online banking, online shopping, etc., have made day-to-day activities simple and convenient. Increasing dependency on the internet, convenience, and the decreasing cost of electronic devices have resulted in frequent use of online services. However, increased indulgence over the internet has also accelerated the pace of digital crimes. The increase in the number and complexity of digital crimes has caught the attention of forensic investigators. Digital investigators are faced with the challenge of gathering accurate digital evidence from as many sources as possible. In this paper, an attempt was made to recover digital evidence from a system’s RAM in the form of information about the most recent browsing session of the user. Four different applications were chosen and the experiment was conducted across two browsers. It was found that crucial information about the target user, such as user names and passwords, was recoverable.


💡 Research Summary

The paper investigates the feasibility of extracting forensic evidence directly from a computer’s volatile memory (RAM) during an active web‑browsing session. Recognizing that modern Internet services—email, social networking, online banking, and e‑commerce—are increasingly targeted by cyber‑criminals, the authors focus on the investigator’s need to capture the most current and sensitive data before it disappears.

A controlled laboratory environment was built on Windows 10 with two widely used browsers, Google Chrome and Mozilla Firefox. Four representative online applications were selected: a generic web‑mail service, a social media platform, an online banking portal, and an e‑commerce site. For each combination of browser and application, the researchers performed a full login, interacted with the site (e.g., sending an email, posting a status, initiating a transaction, adding items to a cart), and then captured a full physical memory image at several time points (immediately after login, 30 seconds, 2 minutes, and 5 minutes later). Memory acquisition tools such as FTK Imager and DumpIt were employed to ensure a faithful dump without altering the memory contents.

The analysis pipeline combined open‑source frameworks (Volatility, Rekall) with custom scripts. The authors first identified the browser processes, then examined their private memory pools, searching for plaintext strings, regular‑expression patterns matching usernames, passwords, session tokens, cookies, URLs, and form fields. They also leveraged knowledge of each browser’s internal data structures (Chrome’s cache and “Login Data” SQLite blobs, Firefox’s “nsCookieService” and “key4.db”) to locate encrypted or obfuscated values.

Key findings include:

  • Credentials in plaintext – Both Chrome and Firefox stored the entered username and password in RAM for several seconds after submission. Chrome typically exposed these values within 3–5 seconds, while Firefox showed a slightly longer window (5–8 seconds) and occasionally stored passwords in an encrypted form linked to the OS keyring.
  • Session tokens and cookies – Banking sites left authentication tokens (e.g., session IDs, CSRF tokens) in clear text, enabling a potential replay attack if the memory image were obtained. Social media platforms stored OAuth bearer tokens that could be used to call the API on the user’s behalf.
  • Form data and search queries – E‑commerce interactions left search terms, product IDs, and cart contents as readable strings, providing a detailed picture of the user’s intent.
  • Browser‑specific behavior – Chrome’s memory management retained strings longer, whereas Firefox’s aggressive memory pool reuse caused some data to be overwritten after a few minutes. This difference influences the optimal acquisition timing for each browser.
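As an added example (not the paper's own scripts) of the string-carving step in the analysis pipeline and of the artifact classes in the findings above: a Python carver that scans a constructed memory region for posted form credentials, session cookies and bearer tokens in both ASCII and UTF-16LE, records the offset of each hit, and masks the values for reporting. The regular expressions, field names and the sample image are assumptions for illustration, not values taken from the study.

```python
import re
from dataclasses import dataclass

# Illustrative patterns for the artifact classes the summary lists (posted form
# credentials, session cookies, OAuth bearer tokens); assumptions, not the paper's.
PATTERNS = {
    "form_credential": re.compile(
        rb"(?:username|login|email)=([^&\s\x00]{1,64})&(?:password|passwd|pwd)=([^&\s\x00]{1,64})"),
    "session_cookie": re.compile(rb"(?:sessionid|PHPSESSID|JSESSIONID|csrftoken)=([A-Za-z0-9_\-]{8,128})"),
    "bearer_token": re.compile(rb"Authorization: Bearer ([A-Za-z0-9._\-]{16,512})"),
}

@dataclass
class Finding:
    kind: str       # artifact class that matched
    offset: int     # byte offset in the original image
    encoding: str   # "ascii" or "utf-16le" (Windows browsers keep many strings wide)
    values: tuple   # captured groups, decoded

def _groups(m):
    return tuple(g.decode("ascii", "replace") for g in m.groups())

def carve(image: bytes) -> list:
    """Carve credential-like strings from a raw memory image in both byte widths."""
    found = []
    for kind, pat in PATTERNS.items():
        found += [Finding(kind, m.start(), "ascii", _groups(m)) for m in pat.finditer(image)]
        # UTF-16LE: take every other byte (both alignments) as a narrow view, then
        # confirm the interleaved bytes in the raw image really are NULs.
        for parity in (0, 1):
            for m in pat.finditer(image[parity::2]):
                off, n = parity + 2 * m.start(), len(m.group(0))
                if image[off + 1:off + 2 * n:2] == b"\x00" * n:
                    found.append(Finding(kind, off, "utf-16le", _groups(m)))
    return sorted(found, key=lambda f: f.offset)

def redact(value: str) -> str:
    """Mask a recovered secret for the report: keep two characters at each end."""
    return value if len(value) <= 6 else value[:2] + "*" * (len(value) - 4) + value[-2:]

def sample_image() -> bytes:
    """Constructed stand-in for a browser process memory region (not a real dump)."""
    filler = bytes(range(256)) * 4
    wide = "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2Vzc2lvbi1leGFtcGxl".encode("utf-16-le")
    return (filler + b"username=alice%40example.com&password=Tr0ub4dor&remember=1"
            + filler + wide + filler + b"Cookie: sessionid=9f8e7d6c5b4a39281706" + filler)

if __name__ == "__main__":
    for f in carve(sample_image()):
        print(f"{f.offset:#010x} {f.encoding:8} {f.kind:16}", [redact(v) for v in f.values])
```

Recording offsets lets an analyst compare hits across the time-series images the study captured, which matters given the summary's observation that Firefox's pool reuse overwrites such strings within minutes.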

The authors argue that RAM analysis can yield evidence that is unavailable or heavily sanitized in persistent storage (e.g., deleted browser history, cleared caches). However, they also stress the volatile nature of RAM: a system reboot, sleep, or even normal memory pressure can erase the data. Consequently, forensic responders must prioritize rapid acquisition and use tools that minimize their own footprint on the target system.

Limitations of the study include its focus on a single operating system and only two browsers; mobile platforms, virtualized environments, and newer browsers (e.g., Edge, Safari) were not examined. Additionally, the presence of hardware‑based memory encryption (e.g., Intel SGX, Windows Credential Guard) could render the techniques ineffective.

Future work suggested by the authors involves:

  1. Extending the methodology to Android and iOS devices, where application sandboxing and different memory layouts pose new challenges.
  2. Developing automated pipelines that combine string extraction, pattern matching, and machine‑learning classifiers to flag high‑value artifacts with minimal analyst intervention.
  3. Investigating counter‑forensic measures (memory wiping, encryption, anti‑analysis hooks) and proposing mitigations for both investigators and software developers.

In conclusion, the paper demonstrates that forensic investigators can reliably recover sensitive user information—usernames, passwords, session tokens, and activity logs—from RAM during an active browsing session. This capability broadens the scope of digital evidence collection, offering a powerful complement to traditional disk‑based analysis and underscoring the need for timely, memory‑centric response strategies in modern cyber‑investigations.

