Forensic Analysis of Volatile Instant Messaging

Older instant messaging programs typically require some form of installation on the client machine, enabling forensic investigators to find a wealth of evidentiary artifacts. However, this paradigm is shifting as web-based instant messaging becomes more popular. Many traditional messaging clients (e.g., AOL Messenger, Yahoo! and MSN), can now be accessed using only a web browser. This presents new challenges for forensic examiners due to the volatile nature of the data and artifacts created by web-based instant messaging programs. These webbased programs do not write to registry keys or leave configuration files on the client machine. Investigators are, therefore, required to look for remnants of whole or partial conversations that may be dumped to page files and unallocated space on the hard disk. This paper examines the artifacts that can be recovered from web-based instant messaging programs and the challenges faced by forensic examiners during evidence recovery. An investigative framework for dealing with volatile instant messaging is also presented.