Embed Size (px)
Citation preview
Journal of Digital Forensics, Journal of Digital Forensics,
Security and Law Security and Law
Volume 10 Number 4 Article 6
2015
Forensic Acquisition of IMVU: A Case Study Forensic Acquisition of IMVU: A Case Study
Robert van Voorst National Police of the Netherlands
M-Tahar Kechadi University College Dublin
Nhien-An Le-Khac University College Dublin
Follow this and additional works at: https://commons.erau.edu/jdfsl
Part of the Computer Engineering Commons, Computer Law Commons, Electrical and Computer
Engineering Commons, Forensic Science and Technology Commons, and the Information Security
Commons
Recommended Citation Recommended Citation van Voorst, Robert; Kechadi, M-Tahar; and Le-Khac, Nhien-An (2015) "Forensic Acquisition of IMVU: A Case Study," Journal of Digital Forensics, Security and Law: Vol. 10 : No. 4 , Article 6. DOI: https://doi.org/10.15394/jdfsl.2015.1212 Available at: https://commons.erau.edu/jdfsl/vol10/iss4/6
This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].
(c)ADFSL
Forensic Acquisition of IMVU: A Case Study JDFSL V10N4
© 2015 ADFSL Page 69
FORENSIC ACQUISITION OF IMVU: A CASESTUDYRobert van Voorst
National Police of the NetherlandsRotterdam, Netherlands
M-Tahar Kechadi, Nhien-An Le-KhacUniversity College Dublin
Dublin 4, Ireland{tahar.kechadi,an.lekhac}@ucd.ie
ABSTRACTThere are many applications available for personal computers and mobile devices that facilitateusers in meeting potential partners. There is, however, a risk associated with the level ofanonymity on using instant message applications, because there exists the potential for predatorsto attract and lure vulnerable users. Today Instant Messaging within a Virtual Universe (IMVU)combines custom avatars, chat or instant message (IM), community, content creation, commerce,and anonymity. IMVU is also being exploited by criminals to commit a wide variety of offenses.However, there are very few researches on digital forensic acquisition of IMVU applications. Inthis paper, we discuss first of all on challenges of IMVU forensics. We present a forensicacquisition of an IMVU 3D application as a case study. We also describe and analyse ourexperiments with this application.Keywords: Instant messaging, forensic acquisition, Virtual Universe 3D, forensic process, forensiccase study
INTRODUCTIONInstant messaging (IM) is one of the mostpopular digital communication technologiesand is widely used today. In fact, IM belongsto the category of Internet basedcommunication services. Traditionally the IMwas designed to transfer text messages only,but now it has been enhanced with additionalfeatures such as voice/video message, filetransfer, etc. Moreover, IM can be accessiblethrough cell phones or other mobile devices, aswell as on a computer. It is estimated thatthere are several millions of IM users who useIM for various purposes. There are numerous
IM applications available for download today[1]. Besides, IM applications (apps) also allowusers to create a detailed personal profileincluding name, email address, age, homeaddress, phone number, school and hobbies. Ifusers do not verify carefully during the sign-upprocess, they could reveal more informationthan they should. Easy accessible profiles canallow anyone to contact IM users. Indeed,some IM apps offer users the option of joiningin chat with strangers. As a consequence, usingof IM apps can encourage gossiping andbullying. Children could receive pornographic"spam" through IM apps or become victim ofSexual grooming of children [2]. In the recent
JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study
Page 70 © 2015 ADFSL
years, police investigators have noticed thatIM apps have been directly or indirectlyinvolved in criminal activities. Due to theirpopularity, IM apps have the potential ofbeing a rich source of evidential value in allkinds of criminal investigations. Indeed,Europol has identified the threat of misusedIM communications by criminals to facilitatetheir illegal activities due to the fact that it isharder to monitor or to regulate these services[3].
On the other hand, a virtual universe is acomputer-based simulated environment. In a3D virtual universe, the users can take theform of 3D avatars (virtual character) visibleto others. Today, Instant Messaging within aVirtual Universe (IMVU) combines customavatars, chat/IM, community, contentcreation, commerce, and anonymity [4]. IMVUcontains its own economy with a currencysystem based on IMVU "credits" and"promotional credits". IMVU members use thecredits to purchase virtual items like fashionpieces (hair, clothes, skins, and accessories),pets, and 3D scenes such as homes, clubs andopen landscapes. Except ‘VIP users’, everyonehas “Guest_” in front of his/her avatar name.It is also possible to buy an ‘Access Pass’. TheAccess Pass is available for those 18 years oldand older. It grants access to more risquéclothing and slightly more intimate furnitureand poses. It also allows chatting to adultsonly. IMVU was also mentioned as a commonVirtual World addressing ‘Crime and Policingin Virtual Worlds’ (2010) by Marc Goodman[5]. He concludes that criminals can exploitthis new technology to commit a wide varietyof offenses. Almost any types of crime in thereal world can also be found in virtual spacesfrom child abuse to terrorist attacks. Besides,the presence of child pornography in chat hasalso been denounced in 3D social networks likeIMVU. Indeed, the emerging of 3D social
networks is rapidly tainted with childpornography as stated in [6].
In fact, there are many tools available forcollecting artefacts, some of them specific forchat/IM such as Paraben chat examiner [7] orBelkasoft Evidence Centre 2015 [8]. However,at the time of writing this paper, none of themsupports the investigation of IMVU apps.Despite that IMVU exists a while, has millionsof users worldwide and it is associated withchild abuse (material), to the best of ourknowledge there is no technique or softwaretool for forensic acquisition and analysis ofIMVU artefacts. Therefore, the objective ofthis paper is to investigate whether it ispossible to forensically acquire and analyseartefacts on a computer after the installationand use of the IMVU application. The rest ofthis paper is structured as follows: Section 2shows the background of this researchincluding related work in this domain. Wepresent IMVU apps and forensic process inSection 3. We describe our case study inSection 4 and discuss on experiment results inSection 5 and 6. We conclude and discuss onfuture work in Section 7.
RELATED WORKIn fact, we have tried to find in literatureabout this specific subject, but to the best ofour knowledge, there is no published researchregarding forensic artefacts of IMVU. Hence,we present some literature survey on theforensic acquisition and analysis of IMapplications in general. A more traditionalinvestigation method of IM has been describedin [9]. Kiley et al [10] conducted some researchon IM forensic artefacts and they also pointedout that IM is being exploited by criminals dueto its popularity and privacy features. One ofthe conclusions from this work is that forensicevidence is recoverable after these programshave been used, but investigators must know
Forensic Acquisition of IMVU: A Case Study JDFSL V10N4
© 2015 ADFSL Page 71
certain elements of the conversations in orderto perform string searches.
Lun [11] describes the popularity of IMsand the challenges by extracting informationfrom these IMs by Law Enforcement. Hisfinding indicated that the forensic tool wasable to aid the forensic examiner to extractdigital evidence from instant messenger, but itwas not comprehensive enough at that forensicexaminers could not rely on one tool during aninvestigation.
Dickson [12] describes the examination ofAOL Instant Messenger (AIM) 5.5. Thisresearch focuses on the contact information(identification) and the ability to trace backfrom a known suspect’s computer system toidentify contact with his alleged victims. Thisis specifically interesting when an allegation ofgrooming is made. According to the author,one of the first things an examiner should do isto determine the suspect’s computer systemthat was used to contact the informant’saccount in the first place.
Husain et al. [13] describe the ForensicAnalysis of Instant Messaging on SmartPhones. Their results have shown that varioususeful artefacts, related to IMs, can berecovered, including username, password,buddy list, last log-in time, and conversationtimestamp as well as conversation details.
In [14], authors observed that the relevantresearch on the topic of evidence collectionfrom IM services was limited. Authorspresented the forensic acquisition and analysisof WhatsApp, Viber, Skype and Tango IMsand VoIPs for both iOS and Android platformsand authors tried to answer on how evidencecan be collected when IM communications areused. This work provides useful informationthat assists us in developing our case study inthis paper. More precisely the authors haveprovided a very useful taxonomy of targetartefacts.
IMVU AND FORENSICPROCESS
In this section, we describe our forensic processfor investigating IMVU apps for Windows. Theobjective of this paper is to forensicallyexamine significant artefacts present on acomputer after the installation and use of theIMVU app. Therefore, the approach chosen isempirical or experimental research anddifferential forensic analysis. While there is noavailable technique or software tool to evaluateand there is very little known about IMVUartefacts, our approach includes the collectionof data during experiments and try to discoversignificant forensic artefacts by observing andanalysing the data. In fact, with an IMVUapp, apart from the typical conversation logshowing on screen, and possible (log) filessaved on the logical drive, evidence ofconversation could also be found in page filesand unallocated hard disk space, the windowsregistry or volatile data in the internal memory(RAM). There are two main steps in ourforensic process: data collection and dataanalysis.
IMVU data collection: in this phase data iscollected during the running time of an IMVUapp. The contents of the IMVU applicationand data directory, unallocated disk space, theWindows registry, volatile data from theinternal memory and network traffic areacquired. We attempt moreover to infer thebehaviour of the IMVU application throughthe reverse engineering process. The objectiveis to trace user activities, like the history ofperformed activities such as instant messagessent or received (chat logs), date and timestamp of the communication, sender, receiverand password. All experiments were carriedout several times to ensure that results arerepeatable.
IMVU data analysis: This phase givesmeaning to the data that have been collected
JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study
Page 72 © 2015 ADFSL
so that the research question can be answered.Differential forensic analysis [15] is carried outby comparing the collected data (snapshot)before and after the experiments with IMVUto observe the differences between them suchas report the files that have been added,deleted, renamed, and altered, the differencebetween Windows registry hive files. Theobjective of the analysis is to understand thechanges and to determine if it contains anyrelevant information or not. A taxonomy oftarget artefacts is defined in order to guide andstructure subsequent forensic analysis. Thetaxonomy used in our analysis is described in[14].
IMVU FORENSICS: ACASE STUDY
In our case study, we used computers withnetwork access (using a static IP address). Thetesting was conducted using Windows 7Enterprise, SP1. Besides, the monitoring toolSysTracer was installed onto the system torecord file activity and changes made to the
Windows registry. Another computer wassetup as a man-in-the-middle proxy usingMITMproxy, running on the Ubuntu 14.04.1LTS, this computer is used to monitor andintercept network traffic as shown in Figure 1.Next, an IMVU client program, version 514.0,was installed. In order to use IMVU, firstly auser has to create an account. For this casestudy, we create three IMVU accounts(InspectorAlgar, LadyElizabethSmall andmissycanaryyellow). We conduct differentconversations to create test data. Theconversations were in public rooms but alsolimited by two participants. We createdmoreover an AutoIt [16] script that simulatedan IMVU user. On beforehand a text file wascreated containing the conversation text of oneof the discussion partners. A chat message wassend to the IMVU application within a fixed(pre-adjustable) interval. By starting twoscripts on different machines in appropriatetime, we can simulate a chat conversation. Thechat messages contained the chat text and aUNIX timestamp. An example from the chatmessages is shown in Figure 2.
Figure 1. MITM proxy setup
Forensic Acquisition of IMVU: A Case Study JDFSL V10N4
© 2015 ADFSL Page 73
Figure 2. Chat script usage example
IMVU: FILE SYSTEMFORENSICS
In this section, we describe our forensicacquisition results of IMVU file systemsincluding application file, log files, profile dataand location data.
Application FilesIMVU application files are stored in:C:\Users\%USERNAME%\AppData\Roaming\IMVUClient\ folder. This path is fixed duringthe installation. During the installation ashortcut to IMVUQualityAgent.exe is addedinto the Windows Start-up folder as well onthe user's desktop. We also found that IMVUuses Mozilla's Gecko rendering engine and theXML User Interface Language (XUL) forbuilding its user interface [17].
Besides, a configuration file imvu.cfg isadded into the user Flash Player Trust folder:C:\Users\%USERNAME%\AppData\Roaming\Macromedia\FlashPlayer\#Security\FlashPlayerTrust\. Configuration files inside this
FlashPlayerTrust folder normally contain a listof directory paths. We also observe thatapplication shortcuts are added to IMVUfolder: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\IMVU\. We found moreoverthe IMVU application is written in Python andthe compiled script files are stored inlibrary.zip: C:\Users\%USERNAME%\AppData\Roaming\IMVUClient\library.zip. We also decompiled these filesusing Easy Python Decompiler and to explorethe IMVU application through reverseengineering.
Log FilesIMVU log files are stored in C:\Users\%USERNAME%\AppData\Roaming\IMVU\folder including cpp.log,IMVUQualityAgent.log, IMVULog.log, etc.The cpp.log contains information related touser interface and this file is created every timethe application starts. TheIMVUQualityAgent.log file is also created
JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study
Page 74 © 2015 ADFSL
every time the application starts. It contains‘application validation’ information and localtime stamp. Regarding to IMVULog.log file,from the digital forensics examination point ofview, this file contains the most valuableinformation. In fact, this log file is generatedby a round-robin process based on session andfile size. A new log file is created every timethe application starts. When the size of the logfile is greater than 2MB (2097152 bytes), thisprocess successively creates new files with thesame pathname as the first file, but withdifferent extensions started with ".1", ".2" andso on. If it is greater than “.5”, the extensionrestarts from “.1”, older files will be deleted.Each record in IMVULog.log file contains thefollowing attributes (Figure 3):
1. The number of seconds sincestart of application: Floatingpoint decimal value. The length is 6characters minimum including thedot and 3 decimals (millisecondsrounded). If the length is less than6, a leading 0 is added.
2. The thread id: String value,minimum length 5 characters,padded by spaces if necessary.
3. File name of the source filewhere the logging call wasissued: String value, minimumlength 30 characters, padded byspaces if necessary
4. Source line number where thelogging call was issued: Signedinteger decimal value, minimumlength 4 digits, padded by spaces ifnecessary.
5. The logging level for themessage: String value, minimumlength 7 characters, padded byspaces if necessary. Possible valuesare
'DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL'.
6. The log message: String value.
Moreover, we notice that the maximumlength of an entire log record (attributes 1-6) is512 characters. If the length exceeds 512characters, it is truncated to the first 509characters and three dots (‘…’) are added tothe end of the record. Besides, if the length ofthe log message (attribute 6) is greater than adefined length this log message is truncatedand three dots are also added to the end. Wehave also observed that the log messageregarding to logging level ‘ERROR’, and‘INFO’ consists of multiple lines, while otherlog messages only contain a single line.
When analysing the log files, we noticedthat the IMVULog file also stores informationrelated to text communications. To analyse anIMVU chat, it is necessary to understand thefollowing important aspects of a chatconversation: (i) Who says what to whom; (ii)In which chat session the conversation takesplace, note that an user can be present inmultiple rooms (chat sessions) at the ‘same’time; (iii) Timestamp of the messages.
The text of a single message appears morethan once in different log records. Besides, in achat room, it is possible to have a privateconversation with just a single person in thatroom (at least one of users is a VIP). Whisperis a special feature available exclusively forVIPs. A VIP member can whisper to anyoneand vice-versa, anyone can whisper to a VIP.Two non-VIP users however cannot use thisfeature to chat with each other. Moreover, thelog message contains a list of several elements.The first element is the member id (‘userId’),the second one is a chat id (‘chatId’) and thelast one contains dictionary data with keys andvalues. The value ‘0’ of the key ‘to’ indicatesthat the message was sent to the participant(s)of a room. There are one or more participants
Forensic Acquisition of IMVU: A Case Study JDFSL V10N4
© 2015 ADFSL Page 75
in a room. The value of the key ‘message’contains the actual chat message. We also notethat the value sometimes contains an asteriskfollowed by a chat command. Besides, if themessage exceeds the maximum length, asmentioned previously, it is truncated and threedots are added to the end.
The value of the key ‘userId’ contains themember id of the sender of the text message.The value of the key ‘chatId’ contains a uniqueid for each chat session. Concurrent chatsessions in different rooms therefore havedifferent IDs. This log record does not containa timestamp. To determine the date and timeof the message for these log records, there aretwo possibilities:
1. Calculate the approximatetimestamp using the number ofseconds since the start of theapplication. This number is listedat the beginning of the log record.
2. Combine it with the log recordsderived from the fileSessionDispatcher.pyo.
User profile dataThe IMVULog file only contains user profiledata when the status is ‘Running’ (i.e. theapplication is running and the user is loggedin). The following information can be retrievedfrom the user profile data: the user’savatarname associated with the IMVUaccount, eight (8) asterisks of the user’spassword. Note that the real user password isalways replaced by eight asterisks. It isindependent on the actual length of thepassword. Indeed, the most comprehensiveinformation can be retrieved from the multi-line log message started with self.userInfo_and followed by multiple lines of dictionary(pairs of <key, value>) data.
The above information is based on the dataentered by the user (Account Settings) and
data allocated by IMVU. Besides, objects inIMVU are identified by a unique id such as, forexample, Member ID, Room(Instance) ID,Session ID, Product ID or Chat ID.
User authentication dataBy investigating the Windows registry, wefound that IMVU authenticate users by usingusername and password. The password isstored in the registry if the option ‘SavePassword’ is selected. Indeed, the relevantpassword can be retrieved from the registrywhere it is stored as a hexadecimal Unicodecharacter notation. The user’s avatar nameassociated with the IMVU account is alsopresent in the IMVULog file. The IMVULogfile also contains information about contactssuch as ‘Friends”, “Buddies” or “Fans”. Besides,we also found that the buddystate.pyo scriptimplements the logging process.
Location dataThere is limited information on location in theuser profile data as has been described inSection 5.3, where the ‘country’ key referrersto the geo-location of the IP address used and‘country_code’ refers to the location specifiedby the user in the profile settings. In theIMVULog file the client and server IPaddresses are listed. When the system isdirectly connected to the Internet and receivesan external Wide Area Network (WAN) publicIP address, this IP address is listed in the logfile.
IMVU INTERNALMEMORY FORENSICS
In this test, authors have explored the Pythonsource code to understand how log records arebuffered in memory. Whenever a record isadded into the buffer, a check is made to seewhether the buffer should be flushed to file ornot. In fact, the buffer is periodically flushedwhenever the buffer is full, or when an event of
JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study
Page 76 © 2015 ADFSL
a certain severity happened. After making amemory dump of a running system, authorswere able to retrieve log record data aspreviously described above. Besides, because arecord consists of isolated fragments, it isdifficult to link the messages to a date andtime, a chat ID or the participants. IMVU alsocreates a SQLite database in memory. Authorswere able to modify the source code and savethis database to hard disk. The databaseconsists of only a single table and containsinformation about the HTTP cached files.IMVU (log) files are nonvolatile and normallyavailable for investigation.
Authors were also able to retrieve theIMVU password in clear text from memory,even when the option ‘Save Password’ not wasused and therefore the password not could beretrieved from the registry.
CONCLUSIONIn this paper, we present a forensic acquisitionprocess of IMVU apps for Windows. IM is oneof the most popular digital communicationtechnologies and widely used, but also being
exploited by criminals due to its popularityand privacy features. So it is important thatwe are able to collect artefacts of IM apps.While most IM apps use a well-knownformatted history file (also known as IM log orchat log) and there are tools available fordigital evidence collection, this is not the casewith IMVU. IMVU has a set of fixed numberlog files that contain not only chat messages,but also identifiable data. IMVU app alsodeletes old log files when the number of logfiles reaches a limit number. Forensic artefactscan also be found in user profile data,authenticated data and location data. Indeed,we can also retrieve IMVU artifact from theinternal memory by explore its SQLitedatabases.
We are working on the acquisition andanalysis more forensic artefacts of an IMVUapp such as registry information, networktraffic data and unallocated disk space. In thecase of analysing large amount of forensicsdata, we also look at using data mining andknowledge map techniques [18][19].
Figure 3. Partial IMVU.log file
Forensic Acquisition of IMVU: A Case Study JDFSL V10N4
© 2015 ADFSL Page 77
REFERENCESWikimedia Foundation, Inc. (2014)
Comparison of instant messaging clients.Retrieved on December 17 fromhttp://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients
Wikimedia Foundation, Inc., (2013) Childgrooming. Retrieved on December 3 fromhttp://simple.wikipedia.org/wiki/Child_grooming
Europol (2013) Threat Assessment - ItalianOrganised Crime. Retrieved on January 19fromhttps://www.europol.europa.eu/sites/default/files/publications/italian_organised_crime_threat_assessment_0.pdf
IMVU (2014) About IMVU. Retrieved onDecember 17 fromhttp://nl.imvu.com/about/
M. Goodman (2014) Crime and Policing inVirtual Worlds, Retrieved on December 17from http://f3magazine.unicri.it/? p=360
M. Garcia-Ruiz et al. (2011) An Overview ofChild Abuses in 3D Social Networks andOnline Video Games. Investigating CyberLaw and Cyber Ethics, Issues, Impacts andPractices, Hershey, Information ScienceReference (IGI Global), p. 321
Paraben Corporation (2014) Paraben ChatExaminer. Retrieved on December 18 from:https://www.paraben.com/chat-examiner.html.
Belkasoft (2014): http://belkasoft.com/National Institute of Justice (2007)
Investigations Involving the Internet,Retrieved fromhttps://www.ncjrs.gov/pdffiles1/nij/
M. Kiley, S. Dankner and M. Rogers (2008)Forensic Analysis of Volatile InstantMessaging Advances in digital forensics IV,New York, Springer, 2008
B. Lun (2012) Forensic Investigation forInstant Messenger, School of Computingand Mathematical Sciences, Auckland, NewZealand, 2012
M. Dickson (2006), “An examination into AOLInstant Messenger 5.5 contactidentification,” Elsevier Ltd., 2006
M. I. Husain and R. Sridhar (2009) iForensics:Forensic Analysis of Instant Messaging onSmart Phones Digital Forensics and CyberCrime, Albany, NY, USA, Springer, p. 182
C. Sgaras, M.-T. Kechadi and N.-A. Le-Khac(2014) Forensics Acquisition and Analysisof instant messaging and VoIP applicationsSpringer Verlag LNCS 3850, 2011
S. Garfinkel, A. J. Nelson and J. Young (2012)A general strategy for differential forensicanalysis Elsevier Ltd.
AutoIt Consulting Ltd (2014) AutoIt,Retrieved on December 20 fromhttps://www.autoitscript.com/site/autoit/
Mozilla Developer Network, (2015) “Retrievedon February 5 fromhttps://developer.mozilla.org/en-US/
L. M. Aouad, N-A. Le-Khac and M-T.Kechadi, "Lightweight ClusteringTechnique for Distributed Data MiningApplications", Springer LNAI 4597, 2007,
N-A. Le-Khac, L. M. Aouad and M-T. Kechadi"A new approach for Distributed DensityBased Clustering on Grid platform",Springer LNCS 4587, 2007.
JDFSL V10N4 Forensic Acquisition of IMVU: A Case Study
Page 78 © 2015 ADFSL
