Abstract:
Today, webmail is deployed in many organizations for all kinds of routine and important communications. Several cyber threats, including phishing, malicious insider, and ransomware attacks, are primarily delivered through webmail. This poses challenges and limitations for forensic investigators compared to the analysis of email clients, where they have access to email files. The majority of work on email forensics and detection focuses on email client artifacts stored on a disk. To gather artifacts about email activity from webmail used in browsers, volatile memory forensics is gaining popularity. The few research works that use a memory forensics approach focus on external email threats, such as spoofed email detection, to create user activity logs and gather artifacts. Present work lacks a generic framework with new tools that can perform these tasks periodically and efficiently in terms of performance and storage. Moreover, present schemes cannot detect internal email threats, where a malicious user sends a new email containing confidential information. In this work a novel method is proposed to monitor, detect, log and gather information about new email activity using volatile memory forensics. In our research work, a framework is proposed to address the internal threat related to webmail. The proposed scheme efficiently creates user activity logs from browser parent process memory as the user creates a new email. To implement and test the framework, a Python tool was developed that performs the tasks periodically, with better efficiency than previous schemes in terms of memory dump size, file sizes, and log creation time. The framework is equally applicable to both public and private browsing. The proposed method can also be applied to create logs about spoofed email, as proposed in previous schemes. Our proposed method provides forensic investigators with a novel webmail logging tool that can be used to gather artifacts about malicious email activity from insiders.
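The abstract describes the core loop of the approach: periodically scan the browser process memory, pull out the fields of a newly composed webmail message, and write a deduplicated log record that an investigator can review later. The following Python sketch is an added illustration of that loop and is not the paper's tool. It assumes a constructed memory snapshot (a byte string built inline) in which the webmail front end keeps the draft as a small JSON-like object with "to", "subject" and "body" keys; the regular expression, the sensitive-term list and the sample drafts are all assumptions for the example, and a real deployment would need a pattern matched to the specific webmail client.

```python
"""Scan a browser process memory snapshot for webmail compose artifacts and
turn each newly seen draft into a deduplicated log record.

Assumption (not from the paper): the draft lives in memory as a JSON-like
object with "to", "subject" and "body" keys. Real webmail clients differ.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Hypothetical in-memory compose structure; the order of keys is assumed.
COMPOSE_RE = re.compile(
    rb'\{[^{}]*?"to"\s*:\s*"(?P<to>[^"]*)"[^{}]*?'
    rb'"subject"\s*:\s*"(?P<subject>[^"]*)"[^{}]*?'
    rb'"body"\s*:\s*"(?P<body>[^"]*)"[^{}]*?\}'
)

# Constructed list of terms that make a draft worth an analyst's attention.
SENSITIVE_TERMS = ("confidential", "internal only", "password")


def extract_compose_artifacts(snapshot: bytes) -> list[dict]:
    """Return every compose structure found in the raw memory bytes."""
    found = []
    for m in COMPOSE_RE.finditer(snapshot):
        found.append({k: v.decode("utf-8", "replace")
                      for k, v in m.groupdict().items()})
    return found


def artifact_id(artifact: dict) -> str:
    """Stable hash of the draft so repeated scans log the same draft once."""
    canonical = json.dumps(artifact, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_log_entries(snapshot: bytes, seen: set, captured_at=None) -> list[dict]:
    """Log only drafts not seen in earlier scans; 'seen' persists across scans."""
    captured_at = captured_at or datetime.now(timezone.utc)
    entries = []
    for art in extract_compose_artifacts(snapshot):
        aid = artifact_id(art)
        if aid in seen:
            continue
        seen.add(aid)
        text = (art["subject"] + " " + art["body"]).lower()
        entries.append({
            "time": captured_at.isoformat(),
            "id": aid,
            "to": art["to"],
            "subject": art["subject"],
            "body_len": len(art["body"]),          # size, not content, keeps logs small
            "flagged": [t for t in SENSITIVE_TERMS if t in text],
        })
    return entries


def build_sample_snapshots() -> list[bytes]:
    """Two constructed memory snapshots: the second repeats draft1 and adds draft2."""
    filler = b"\x00" * 64 + b"GET /mail/compose HTTP/1.1\r\n" + b"\xff" * 32
    draft1 = (b'{"to":"partner@example.com","subject":"Q3 numbers",'
              b'"body":"Attached are the CONFIDENTIAL forecasts"}')
    draft2 = b'{"to":"alice@example.com","subject":"lunch","body":"noon?"}'
    return [filler + draft1 + filler,
            filler + draft1 + b"\x00" * 8 + draft2 + filler]


def run_periodic_scans(snapshots: list[bytes]) -> list[dict]:
    """Simulate the periodic scanning loop over successive snapshots."""
    seen: set = set()
    log: list[dict] = []
    fixed_time = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    for snap in snapshots:
        log.extend(build_log_entries(snap, seen, fixed_time))
    return log


if __name__ == "__main__":
    for entry in run_periodic_scans(build_sample_snapshots()):
        print(json.dumps(entry))
```

Across the two snapshots the scanner emits exactly two records: the first draft is logged once even though it is present in both scans, and only the first record carries a "flagged" term. Storing a hash and the body length rather than the body itself is what keeps the per-scan log small, which is the storage concern the abstract raises.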