DOI: 10.1007/978-3-031-17510-7_5

A Forensic Framework for Webmail Threat Detection Using Log Analysis

Published: 25 November 2021

Abstract

Today, webmail is being used in a number of organizations for all kinds of important communications as they move to cloud-based services. Several cyber threats, involving phishing, malicious insiders, unauthorized access to data and ransomware attacks, are primarily carried out through webmail. This poses challenges and limitations for forensic investigators in incident investigations involving emails, because the actual email evidence is stored at the cloud service provider. The majority of work on email forensics and detection operates on email information stored by email clients on the desktop's physical disk. In order to gather artifacts from webmail used in browsers, volatile memory forensics is gaining popularity. However, the few recent works utilizing memory forensics are focused on detecting email spoofing attempts from outside, by taking memory dumps of emails the user received from outside. This leaves the opportunity for malicious insiders to covertly send confidential data through webmail and remain undetected. In this work a novel framework is proposed, which models the malicious insider scenario and creates activity logs using volatile memory forensics. To implement and test the framework, a small tool was created using Python. The framework is equally applicable to both public and private browsing. Our proposed method counters the limitation in previous schemes by analyzing new email messages more efficiently using the browser's parent process ID. Our proposed method provides forensic investigators with a novel webmail tool that can be used to detect malicious email activity generated from within the organisation.
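The abstract describes three moving parts: locating the browser's processes through the parent process ID, pulling webmail artifacts out of their volatile memory, and writing an activity log that records only messages not seen in earlier scans. The script below is an added illustration of that pipeline and is not the paper's tool. Everything in it is constructed so it runs offline: the process table, the per-process "memory images", the `WEBMAIL_COMPOSE{...}` artifact format (real webmail pages leave provider-specific structures in renderer memory, which this stands in for), and the function and class names (`browser_process_ids`, `extract_compose_artifacts`, `WebmailActivityLogger`). A real deployment would replace the constructed images with process memory captured from the live host.

```python
"""Added example (not the paper's code): a minimal model of webmail
activity logging driven by browser parent-process-ID discovery.
Process table, memory images and artifact format are all constructed."""

import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed process table: (pid, ppid, name).  The browser has one
# parent process and two child (renderer) processes; notepad is noise.
PROCESS_TABLE = [
    (4, 0, "System"),
    (812, 4, "explorer.exe"),
    (2300, 812, "chrome.exe"),    # browser parent process
    (2344, 2300, "chrome.exe"),   # renderer child
    (2360, 2300, "chrome.exe"),   # renderer child
    (2410, 812, "notepad.exe"),   # unrelated process
]

# Constructed memory images keyed by pid.  The WEBMAIL_COMPOSE{...}
# marker is an assumed stand-in for provider-specific compose-form data.
MEMORY_IMAGES = {
    2344: (b"\x00junk\x00WEBMAIL_COMPOSE{\"to\":\"partner@example.net\","
           b"\"subject\":\"Q3 pricing sheet\",\"attachment\":\"pricing.xlsx\"}\x00"),
    2360: b"noise WEBMAIL_COMPOSE{\"to\":\"me@example.com\",\"subject\":\"lunch\"} noise",
    2410: b"nothing relevant here",
}

ARTIFACT_RE = re.compile(rb"WEBMAIL_COMPOSE(\{.*?\})")


def browser_process_ids(table, browser_name):
    """Return the browser's parent pid plus every descendant pid, found by
    following parent-process-ID links.  Limiting the memory scan to this
    set is what lets the logger skip unrelated processes."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in table}
    # A root is a browser process whose own parent is not the browser.
    roots = [pid for pid, (ppid, name) in by_pid.items()
             if name == browser_name
             and by_pid.get(ppid, (None, None))[1] != browser_name]
    found = set(roots)
    frontier = list(roots)
    while frontier:
        parent = frontier.pop()
        for pid, (ppid, _name) in by_pid.items():
            if ppid == parent and pid not in found:
                found.add(pid)
                frontier.append(pid)
    return found


def extract_compose_artifacts(image):
    """Parse every compose artifact found in one memory image.
    Truncated or malformed blobs (common in real dumps) are skipped."""
    artifacts = []
    for match in ARTIFACT_RE.finditer(image):
        try:
            artifacts.append(json.loads(match.group(1).decode("utf-8", "replace")))
        except json.JSONDecodeError:
            continue
    return artifacts


class WebmailActivityLogger:
    """Keeps a fingerprint of every message already logged so that each
    scan appends only new compose activity to the activity log."""

    def __init__(self):
        self.seen = set()
        self.log = []

    def scan(self, table, images, browser_name, now=None):
        now = now or datetime.now(timezone.utc)
        new_entries = []
        for pid in sorted(browser_process_ids(table, browser_name)):
            for artifact in extract_compose_artifacts(images.get(pid, b"")):
                fingerprint = hashlib.sha256(
                    json.dumps(artifact, sort_keys=True).encode()).hexdigest()
                if fingerprint in self.seen:
                    continue
                self.seen.add(fingerprint)
                entry = {"time": now.isoformat(), "pid": pid,
                         "fingerprint": fingerprint[:16],
                         "has_attachment": "attachment" in artifact, **artifact}
                self.log.append(entry)
                new_entries.append(entry)
        return new_entries


if __name__ == "__main__":
    logger = WebmailActivityLogger()
    for entry in logger.scan(PROCESS_TABLE, MEMORY_IMAGES, "chrome.exe"):
        print(json.dumps(entry))
    # A second scan over unchanged memory logs nothing new.
    print("new on rescan:", len(logger.scan(PROCESS_TABLE, MEMORY_IMAGES, "chrome.exe")))
```

Each log entry carries the renderer pid and a message fingerprint, so an investigator can tie a suspicious outbound message (here the one with an attachment to an external address) back to the browser process it was composed in, and repeated scans of the same memory do not inflate the log.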


Published In

Innovative Security Solutions for Information Technology and Communications: 14th International Conference, SecITC 2021, Virtual Event, November 25–26, 2021, Revised Selected Papers
Nov 2021, 344 pages
ISBN: 978-3-031-17509-1
DOI: 10.1007/978-3-031-17510-7
Editors: Peter Y.A. Ryan, Cristian Toma

Publisher: Springer-Verlag, Berlin, Heidelberg
Author Tags: Email forensics, Malicious email, Memory forensic, Webmail
