Instant messaging (IM) is a well-established means of fast and effective communication. Once used primarily by home users for personal communications, IM solutions are now being deployed by organizations to provide convenient internal communication. This often includes the exchange and discussion of proprietary and sensitive information, thus introducing privacy concerns. Although IM is used in many legitimate activities for conversations and message exchange, it can also be misused by various means. For example, an attacker may masquerade as another user by hijacking the connection, performing a man-in-the-middle attack, or by obtaining physical access to a user's computer. There are various reasons that an attacker might want to masquerade as someone else, including spying, disgruntlement, snooping, or other malicious intentions. Analysis of IM in terms of computer forensics and intrusion detection has gone largely unexplored until now. This paper explores IM author classification based on author behavior. Author classification may be used for author identification/validation for forensics analysis or masquerade detection. The experiments presented here applied classification methods to IM messages to determine whether the author of an IM conversation could be identified based strictly on user behavior, and to determine the strongest identifying characteristics.
THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS
Volume 4, Number 1, pp 22-28, DOI: 10.5769/J200901002 or http://dx.doi.org/10.5769/J200901002
Classification of Instant Messaging Communications for Forensics Analysis
By Angela Orebaugh and Jeremy Allnutt