1 Introduction

COVID-19 has been a prime catalyst in the widespread adoption of videoconferencing applications such as Zoom, Cisco WebEx, Microsoft Teams, Adobe Connect, and BlueJeans for professional and personal use. In fact, during the pandemic, the work landscape changed dramatically as more companies shifted to a work-from-home model. As a result, the videoconferencing market is expected to grow from US $6.28 billion in 2021 to US $12.99 billion by 2028, according to a Fortune Business Insight report [1].

The growing popularity of videoconferencing applications has also attracted malicious users, who use them to launch targeted attacks such as hacking online meetings and subjecting attendees to offensive content. The terms Zoom bombing or Zoom raiding have recently been used to designate the disruptive intrusion into a videoconference call, whereby a hacker leverages weak authentication features (or other vulnerabilities) to either stream improper content or bully/harass meeting participants [2, 3]. The security and privacy of the videoconference session have therefore become a major concern. Forensic artifacts carved during the digital investigation of such applications can provide useful insights into the what, whom, when, and where of incidents, and can attribute malicious actions to a device or an individual, which can serve as digital evidence (DE) in criminal investigations.

Considering a regular Cisco WebEx user’s scenario, our goal is to perform an exhaustive investigation of the DE (forensic artifacts) left behind by the application on a client’s device. This research is an extension of our earlier work [4], which investigated various data localities (memory, disk space, and network) in a Windows 10 operating system (OS) for DE pertaining to the Cisco WebEx desktop application.

The present contribution extends our earlier research [4] in at least four aspects:

  • We extend the scope of our forensic analysis in [4] to cover the WebEx Meetings smartphone application running under Android OS.

  • We introduce a memory parsing tool for Cisco WebEx based on our findings from (manual) memory forensic analysis.

  • We extract additional disk space forensic artifacts from Cisco WebEx desktop client application such as prefetch files.

  • We present the results of the forensic analysis of Cisco WebEx web application, targeting the Google Chrome data directory for client-side artifacts with an illustrated case study to highlight the relevance of artifacts in a forensic investigation.

The results of the forensic investigation of three versions (desktop, web, smartphone) of Cisco WebEx applications revealed several relevant artifacts including user account information (display names, email addresses, credentials, default WebEx sites, profile pictures), running processes, encryption keys, exchanged and deleted chat messages, media/text files, meeting records, registry keys, prefetch files, network information, history, downloads, cookies, cache, and bookmarks. The extracted artifacts can be used as potential DE in a court of law.

The remainder of this paper is organized as follows. Section 2 discusses the state of the art in videoconferencing applications’ forensics research. Section 3 details our research methodology and experimental setup. Sections 4, 5, and 6 present forensic artifacts extracted from Cisco WebEx desktop, web, and smartphone applications, respectively. Section 7 illustrates two case studies, and Section 8 provides a summary of the paper and some suggestions for future research.

2 Related work

Digital forensics of Voice over Internet Protocol (VoIP) and videoconferencing applications has recently become a popular research topic, as highlighted by the increase in the number of papers published on these topics during the past few years. Both client- and server-side forensic analyses are vital to reconstruct a holistic picture of events pertaining to these applications. However, server-side forensics requires access to data stored in application servers, which (1) is not easily available, (2) can be time-consuming to gain access to, and (3) is costly and potentially complicated to collect due to privacy policies implemented by Internet service providers (ISPs) [5]. Nonetheless, a network forensic analysis may divulge information about client-server connections and vice versa. Also, the Windows 10 roaming folder can provide valuable forensic insights since it stores a server’s copy of the account data that is loaded into any device the user account is logged into [6]. On the other hand, artifacts extracted from the client device, while accessible, may be stored in encrypted form. While encryption enhances user privacy, it also introduces additional complexity for the forensic analyst. The following discussion explores methods for forensic analysis of videoconferencing and/or VoIP applications (with respect to different data localities and OSs), and various challenges in the process.

Mahr et al. [7] presented a forensic analysis of Zoom, with a special focus on exploring the disk space for extracting artifacts. The authors investigated various databases associated with the Zoom data directory and extracted artifacts related to chats, contacts, cache, video meetings, and user/device configurations. The authors also presented preliminary results associated with network and memory forensic analysis. At the time their research was conducted, the databases investigated were stored in unencrypted form on the client desktop. However, we have observed that with recent updates of Zoom, these databases are now encrypted, which introduces an additional layer of complexity for forensic investigators since a passphrase or key is now required to decrypt the databases.

Yang et al. [8] performed an in-depth forensic analysis of the Windows Store Skype application for memory, disk space, and network artifacts on a Windows 8.1 client machine. The experiments and results revealed valuable terrestrial (client side) forensic artifacts, including installation information, login, conversations, and records of exchanged files. The authors also observed that uninstalling Skype from the client machine automatically removes the application folders of Skype from Windows’ file system, which makes them inaccessible for forensic investigation. However, Skype installation folders still reside in the file system, and these can reveal several artifacts of forensic value.

Nicoletti and Bernaschi [9] adopted a multiple case study approach to forensically analyze Skype for business. Their research focused on examining the communication architecture, protocols, and the VoIP codec to extract artifacts. In addition, the Windows Registry, Event Viewer, client application folder, and log files have been identified as sources of forensic evidence.

Recently, Nicoletti and Bernaschi [10] performed a forensic analysis of Microsoft Teams exploring different usage scenarios of the application. This included the Teams-public switched telephone network (PSTN) and Teams walkie-talkie communication scenarios. The authors also explored whether the Teams-PSTN integrated environment is more vulnerable to attacks and whether forensic evidence can be extracted.

Bowling [11] performed client-side forensic analysis of Microsoft Teams with respect to multiple OSs: Windows, iOS, and Android. The focus of the study was disk space forensics, identifying SQLite databases (in Android) and the chromium cache structures (in Windows) as main sources of artifacts. However, an important database/structure called LevelDB was not explored by the author because of difficulties in parsing the said database.

Bilz [12] also performed disk space forensics to extract Microsoft Teams’ artifacts, exploring the data directory for artifacts. In his analysis, the author proposed a Python script to analyze the LevelDB structure discussed in [11]. The script parses the database/structure and outputs data in .json. The LevelDB structure seems to store a plethora of information including text messages, comments, posts, exchanged files, contacts, and call logs according to the author’s findings.

Anglano [13] performed a forensic analysis of WhatsApp Messenger on an Android smartphone. For this purpose, the YouWave virtualization platform was used to emulate multiple Android smartphones. Various forensic artifacts were extracted including contacts and existing/deleted messages.

Other works [14,15,16,17] detail forensics of VoIP applications such as WhatsApp, Viber, Skype, and Tango.

Most earlier research contributions focused on disk space/file-system forensics to extract client artifacts. Memory and network forensics, on the other hand, were addressed only in a few studies, such as those reported by Mahr et al. [7], Yang et al. [8], and Nicoletti and Bernaschi [9, 10]. This is mainly attributed to the fact that memory acquisition is no longer possible once a digital device has been shut down, while network traffic encryption renders network forensics a daunting task. Our aim, on the other hand, was to perform an exhaustive analysis of Cisco WebEx by exploring all three data localities.

3 Experimental setup

Forensic analysis of Cisco WebEx was conducted on a client’s device in a controlled test environment. For this purpose, a Windows 10 ISO file was used to create a virtual machine (VM). This was done in order to avoid mixing WebEx artifacts with those of other applications (or system files). A total of 4 GB of memory/RAM and 60 GB of disk space were allocated to the VM. The Cisco WebEx desktop application was downloaded and installed. A new WebEx account was set up in the VM, and the actions of a typical user were performed while interacting with the WebEx desktop application. The user actions were based on the videoconferencing features provided by WebEx. Similarly, a separate VM was set up for test usage of the WebEx web application. Compared to the desktop application, WebEx’s web application naturally offers limited features.

WebEx assigns a personal meeting room ID, a default WebEx site, and a default video address to each user, much like a personal office in an in-person scenario. Users can invite other guests to join them in their personal meeting room by sharing their meeting link. This way, videoconferencing group meetings can be set up instantly or scheduled for given times.

User actions performed as test activity include the following:

  1. Setting up a username, password, and profile photo

  2. Adding/deleting contacts

  3. Exchanging/deleting chat messages

  4. Exchanging/deleting text files, media files, and URLs

  5. Using the keyword search to find acquaintances and friends

  6. Conducting a meeting using the personal room

  7. Creating groups

  8. Exchanging in-meeting chat messages, media, and text files

  9. Recording meetings

  10. Screen sharing

  11. Conducting one-to-one, group, and scheduled meetings

The test activities in which users deleted certain contacts, messages, and exchanged files from the WebEx application were conducted so that, later in the analysis phase of our forensic process, we could investigate whether such obstructive/anti-forensic behaviors can be detected.

After the user actions were performed, memory and disk space were captured intermittently using AccessData FTK Imager. In the case of memory, the captures were made after major events such as login, exchange of chat messages, exchange of media files, and one-on-one/group/scheduled meetings. The hashes of these images were computed using FTK Imager to ensure their integrity before image processing.

For network forensic analysis of WebEx, a Wi-Fi hotspot was used so that the captured traffic was confined to the test device. The Wireshark network protocol analyzer was used to capture the traffic, which was saved as a .pcap file. NetworkMiner was also used for analysis. Network traffic for each user activity was captured separately in order to analyze the artifacts of each activity individually. The login events, chat message/file/URL exchange events, and meeting events were each recorded using Wireshark separately.

To perform forensic analysis of the Android smartphone, we used Andriller Community Edition (CE) to acquire a logical forensic image of the smartphone. This operation was first performed on an unrooted Android smartphone, in which case Andriller CE was unable to acquire the image. On the other hand, we were able to successfully complete a logical acquisition after rooting the smartphone. Additionally, we were able to successfully acquire and investigate the Android Debug Bridge (ADB) backup for potential DE.

Figure 1 details the forensic methodology of this study, while Table 1 lists the tools employed during the digital investigation process.

Fig. 1 Forensic methodology

Table 1 Tools used for forensic analysis

4 Cisco WebEx desktop client forensics

This section gives a detailed client-side forensic analysis of Cisco WebEx desktop application targeting the memory, disk space, and network data localities.

4.1 Memory forensics

The volatile memory provides a wealth of information about running processes and applications in a device, among other artifacts. It is a subject of great interest for forensic investigators because data that would normally be stored in encrypted form on the hard drive can reside in memory as plaintext. Our analysis of captured memory dumps focused on five profiles [18], namely communication content (activity/relationship context, details), contacts, communication history, passwords, and encryption keys.

4.1.1 Automated analysis

Several WebEx processes, listed below, were identified from the memory dumps (using Volatility’s pstree plugin):

  1. atmgr.exe

  2. CiscoCollabHost.exe

  3. Ciscowebexstart.exe

  4. webexAppLaunch.exe

  5. washost.exe

  6. webexmta.exe

The atmgr.exe and washost.exe processes in particular exist when WebEx meetings occur (Fig. 2).

Fig. 2 Pstree output for WebEx extracted via Volatility

Targeted yarascan searches (restricted to the process IDs of the running WebEx processes) against the memory dumps revealed interesting information regarding calls. However, the output was only a limited block of information, and further analysis required parsing through the dump at the physical/virtual offset reported by yarascan (Fig. 3); similar artifacts were easily extracted manually as well.

Fig. 3 Yarascan search on WebEx process (PID 2152) via Volatility

Advanced Encryption Standard (AES) keys (Fig. 4), the email addresses of the test user, and corresponding parties were recovered from memory using Bulk Extractor (Fig. 5).

Fig. 4 AES encryption keys extracted via Bulk Extractor

Fig. 5 Email addresses of meeting participants via Bulk Extractor

Photographic images reconstructed from the memory dumps using PhotoRec included the WebEx logo and favicon images related to the application. Despite acquiring several successive memory dumps for carving avatars, we were not able to extract the profile photos of the participants. Most likely, the profile photos of WebEx accounts are stored in encrypted form in memory.

4.1.2 Manual analysis

String searching using relevant phrases and keywords was performed against the captured memory dumps. Such analysis is purely an “unstructured” (/manual) analysis of the memory [19], which proved vital in extracting detailed communication artifacts.

A memory dump contains scattered information consisting of lines of data that do not necessarily follow any order. To extract application-specific information from the dump, we first developed a sense of the patterns and behaviors that WebEx artifacts exhibit. Consider the following line of information extracted from the memory using the command `strings [memory dump filename] | grep 'messagesContainer'`:

{{avatar:raw}}<div class="messagesContainer {{isReply}}">{{sparkMessagesDiv:raw}}</div> "" data-object-id="5e6ec853-9ff3-465a-a9d8-768fd9dd62ea"><img class="sparkAvatar" draggable="false" participantid="PID-5e6ec853-9ff3-465a-a9d8-768fd9dd62ea" data-object-type="person" data-object-id="5e6ec853-9ff3-465a-a9d8-768fd9dd62ea" onclick="return sparkBase.clickEventHandler(event);" onmouseenter="return sparkBase.mouseEventHandler(event);" onmouseleave="return sparkBase.mouseEventHandler(event);"></div><div class="messagesContainer "><div tabIndex="-1" messageId="cfa73e80-9a1f-11eb-bd43-b734da68796a" role="row" class="messageContainer " aria-describedby="infocfa73e80-9a1f-11eb-bd43-b734da68796a"><p class="messageHeader"><span class='actor' data-object-id='5e6ec853-9ff3-465a-a9d8-768fd9dd62ea'><spark-contact data-object-type='USER' data-object-id='5e6ec853-9ff3-465a-a9d8-768fd9dd62ea'>Usmani</spark-contact><span class='externalDomain'></span></span> <span class="messageTime">4/10/2021, 10:11 PM</span> </p><div class="sparkMessage " messageId="cfa73e80-9a1f-11eb-bd43-b734da68796a"><div id="infocfa73e80-9a1f-11eb-bd43-b734da68796a" aria-hidden="false" class="visualhidden"></div><div class="msgContainer"><div class="sparkShares "></div><div>What is going on?</div></div>

This snippet of memory dump gives every detail about a chat message that was sent by the test user: the actual message, timestamp, message ID, display name of the user receiving the message, and the fact that this user is also a contact of the test user on WebEx. The presence of the <messagesContainer> string tag (a constant tag for chat messages) enabled us to extract all the messages exchanged by the test user along with the associated timestamps and other metadata (Fig. 6). A similar analysis of the memory dump using searches based on phrases/keywords such as webex, message, meeting, and query was performed to investigate the patterns/tags that would fetch other useful artifacts pertaining to the application. As a result, a plethora of information related to the test user account was extracted. Basic user account information extracted includes the name of the test account, associated email address, default WebEx site, personal room number, and video address (Fig. 7). We also observed that the password of the test account was encrypted in memory, since we were unable to retrieve it in plaintext. The keywords entered by the user into the search bar to find acquaintances and friends were extracted under the <query> tag (Fig. 8). Exchanged text files, media files, and their metadata along with other details were found under the <sparkShareInfo> tag (Figs. 9, 10). Exchanged URLs were also extracted (Fig. 11). Information related to scheduled meetings was extracted under <WebExMeetingData> (Fig. 12). Among other information, the passwords of the scheduled meetings and in-meeting chat messages were found in plaintext (Figs. 12, 13).

Fig. 6 Exchanged chat message information via manual string search

Fig. 7 User account information via manual string search

Fig. 8 Keyword search via manual string search

Fig. 9 Exchanged text file information via manual string search

Fig. 10 Exchanged media file information via manual string search

Fig. 11 Exchanged URLs via manual string search

Fig. 12 Scheduled meeting information via manual string search

Fig. 13 In-meeting chat message extracted via manual string search

We have developed a Cisco WebEx memory parsing tool based on our findings from the manual (unstructured) forensic analysis of the memory dumps. Our memory parsing tool ([20]) can be used to retrieve memory artifacts (including user account information, search keywords, exchanged text/media files, exchanged URLs, deleted URLs, exchanged chat messages, deleted chat messages, scheduled meeting information, and contacts) from any memory dump taken from a Windows machine with Cisco WebEx as one of the running applications.

4.1.3 Anti-forensics

When a WebEx user deletes information such as chat messages and exchanged files, the information is still recoverable from memory using manual string searches, thus enabling the detection of attempts to obstruct evidence. In our case, we recovered deleted URLs from the memory. While deleted messages were also recovered from the memory dumps, it was observed that they were not found in the usual message containers. Although discarded from the message containers upon deletion, these messages were still recoverable, preceding the user identity and under paragraph tags, i.e., <p></p> (Fig. 14). Chat messages exchanged during the videoconference meeting were also recovered from the memory dump under the <p></p> paragraph tags (Fig. 15).

Fig. 14 Deleted chat message information via manual string search

Fig. 15 In-meeting deleted chat message extracted via manual string search
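The following script is an added example (not the authors’ memory parsing tool [20]) that automates the manual `strings | grep messagesContainer` search of Sect. 4.1.2 and the recovery of deleted-message text from bare `<p></p>` paragraphs described in Sect. 4.1.3. The embedded dump fragment is constructed; its IDs, display name, time, and message bodies are placeholders, and the regular expressions assume the container layout shown in the memory snippet above.

```python
"""Carve Cisco WebEx chat-message remnants from a raw memory dump.

Added example, not the paper's tool. It mirrors the manual
'strings | grep messagesContainer' approach (Sect. 4.1.2) and the <p>...</p>
recovery of deleted messages (Sect. 4.1.3). SAMPLE_DUMP is constructed.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ChatMessage:
    message_id: str   # messageId attribute of the messageContainer row
    actor_id: str     # data-object-id of the actor span (a WebEx person ID)
    actor_name: str   # display name inside <spark-contact>
    timestamp: str    # messageTime as rendered by the client
    text: str         # message body with markup stripped


# One message row as observed inside a <div class="messagesContainer"> block.
# The messageId must sit in the same tag as class="messageContainer" so the
# inner <div class="sparkMessage" messageId=...> element is not matched twice.
MESSAGE_RE = re.compile(
    r'messageId="(?P<mid>[0-9a-f-]{36})"[^>]*class="messageContainer[^"]*"'
    r".*?<span class='actor' data-object-id='(?P<aid>[0-9a-f-]{36})'>"
    r".*?<spark-contact[^>]*>(?P<name>[^<]*)</spark-contact>"
    r'.*?<span class="messageTime">(?P<time>[^<]*)</span>'
    r'.*?<div class="msgContainer">.*?<div>(?P<text>.*?)</div>',
    re.DOTALL,
)

# Attribute-less <p>...</p>: message headers use <p class="messageHeader">,
# so bare paragraphs are the candidates for text that left its container.
PARAGRAPH_RE = re.compile(r"<p>(?P<body>.*?)</p>", re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def load_dump(path: str) -> str:
    """Read a raw dump; latin-1 maps each byte to one char, so offsets stay usable."""
    with open(path, "rb") as fh:
        return fh.read().decode("latin-1")


def parse_messages(dump: str) -> List[ChatMessage]:
    """Return every intact chat message found in the dump, in dump order."""
    found = []
    for m in MESSAGE_RE.finditer(dump):
        found.append(ChatMessage(
            message_id=m["mid"],
            actor_id=m["aid"],
            actor_name=m["name"].strip(),
            timestamp=m["time"].strip(),
            text=TAG_RE.sub("", m["text"]).strip(),
        ))
    return found


def recover_paragraphs(dump: str, known: List[ChatMessage]) -> List[str]:
    """Return <p>...</p> texts that do not belong to an intact message.

    Texts already seen in intact messages are dropped so that a live message
    is not reported a second time as a deleted one.
    """
    seen = {msg.text for msg in known}
    out: List[str] = []
    for m in PARAGRAPH_RE.finditer(dump):
        text = TAG_RE.sub("", m["body"]).strip()
        if text and text not in seen and text not in out:
            out.append(text)
    return out


# Constructed dump fragment: binary noise around one intact message and one
# orphaned paragraph. IDs, name, time and bodies are placeholders.
SAMPLE_DUMP = (
    b"\x00\x00\xff\xfejunk"
    b'<div class="messagesContainer "><div tabIndex="-1" '
    b'messageId="aaaaaaaa-0000-11eb-bd43-000000000001" role="row" '
    b'class="messageContainer " aria-describedby="infoaaaaaaaa-0000-11eb-bd43-000000000001">'
    b'<p class="messageHeader"><span class=\'actor\' '
    b"data-object-id='11111111-2222-4333-8444-555555555555'>"
    b"<spark-contact data-object-type='USER' "
    b"data-object-id='11111111-2222-4333-8444-555555555555'>Alice Example</spark-contact>"
    b"<span class='externalDomain'></span></span> "
    b'<span class="messageTime">4/10/2021, 10:11 PM</span> </p>'
    b'<div class="sparkMessage " messageId="aaaaaaaa-0000-11eb-bd43-000000000001">'
    b'<div class="msgContainer"><div class="sparkShares "></div>'
    b"<div>What is going on?</div></div></div></div>"
    b"\x00\x00more junk\x00"
    b"<p>Please delete this after reading</p>\x00\x00"
)


if __name__ == "__main__":
    data = SAMPLE_DUMP.decode("latin-1")
    intact = parse_messages(data)
    for msg in intact:
        print(f"{msg.timestamp} {msg.actor_name}: {msg.text} [{msg.message_id}]")
    for text in recover_paragraphs(data, intact):
        print("orphaned paragraph (possibly deleted):", text)
```

On a real dump, pass `load_dump(path)` instead of the sample; UTF-16 remnants (what `strings -el` would show) need a separate decode pass, which this script does not attempt.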

4.2 Disk-space forensics

As opposed to volatile memory, a device’s hard disk retains application data for a longer time. The application folder, Windows Registry, and prefetch files on disk are potential sources of forensic artifacts.

4.2.1 Cisco WebEx data directory structure

WebEx leaves remnants in the Local, LocalLow, and Roaming application folders. In the Roaming subfolder \AppData\Roaming\webex\Avatar, WebEx saves the avatar of the currently logged-in account and also of accounts that were previously logged into the application, if any (Fig. 16). In addition, a .ini file with information regarding the last joined location is stored in \AppData\Roaming\webex\Avatar\latestjoinedlocation.ini (Fig. 17). The Roaming folder also stores a temporary .dat file (\AppData\Roaming\webex\Avatar\QSXMLFile.dat) that has information regarding previous meetings of the account, including meeting numbers, timestamps, and passwords of the meetings (Fig. 18). It is pertinent to note that the QSXMLFile.dat file resides in the file system only temporarily, after a scheduled meeting has recently been scheduled/conducted by the user.

Fig. 16 Avatars of logged-in accounts via Autopsy

Fig. 17 Last joined location via Autopsy

Fig. 18 Temporary QSXMLFile.dat file

In the Local folder, the application creates (1) WebEx and (2) CiscoSpark folders separately. The presence of these two separate folders is attributed to the fact that WebEx was a separate application before Cisco acquired it. The WebEx folder contains (1) .json scripts for different browsers to enable the application startup, (2) site information that consists of the default WebEx site of the user (or multiple default sites if more than one account was logged in on the device), (3) WebEx cache, and (4) the WebEx application itself along with application extensions.

From the CiscoMeetings database in the same folder, \AppData\Local\WebEx\CiscoMeetings.db, we were able to retrieve records of meetings, and their timestamps, along with default WebEx sites of previous and currently logged-in accounts (Fig. 19). Client info of the logged-in accounts was also found in the same database including blackList, siteURL, URLroot of the account (Fig. 20), and the timestamp of when the last meeting was held along with other application-related information (Fig. 21).

Fig. 19 CiscoMeetings.db via Autopsy

Fig. 20 CiscoMeetings.db client info via Autopsy

Fig. 21 CiscoMeetings.db client info via DB Browser for SQLite

The CiscoSpark folder contains several artifacts of interest for digital forensic investigation as well. In particular, the subfolder \AppData\Local\CiscoSpark\media\calls stores call logs of the logged-in user. Timestamps from these logs can be corroborated with evidence extracted from the CiscoMeetings database to infer useful insights regarding meetings and calls. Although log analysis requires intensive manual searching, the logs provide useful information such as call IDs, media session IDs, IP addresses, and media statistics such as screenshare/video resolution and the number of audio/video packets received.

The \AppData\Local\CiscoSpark\[User ID] folder contains spark_persistent_store.db and spark_roaming_store.db databases that are encrypted.

Another database, spark_shared_store.db (\AppData\Local\CiscoSpark\spark_shared_store.db), stores installation ID, and user ID of the previous account that was logged in. In the CiscoSpark folder, lifecycle.dat stores login state of the user account (logged in vs logged out).

4.2.2 Windows Registry keys for Cisco WebEx

Following an in-depth analysis of the Windows Registry for the presence of WebEx artifacts, we identified several registry keys that revealed valuable information about previous user activity (Fig. 22). These include credentials, profile avatars, configuration settings, application settings, and product information. In particular, the HKCU\SOFTWARE\WebEx\ProdTools\Logon\[Default WebEx Site] key stores the login credential and profile avatar of the user. Credentials of previously logged-in users are also stored in this key. The HKCU\SOFTWARE\WebEx\FeaturePayloads key stores user configuration settings in reference to the default WebEx site, e.g., “EnableAES256GCM”:true. A total of 141 configuration settings are stored in this key. The HKCU\SOFTWARE\WebEx\Config key stores application settings such as the theme type set up by the user and whether panelist and attendees’ names are shown.

Fig. 22 Cisco WebEx Registry keys

4.2.3 Cisco WebEx prefetch files

Cisco WebEx has two associated prefetch files stored in the Windows file system, namely CISCOCOLLABHOST.EXE-49749B78.pf and WEBEXHOST.EXE-7D2F62CC.pf. The eight characters trailing the name of the executable are a hash of the application’s location and may differ from one device to another. The sizes of the two prefetch files on our test device were 116 KB and 26 KB, respectively, which suggests that the application was used frequently. The prefetch files were parsed (using PECmd) for information about the run times of the executables and related timestamps. As illustrated in Fig. 23, the CISCOCOLLABHOST.EXE-49749B78.pf and WEBEXHOST.EXE-7D2F62CC.pf files had run counts of 25 and 15, respectively.

Fig. 23 Parsing results for prefetch files CISCOCOLLABHOST.EXE-49749B78.pf and WEBEXHOST.EXE-7D2F62CC.pf

In addition to run counts, parsing results related to creation time, modified time, last accessed time, and volume information along with directories, and files referenced by the executables were extracted as shown in Fig. 23.

4.3 Network forensics

WebEx has three related processes, among others, that may emerge while parsing memory for artifacts: CiscoCollabHost.exe, atmgr.exe, and washost.exe. Figure 24 shows the netscan output for WebEx. Additional system processes, such as svchost.exe, have been filtered out for the sake of brevity. In addition to the CiscoCollabHost.exe process, the atmgr.exe process also appeared. This process belongs to the AtMgr module of Cisco WebEx. After the connection was established and the meeting began, this process appeared during the transfer of meeting media (audio/video/text). As can be seen in Fig. 24, the atmgr.exe process is associated with the User Datagram Protocol (UDP), which is the protocol WebEx uses for transferring meeting media. Timestamps and PIDs from netscan can be corroborated with the pslist/pstree output or with other artifacts. The netscan output also lists foreign Internet Protocol (IP) addresses that can be further analyzed for origin traces. The physical or virtual offsets can be used to locate the processes in the dump files via a hex editor.

Fig. 24 Netscan output extracted via Volatility

While memory and disk are valuable sources for forensic artifacts, memory is not always available because of its volatile nature, and disk can be manipulated (to an extent). Accordingly, network forensics can be a practical alternative as one advantage to watching the network is that the network can’t lie [21].

WebEx does encrypt all of its sessions using Transport Layer Security (TLS) v1.2. Multimedia traffic is sent using the UDP protocol in encrypted form. From our observations, signaling data and media are encrypted since no credentials, images, or files were found in plaintext. However, the URLs exchanged via chat sessions did appear in plaintext over the network. Images pertaining to exchanged URLs were also observed as shown in Fig. 25.

Fig. 25 Plaintext URLs sent in WebEx chat extracted via Wireshark

Logging into WebEx, we found that a session with Amazon.com, Inc. was created on port 443. This makes sense since Cisco uses both Amazon Web Services and Microsoft Azure to provide cloud services. Then, a session with Cisco WebEx LLC servers (global-idbroker-eu.webex.com, idbroker-eu.webex.com, and identity-eu.webex.com) was established on port 443 to authenticate the host to the cloud. Another session with ocsp.quovadisglobal.com was subsequently established to request the certificate revocation lists (CRLs) on Hypertext Transfer Protocol (HTTP) port 80. Account information such as profile ID, contacts, and meeting information was retrieved from the servers (jabber-integration-k.wbx2.com, conv-k.wbx2.com, contacts-service-k.wbx2.com, avatar-k.wbx2.com, calendar-k.wbx2.com) on port 443. As discussed before, since all network traffic is encrypted, captured frames associated with users’ credentials, files, profile IDs, and contacts were not helpful for the forensic investigation. However, NetworkMiner does retrieve digital certificates exchanged during the videoconference which validate whether communicating nodes were authenticated or not.

The IP addresses and timestamps from the traffic can be useful in reconstructing events and attributing whom the host communicated with and when. The communication artifacts can also be utilized as signatures/flags for Cisco WebEx network traffic.
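As an added example (not from the paper), the script below turns the server observations of this section into a small signature set and builds a who/when timeline from a constructed connection log, one record per flow as one might export from Wireshark’s Conversations view. The hostnames are the ones reported above; the IP addresses, ports, and timestamps are placeholders, and the `Flow` record layout is an assumption of this example.

```python
"""Classify captured flows into Cisco WebEx session phases and build a timeline.

Added example. Signatures follow the Sect. 4.3 observations: identity
broker hosts on 443 for authentication, ocsp.quovadisglobal.com on 80 for
certificate status, *.wbx2.com services on 443 for account data, and UDP
for meeting media. SAMPLE_FLOWS is constructed; IPs/ports/times are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: datetime      # first packet time of the flow
    proto: str        # "TCP" or "UDP"
    dst_host: str     # resolved name or TLS SNI; "" when unknown
    dst_ip: str
    dst_port: int


IDENTITY_HOSTS = ("global-idbroker-eu.webex.com", "idbroker-eu.webex.com",
                  "identity-eu.webex.com")
OCSP_HOST = "ocsp.quovadisglobal.com"


def classify(flow: Flow) -> Optional[str]:
    """Map one flow to a WebEx session phase, or None if it is not a WebEx signature."""
    host = flow.dst_host.lower()
    if flow.proto == "UDP":
        return "meeting media (UDP)"
    if host in IDENTITY_HOSTS and flow.dst_port == 443:
        return "authentication (identity broker)"
    if host == OCSP_HOST and flow.dst_port == 80:
        return "certificate status (OCSP)"
    if host.endswith(".wbx2.com") and flow.dst_port == 443:
        return "account services (wbx2.com)"
    if host.endswith(".webex.com") and flow.dst_port == 443:
        return "webex cloud (other)"
    return None


def build_timeline(flows: List[Flow]) -> Dict[str, dict]:
    """Group classified flows by phase with first/last seen times and the hosts/IPs involved."""
    phases: Dict[str, dict] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        phase = classify(f)
        if phase is None:
            continue
        entry = phases.setdefault(phase, {"first": f.ts, "last": f.ts,
                                          "hosts": [], "ips": []})
        entry["last"] = max(entry["last"], f.ts)
        if f.dst_host and f.dst_host not in entry["hosts"]:
            entry["hosts"].append(f.dst_host)
        if f.dst_ip not in entry["ips"]:
            entry["ips"].append(f.dst_ip)
    return phases


def looks_like_webex_session(flows: List[Flow]) -> bool:
    """A login is evidenced by the identity broker plus at least one wbx2.com service."""
    seen = {classify(f) for f in flows}
    return ("authentication (identity broker)" in seen
            and "account services (wbx2.com)" in seen)


def _t(hms: str) -> datetime:
    return datetime.strptime("2021-04-10 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed capture summary: a login followed by a short meeting.
SAMPLE_FLOWS = [
    Flow(_t("22:00:01"), "TCP", "", "203.0.113.10", 443),                        # cloud front end, unnamed
    Flow(_t("22:00:02"), "TCP", "idbroker-eu.webex.com", "203.0.113.20", 443),
    Flow(_t("22:00:02"), "TCP", "identity-eu.webex.com", "203.0.113.21", 443),
    Flow(_t("22:00:03"), "TCP", "ocsp.quovadisglobal.com", "198.51.100.5", 80),
    Flow(_t("22:00:05"), "TCP", "contacts-service-k.wbx2.com", "203.0.113.30", 443),
    Flow(_t("22:00:05"), "TCP", "avatar-k.wbx2.com", "203.0.113.31", 443),
    Flow(_t("22:05:10"), "UDP", "", "203.0.113.40", 9000),
    Flow(_t("22:09:58"), "UDP", "", "203.0.113.40", 9000),
    Flow(_t("22:10:30"), "TCP", "example.invalid", "192.0.2.9", 443),            # unrelated browsing
]


if __name__ == "__main__":
    for phase, info in build_timeline(SAMPLE_FLOWS).items():
        print(f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S} {phase}: "
              f"{', '.join(info['hosts']) or ', '.join(info['ips'])}")
    print("WebEx login evidenced:", looks_like_webex_session(SAMPLE_FLOWS))
```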

Table 2 illustrates captured network details associated with the IP addresses and the servers that the host communicated with.

Table 2 Network information—Cisco WebEx

5 Cisco WebEx web application forensics

The Cisco WebEx web version is meant to alleviate the need to install the full desktop version (which requires storage space) while still allowing users to benefit from Web Services (WS) on the go. One might conjecture that since the application is not installed on the actual OS, it must not leave behind any artifacts of sensitive value. While this may be true in the sense that no application/installation folders are created for these web applications, a substantial amount of information can nonetheless still be extracted from the Google Chrome data directory, as elaborated in this section. Our target artifacts in browser forensics included (1) traces/indicators of the Cisco WebEx web application’s usage, (2) meeting records, (3) history, (4) downloads, (5) bookmarks, (6) cache, (7) cookies, and (8) the associated profile picture and email address. These are further discussed below:

5.1 Traces of usage

The first question to be addressed during our forensic analysis of the WebEx web application was whether the application was used in the first place, and if so, to whom the application’s usage can be attributed. We found that there are several artifacts that may help in tracing the Cisco WebEx web application’s usage. In particular, C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsMostVisited and C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed store the icons of the most visited and recently closed web applications. C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Top Sites is a similar indicator. Top Sites is an SQLite database that stores the thumbnails of the top sites visited by the user. The Favicons database at C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Favicons also stores favicons of web pages/applications. In our case, the Cisco WebEx web application was present in all four folders/databases, which might not be the case in instances of less frequent usage.

In addition to the above, the presence of a Cisco WebEx URL in the Network Action Predictor SQLite database (C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor) is an indicator of its past usage.

The QuotaManager SQLite database (C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\QuotaManager) listed the use count of the web application along with the last accessed timestamp. The last accessed timestamp may also be extracted from the shortcuts SQLite database (C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Shortcuts).

Session data stored in the folder C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Sessions also indicated that the WebEx web application was used.

Once it is established that the Cisco WebEx web application was used, an artifact attributing the usage to a particular user can be found at C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Accounts\Avatar Images and at C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Google Profile Picture. We extracted the email address associated with the profile from the Sessions folder mentioned earlier: the logs stored in that folder disclosed the email address of the user. These session logs may also divulge links of the meetings that were conducted. However, any additional details, such as in-call messages, were not found in the Sessions folder.

5.2 IndexedDB-levelDB

Whenever a web application is invoked from Google Chrome, an indexedDB-levelDB database corresponding to that web application is created in the Google Chrome data directory on the client’s desktop. This artifact is a strong indicator of trace of usage for the Cisco WebEx web application. IndexedDB is a novel browser Application Programming Interface (API) based on the levelDB key-value pair database structure. It essentially stores and retrieves session data for various web applications that are activated from a browser [12, 22]. In the Cisco WebEx case, a levelDB named “https_[default WebEx site]_0.indexeddb.leveldb” is created in the C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\IndexedDB folder.

Fig. 26 shows the structure of a levelDB as seen via Autopsy.

Fig. 26: IndexedDB-levelDB structure via Autopsy

The .log and .ldb files were of particular interest in our forensic investigation. Accessing the raw data in the database through Autopsy was tricky, since it showed the database contents in an unordered/scattered manner. It should be noted that although Autopsy presented the contents in an unordered manner, they were nonetheless presented in a readable (strings) format, which is not the case when this database is viewed directly in a text editor such as Notepad.

To demystify the data stored in Cisco WebEx’s levelDB, we dumped the contents of the database into a .json file using a Python script developed in [12], which essentially converts an Electron-based levelDB into .json; although Cisco WebEx is not based on Electron, the script worked fine for the Cisco WebEx levelDB. We then investigated the contents of the database to see how it is organized and what information can be retrieved from it.

The Cisco WebEx levelDB’s object stores are arranged meeting-wise, meaning the logs of each successive meeting are stored in successive object stores, namely logStore1, logStore2, logStore3, and logStore4 (Figs. 27, 28, 29, 30, 31, 32, 33). These stores log detailed information about every meeting that takes place, including event logs. The logs are numbered/serialized chronologically. The value field of the key-value pairs that make up the object stores is of particular interest: it stores the timestamps of every event, serial numbers, records of meetings, and associated events. These events can also be categorized according to the service manager that handles events emanating from a WebEx web application session, namely serviceMgr, confMgr, conf, videoMgr, mediaCSIMgr, activeMgr, chatMgr, webServiceMgr, CMSC, among others. For instance, records of exchanged chat messages can be found in the object stores under the chatMgr identifier (Fig. 27). As may be seen, information regarding the sender and receiver(s) of the message, the actual message, and relative timestamps can be retrieved.

Fig. 27: Chat message recovered from levelDB

Fig. 28: Meeting settings recovered from levelDB

Fig. 29: Meeting name, password, and timestamp of scheduled meeting recovered from levelDB

Fig. 30: Screensharing event recovered with timestamp from levelDB

Fig. 31: User call number recovered from levelDB

Fig. 32: Client IP address recovered from levelDB

Fig. 33: Network details recovered from levelDB

Information regarding meeting settings (Fig. 28), the meeting name and meeting keys/passwords in the case of scheduled meetings (Fig. 29), the number of participants in each meeting, and added and removed participant counts can also be retrieved. Instances/events (and timestamps) of screensharing (Fig. 30), international call numbers of users (Fig. 31), user IDs, session IDs, node IDs of client device(s), and whether audio/video was on (and timestamps of when they were) were successfully retrieved. The CMSC service manager logged networking details about the meetings, including the client’s IP address and the server IP addresses that the client communicated with during the meeting (e.g., 62.109.233.128, 62.109.233.150, 62.109.233.129, 62.109.233.177, 62.109.233.168, and 170.72.63.182); other details such as mediaType (audio/video), bytesReceived, bytesSent, bitrateReceived, bitrateSent, packetsReceived, packetsSent, transportType (protocol used for transmission), packetsLostReceived, and localPort were also disclosed by the database (Figs. 32, 33). It is pertinent to note that the IP addresses of the parties the client had communicated with were not logged in the levelDB log stores.

5.3 Bookmarks, history, cookies, and cache

The bookmark of the Cisco WebEx web application saved by the user in Google Chrome was extracted from C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Bookmarks. This gave us the GUID of the bookmark along with the timestamp of when it was added to the Google Chrome browser.

The history SQLite database (C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History) provided detailed information regarding (1) keyword search terms entered into Google Chrome (e.g., “cisco webex web app”), (2) history of the visited URLs (along with visit counts, timestamp of last visit, and durations of visits), and (3) downloads from the web application, if any.
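As an added example, not part of the paper or of any Cisco software, the following Python script shows how the History artifacts listed above (visited URLs with visit counts and durations, and keyword search terms) can be queried and how their Chrome timestamps, which count microseconds from the WebKit epoch of 1601-01-01 UTC, are decoded to UTC. It runs against a constructed stand-in database that mirrors a subset of Chrome's real History columns; the WebEx site name is a placeholder and the function names are our own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) timestamps count microseconds since 1601-01-01 00:00:00 UTC;
# this is the format of urls.last_visit_time and visits.visit_time in History.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(micros: int) -> datetime:
    """Decode a Chrome/WebKit timestamp into a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def utc_to_chrome_time(dt: datetime) -> int:
    """Inverse of chrome_time_to_utc (used here only to build sample data)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history(path: str = ":memory:") -> sqlite3.Connection:
    """Constructed stand-in for Chrome's History database (subset of the real
    urls / visits / keyword_search_terms columns); placeholder WebEx site."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, visit_duration INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          term TEXT, normalized_term TEXT);
    """)
    t0 = utc_to_chrome_time(datetime(2021, 10, 26, 14, 0, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.google.com/search?q=cisco+webex+web+app",
         "cisco webex web app - Google Search", 1, t0 - 600_000_000),
        (2, "https://example-site.webex.com/meet/sample-host",  # placeholder
         "Cisco Webex Meetings", 2, t0),
        (3, "https://www.wikipedia.org/", "Wikipedia", 5, t0 + 3_600_000_000),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 2, t0 - 86_400_000_000, 1_800_000_000),  # meeting the day before
        (2, 1, t0 - 600_000_000, 5_000_000),         # search, 10 min before
        (3, 2, t0, 3_540_000_000),                   # the 2 PM meeting itself
    ])
    con.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                (1, 1, "cisco webex web app", "cisco webex web app"))
    con.commit()
    return con


def webex_artifacts(con: sqlite3.Connection, pattern: str = "%webex%") -> dict:
    """Return WebEx-related visits in chronological order (timestamps decoded
    to UTC, visit_duration converted from microseconds to seconds) together
    with the search terms that led to the web application."""
    visits = [
        {"url": url, "visit_count": count,
         "visit_time": chrome_time_to_utc(vt), "duration_s": dur / 1_000_000}
        for url, count, vt, dur in con.execute(
            "SELECT u.url, u.visit_count, v.visit_time, v.visit_duration "
            "FROM urls u JOIN visits v ON v.url = u.id "
            "WHERE u.url LIKE ? OR u.title LIKE ? ORDER BY v.visit_time",
            (pattern, pattern))
    ]
    terms = [t for (t,) in con.execute(
        "SELECT term FROM keyword_search_terms WHERE term LIKE ?", (pattern,))]
    return {"visits": visits, "search_terms": terms}
```

Against a real acquisition, open a copy of the History file instead of the constructed database; the same decoding applies to the last-accessed timestamps in the Shortcuts and QuotaManager databases mentioned in Sect. 5.1.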

The cookies related to the Cisco WebEx web application were also found in the SQLite databases C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Cookies and C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies.

The WebEx cache, on the other hand, was collected from the C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Cache folder. Figure 34 shows the WebEx cache extracted from the cache folder.

Fig. 34: WebEx cache via ChromeCacheView

6 Android smartphone forensics

6.1 Logical forensic image

Investigation of the logical forensic image of the Android smartphone, taken using Andriller CE, for evidence pertaining to the WebEx Meetings smartphone application revealed several primary artifacts. The Shared Storage folder of the logical image contained (1) whiteboard images downloaded by the test user during WebEx meetings and (2) pictures shared/annotated by the user. A Shared Storage report logged the same, along with their directories/paths, filenames, file sizes, and modified timestamps, as shown in Fig. 35.

Fig. 35: Shared storage report listing downloaded whiteboard documents and shared pictures via Andriller CE

The email address of the user account logged into the smartphone was revealed in the device specifications report (Fig. 36). This test email address was linked to the WebEx Meetings account for attribution using an artifact extracted from the \data\ directory, as further explained below.

Fig. 36: Email address and device specifications of Android

The SQLite database frosting.db in the \data\apps\com.android.vending\db folder saved the apk path of WebEx Meetings along with its last updated timestamp, as shown in Fig. 37.

Fig. 37: Frosting database acquired via Andriller CE

Similarly, several other SQLite databases in the same \data\apps\com.android.vending\db folder, including install_queue.db, install_source.db, localappstate.db, suggestions.db, verify_apps.db, and xternal_referrer_status.db, provided some digital evidence of the application’s usage. Attribution of the WebEx Meetings account to an email address can be done using library.db in the same \data\apps\com.android.vending\db folder, which lists the email address against WebEx Meetings together with the certificate hash of the application, as shown in Fig. 38.

Fig. 38: Library.db acquired via Andriller CE

The \data\apps\com.google.android.googlequicksearchbox\r\app_webview folder contains Cookies.db, which stores web cookies pertaining to WebEx meetings. Other SQLite databases indicating traces of installation/usage are auto_update.db and data_usage.db in the \data\apps\com.android.vending\db folder.

6.2 ADB backup

Further forensic investigation of the ADB backup of the Android smartphone revealed additional interesting forensic artifacts. These included information and error event logs related to WebEx Meetings. Cookies related to the application (with values and expiration dates) were also extracted from the ADB backup.

An SQLite database, calendar.db, containing Google Calendar events that listed a record of past WebEx meetings was extracted; it provided details such as meeting titles, meeting locations, meeting descriptions, start and attend timestamps of meetings, event time zones, and the organizer’s email address (Fig. 39).

Fig. 39: calendar.db acquired via ADB backup

We were also able to extract another SQLite database, localappstate.db, with records of installed applications, listing WebEx Meetings with its download timestamp, associated email address, and last notification and last update timestamps (Fig. 40).

Fig. 40: localappstate.db acquired via ADB backup

Other extracted artifacts included the profile picture of the associated Google account, whiteboard downloads from the application, and shared/annotated images (with thumbnails).

Putting things together, we illustrate in Table 3 the forensic evidence extracted from the three versions (desktop, web, smartphone) of the Cisco WebEx applications.

7 Case studies

To gain better insight into how individual artifacts, when corroborated, can play a vital role in a forensic investigation, we present in the sequel two case studies based on hypothetical scenarios.

7.1 Desktop client

A legal firm is investigating a case of a fraudulent employee who was recently hired as a junior associate and is suspected by the firm’s senior partners of having faked a law degree and of practicing law without having passed the bar exam. The suspicion started when the firm rang up the college listed on his resume for a routine reference check and found no records of the said student. As a result, the firm decided to investigate the case further. While the employee, hereafter referred to as X, was working on his laptop PC, he was called in by the HR director for interrogation, and his computer was confiscated for forensic examination. Since the computer was on, the forensic analysts immediately captured a memory dump from X’s computer and analyzed it for clues. A pslist/pstree Volatility search revealed the running applications, among which Cisco WebEx was listed. Further investigation (a string search against the <messagesContainer> tag) revealed interesting artifacts. Figure 41 shows details of a suspicious message that X received from an account associated with ‘Mike Ross’. In addition to the acquired message contents, it was also evident that the account was one of X’s contacts on Cisco WebEx. The time the message was received was also recorded (1:41 PM) along with the email domain of the sender (@yahoo.com).

Fig. 41: Message received by X

A string search for emails revealed the complete email address of the sender, i.e., mikeross@yahoo.com. An email histogram obtained using Bulk Extractor indicated that this account was one of the accounts X had communicated with most frequently in recent times. Furthermore, the text messages exchanged between X and Mike were extracted along with the corresponding timestamps. They revealed that X was to receive his fake degree at midnight in exchange for a certain amount of money.

Memory dump capture proved to be an invaluable approach for extracting forensic evidence. However, because of memory volatility, such an approach becomes impractical if the user shuts down the device. In that case, disk space forensics becomes a viable alternative.

7.2 Web application

A long-term senior employee, Y, of a food manufacturing company, ABC, is bound by a confidentiality agreement with the company in regard to a trade secret that the company developed decades ago. Y received a multimillion-dollar offer from a rival company to disclose the trade secret. A virtual meeting related to this business was in order. Since Y did not want to use his company-licensed Cisco WebEx account, which was logged into his WebEx desktop client application, he used his personal WebEx account, which he had created using his personal Gmail. In order to avoid any trace of this communication on his laptop PC, Y decided to use the Cisco WebEx web application instead. The subject meeting was conducted, and the deal was finalized.

A few weeks later, company ABC asked for a forensic investigation of employees’ workstations. Y’s laptop hard drive was imaged using FTK Imager and investigated for any relevant clues. Although no trace of contact with the rival company was found in the Cisco WebEx data directory, i.e., the CiscoSpark (AppData\Local\CiscoSpark) and WebEx (AppData\Local\WebEx) folders, which stored information of his company-licensed WebEx account, the forensic analyst checked the Google Chrome data directory as a last resort. As it turned out, an indexedDB-levelDB corresponding to a personal Cisco WebEx account was found, which not only proved the application’s usage via the Chrome web browser but also provided details of the meeting conducted with the rival company XYZ in the logstore12 object store of the levelDB. The timestamps of logstore12, decoded using DCode (Fig. 42), suggested that the meeting was held on October 26, 2021, around 2 PM.

Fig. 42: Decoded timestamp of Y’s meeting with XYZ Co.

The text chain between Y and company XYZ was recovered in chronological order (following the chatMgr service manager to streamline the search using the find utility of the text editor, and using the timestamps of each text message). A text message sent by Y to the XYZ Co. representative in the meeting, as shown in Fig. 43, clearly proves that Y violated the confidentiality agreement, because he communicated the trade secret to company XYZ.

Fig. 43: Message sent by Y

Evidently, even though the suspect in the subject case took an anti-forensic route by not using the Cisco WebEx desktop client application, the forensic analyst was able to counter this by performing forensic analysis of the web application. The Cisco WebEx web application leaves very detailed artifacts pertaining to the meetings conducted, which can be presented as DE in cases involving the application.

8 Conclusion and future work

Forensic analysis of videoconferencing applications has attracted considerable attention among researchers and forensic investigators alike, owing to the accelerated usage of these applications following the COVID-19 pandemic and the emergence of highly publicized Zoom-bombing incidents. The established artifacts pertaining to each videoconferencing application provide a reference for forensic analysts and can potentially serve as digital evidence in a court of law.

This paper presented a forensic analysis of the Cisco WebEx desktop and web applications with respect to memory, disk space, and network on Windows 10. The objective of the research was to analyze what forensic artifacts pertaining to the application can be extracted. Memory forensics revealed detailed information about the communications that took place between the user and other parties, such as chat messages, exchanged text and media files, meeting passwords, and contacts. User credentials were not found in memory in plaintext, but they were successfully extracted from the Windows Registry on disk. Other interesting artifacts extracted from disk space included profile pictures, call logs, meeting records, and prefetch files. The extracted network artifacts provided useful insights into the client-server communications, such as server domains and IP addresses. Artifacts from all these sources can be linked to reconstruct user activities and to develop a chronological trail of the activities that took place.

The Cisco WebEx web application was also observed to keep detailed logs of the meetings that occurred. Besides traces of the web application’s usage in different files/folders of the Google Chrome data directory, the indexedDB-levelDB proved to be the prime source of interesting details regarding meetings.

Forensic analysis of logical images and ADB backups of Android OS for WebEx Meetings smartphone application artifacts revealed user account information, shared media, cookies, event logs, meeting records, and more.

Results presented herein are valid at the time the research was conducted, and they might become outdated with the emergence of potential future WebEx software updates.

This work can be further explored in many directions. Since this research focused on Windows 10 OS, it would be interesting to perform a similar in-depth analysis of Cisco WebEx on the newer Windows 11 OS. A forensic analysis of a physical Android image may also be performed, since our study focused on logical images and ADB backups. It would also be worthwhile to conduct a forensic investigation of Cisco WebEx on other OSs such as iOS, macOS, and Linux, and additionally on other smart devices such as the iPad. Future work can also focus on extending our forensic analysis to other videoconferencing applications that have not yet been explored, such as Google Meet, Adobe Connect, and BlueJeans.