2017 IEEE Conference on Communications and Network Security (CNS): The Network Forensics Workshop
Email Spoofing Detection Using Volatile Memory
Forensics
R. Padmavathi Iyer∗ , Pradeep K. Atrey∗ , Gaurav Varshney† and Manoj Misra†
∗ University at Albany, State University of New York, Albany, New York, USA
Email:
[email protected]
,
[email protected]
† Indian Institute of Technology Roorkee, Roorkee, Uttarakhand, India
Email: [email protected], [email protected]
Abstract—In email systems, one of the most widely used
attacks is email spoofing, in which the source address of the
email message is forged to make the recipient of the email
believe that the email was sent from a legitimate source. Several
research works have been presented in the past to address
email spoofing attack. Further, in recent years, the technique
of memory forensics has evolved significantly where critical
evidence is extracted from the volatile memory of the target
machine during a cyber crime investigation. In this paper, we
utilize memory forensics to detect if the client received any
spoofed email. In addition, our memory forensics approach
detects if the client replied to any spoofed emails. The memory
of the client machine is acquired on a scheduled basis and
the acquired memory dump is analyzed to identify spoofing
attack and, if detected, storing the details in log files that can
be used by cyber crime investigators. The benefit of applying
memory forensics to detect spoofed emails is that it guarantees
non-repudiation since every action performed on a computer
is loaded in the system’s physical memory, including email
communication, and hence the user cannot deny receiving or
replying to spoofed email.
Index Terms—Email spoofing, Memory forensics, Spoofing
websites
I. INTRODUCTION
A. Email Spoofing
With the growth and evolution of emails, the threats
associated with email communication also increases, with
sophisticated adversaries using state-of-the-art techniques like
sending spoofed emails from/to legitimate user email ad-
dresses. Email Spoofing [1] is a technique that involves
forging of the email source such that the email appears
to have come from some other source. Email spoofing is
generally used by adversaries in phishing attacks [2] in order
to gain the trust of the target that the received email is from a
legitimate source and making them open the malicious email
document. However, the source information in email header
of a spoofed email is different from that of a genuine email
and this difference between the email headers of a spoofed
email and a legitimate email serves as a critical evidence for
identifying email spoofing attacks.
Several approaches have been proposed in the past to
address the issue of email spoofing like anti-spoofing applica-
tion using Secure Socket Layer (SSL) protocol proposed by
Mooloo et al. [1], identifying the authentic owner of forged
email address presented by Hanumanthappa et al. [3] and
978-1-5386-0683-4/17/$31.00 ©2017 IEEE
978-1-5386-0683-4/17/$31.00 ©2017 IEEE
Authorized licensed use limited to: Glyndwr University. Downloaded on October 23,2020 at 21:50:32 UTC from IEEE Xplore. Restrictions apply.
examining Sender Policy Framework (SPF) [4], DomainKeys
Identified Mail (DKIM) [5] and Domain-based Message
Authentication, Reporting and Conformance (DMARC) [6]
fields of email header to detect spoofed addresses proposed
by Gupta et al. [7].
B. Memory Forensics and Challenges
One of the emerging branches of digital forensics, namely
memory forensics [8], entails analyzing the memory of the
suspect device for garnering evidence of cyber attack. Mem-
ory of any computer can be divided into non-volatile memory,
which includes internal storage called hard disks, and volatile
memory called RAM. The non-volatile memory supports
persistent storage and is used for storing static critical files.
On the other hand, volatile memory loses its contents when
the device is restarted and stores dynamic information such
as processes, network connections details, etc. Although
traditional analysis of non-volatile memory reveals wealth of
settings and configurations information about the systems and
applications, some crucial details like password, unencrypted
content, and email headers and messages can be retrieved
from volatile memory only.
However, it is challenging to analyze the memory dump
collected from the target computer due to the complex data
structures in it. In addition, memory forensics has been
evolving slowly, until recently, with free tools limited to
particular Operating System (OS) versions and currently most
tools are targeted on Windows OS RAM. Nevertheless, in
recent years, researches have contributed large volume of
work to this domain of memory forensics like detecting
Advanced Persistent Threat (APT) Trojan proposed by Wang
and Xu [9], discovering kernel mode rootkits described by
Korkin et al. [10] and extracting user credentials of popular
Web applications presented by Joseph et al. [11].
C. Using Memory Forensics for Email Spoofing
Any process or action on a computer, like network con-
nections, unencrypted file contents, cryptographic keys and
passwords, resides in the primary memory for its execution
and thus leaves evidence therein [8]. All this wealth of
crucial information can be used to track the adversary. The
significance of memory forensics can also be applied in
the sphere of email forensics to detect malicious or spam
emails. Whenever an email transaction occurs, all email-
related information gets stored in the memory (RAM) of the
619
2017 IEEE Conference on Communications and Network Security (CNS): The Network Forensics Workshop
user’s machine. And spoofed emails are no exceptions. The
email header and body details get etched in dynamic memory
and even if the adversary tries to delete all the evidence
pertaining to the spoofing attack like clearing browsing data
or deleting the messages from inbox or sent folders, the
information required for forensics is still safe in the primary
memory of the target machine.
In this paper, we present an approach for detecting spoofing
attacks in received and replied emails, based on the technique
of memory forensics. The basic procedure behind our scheme
is as follows. Whenever the client opens his email inbox, all
email related data is loaded in the client computer’s main
memory in the form of email headers. The main memory
dump is acquired and email related data is gathered from the
dump. Then the retrieved email data, more specifically email
headers, from the target machine is matched against the email
header pattern of a genuine email, and any anomalies in this
process might possibly indicate a spoofed email.
The entire process runs on a scheduled basis on the client
computer. To demonstrate the feasibility of our approach, we
conducted experiments in which spoofed emails were sent
from authentic email addresses to the client via websites
that offer such services. The client can reply to the received
spoofed emails, in which case the replied email is received by
the legitimate owner of the spoofed email address. Genuine
emails were also sent and replied to test for false positives.
We observe that our implementation stores details of spoofed
emails in received and replied logs respectively depending on
whether the client received or replied to the spoofed email,
while preventing false positives. Hence, log files created by
our approach can be utilized by cyber crime investigators to
identify email spoofing attacks.
D. Paper Contributions
To the best of our knowledge, this is the first paper
that performs volatile memory forensics to not only detect
spoofed emails but also identify if the client has replied to
a received spoofed email. The advantage of using memory
forensics to detect spoofed emails is that this technique
guarantees non-repudiation [12], that is, the client cannot
deny receiving or replying to spoofed email. Furthermore,
all email data including the message, which are otherwise
transmitted in encrypted form over the network, are loaded
as plain text in RAM. Our key contributions in this paper
are:
• Design an approach to detect email spoofing based on
analysis of volatile memory dump and store details
of detected spoofed emails, received or replied by the
client, in received and replied log files respectively.
• Demonstrate the practicality of our scheme by sending
spoofed emails via websites offering such services.
E. Paper Organization
The paper is structured as follows. Section II discusses
related work in the field of email spoofing and memory
forensics and how our approach is novel compared to prior
works. In section III, we give a detailed explanation of
620
Authorized licensed use limited to: Glyndwr University. Downloaded on October 23,2020 at 21:50:32 UTC from IEEE Xplore. Restrictions apply.
our approach and the flow of operations involved in the
entire process. Section IV elucidates implementation of our
scheme with experiments and results, along with performance
analysis. Finally, in section V we conclude and shed light on
some potential future works in this direction.
II. RELATED WORK
A large volume of work has been undertaken in the past
to address email spoofing, which is mainly based on network
forensics. In network forensics based methods, the email
headers are extracted from the network traffic and analyzed
to identify spoofed emails [13]. The email headers usually
contain crucial information, such as source and destination
email addresses, evidence of the path traversed by the email
on its journey from source host to receiver host, date and
time the message was sent, etc.
The network forensics defense mechanisms against email
spoofing can be classified as follows:
Network Level Defense It typically involves blocking a
group of domains or a range of Internet Protocol (IP)
addresses to protect the network from systems that
commonly deliver spoofed malicious emails [23][24].
However, these mechanisms do not focus on the content
of the message.
Authentication This usually involves checking the path of
an email to ensure that its domain name has not been
spoofed by attacker [3][7][25][23]. To accomplish this,
most email servers are equipped with prominent security
technologies such as Microsoft’s Sender ID and Yahoo’s
Domain Key. Nevertheless, for a successful email au-
thentication mechanism, both the sender and the receiver
mail servers must apply the same technology.
Client Side Defense These protection mechanisms enable
users to identify spoofed emails so that even when the
server crashes or is temporarily down, the user is not
vulnerable to spoofing attacks [1][26]. Usually these
mechanisms are based on the white-listing technique to
differentiate legitimate emails from spoofed emails. As
a result, these methods suffer from high false positives.
The main limitation of employing network forensics to
detect email spoofing is that it is almost impossible to capture
all traffic that pass through a network [27]. For example, most
Intrusion Detection Systems (IDS) do not capture normal
port 80 traffic. Moreover, prior work focused on identifying
spoofing attacks in emails received by the client. Our work
aims to overcome these shortcomings by using memory
forensics for identifying spoofing attack in both received
and replied emails. The advantage of employing memory
forensics technique for detecting spoofed emails is that it
guarantees non-repudiation [12], that is, the user cannot
deny receiving or replying to spoofed email, since every
action performed on the user’s computer is recorded in the
system’s physical memory, including email communications.
Furthermore, all email data, including the message, are loaded
as plain text in RAM, which are otherwise transmitted
in encrypted form over the network. In addition, memory
forensics provides enough control to detect spoofed emails
2017 IEEE Conference on Communications and Network Security (CNS): The Network Forensics Workshop

TABLE I: Past works involving volatile memory analysis

Work Task performed Identify spoofing in Identify spoofing in
received emails? replied emails?
Xu and Wang [14] Extract logged-in passwords in Windows No No
system
Graziano et al. [15] Inspect hypervisors and virtual machines No No
Guangqi et al. [16] Algorithm for examining virtual machines No No
Joseph et al. [11] Extract usernames and passwords of Web No No
applications in Windows system
Chen and Li [17] Retrieve picture data No No
Saltaformaggio et al. Recover photographic evidence in Android No No
[18] device
Korkin and Nesterov Detect kernel mode rootkits No No
[10]
Wang and Xu [9] Detect APT Trojan evidence No No
Huang et al. [19] Recover traces of Skype and Facebook com- No No
munications in Windows system
Chen and Mao [20] Recover email data from Android RAM No No
Lee et al. [21] Algorithm for guaranteeing bootstrapping No No
steps while inspecting compromised mem-
ory
Case and Richard III Identify userland malware on Mac OS X No No
[22]
Proposed work Detect email spoofing in Windows system Yes Yes

since email headers can be accessed from memory of the
client machine instead of network, which employs https, and
hence there is no need to have access to third-party email
service providers.
Memory forensics is an evolving and promising area of
research. Xu and Wang [14] presented a technique for the
retrieval of system logged-in passwords from the physical
memory of Windows XP and Windows 7. In addition,
Graziano et al. [15] demonstrated a set of approaches for
analyzing hypervisors and virtual machines by utilizing mem-
ory forensics. Subsequently, Guangqi et al. [16] proposed
an algorithm for memory forensics on virtual machines
comprising of process search, memory dump and memory
analysis. Further, Joseph et al. [11] proposed methodology
that examines Windows system’s physical memory dump
for extracting information about Internet activity and re-
trieving usernames and passwords of Web applications like
mail accounts. Interestingly, Chen and Li [17] presented
a technique for recovering picture data from the memory
dump. Subsequently, Saltaformaggio et al. [18] presented a
memory forensics technique called Visual Content Recovery
(VCR) that retrieves all photographic evidence generated
by an Android device’s cameras. Furthermore, Korkin and
Nesterov [10] described a new memory forensic system for
detection of kernel mode rootkits. Following that, Wang and
Xu [9] applied memory forensics techniques to identify traces
of APT Trojan in the memory image. Moreover, Huang et
al. [19] proposed a technology utilizing memory forensics
in Windows OS to gather key evidence in Skype and Face-
book Messenger communications. Subsequently, Chen and
Mao [20] focused on discovering email-related information
by analyzing the volatile memory of the Android mobile
phone. Interestingly, Lee et al. [21] suggested an algorithm
for analyzing the compromised memory while guaranteeing
all the three bootstrapping steps, comprising of operating
system fingerprinting, Directory Table Base identification and
obtaining kernel objects. In addition, Case and Richard III
[22] focused on memory forensics techniques for detecting
userland malware on Mac OS X.
Compared to prior works that utilize primary memory
forensics to gather different types of critical information, the
goal of our work is to discover spoofing attack in emails
received and replied by the client through volatile memory
analysis of Windows OS, as depicted in table I.
III. PROPOSED WORK
We propose a scheme that utilizes memory forensics to
detect spoofed emails. The goal of this work is twofold.
First, our approach detects if any received email is a spoofed
email when the client opens his email inbox. Second, our
scheme detects if the client replied to any spoofed email.
The following subsections describe the procedure followed
to accomplish these tasks.
A. Extracting Email Related Data From Memory
1) Capturing Live Memory Using Mandiant’s Memoryze:
We used Mandiant’s Memoryze [28] for acquiring live mem-
ory images. A significant advantage of using Memoryze
is that it can be used via the command-line for acquiring
memory images and also provides the flexibility of specifying
the destination folder for storing the acquired memory im-
ages. However, running the tool requires Administrator-level
command prompt because only then Memoryze can load a
kernel-level driver for getting access to raw memory.
2) Extracting UNICODE & ASCII Strings Using Strings
Tool: We used Strings v2.53 [29] by Mark Russinovich to
retrieve UNICODE and ASCII strings with a length of three
or more characters from the captured memory dump and
redirected the output to a strings file.

621

Authorized licensed use limited to: Glyndwr University. Downloaded on October 23,2020 at 21:50:32 UTC from IEEE Xplore. Restrictions apply.
2017 IEEE Conference on Communications and Network Security (CNS): The Network Forensics Workshop

3) Filtering Email Related Data: The contents of the Algorithm Detecting Spoofing in Replied Emails
strings file contain information that are irrelevant to emails. EmailHeadersList ← read(headers f ile)
So email headers were filtered from the strings file and saved for each header ∈ EmailHeadersList do
in a headers file. f rom ← getF romAddress(header)
to ← getT oAddress(header)
B. Algorithm For Detecting Spoofed Emails subject ← getSubject(header)
The spoofed emails should be detected accurately such that inReplyT o ← getinReplyT o(header)
they are distinguished from genuine emails to prevent false
positives. The basic idea is to compare the domain portion toDom ← getDomain(to)
of from: and messageId fields of email headers to detect inReplyT oDom ← getDomain(inReplyT o)
spoofing attack in received emails and record the details of
spoofed emails in the received log, and comparing the domain cmp ← isComparable(toDom, inReplyT oDom)
portion of to: and inReplyTo email header fields to identify if if cmp = F ALSE then
the client has replied to any spoofed email and save the details header.isSpoof ed ← T RU E
of spoofed emails in the replied log. More specifically, each Log ← write(f rom, to, subject, inReplyT o)
entry in the log file contains the from address, to address, end if
subject, messageId or inReplyTo Id of the spoofed email, and end for
the time the entry was registered in the log.
The following algorithms describe detecting spoofing at-
tack in received and replied emails respectively. These algo-
rithms are implemented in Perl 5, version 12, subversion 3
(v5.12.3).

Algorithm Detecting Spoofing in Received Emails

EmailHeadersList ← read(headers f ile)
for each header ∈ EmailHeadersList do
f rom ← getF romAddress(header)
to ← getT oAddress(header)
subject ← getSubject(header)
messageId ← getM essageId(header)

f romDom ← getDomain(f rom)

messageIdDom ← getDomain(messageId)

cmp ← isComparable(f romDom, messageIdDom)

if cmp = F ALSE then
header.isSpoof ed ← T RU E
Log ← write(f rom, to, subject, messageId)
end if
end for
In the proposed algorithms, read function takes the head-
ers file as input and stores all the email headers contained
therein in EmailHeadersList array. During each iteration over
this array, getFromAddress function retrieves the From: field
from the corresponding header and stores it in the variable
from. Similarly, getToAddress retrieves the To: field and stores
it in variable to, getSubject stores the Subject field in variable
subject, getMessageId stores the MessageId field in variable
messageId and getinReplyTo retrieves the inReplyTo field and
stores it in variable inReplyTo.
While detecting spoofing in received emails, the getDo-
main function retrieves the domain information from the ar-
gument, from and messageId, and stores in variables fromDom
and messageIdDom respectively. The isComparable function
checks if fromDom is a substring of messageIdDom and
returns a boolean value. If it is false, then the corresponding
Fig. 1: Basic flow of operations
header is marked as spoofed and the write function registers
details of the spoofed email, particularly from, to, subject
and messageId values in the Log file. Similar procedure
is followed for detecting spoofing in replied emails except
that, instead of from and messageId values, to and inReplyTo
values are used.
C. Flow of Operations
Figure 1 depicts the basic flow of operations involved in
our scheme. When the client opens email inbox, his emails
are loaded into memory in the form of email headers. An
email header contains all the information about a particular
email which is specified in fields. Table II enumerates some
fields of an email header that we will use to detect spoofing
attacks in received and replied emails.
The entire process from capturing the live memory to
reporting any detected spoofed emails by analyzing the

622

Authorized licensed use limited to: Glyndwr University. Downloaded on October 23,2020 at 21:50:32 UTC from IEEE Xplore. Restrictions apply.
2017 IEEE Conference on Communications and Network Security (CNS): The Network Forensics Workshop
TABLE II: Some Email Header Fields
Field Definition
From Persons responsible for the email message
cc cc=Carbon Copy. Secondary, informational
recipients
bcc bcc=Blind Carbon Copy. Recipients not to
be disclosed to other recipients
To Primary recipients
Subject Title or heading of the email message
MessageId Unique ID of the email message
inReplyTo Reference to email message for which this
email is a reply to
Fig. 2: Example of an email header as captured from the
memory of client computer
acquired memory dump is automated. The Mandiant’s Mem-
oryze software is run on the client’s computer to acquire
the live memory and store the captured memory image on
the secondary storage of the machine. Then we run the
Strings tool on this just captured memory dump to extract
all the UNICODE and ASCII strings of length three or more
characters and store the extracted strings in strings file in
the same directory as the memory dump. Subsequently, all
the email data is filtered from the strings file and outputted
to headers file, which is stored in the same directory as the
memory dump and the strings file. Figure 2 shows a typical
email header. The next step involves correctly identifying
spoofed emails by scanning the headers file and registering
their details in the logs, while distinguishing genuine emails
from spoofed ones to prevent false positives. Previous subsec-
tion gives such an algorithm for identifying spoofed emails.
IV. IMPLEMENTATION AND RESULTS
Our scheme, deployed on the client machine, runs on
a scheduled basis to identify whether the client received
any spoofed emails and also detect if the client replied to
any received spoofed emails, while preventing false positives
by correctly distinguishing spoofed emails from genuine
emails. In the following subsections we describe details of
the experiments we conducted to demonstrate the deployment
of our scheme for detecting spoofed emails.
A. Assumptions
While performing our experiments, we assume that the
memory dump acquired from the client machine, which is
623
Authorized licensed use limited to: Glyndwr University. Downloaded on October 23,2020 at 21:50:32 UTC from IEEE Xplore. Restrictions apply.
TABLE III: Specifications of the client computer
OS Windows 10
Processor Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
2.59 GHz
RAM 12.0 GB (11.9 GB usable)
System type 64-bit Operating System, x64-based processor
the basis of our analysis for detecting email spoofing attacks,
is honest and has not been modified by any malicious activity.
B. Experimental Setup
We implemented our scheme on client machine, with the
specifications given in table III, to detect spoofing attacks
in both received and replied emails. To evaluate our imple-
mentation, spoofed emails were sent from legitimate email
addresses to the client machine from websites providing
services to send spoofed emails, and the client replies to
received spoofed emails. Also, genuine emails were sent
and replied to test if our technique accurately distinguishes
spoofed emails from genuine emails.
Spoofed emails were sent from three websites
namely Emkei’s Fake Mailer (https://emkei.cz),
Anonymailer (http://anonymailer.net/ ) and sharpmail
(http://www.sharpmail.co.uk/ ). For all the three websites,
we used the following fields to send spoofed emails - From
email address, To email address, Subject, Body or message,
and attachments. The client receives the email, sent from
each of the three above mentioned websites, like any other
genuine email that he can access through his inbox. When
the client replies to the spoofed emails, it is received by
the innocent user whose email address was forged in the
spoofing attack. Genuine emails were sent from various
email service providers to ensure that our implementation
prevents false positives.
C. Results and Analysis
This section elucidates the time analysis and other pro-
cessing overheads of the proposed approach when run on
the client computer with specifications given in table III.
The scheme takes approximately 12 minutes for the entire
process from acquiring memory image of the client machine
to registering detected spoofed emails in appropriate log files.
The Memoryze software takes approximately two and a half
minutes to complete execution and consumes approximately
6% of CPU, 2 MB of memory and 82 MB/s of disk. The
Strings tool takes approximately seven and a half minutes
consuming nearly 1 MB of memory, 25 MB/s of disk and
utilizes about 15% of processor. Finally the QGREP Utility,
which is filtering email related data followed by execution
of the Perl script for detecting spoofed emails, takes ap-
proximately ten seconds and utilizes about 5% of CPU and
consumes around 1 MB of memory and 46 MB/s of disk.
The performance evaluation of our scheme is enumerated in
table IV.
The performance evaluation discussed above is particular
to the machine with specifications given in table III. As a
result, a client machine with lower RAM will take lesser time
2017 IEEE Conference on Communications and Network Security (CNS): The Network Forensics Workshop

(a) Spoofed email (b) Genuine email

Fig. 3: Memory images indicating the difference between spoofed email and genuine email.

Fig. 4: Received log file contains details of spoofed emails received by the client

to execute. For example, we implemented our scheme on a the email O2 for oxygen is stored in the replied log, whereas
machine with 4 GB RAM having 32-bit Pentium Dual-Core the email P for parrot is not, when the client replies to both
processor, and it took approximately 5 minutes for overall the spoofed email (O2 for oxygen) and the genuine email (P
execution. for parrot), as manifested in figure 6.
To verify if our scheme accurately identifies spoofing
TABLE IV: Performance analysis
attacks in both received and replied emails while preventing
Process Memory(MB) Disk(MB/s) CPU(%) Time(mm:ss) false positives, we sent seventy spoofed emails from the
Memoryze 1.9 82.1 6.0 2:30 spoofing website emkei.cz and seventy genuine emails to
Strings 0.9 24.7 14.6 7:30
QGREP Utility 0.6 45.6 5.1 00:10 the client machine. The client replied to all the received
Total time taken (mm:ss) = 12:10. emails. Both spoofed and genuine emails were sent from
seven email service providers, that is ten spoofed and ten
Figure 3 shows the difference in the email headers be- genuine emails were sent from each email service provider
tween a spoofed email and a genuine email when a spoofed since the performance did not change after ten emails. Table
email with subject O2 for oxygen and a genuine email with V demonstrates the results along with accuracy of detecting
subject P for parrot are sent from the gmail address bful- spoofing in both received and replied emails. None of the
[email protected] to the client whose email address genuine email was registered in the log files indicating that
is pi.95 [email protected]. Hence details of the email with our scheme prevents false positives.
subject O2 for oxygen should be registered in the received Although all email data is logged in the memory dump, in
log file whereas the email with subject P for parrot should some cases, when our implementation has to process large
not, which is evident from figure 4. number of newly received emails in a single execution, few
If the client replies to the spoofed email O2 for oxygen, email headers are not properly filtered from the strings file
the replied email is sent to the legitimate owner of the email to the headers file. As a result, the proposed algorithm for
address [email protected]. Figure 5 demonstrates detecting spoofed emails “skips” those emails and hence they
the difference in the email headers between replying to a are not registered in the log. This issue is comparatively
spoofed email (with subject O2 for oxygen) and replying to much less in replied spoofed emails than received spoofed
a genuine email (with subject P for parrot). Hence, details of emails. Nevertheless, in the immediately next execution of
the scheme, all the spoofed emails both received and replied
are registered in the respective log files.
TABLE V: Accuracy of the proposed scheme
Email No. of No. of No. of Accuracy V. CONCLUSION AND FUTURE WORK
Service Spoofed Received Replied
Provider Emails Sent Spoofed Spoofed The advantage of using memory forensics for email spoof-
Emails Emails
Detected Detected ing is that it guarantees non-repudiation, that is, the user
rediffmail.com 10 10 10 100% cannot deny receiving or replying to spoofed emails, since all
zoho.com 10 9 10 96.7% the actions performed on the user’s computer are etched in the
outlook.com 10 8 10 93.4%
mail.com 10 10 10 100% system’s physical memory, including email communications.
gmail.com 10 8 10 93.4% In this work, specifically, we detect if the client received
sfletter.com 10 9 9 93.4%
fastmail.com 10 9 10 96.7% any spoofed email and/or if the client replied to any spoofed
email. Our implementation is run on a scheduled basis on

624

Authorized licensed use limited to: Glyndwr University. Downloaded on October 23,2020 at 21:50:32 UTC from IEEE Xplore. Restrictions apply.
2017 IEEE Conference on Communications and Network Security (CNS): The Network Forensics Workshop
(a) Spoofed email
Fig. 5: Memory images indicating the difference between replying to spoofed email and replying to genuine email.
Fig. 6: Replied log file contains details of “replied to spoofed emails” by the client.
the client machine and registers details of spoofed emails,
detected by analyzing the memory dump, in appropriate log
files depending on whether the client received or replied to the
spoofed email, and these log files can be used by cyber crime
investigators. Performance analysis indicates that our scheme
takes around 12 minutes to accurately detect spoofed emails,
sent from websites offering such services, while preventing
false positives, consuming system resources judiciously, and
without interrupting with normal functioning of the client
computer.
An interesting future work in this direction is to optimize
the scheme developed in this paper such that it takes lesser
time to execute while requiring minimum overhead on the
system’s resources. Also, our approach does not find if any
spoofed email has been sent by a malicious client from a
spoofing website; we aim to address this issue in future.
R EFERENCES
[1] D. Mooloo and T. P. Fowdur, “An ssl-based client-oriented anti-
spoofing email application,” in 2013 Africon, Sept 2013, pp. 1–5.
[2] G. Varshney, M. Misra, and P. K. Atrey, “A survey and classification
of web phishing detection schemes,” Wiley Journal of Security and
Communication Networks, 2016.
[3] M. Kumar, M. Hanumanthappa, and T. S. Kumar, “A countermeasure
technique for email-spoofing,” International Journal of Advanced Re-
search in Computer Science, vol. 4, no. 2, 2013.
[4] S. Kitterman, “Sender policy framework project overview,”
http://www.openspf.org/, accessed: 2014.
[5] “DomainKeys Identified Mail (DKIM),” http://www.dkim.org/.
[6] “DMARC overview,” https://dmarc.org/overview/.
[7] S. Gupta, E. S. Pilli, P. Mishra, S. Pundir, and R. Joshi, “Forensic
analysis of e-mail address spoofing,” in The 5th IEEE International
Conference on the Next Generation Information Technology Summit
(Confluence), 2014, pp. 898–904.
[8] K. Amari, “Techniques and tools for recovering and analyzing data
from volatile memory,” SANS Institute InfoSec Reading Room, 2009.
[9] L. H. Wang and Q. L. Xu, “An apt trojan detection method based on
memory forensics techniques,” Applied Mechanics and Materials, vol.
701, p. 927, 2014.
[10] I. Korkin and I. Nesterov, “Applying memory forensics to rootkit
detection,” arXiv preprint arXiv:1506.04129, 2015.
[11] N. Joseph, S. Sunny, S. Dija, and K. Thomas, “Volatile internet
evidence extraction from windows systems,” in International Confer-
ence on Computational Intelligence and Computing Research (ICCIC),
2014, pp. 1–5.
625
Authorized licensed use limited to: Glyndwr University. Downloaded on October 23,2020 at 21:50:32 UTC from IEEE Xplore. Restrictions apply.
(b) Genuine email
[12] Y. Kavurucu and Ö. Sever, “Hybrid non-repudiation protocol with all
types of pairings,” 2016.
[13] R. Hunt and S. Zeadally, “Network forensics: an analysis of techniques,
tools, and trends,” IEEE Computer, vol. 45, no. 12, pp. 36–43, 2012.
[14] L. Xu and L. Wang, “Research on extracting system logged-in pass-
word forensically from windows memory image file,” in The 9th IEEE
International Conference on Computational Intelligence and Security
(CIS), 2013, pp. 716–720.
[15] M. Graziano, A. Lanzi, and D. Balzarotti, “Hypervisor memory foren-
sics,” in International Workshop on Recent Advances in Intrusion
Detection, 2013, pp. 21–40.
[16] L. Guangqi, W. Lianhai, Z. Shuhui, X. Shujiang, and Z. Lei, “Memory
dump and forensic analysis based on virtual machine,” in International
Conference on Mechatronics and Automation (ICMA), 2014, pp. 1773–
1777.
[17] L. Chen and Y. H. Li, “A method of extracting picture in memory,” in
Applied Mechanics and Materials, vol. 556, 2014, pp. 5186–5189.
[18] B. Saltaformaggio, R. Bhatia, Z. Gu, X. Zhang, and D. Xu, “Vcr:
App-agnostic recovery of photographic evidence from android device
memory images,” in The 22nd ACM SIGSAC Conference on Computer
and Communications Security, 2015, pp. 146–157.
[19] C.-T. Huang, Y.-T. Chang, and S.-J. Wang, “Evidence revelations
at memory forensics in conversations of instant messages,” Forensic
Science Journal, vol. 14, no. 1, pp. 59–67, 2015.
[20] L. Chen and Y. Mao, “Forensic analysis of email on android volatile
memory,” in Trustcom/BigDataSE/I SPA, 2016, pp. 945–951.
[21] K. Lee, H. Hwang, K. Kim, and B. Noh, “Robust bootstrapping
memory analysis against anti-forensics,” Elsevier Journal of Digital
Investigation, vol. 18, pp. S23–S32, 2016.
[22] “Detecting objective-c malware through memory forensics,” Elsevier
Journal of Digital Investigation, vol. 18, pp. S3 – S10, 2016.
[23] A. Almomani, B. Gupta, S. Atawneh, A. Meulenberg, and E. Al-
momani, “A survey of phishing email filtering techniques,” IEEE
Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2070–2090,
2013.
[24] V. Ramanathan and H. Wechsler, “phishGILLNETphishing detection
methodology using probabilistic latent semantic analysis, AdaBoost,
and co-training,” EURASIP Journal of Information Security, vol. 2012,
no. 1, p. 1, 2012.
[25] A. Jayan and S. Dija, “Detection of spoofed mails,” in IEEE Inter-
national Conference on Computational Intelligence and Computing
Research (ICCIC), 2015, pp. 1–4.
[26] T. Fowdur and L. Veerasoo, “An email application with active spoof
monitoring and control,” in IEEE International Conference on Com-
puter Communication and Informatics (ICCCI), 2016, pp. 1–6.
[27] A. Xrysanthou and I. Apostolakis, “Network forensics: Problems and
solutions,” in E-Democracy: Challenges of the Digital Era, 2006, pp.
307–318.
[28] “Memoryze,” https://www.fireeye.com/services/freeware/memoryze.html.
[29] Microsoft TechNet, “Windows sysinternals strings v2.53,”
https://technet.microsoft.com/en-us/sysinternals/strings.aspx, accessed:
2017.