Tencent Meeting forensics based on memory reverse analysis

Abstract

Tencent Meeting, an instant meeting application, is now widely used, but no research has been conducted on its forensics. Because the real-time data such software generates during meetings is not stored on the computer's disk, traditional disk forensics methods are not applicable to it, and evidence must instead be obtained through memory analysis. To extract the data transmitted during meetings, this article proposes a method for Tencent Meeting forensics based on memory reverse analysis. First, by analyzing the process storage and metadata format of Tencent Meeting in memory, an inverse metadata extraction algorithm is designed. Then, by analyzing the data structure of Tencent Meeting in memory, a meeting data stream engraving algorithm is developed. Finally, the experimental results indicate that the proposed method can effectively extract metadata such as meeting time, meeting number, and topic, as well as data flow information such as participants, message records, and transmitted files, from the memory of Tencent Meeting, providing crucial digital evidence for digital crime investigation. Compared with other forensic analysis methods for instant meeting software, the proposed method performs memory reverse analysis on the entire memory file, enabling the extraction of more comprehensive and abundant forensic data.
