Z is for Zoombombing

Zoombombing — the act of interrupting zoom and similar on-line meetings is just one symptom of disruptive and often more serious security issues facing society as we move on-line. COVID-19 has driven a surge in such disordering of digital activities and has affected our conduct in an increasingly connected world. Mobile phones and computers have become an essential part of life during the pandemic while working remotely, shopping online or consulting on health. To remain connected during the pandemic there has been a substantial increase in use of video calling/conferencing tools such as Zoom, Google Hangouts, Microsoft Teams, and WebEx Meetings. Ease of online communications could, however, make information easier for cybercriminals to access and to use these tools for malicious purposes. The UK’s Office for National Statistics [1] published data that showed 46.6% of people in employment conducted some form of work at home, with 86% of these people doing so because of Covid-19. Similarly, between the months of May and June 2020, it was discovered that 87% of parents with a child in education had undertaken some form of home-schooling. Whilst video conferencing apps are usually used for work and school meetings, there can also be a darker side to these programs. It might not be as common as work meetings, but video conferencing programs can be used for criminal uses.

‘Zoombombing’ has become an issue in recent times, according to Wiltshire Police [2]. ‘Zoombombing’ has been defined as the act of interrupting a zoom call, often with disturbing images of, for example, child abuse. This has been possible due to a security flaw in Zoom that allows people to join without a password, using a call code that has been posted publicly, such as by pages on Facebook. Whilst there are mitigations for this sort of issue, such as using the “waiting room” feature, and only sending the room code to the people in-volved, the fact that ‘Zoombombing’ is happening shows that there is the risk for people to be snooping on calls, or using them to distribute false, illegal and disturbing images or content. As video conferencing has only recently had a boom in popularity there are not much research regarding forensic findings and artefacts that can be used to trace perpetrators. Recent investigations at Canterbury Christ Church University reports [3] how forensic evidence from two popular video conferencing tools, Microsoft Teams and Google Meet, could be collected by forensic examiners, and how these artefacts can be used as evidence. Industry standard cyber forensics tools have been reported to extract artefacts from range of digital sources, such as computer memory, network, internet browsers and operating system files, such as windows registry. The results are intended to verify security and trustworthiness of both applications as an online conferencing tool.

Results reveal several key artefacts, including suspect’s email addresses, as well as email addresses of other parties who may have been involved. Finding out that these artefacts exist and knowing where to look for them could be key information for investigators, since it would save them time and resources. During Google Meet’s investigations a collection of artefacts indicates that a user accessed and circumstantially used the Google Meet application. Hyperlinks were recovered from the internet browser’s “History” file. With the hyperlink being unique to a specific call, there is a possibility of proving a suspect was involved in the Google Meet call as suspect’s machine was used to access the specific call. Additionally, the hyperlinks obtained can be used to re-join existing calls. Therefore, if a malicious person gained access to this artefact in the browser files, they could potentially gain access to a Google Meet call that they were not supposed to be on.

The study focused on only the ‘Windows 10’ operating system; therefore, inverigation of other operating systems may present more, less or simply different artefacts. Future work should include testing the application on other popular platforms, such as, but not limited to, ‘macOS’, ‘iOS’, ‘Linux’ and ‘Android’. By applying this approach to alternative platforms, a full picture of the forensic soundness of both Google Meet and MS Teams can be created.

Dr Hannan Azhar is Senior Lecturer in Computing at Christ Church. His research focuses on cybercrime and security investigations of a wide range of computer applications and hardware ecosystems, such as smart home IoT, drones, wearable devices, etc. His research also involves designing and developing a trustworthy and secure infrastructure for education and healthcare as well as tools to gather intelligence, especially when the crime is still unfolding and attackers are still at large.

Reference

Office for National Statistics (2020). Coronavirus and homeschooling in Great Britain: April to June 2020. Available at: https://www.ons.gov.uk/peoplepopulationandcommunity/educationandchildcare/articles/coronavirusandhomeschoolingingreatbritain/apriltojune2020 (Accessed: 02/09/2021).

Wiltshire Police (2020). Incidents of ‘zoom-bombing’ reported in Wiltshire — Wiltshire Police. Available at: https://www.wiltshire.police.uk/article/6136/Incidents-of-zoom-bombing-reported-in-Wiltshire (Accessed: 02/09/2021).

Azhar, M.A.H.B., Timms, J. and Tilley, B. (2021). Forensic Investigations of Google Meet and Microsoft Teams — Two Popular Conferencing Tools in the Pandemic, In the Proceedings of 12th EAI International Conference on Digital Forensics & Cyber Crime, ICDF2C 2021, Publisher: Springer, Singapore.