Authors: Guido Schipper, Rudy Seelt and Nhien-An Le-Khac
DFRWS EU 2021
Instant messaging (IM) has been around for decades now. Over the last few decades IM has become more and more popular with varied protocols, both open source and closed source. One of the new recent open source ones is the Matrix protocol with the first stable version released in 2019 and the IM application based on this protocol is “Riot.im”. In recent years many organizations started using the Matrix protocol to setup and manage their own IM platforms. In addition, the number of users who are using the public Matrix protocol-based servers is also increasing. However, because the Matrix protocol and the Riot.im application are very new, there is a knowledge gap when it comes to investigators in relation to the forensic acquisition and analysis of Riot.im application and the Matrix protocol. Yet, there is very little research in literature on the Matrix protocol forensics. The goal of this paper is to fill this gap by pre- senting a forensic approach to analyze forensic artifacts of Riot.im and the Matrix protocol.