Forensic investigation of Google Meet for memory and browser artifacts

Web applications have experienced a widespread adaptation owing to the agile Service Oriented Architecture (SOA) reflecting the ever-changing software needs of users. Google Meet is one of the top video conferencing applications, especially in the post-COVID19 era. Security and privacy concerns are therefore critical. This paper presents an extensive digital forensic analysis of Google Meet running on multiple browsers and software platforms including Google Chrome, Mozilla Firefox, and Microsoft Edge browsers in Windows 10 and Linux. Artifacts, traces of potential evidence, are extracted from different locations on a client’s desktop, including the memory and browser. These include meeting records, communication records, email addresses, profile pictures, history, downloads, bookmarks, cache, cookies, etc. We explore how different Random Access Memory (RAM) sizes of client devices impact the persistence and format of extracted memory artifacts. A memory artifact extraction tool is developed to automate the extraction of artifacts identified via unstructured string analysis. Google Meet forensic artifacts are critical in that they are potential digital evidence in relevant criminal investigations. Additionally, they highlight that user data can be extracted despite implementing multiple privacy and security mechanisms.