The persistence of memory: Forensic identification and extraction of cryptographic keys |
| |
Institution: | 1. Department of Telematics, Norwegian University of Science and Technology, O.S. Bragstads Plass 2B, N-7491 Trondheim, Norway; 2. National Criminal Investigation Service, Norway; 3. Norwegian Information Security Laboratory, Gjøvik University College, PO Box 191, N-2802 Gjøvik, Norway |
| |
Abstract: | The increasing popularity of cryptography poses a great challenge in the field of digital forensics. Digital evidence protected by strong encryption may be impossible to decrypt without the correct key. We propose novel methods for cryptographic key identification and present a new proof-of-concept tool named Interrogate that searches through volatile memory and recovers cryptographic keys used by the ciphers AES, Serpent and Twofish. By using the tool in a virtual digital crime scene, we simulate and examine the different states of systems where well-known and popular cryptosystems are installed. Our experiments show that the chances of uncovering cryptographic keys are high when the digital crime scene is in certain well-defined states. Finally, we argue that the consequence of this and other recent results regarding memory acquisition requires that the current practices of digital forensics should be guided towards a more forensically sound way of handling live analysis in a digital crime scene. |
| |
This article is indexed in ScienceDirect and other databases. |
|