Plain text passwords: A forensic RAM-raid
Affiliation: 1. School of Applied Sciences, University of Huddersfield, Queensgate, Huddersfield, West Yorkshire, HD1 3DH, United Kingdom; 2. Department of Criminal Justice and Forensic Science, School of Law, Policing and Forensics, Staffordshire University, Leek Road, Stoke-on-Trent, Staffordshire, ST4 2DF, United Kingdom; 1. Indraprastha Institute of Information Technology, Delhi (IIIT-D), Delhi, India; 2. Amazon, India; 3. PDPM Indian Institute of Information Technology, Design and Manufacturing, Jabalpur, India; 4. Indira Gandhi Delhi Technical University for Women (IGDTUW), Delhi, India; 5. Indian Institute of Technology, Jodhpur, India
Abstract: Despite many academic studies in the last 15 years acknowledging the investigative value of physical memory due to the potential sensitive nature of data it may contain, it arguably remains rarely collected at-scene in most criminal investigations. Whilst this may be due to factors such as first responders lacking the technical skills to do this task, or simply that it is overlooked as an evidence source, this work seeks to emphasise the worth of this task by demonstrating the ability to recover plain-text login credentials from it. Through an examination of logins made to 15 popular online services carried out via the Chrome, Edge and Mozilla Firefox browsers, testing shows that plain-text credentials are present in RAM in every case. Here, a transparent test methodology is defined and the results of test cases are presented along with ‘string markers’ which allow a practitioner to search their RAM captures for the presence of unknown credential information for these services in future cases.
Keywords: RAM; Physical memory; Passwords; Digital forensics; Investigation
This article is indexed in ScienceDirect and other databases.