Forensic Key Discovery and Identification : Finding Cryptographic Keys in Physical Memory


Bibliographic Details
Main Author: Maartmann-Moe, Carsten
Format: Others
Language:English
Published: Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk 2008
Subjects: ntnudaim; SIE7 kommunikasjonsteknologi (communication technology); Telematikk (telematics)
Online Access:http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-8895
Type: Student thesis (bachelor thesis), PDF, open access
Local identifier: ntnudaim:4099

Description:
Communication and whole-disk cryptosystems are on the verge of becoming mainstream tools for protection of data, both in corporate laptops and private computing equipment. While encryption is a useful tool, it also presents new problems for forensic investigators, as clues to their investigation may be undecipherable. However, contrary to popular belief, these systems are not impenetrable. Forensic memory dumping and analysis can serve as ways to recover cryptographic keys that are present in memory due to bad coding practice, operating system quirks or hardware hacks. The volatile nature of physical memory does, however, challenge the classical principles of digital forensics, as its transitory state may disappear at the flick of a switch. In this thesis, we analyze existing and present new cryptographic key search algorithms, together with different confiscation and analysis methods for images of volatile memory. We provide a new proof-of-concept tool that can analyze memory images and recover cryptographic keys, and use this tool together with a virtualized testbed to simulate and examine the different states of platforms with several separate cryptosystems. Making use of this testbed, we provide experiments to point out how modern-day encryption in general is vulnerable to memory disclosure attacks. We show that memory management procedures, coding practice and the overall state of the system have a great impact on the amount and quality of data that can be extracted, and present simple statistics of our findings. The discoveries have significant implications for most software encryption vendors and the businesses relying on these for data security. Using our results, we suggest best practices that can help investigators build a more comprehensive data foundation for analysis by reconstructing virtual memory from RAM images. We also discuss how investigators may reduce the haystack by leveraging memory and process structure on Windows computers. Finally, we tie this to current digital forensic procedures and suggest an optimized way of handling live analysis based on the latest developments in the field.