Attacking the BitLocker Boot Process
Trust '09 Proceedings of the 2nd International Conference on Trusted Computing
Windows Vista and digital investigations
Digital Investigation: The International Journal of Digital Forensics & Incident Response
A survey of main memory acquisition and analysis techniques for the windows operating system
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Augmenting password recovery with online profiling
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Pypette: A Platform for the Evaluation of Live Digital Forensics
International Journal of Digital Crime and Forensics
| Hi-index | 0.00 |
As encrypted containers are encountered more frequently the need for live imaging is likely to increase. However, an acquired live image of an open encrypted file system cannot later be verified against any original evidence, since when the power is removed the decrypted contents are no longer accessible. This paper shows that if a memory image is also obtained at the same time as the live container image, by the design of on-the-fly encryption, decryption keys can be recovered from the memory dump. These keys can then be used offline to gain access to the encrypted container file, facilitating standard, repeatable, forensic file system analysis. The recovery method uses a linear scan of memory to generate trial keys from all possible memory positions to decrypt the container. The effectiveness of this approach is demonstrated by recovering TrueCrypt decryption keys from a memory dump of a Windows XP system.