The persistence of memory: Forensic identification and extraction of cryptographic keys

Authors:
Carsten Maartmann-Moe;Steffen E. Thorkildsen; André íRnes
Affiliations:
Department of Telematics, Norwegian University of Science and Technology, O.S. Bragstads Plass 2B, N-7491 Trondheim, Norway;National Criminal Investigation Service, Norway;Norwegian Information Security Laboratory, Gjøvik University College, PO Box 191, N-2802 Gjøvik, Norway
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2009

Citing 8
Cited 3

Applied Cryptography: Protocols, Algorithms, and Source Code in C

Applied Cryptography: Protocols, Algorithms, and Source Code in C
Playing "Hide and Seek" with Stored Keys

FC '99 Proceedings of the Third International Conference on Financial Cryptography
Data remanence in semiconductor devices

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Shredding your garbage: reducing data lifetime through secure deallocation

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Secure deletion of data from magnetic and solid-state memory

SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
How to forget a secret

STACS'99 Proceedings of the 16th annual conference on Theoretical aspects of computer science
User data persistence in physical memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Identifying almost identical files using context triggered piecewise hashing

Digital Investigation: The International Journal of Digital Forensics & Incident Response

AESSE: a cold-boot resistant implementation of AES

Proceedings of the Third European Workshop on System Security
Detection and analysis of cryptographic data inside software

ISC'11 Proceedings of the 14th international conference on Information security
Aligot: cryptographic function identification in obfuscated binary programs

Proceedings of the 2012 ACM conference on Computer and communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The increasing popularity of cryptography poses a great challenge in the field of digital forensics. Digital evidence protected by strong encryption may be impossible to decrypt without the correct key. We propose novel methods for cryptographic key identification and present a new proof of concept tool named Interrogate that searches through volatile memory and recovers cryptographic keys used by the ciphers AES, Serpent and Twofish. By using the tool in a virtual digital crime scene, we simulate and examine the different states of systems where well known and popular cryptosystems are installed. Our experiments show that the chances of uncovering cryptographic keys are high when the digital crime scene are in certain well-defined states. Finally, we argue that the consequence of this and other recent results regarding memory acquisition require that the current practices of digital forensics should be guided towards a more forensically sound way of handling live analysis in a digital crime scene.