Recovery of Encryption Keys from Memory Using a Linear Scan

Hargreaves, Christopher; Chivers, Howard

doi:10.1109/ares.2008.109

Cited by 41 publications

(27 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the potential problems of using live images from encrypted systems are highlighted in Hargreaves and Chivers (2008), since the accuracy of the acquired image cannot be verified by comparing to an original. Therefore, in addition to obtaining disk images from a live system, it is also possible to create backup copies of the start-up or recovery keys by accessing the 'Manage BitLocker Keys' interface through the Control Panel, as shown in Fig.…”

Section: Recovering Data From a Live Bitlocker Enabled Systemsmentioning

confidence: 99%

Windows Vista and digital investigations

Hargreaves

Chivers

Titheridge³

2008

Digital Investigation

Self Cite

View full text Add to dashboard Cite

Section: Recovering Data From a Live Bitlocker Enabled Systemsmentioning

confidence: 99%

Windows Vista and digital investigations

Hargreaves

Chivers

Titheridge³

2008

Digital Investigation

Self Cite

View full text Add to dashboard Cite

“…It is most commonly used during incident response to attempt a determination of how a machine was compromised. However, live forensics is likely to become more important and more common as users become familiar with and operating systems come standard with full disk encryption as it can be vital to circumventing such encryption (Casey & Stellatos, 2008;Hargreaves & Chivers, 2008).…”

Section: Live Forensics Phasementioning

confidence: 99%

Research toward a Partially-Automated, and Crime Specific Digital Triage Process Model

Cantrell

Dampier²,

Dandass³

et al. 2012

CIS

View full text Add to dashboard Cite

The digital forensic process as traditionally laid out begins with the collection, duplication, and authentication of every piece of digital media prior to examination. These first three phases of the digital forensic process are by far the most costly. However, complete forensic duplication is standard practice among digital forensic laboratories.The time it takes to complete these stages is quickly becoming a serious problem. Digital forensic laboratories do not have the resources and time to keep up with the growing demand for digital forensic examinations with the current methodologies. One solution to this problem is the use of pre-examination techniques commonly referred to as digital triage. Pre-examination techniques can assist the examiner with intelligence that can be used to prioritize and lead the examination process. This work discusses a proposed model for digital triage that is currently under development at Mississippi State University.

show abstract

“…In this case, we may achieve a low false alarm rate. In fact, the method of brute force memory scanning has been used in memory forensics [28]. It has to overcome the difficulties of large address space and unclear goals.…”

Section: Datamentioning

confidence: 99%

“…More specifically it first uses hardware card, virtualization, and applications at different levels including user level and kernel level. To acquire memory [15], Hargreaves and Chivers proposed a method for recovering the decryption keys from the memory using linear scan [28]. Sylve et al proposed a novel technique for locating kernel object allocations with quick pool tag scanning [17], which has a good performance in the large memory space.…”

Section: Memory Forensicsmentioning

confidence: 99%

“…while < do (8) if matches .V then (9) ← +AP.offset; (10) Extracting data from ; (11) Saving data to ; (12) end if (13) + +; (14) end while (15) end for (16) return (17) end function (18) (19) function GetThread( , TF) (20) Finding PEB address ; (21) Finding TEB addresses _array based on ; (22) for all in _array do (23) Reading the stack base _ from ; (24) Reading the stack limit _ from ; (25) calculate size and read the stack buffer _buf ; (26) ← _ ; (27) while < _ do (28) if matches the value in TF then (29) save _ and _ to ℎ ; (30) end if (31) + +; (32) end while (33) end for (34) return ℎ (35) end function (FAR), it denotes the interference of the irrelevant objects in the extracted objects, and (c) average CPU time (ACT), it is the CPU usage of the search thread on the target system. The method based on vtable pointer characteristic searches in the virtual memory space.…”

Section: Vtable Searchmentioning

confidence: 99%

See 1 more Smart Citation

PMCAP: A Threat Model of Process Memory Data on the Windows Operating System

Pan

Zhuang

2017

Security and Communication Networks

View full text Add to dashboard Cite

Research on endpoint security involves both traditional PC platform and prevalent mobile platform, among which the analysis of software vulnerability and malware is one of the important contents. For researchers, it is necessary to carry out nonstop exploration of the insecure factors in order to better protect the endpoints. Driven by this motivation, we propose a new threat model named Process Memory Captor (PMCAP) on the Windows operating system which threatens the live process volatile memory data. Compared with other threats, PMCAP aims at dynamic data in the process memory and uses a noninvasive approach for data extraction. In this paper we describe and analyze the model and then give a detailed implementation taking four popular web browsers IE, Edge, Chrome, and Firefox as examples. Finally, the model is verified through real experiments and case studies. Compared with existing technologies, PMCAP can extract valuable data at a lower cost; some techniques in the model are also suitable for memory forensics and malware analysis.

show abstract

Recovery of Encryption Keys from Memory Using a Linear Scan

Cited by 41 publications

References 11 publications

Windows Vista and digital investigations

Windows Vista and digital investigations

Research toward a Partially-Automated, and Crime Specific Digital Triage Process Model

PMCAP: A Threat Model of Process Memory Data on the Windows Operating System

Contact Info

Product

Resources

About