DocumentCode :
1799965
Title :
A forensic analysis framework for recovering encryption keys and BB10 backup decryption
Author :
Al Shehhi, Halima ; Abu Hamdi, Dua'a ; Asad, IzzEddin ; Iqbal, Farkhund
Author_Institution :
Coll. of Technol. Innovation, Zayed Univ., Dubai, United Arab Emirates
fYear :
2014
fDate :
23-24 July 2014
Firstpage :
172
Lastpage :
178
Abstract :
Memory forensics has become an important part of digital forensic investigation. Its importance has increased due to the type of information that resides within memory and can be extracted using appropriate tools. This information includes open processes, open dynamically linked libraries (DLLs), encryption keys, function parameters passed at runtime, and login information. In this paper, we propose a forensic analysis framework that uses common disk encryption methods to encrypt a hard disk and then employs forensic analysis tools to extract encryption keys from the memory dump. We use the recovered keys to successfully decrypt the content of an original encrypted disk. In addition, we successfully recover the content of an encrypted BlackBerry10 backup file (.bbb), which is encrypted by default, by employing email login information extracted from the memory image.
Keywords :
cryptography; digital forensics; storage management; BB10 backup decryption; BlackBerry10 backup file; DLL; common disk encryption methods; digital forensic investigation; email login information; encryption key extraction; encryption key recovery; forensic analysis framework; forensic analysis tools; function parameters; hard disk encryption; memory dump; memory forensics; open dynamically linked libraries; open process; Data mining; Electronic mail; Encryption; Forensics; Media; Random access memory; Bitlocker; BlackBerry10 Backup; Mac Disk Utility; Memory acquisition; Memoryze; PGP Desktop; TrueCrypt; decryption; encrypted password;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on
Conference_Location :
Toronto, ON
Print_ISBN :
978-1-4799-3502-4
Type :
conf
DOI :
10.1109/PST.2014.6890937
Filename :
6890937