Title :
Capturing encryption keys for digital analysis
Author :
Štefan Balogh;Matej Pondelík
Author_Institution :
Slovak University of Technology, Faculty of Electrical Engineering and Information Technology, Institute of Computer Science and Mathematics
Abstract :
This article deals with encrypted evidence and obtaining encryption keys from memory. For the purpose of forensic analysis, an image of an encrypted disk cannot later be verified against any original evidence, because after the power is switched off, the decrypted original contents are no longer accessible. However, using a live image of the system's volatile memory obtained at the time when the container is open, the decryption keys can be recovered. We show a new approach to identifying encryption keys in memory. This work focuses mainly on the Ubuntu Linux distribution and a new version of the encryption tool TrueCrypt, but we also deal with the Windows operating system.
Keywords :
"Encryption","Forensics","Containers","Schedules","Kernel","Linux"
Conference_Title :
Intelligent Data Acquisition and Advanced Computing Systems (IDAACS), 2011 IEEE 6th International Conference on
Print_ISBN :
978-1-4577-1426-9
DOI :
10.1109/IDAACS.2011.6072872