Memory Forensics: Recovering Chat Messages and Encryption Master Key
Source of Publication
2019 10th International Conference on Information and Communication Systems, ICICS 2019
© 2019 IEEE. In this pervasive digital world, we are witnessing an era where cybercriminals are improving their abilities in taking advantage of wide-spread digital devices to perform various malicious activities. By utilizing anti-forensic techniques, cybercriminals are able to erase or alter digital evidence that can otherwise be used against them in court. One of the most critical sources of digital evidence that forensic investigators examine is the physical memory of a digital device, i.e., Random Access Memory (RAM). RAM is a volatile memory containing data that might be of significant value to forensic investigation. RAM, which stores data about recent activities, stores data only when the device is powered on. Once the device powers off, all the data stored in the RAM is lost permanently. Forensic investigators find great value in RAM data and thus need to preserve such data without harming the integrity of the collected evidence. Many existing tools provide the ability to acquire and analyze images of the data stored in RAM. This paper tackles the fundamental topic of security, privacy, and digital forensics. Specifically, this paper examines memory dumps of 4GB Windows 7 computers with the objective of identifying an instant messaging tool and recovering its chat messages, and recovering master encryption keys of volumes encrypted by BitLocker and TrueCrypt. Throughout this paper, we utilize two widely-used tools, namely Volatility and WinHex, due to their various functionalities designed specifically for memory forensic investigation.
Kazim, Abdullah; Almaeeni, Fadya; Ali, Shamsah Al; Iqbal, Farkhund; and Al-Hussaeni, Khalil, "Memory Forensics: Recovering Chat Messages and Encryption Master Key" (2019). Scopus Indexed Articles. 662.