Memory Forensics: Recovering Chat Messages and Encryption Master Key
Document Type
Conference Proceeding
Source of Publication
2019 10th International Conference on Information and Communication Systems, ICICS 2019
Publication Date
6-1-2019
Abstract
© 2019 IEEE. In this pervasive digital world, we are witnessing an era where cybercriminals are improving their abilities in taking advantage of wide-spread digital devices to perform various malicious activities. By utilizing anti-forensic techniques, cybercriminals are able to erase or alter digital evidence that can otherwise be used against them in court. One of the most critical sources of digital evidence that forensic investigators examine is the physical memory of a digital device, i.e., Random Access Memory (RAM). RAM is a volatile memory containing data that might be of significant value to forensic investigation. RAM, which stores data about recent activities, stores data only when the device is powered on. Once the device powers off, all the data stored in the RAM is lost permanently. Forensic investigators find great value in RAM data and thus need to preserve such data without harming the integrity of the collected evidence. Many existing tools provide the ability to acquire and analyze images of the data stored in RAM. This paper tackles the fundamental topic of security, privacy, and digital forensics. Specifically, this paper examines memory dumps of 4GB Windows 7 computers with the objective of identifying an instant messaging tool and recovering its chat messages, and recovering master encryption keys of volumes encrypted by BitLocker and TrueCrypt. Throughout this paper, we utilize two widely-used tools, namely Volatility and WinHex, due to their various functionalities designed specifically for memory forensic investigation.
ISBN
9781728100456
Publisher
Institute of Electrical and Electronics Engineers Inc.
First Page
58
Last Page
64
Disciplines
Computer Sciences
Keywords
BitLocker, Clipboard, Encryption, Master Key, Memory Forensics, Privacy, Security, TrueCrypt
Recommended Citation
Kazim, Abdullah; Almaeeni, Fadya; Ali, Shamsah Al; Iqbal, Farkhund; and Al-Hussaeni, Khalil, "Memory Forensics: Recovering Chat Messages and Encryption Master Key" (2019). All Works. 2363.
https://zuscholars.zu.ac.ae/works/2363
Indexed in Scopus
yes
Open Access
no