RAM is Key: Extracting Disk Encryption Keys From Volatile Memory

The increasing mobility of computing devices combined with frequent stories of privacy breaches and identity theft has thrust data encryption into the public eye. This heightened awareness of, and demand for, encryption has resulted in the development of a number of strong encryption solutions that emphasize usability. While encryption can help mitigate the threat of unintentional data exposure, it is equally capable of hiding evidence of criminal malfeasance. The increasing accessibility and usability of strong encryption solutions present new challenges for digital forensic investigators, whose traditional response methodologies leave them largely unprepared to deal with pervasive strong encryption. In this paper we address the shortcomings of the traditional forensic response methodology with respect to encryption. We develop and discuss a variety of practical techniques for dealing with the use of encryption to conceal evidence. Our research highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from memory to facilitate the analysis of encrypted media in a forensically sound manner. We also present a proof of concept tool capable of automatically extracting key material from a volatile memory dump and using it to decrypt an encrypted disk image.