http://dx.doi.org/10.3837/tiis.2022.09.013

Cold Boot Attack on Encrypted Containers for Forensic Investigations

Twum, Frimpong (Department of Computer Science, College of Science, Kwame Nkrumah University of Science and Technology)
Lagoh, Emmanuel Mawuli (Department of Computer Science, College of Science, Kwame Nkrumah University of Science and Technology)
Missah, Yaw (Department of Computer Science, College of Science, Kwame Nkrumah University of Science and Technology)
Ussiph, Najim (Department of Computer Science, College of Science, Kwame Nkrumah University of Science and Technology)
Ahene, Emmanuel (Department of Computer Science, College of Science, Kwame Nkrumah University of Science and Technology)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.16, no.9, 2022, pp. 3068-3086
Abstract
Digital forensics is gaining importance in the adjudication of criminal cases as the use of electronic devices in committing crime has risen. The traditional approach to collecting digital evidence falls short when the disk is encrypted. Encryption keys are often held in RAM while the computer is running. An approach to acquiring forensic data from RAM after the computer has been shut down is proposed. The approach requires that the investigator immediately cool the RAM and transplant it into a host computer provisioned with a tool, developed on the cold boot concept, that acquires the RAM image. Comparing the data obtained from the acquired image with the data originally loaded into memory shows that the RAM chips exhibit a degree of remanence that allows their content to persist after shutdown, contrary to the accepted view that RAM loses its content as soon as power is cut. Results from experimental setups conducted with three different RAM chips, labeled System A, B and C, showed that at a reduced temperature of -25°C the content suffered decay of 2.125% in 240 seconds, 0.975% in 120 seconds and 1.225% in 300 seconds respectively, whereas at an operating temperature of 25°C there was decay of 82.33% in 60 seconds, 80.31% in 60 seconds and 95.27% in 120 seconds respectively. At operating temperature the content of RAM suffered significant decay within two minutes without power, while at the reduced temperature less than 5% decay was observed. The findings show that data can be recovered for forensic evidence even if the culprit shuts down the computer.
Keywords
Cold Boot Attack; Forensic Investigation; Encryption Keys; Remanence Effect; Volatile Data;
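The abstract reports remanence as a percentage of memory content that decayed between loading a known pattern and acquiring the image. The following Python script is an added example, not code from the paper or its authors, showing how such a decay figure is computed: a bit-level comparison of the reference pattern against the acquired image, plus the average decay rate per second. The "acquired" image here is constructed by flipping a chosen fraction of bits, so the script runs offline; the `REPORTED` table holds only the figures stated in the abstract.

```python
"""Measure DRAM remanence by comparing a known pattern loaded into memory
with the image later acquired from the same chip (added example)."""
import random


def decay_percent(reference: bytes, acquired: bytes) -> float:
    """Percentage of bits in `acquired` that differ from `reference`.

    The comparison is bit-level (Hamming distance) because remanence loss
    shows up as individual bit flips rather than whole-byte corruption.
    """
    if len(reference) != len(acquired):
        raise ValueError("reference and acquired images must be the same length")
    if not reference:
        return 0.0
    flipped = sum(bin(r ^ a).count("1") for r, a in zip(reference, acquired))
    return 100.0 * flipped / (8 * len(reference))


def decay_rate_per_second(percent: float, seconds: float) -> float:
    """Average decay in percentage points per second over the unpowered interval."""
    return percent / seconds


def simulate_decay(reference: bytes, fraction: float, seed: int) -> bytes:
    """Construct an 'acquired' image by flipping exactly round(fraction * nbits)
    distinct bits of `reference`.

    This is a constructed stand-in for a real memory dump, used only so the
    example can run without hardware.
    """
    nbits = 8 * len(reference)
    k = round(fraction * nbits)
    rng = random.Random(seed)
    image = bytearray(reference)
    for pos in rng.sample(range(nbits), k):
        image[pos // 8] ^= 1 << (pos % 8)
    return bytes(image)


# Figures as stated in the abstract: (percent decayed, seconds without power).
REPORTED = {
    "System A, -25C": (2.125, 240),
    "System B, -25C": (0.975, 120),
    "System C, -25C": (1.225, 300),
    "System A, 25C": (82.33, 60),
    "System B, 25C": (80.31, 60),
    "System C, 25C": (95.27, 120),
}


def summarize_reported() -> dict:
    """Average decay rate (percentage points per second) for each reported run."""
    return {name: decay_rate_per_second(p, s) for name, (p, s) in REPORTED.items()}


if __name__ == "__main__":
    # Constructed 16 KiB test pattern standing in for data loaded into RAM.
    pattern = bytes(range(256)) * 64
    cold = simulate_decay(pattern, 0.02125, seed=1)   # models the -25C result
    warm = simulate_decay(pattern, 0.8233, seed=1)    # models the 25C result
    print(f"cold image: {decay_percent(pattern, cold):.3f}% of bits decayed")
    print(f"warm image: {decay_percent(pattern, warm):.3f}% of bits decayed")
    for name, rate in summarize_reported().items():
        print(f"{name}: {rate:.4f} %/s")
```

In a real acquisition the reference would be the pattern (or known key schedule) written into memory before power-off and the acquired image the dump taken by the host after transplanting the cooled module; the same comparison then gives the decay figure directly.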