http://dx.doi.org/10.13089/JKIISC.2013.23.5.931

A kernel memory collecting method for efficient disk encryption key search

Kang, Youngbok (Chonnam National University System Security Research Center)
Hwang, Hyunuk (The Attached Institute of ETRI)
Kim, Kibom (The Attached Institute of ETRI)
Lee, Kyoungho (Chonnam National University System Security Research Center)
Kim, Minsu (Mokpo National University)
Noh, Bongnam (Chonnam National University System Security Research Center)
Abstract
Extracting the original data from a volume protected by disk encryption software is hard without the password. However, the encryption key used by the disk encryption software can be extracted through physical memory analysis. Because the search covers the entire memory, the time needed to locate the encryption key in physical memory grows with the memory size. Yet physical memory also holds a great deal of data that is unrelated to encryption keys, such as system kernel objects and file data. A method is therefore needed that extracts, through analysis, only the data that is relevant to the key search. We propose a method that collects only those parts of physical memory in which disk encryption keys are stored, by analyzing the Windows kernel virtual address space. Experiments show that the proposed method reduces the encryption key search space more than the existing method, which demonstrates its advantage.
Keywords
Physical Memory; Disk Encryption; Kernel Memory