Open Access. Powered by Scholars. Published by Universities.®

Digital Commons Network



Open Access Theses

Theses/Dissertations

2016

Memory

Articles 1 - 1 of 1

Full-Text Articles in Entire DC Network

Extracting CNG TLS/SSL Artifacts From LSASS Memory, Jacob M. Kambic, Apr 2016


Currently, there is no publicly accessible, reliable, automated way to forensically decrypt Secure Socket Layer (SSL)/Transport Layer Security (TLS) connections that leverage ephemeral key negotiations as implemented by the modern Windows operating system. This thesis explores the Local Security Authority Sub-System (LSASS) process used for Key Isolation within the Windows 10 operating system in pursuit of identifying artifacts that would allow a solution to that problem, along with any other connection artifacts that could provide forensic value. The end result was the identification of TLS/SSL secrets from the key exchange and contextual artifacts that provide identification of the other party …