Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Purdue University

Theses/Dissertations

2016

Cyber forensics

Articles 1 - 2 of 2

Full-Text Articles in Physical Sciences and Mathematics

Convicted By Memory: Automatically Recovering Spatial-Temporal Evidence From Memory Images, Brendan D. Saltaformaggio Dec 2016

Open Access Dissertations

Memory forensics can reveal “up to the minute” evidence of a device’s usage, often without requiring a suspect’s password to unlock the device, and it is oblivious to any persistent storage encryption schemes, e.g., whole disk encryption. Prior to my work, researchers and investigators alike considered data-structure recovery the ultimate goal of memory image forensics. This, however, was far from sufficient, as investigators were still largely unable to understand the content of the recovered evidence, and hence efficiently locating and accurately analyzing such evidence locked in memory images remained an open research challenge.

In this dissertation, I propose breaking from …


Extracting CNG TLS/SSL Artifacts From LSASS Memory, Jacob M. Kambic Apr 2016

Open Access Theses

Currently, there is no publicly accessible, reliable, automated way to forensically decrypt Secure Socket Layer (SSL)/Transport Layer Security (TLS) connections that leverage ephemeral key negotiations as implemented by the modern Windows operating system. This thesis explores the Local Security Authority Sub-System (LSASS) process used for Key Isolation within the Windows 10 operating system in pursuit of identifying artifacts that would allow a solution to that problem, along with any other connection artifacts that could provide forensic value. The end result was the identification of TLS/SSL secrets from the key exchange and contextual artifacts that provide identification of the other party …