I’d like to post a link to a very neat paper I found which discusses the ability analyze RAM in hopes of targeting encrypted drives, volumes, files or folders (cited below). A forensic investigator can recover encryption keys and even acquire passphrases with no hash cracking needed. Once a key and/or passphrase is obtained, any encrypted medium on the hard drive using the same credentials may be compromised.
Brian Kaplan’s RAM is Key – Extracting Disk Encryption Keys From Volatile Memory, Carnegie Mellon University (May 2007).
The paper is somewhat dated as it was released in 2007. But what’s cool about it is that such analysis wasn’t as common then as it is now (live acquisition was frowned upon). While it doesn’t highlight anything new (and, indeed, shows its age at times), the paper does make for some interesting reading.
While I’m still relatively new to forensics and currently studying DFIR, I figured that this paper may be of interest to some (I found it interesting from a historical aspect). Plus this article is a good way of introducing more forensic posts to the blog.
Feel free to share similar (or more timely) articles using the comments field below!
Related Tools
Volatility by Volatile Systems
Memoryze/AuditViewer & Redline by Mandiant
Finding Encrypted Drives/Volumes on Hard Drive
EDD and, I hear, TCHunt are both excellent tools. I’ve only played around with EDD but I plan on exploring other forms of encrypted drive/volume discovery and decryption in the future.