Christopher James Hargreaves

Recovery of Encryption Keys from Memory Using a Linear Scan

As encrypted containers are encountered more frequently the need for live imaging is likely to increase. However, an acquired live image of an open encrypted file system cannot later be verified against any original evidence, since when the power is removed the decrypted contents are no longer accessible. This paper shows that if a memory image is also obtained at the same time as the live container image, by the design of on-the-fly encryption, decryption keys can be recovered from the memory dump. These keys can then be used offline to gain access to the encrypted container file, facilitating standard, repeatable, forensic file system analysis. The recovery method uses a linear scan of memory to generate trial keys from all possible memory positions to decrypt the container. The effectiveness of this approach is demonstrated by recovering TrueCrypt decryption keys from a memory dump of a Windows XP system.

Forensic data recovery from the Windows Search Database

Windows Search maintains a single database of the files, emails, programmes and Internet history of all the users of a personal computer, providing a potentially valuable source of information for a forensic investigator, especially since some information within the database is persistent, even if the underlying data are not available to the system (e.g. removable or encrypted drives). However, when files are deleted from the system their record is also deleted from the database. Existing tools to extract information from Windows Search use a programmatic interface to the underlying database, but this approach is unable to recover deleted records that may remain in unused space within the database or in other parts of the file system. This paper explores when unavailable files are indexed, and therefore available to an investigator via the search database, and how this is modified by the indexer scope and by attributes that control the indexing of encrypted content. Obtaining data via the programmatic interface is contrasted with a record carving approach using a new database record carver (wdsCarve); the strengths and weaknesses of the two approaches are reviewed, and the paper identifies several different strategies that may be productive in recovering deleted database records.

Windows Vista and digital investigations

Several of the new features of Windows Vista may create challenges for digital investigators. However, some also provide opportunities and create interesting new evidential artefacts which can be recovered and analysed. This paper examines several of these new features and describes methods for recovering shadow copies of files from Restore Points, identifying BitLocker on a system, the importance of recovery keys in dealing with BitLocker encrypted volumes and also the problems that User Account Control could cause for live investigations.

Using a software exploit to image RAM on an embedded system

The research in this paper is the result of a court case involving copyright infringement, specifically, a request for expert evidence regarding the proportion of copyrighted data present in the RAM of a games console. This paper presents a novel method to image the memory of an embedded device (a games console) where normal software and hardware memory imaging techniques are not possible. The paper describes how a buffer overflow exploit can be used in order to execute custom code written to create an image of the consoles memory. While this work is concerned with the Microsoft Xbox, the principles of vulnerability enabled data acquisition could be extended to other embedded devices, including other consoles, smart phones and PDAs.

Detecting hidden encrypted volumes

Hidden encrypted volumes can cause problems in digital investigations since they provide criminal suspects with a range of opportunities for deceptive anti-forensics and a countermeasure to legislation written to force suspects to reveal decryption keys. This paper describes how hidden encrypted volumes can be detected, and their size estimated. The paper shows how multiple copies of an encrypted container can be obtained from a single disk image of Windows Vista and Windows 7 systems using the Volume Shadow Copy feature, and how the changes between shadow copies can be visualised to detect hidden volumes. The visualisation assists in the presentation of this information to a court, and exposes patterns of change which allows the size and file system of the hidden volume to be determined.

Automated Identification and Reconstruction of YouTube Video Access

YouTube is one of the most popular video-sharing websites on the Internet, allowing users to upload, view and share videos with other users all over the world. YouTube contains many different types of videos, from homemade sketches to instructional and educational tutorials, and therefore attracts a wide variety of users with different interests. The majority of YouTube visits are perfectly innocent, but there may be circumstances where YouTube video access is related to a digital investigation, e.g. viewing instructional videos on how to perform potentially unlawful actions or how to make unlawful articles. When a user accesses a YouTube video through their browser, certain digital artefacts relating to that video access may be left on their system in a number of different locations. However, there has been very little research published in the area of YouTube video artefacts. The paper discusses the identification of some of the artefacts that are left by the Internet Explorer web browser on a Windows system after accessing a YouTube video. The information that can be recovered from these artefacts can include the video ID, the video name and possibly a cached copy of the video itself. In addition to identifying the artefacts that are left, the paper also investigates how these artefacts can be brought together and analysed to infer specifics about the user’s interaction with the YouTube website, for example whether the video was searched for or visited as a result of a suggestion after viewing a previous video. The result of this research is a Python based prototype that will analyse a mounted disk image, automatically extract the artefacts related to YouTube visits and produce a report summarising the YouTube video accesses on a system.