Slides (pdf) - Jesse Kornblum

More documents

Recommendations

Info

Computer Forensics Tool Marks • Anything detectable that software stores in RAM or on disk that identifies the tool in question – Most Recently Used lists – Header and footer carving – Registry keys left after program removed – Preferences files in user directories – Wiping programs leave traces behind
• Hard to detect the keys – Small – Should be random • Can detect the cryptographic tool itself – Programs – Drivers – Mounted volumes • Can detect the structure surrounding the keys Cryptographic Tool Marks
Page 1 and 2: C Y B E R S E C T O R Practical Met
Page 3 and 4: No Encryption Application Operating
Page 5 and 6: Data on the Hard Drive Four score a
Page 7 and 8: Searching for Keys in RAM
Page 9 and 10: Current Methods • Brute Force - T
Page 11 and 12: Current Methods • Source code ana
Page 13: Tool Marks • Were the screwdriver
Page 17 and 18: BitLocker Drive Encryption • I am
Page 19 and 20: • Brute Force works - FVEK is in
Page 21 and 22: • AES key schedules - Encryption
Page 23 and 24: BitLocker Tool Marks • 0x0 FVEc p
Page 25 and 26: BitLocker Tool Marks • Not perfec
Page 27 and 28: Finding Tool Marks • How did we d
Page 29 and 30: Forensics Tool Marks • Requires a
Page 31 and 32: • Full Volume Encryption Key (FVE
Page 33 and 34: • Contains E(FVEK, VMK) - FVEK en
Page 35 and 36: Scenario • Legitimate user has Ex
Page 40 and 41: Outline • Introduction • Types
Page 42 and 43: Thank you • ManTech International
Page 44: References • Key Schedule Searchi

Slides (pdf) - Jesse Kornblum

Create successful ePaper yourself

Delete template?

Save as template?