Recovering Cryptographic Keys from Memory
Cryptography is used to restrict access to confidential data, and its application has been extended to support authentication (e.g. Public Key Infrastructure) to replace traditional techniques such as text passwords. Hence, forensic investigations need to consider looking for cryptographic keys in addition to recovering passwords. In cryptography, when the algorithm used is sophisticated relative to the cracking tools and computational power available, the confidentiality of the protected asset depends on the secrecy of the key used. It is in fact a design objective of cryptosystems to follow Kerckhoffs's principle, which states that “everything apart from the key can be public knowledge without weakening the system”. Therefore, recovering the key in digital forensics, whenever possible, will always be the fastest and most reliable approach to defeating the cryptographic application. This article focuses on memory dumps as a source for locating cryptographic keys and relevant secrets (some keys are protected by text passwords).