Plain text passwords: A forensic RAM-raid.

Despite many academic studies over the last 15 years acknowledging the investigative value of physical memory, given the potentially sensitive nature of the data it may contain, it arguably remains rarely collected at the scene in most criminal investigations. While this may be due to factors such as first responders lacking the technical skills for the task, or to memory simply being overlooked as an evidence source, this work seeks to emphasise its worth by demonstrating that plain-text login credentials can be recovered from it. Through an examination of logins to 15 popular online services made via the Chrome, Edge and Mozilla Firefox browsers, testing shows that plain-text credentials are present in RAM in every case. A transparent test methodology is defined and the results of the test cases are presented, along with 'string markers' that allow a practitioner to search RAM captures for the presence of unknown credential information for these services in future cases.
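As an added illustration of the marker-based search the abstract describes (example code written here, not the paper's tooling; the paper's per-service string markers are not reproduced on this page, so the generic field names, the constructed SAMPLE_DUMP and the helper names are all assumptions), the following Python scans a raw capture for printable runs in both ASCII and UTF-16LE, pulls key/value pairs out of URL-encoded and JSON login bodies, and reports any run in which a password-like key appears:

```python
"""Added example: search a raw RAM capture for credential-bearing strings.

Not the paper's tooling. The per-service string markers the paper reports
are not on this page, so the marker names below are generic assumptions.
"""
import re
import sys
from urllib.parse import unquote_plus

MIN_RUN = 8  # shortest printable run worth inspecting (as `strings -n 8`)

# Printable ASCII runs, and the same characters as UTF-16LE ("A\x00l\x00..."),
# which is one of the forms in which browser JavaScript engines hold strings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_RUN)

# Assumed marker substrings for the key that precedes a password / username
# in a posted login body. Replace with the service-specific markers in use.
PASSWORD_KEYS = ("password", "passwd", "pass", "pwd")
USER_KEYS = ("username", "user", "email", "login", "identifier")

# Two body shapes: application/x-www-form-urlencoded and JSON.
FORM_PAIR = re.compile(r"([A-Za-z0-9_.\[\]-]+)=([^&\s]{1,256})")
JSON_PAIR = re.compile(r'"([A-Za-z0-9_.-]+)"\s*:\s*"((?:[^"\\]|\\.){1,256})"')


def printable_runs(dump):
    """Yield (offset, encoding, text) for every printable run in the capture."""
    for m in ASCII_RUN.finditer(dump):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(dump):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def key_value_pairs(text):
    """Extract (key, value) pairs; form values are percent-decoded."""
    pairs = [(k, unquote_plus(v)) for k, v in FORM_PAIR.findall(text)]
    pairs += JSON_PAIR.findall(text)
    return pairs


def find_credentials(dump):
    """Return credential candidates as dicts, ordered by offset in the dump.

    A password-like key inside a run is paired with the first username-like
    key found in the same run (None when there is no such key).
    """
    hits = []
    for offset, enc, text in printable_runs(dump):
        pairs = key_value_pairs(text)
        users = [v for k, v in pairs if any(u in k.lower() for u in USER_KEYS)]
        for key, value in pairs:
            if any(p in key.lower() for p in PASSWORD_KEYS):
                hits.append({"offset": offset, "encoding": enc, "marker": key,
                             "user": users[0] if users else None,
                             "password": value})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed stand-in for a RAM capture: filler, an HTTP request line, a
# URL-encoded login body, and a JSON login body held as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"GET /favicon.ico HTTP/1.1\r\n"
    + b"\x00\x7f" * 9
    + b"username=alice%40example.com&password=Tr0ub4dor%263&remember=on"
    + b"\x00" * 7
    + '{"login":"bob","passwd":"hunter2"}'.encode("utf-16le")
    + b"\x00\x00" * 3
    + b"padding\x01\x02"
    + "hello world".encode("utf-16le")
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for h in find_credentials(data):
        print("0x%08x %-8s %s: user=%r password=%r"
              % (h["offset"], h["encoding"], h["marker"], h["user"], h["password"]))
```

Run it against a real capture with `python scan.py memory.raw`; for multi-gigabyte images, map the file with mmap rather than reading it whole. The UTF-16LE pass matters because the browsers' JavaScript engines can hold string data in two-byte form, so a grep for the ASCII marker alone misses part of what is resident. Every hit is a candidate only: the pairing of user and password keys is by co-location in one printable run, and it should be confirmed against the surrounding bytes before being reported.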
