Award Information
Description of original award (Fiscal Year 2007, $364,400)
This project will give computer forensic examiners the capability to defeat encrypted file systems using memory analysis. Because the encryption keys are stored in memory, it is possible to recover them from a properly obtained memory image. This proposal explains how these encryption programs work and how memory analysis can be used to recover their keys, and it provides a demonstration of the method. The method allows examiners to defeat a number of commercially available products and can easily be expanded to support new programs as they are released.