Extracting CNG TLS/SSL artifacts from LSASS memory

Jacob M Kambic, Purdue University


Currently, there is no publicly accessible, reliable, automated way to forensically decrypt Secure Socket Layer (SSL)/Transport Layer Security (TLS) connections that leverage ephemeral key negotiations as implemented by the modern Windows operating system. This thesis explores the Local Security Authority Sub-System (LSASS) process used for Key Isolation within the Windows 10 operating system in pursuit of identifying artifacts that would allow a solution to that problem, along with any other connection artifacts that could provide forensic value. The end result was the identication of TLS/SSL secrets from the key exchange and contextual artifacts that provide identication of the other party to a connection and negotiated parameters. This led to an automated method for extraction through implementation of a plugin for the Volatility framework, a widely used and accepted memory forensics framework.




Rogers, Purdue University.

Subject Area

Computer science

Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server