Date of Award
4-2016
Degree Type
Thesis
Degree Name
Master of Science (MS)
Department
Computer and Information Technology
First Advisor
Marcus K. Rogers
Committee Chair
Marcus K. Rogers
Committee Member 1
Philip T. Rawles
Committee Member 2
Anthony H. Smith
Abstract
Currently, there is no publicly accessible, reliable, automated way to forensically decrypt Secure Sockets Layer (SSL)/Transport Layer Security (TLS) connections that use ephemeral key negotiation as implemented by the modern Windows operating system. This thesis explores the Local Security Authority Subsystem Service (LSASS) process, which hosts CNG Key Isolation within the Windows 10 operating system, in pursuit of artifacts that would allow a solution to that problem, along with any other connection artifacts that could provide forensic value. The end result was the identification of TLS/SSL secrets from the key exchange, together with contextual artifacts that identify the other party to a connection and the negotiated parameters. This led to an automated extraction method, implemented as a plugin for the Volatility framework, a widely used and accepted memory forensics framework.
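The abstract's central point is that with an ephemeral (ECDHE) key exchange the captured packets alone are not enough: the pre-master secret never crosses the wire, so decryption needs a secret recovered from the endpoint's memory. The example below is added here to show what that recovered secret is used for; it is not code from the thesis or from its Volatility plugin, whose internal structures and output format are not described on this page. It implements the TLS 1.2 PRF from RFC 5246 with SHA-256, derives the master secret and the per-direction record keys, and formats the result as a Wireshark-compatible NSS key log line (the `CLIENT_RANDOM` format is an assumed consumer, chosen because it is what decryption tooling reads). The pre-master secret and both randoms are constructed placeholder values, not material from any real connection; the key sizes correspond to an AES-128-GCM suite such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

```python
"""TLS 1.2 key derivation (RFC 5246, section 5 and 6.3) from recovered secrets.

Added example: if either the pre-master secret or the master secret is pulled
out of process memory, the rest of the record-layer keys follow from public
handshake values (client/server random) visible in the capture.
"""
import hmac

# Constructed placeholder values; a real pre-master secret for an ECDHE
# exchange would be the shared-point x-coordinate and the randoms would be
# read from the ClientHello/ServerHello in the packet capture.
PRE_MASTER_SECRET = bytes.fromhex("11" * 32)           # 32 bytes, P-256 sized
CLIENT_RANDOM = bytes.fromhex("a0" * 4 + "01" * 28)    # 32 bytes
SERVER_RANDOM = bytes.fromhex("b0" * 4 + "02" * 28)    # 32 bytes


def p_hash(secret: bytes, seed: bytes, length: int, digestmod: str = "sha256") -> bytes:
    """RFC 5246 P_hash: HMAC chain A(i) = HMAC(secret, A(i-1)), A(0) = seed,
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed). TLS 1.2 uses a single
    hash, unlike the MD5/SHA-1 split of earlier versions."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_session_keys(master_secret: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret into the record keys.  Note the reversed
    random order (server first) compared with master-secret derivation.
    For AES-GCM suites mac_len is 0 and iv_len is the 4-byte implicit nonce."""
    total = 2 * (mac_len + key_len + iv_len)
    block = tls12_prf(master_secret, b"key expansion", server_random + client_random, total)
    names = ["client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def nss_keylog_line(client_random: bytes, master_secret: bytes) -> str:
    """One line of the NSS key log format consumed by Wireshark
    (Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename).
    The client random ties the line to the session seen on the wire."""
    return f"CLIENT_RANDOM {client_random.hex()} {master_secret.hex()}"


def recover_session(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Full chain for an AES-128-GCM suite: pre-master -> master -> record keys
    plus the key log line an analyst would hand to Wireshark."""
    master = derive_master_secret(pre_master, client_random, server_random)
    keys = derive_session_keys(master, client_random, server_random,
                               mac_len=0, key_len=16, iv_len=4)
    return {"master_secret": master, "keys": keys,
            "keylog": nss_keylog_line(client_random, master)}


if __name__ == "__main__":
    session = recover_session(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print(session["keylog"])
    for name, value in session["keys"].items():
        print(f"{name:22s} {value.hex()}")
```

If the artifact recovered from LSASS is the 48-byte master secret rather than the pre-master secret, skip `derive_master_secret` and feed it straight to `derive_session_keys` and `nss_keylog_line`; the client random still has to come from the capture, which is why the abstract stresses the contextual artifacts that tie a secret to a particular connection.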
Recommended Citation
Kambic, Jacob M., "Extracting CNG TLS/SSL artifacts from LSASS memory" (2016). Open Access Theses. 782.
https://docs.lib.purdue.edu/open_access_theses/782