Abstract
Currently, there is no publicly accessible, reliable, automated way to forensically decrypt Secure Sockets Layer (SSL)/Transport Layer Security (TLS) connections that use ephemeral key negotiation as implemented by the modern Windows operating system. This thesis explores the Local Security Authority Subsystem Service (LSASS) process, which performs key isolation within the Windows 10 operating system, in pursuit of artifacts that would allow a solution to that problem, along with any other connection artifacts that could provide forensic value. The end result was the identification of TLS/SSL secrets from the key exchange, together with contextual artifacts that identify the other party to a connection and the negotiated parameters. This led to an automated extraction method, implemented as a plugin for the Volatility framework, a widely used and accepted memory forensics framework.
Keywords
Applied sciences, CNG, Cyber forensics, LSASS, Memory, Transport layer security
Disciplines
Computer Sciences
Degree Type
Thesis
Degree Name
Master of Science (MS)
Department
Computer and Information Technology
First Advisor
Marcus K. Rogers
Committee Chair
Marcus K. Rogers
Committee Member 1
Philip T. Rawles
Committee Member 2
Anthony H. Smith
Date of Award
4-2016
Recommended Citation
Kambic, Jacob M., "Extracting CNG TLS/SSL artifacts from LSASS memory" (2016). Open Access Theses. 782.
https://docs.lib.purdue.edu/open_access_theses/782