Digital Forensics and Cyber Crime. 11th EAI International Conference, ICDF2C 2020, Boston, MA, USA, October 15-16, 2020, Proceedings

Research Article

Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations

  • @INPROCEEDINGS{10.1007/978-3-030-68734-2_2,
        author={Marcel Busch and Florian Nicolai and Fabian Fleischer and Christian R\"{u}ckert and Christoph Safferling and Felix Freiling},
        title={Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations},
        proceedings={Digital Forensics and Cyber Crime. 11th EAI International Conference, ICDF2C 2020, Boston, MA, USA, October 15-16, 2020, Proceedings},
        proceedings_a={ICDF2C},
        year={2021},
        month={2},
        keywords={Remote forensic investigation, ARM TrustZone, Principle of proportionality, Evidential value, Translation table introspection, Android},
        doi={10.1007/978-3-030-68734-2_2}
    }
    
  • Marcel Busch
    Florian Nicolai
    Fabian Fleischer
    Christian Rückert
    Christoph Safferling
    Felix Freiling
    Year: 2021
    Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations
    ICDF2C
    Springer
    DOI: 10.1007/978-3-030-68734-2_2
Marcel Busch*, Florian Nicolai, Fabian Fleischer, Christian Rückert, Christoph Safferling, Felix Freiling
    *Contact email: marcel.busch@fau.de

    Abstract

    Due to the increasing use of encrypted communication and anonymous services, many countries introduced new regulations that allow law enforcement to perform remote forensic investigations. During such investigations, law enforcement agencies secretly obtain remote access to a suspect’s computer to search for and collect evidence, including full copies of the (unencrypted) communication data. In this paper, we argue that the evidential value of the acquired evidence can be substantially increased by two technical methods: (1) employing integrity verification techniques offered by secure hardware, and (2) exfiltrating the decryption key of encrypted communication only in order to decrypt communication obtained by lawful interception. To prove the practicality of both methods, we design and implement TEE-BI, a solution for Trusted Execution Environment-based introspection. We deploy TEE-BI on an Android-based hardware platform featuring an ARM TrustZone and demonstrate the stealthy extraction of Secure Sockets Layer encryption keys from an Android userland application. We evaluate the effectiveness, performance, and compatibility of our prototype and argue that it provides a much higher level of evidential value than (the known) existing remote forensic software systems.

    Keywords
    Remote forensic investigation, ARM TrustZone, Principle of proportionality, Evidential value, Translation table introspection, Android
    Published
    2021-02-07
    Appears in
    SpringerLink
    http://dx.doi.org/10.1007/978-3-030-68734-2_2
    Copyright © 2020–2025 ICST