
Research Article
Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations
@INPROCEEDINGS{10.1007/978-3-030-68734-2_2, author={Marcel Busch and Florian Nicolai and Fabian Fleischer and Christian R\"{u}ckert and Christoph Safferling and Felix Freiling}, title={Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations}, proceedings={Digital Forensics and Cyber Crime. 11th EAI International Conference, ICDF2C 2020, Boston, MA, USA, October 15-16, 2020, Proceedings}, proceedings_a={ICDF2C}, year={2021}, month={2}, keywords={Remote forensic investigation, ARM TrustZone, Principle of proportionality, Evidential value, Translation table introspection, Android}, doi={10.1007/978-3-030-68734-2_2} }
- Marcel Busch
- Florian Nicolai
- Fabian Fleischer
- Christian Rückert
- Christoph Safferling
- Felix Freiling
Year: 2021
ICDF2C
Springer
DOI: 10.1007/978-3-030-68734-2_2
Abstract
Due to the increasing use of encrypted communication and anonymous services, many countries have introduced new regulations that allow law enforcement to perform remote forensic investigations. During such investigations, law enforcement agencies secretly obtain remote access to a suspect's computer to search for and collect evidence, including full copies of the (unencrypted) communication data. In this paper, we argue that the evidential value of the acquired evidence can be substantially increased by two technical methods: (1) employing integrity verification techniques offered by secure hardware, and (2) exfiltrating only the decryption key of encrypted communication, in order to decrypt communication obtained separately by lawful interception. To prove the practicality of both methods, we design and implement TEE-BI, a solution for Trusted Execution Environment-based introspection. We deploy TEE-BI on an Android-based hardware platform featuring ARM TrustZone and demonstrate the stealthy extraction of Secure Sockets Layer (SSL) encryption keys from an Android userland application. We evaluate the effectiveness, performance, and compatibility of our prototype and argue that it provides a much higher level of evidential value than the known existing remote forensic software systems.
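The abstract's keyword "translation table introspection" refers to the step any TEE-based introspection component must perform before it can read a normal-world process: walking that process's page tables to turn virtual addresses into physical ones. The following is an added illustration of that step, written for this page; it is not code from the paper or from TEE-BI, and it assumes (my choices, not the paper's) an AArch64 stage-1 walk with a 4 KiB granule, 48-bit virtual addresses, four lookup levels, and a constructed flat byte array standing in for normal-world physical memory. The sample "key" bytes placed in the image are constructed and deliberately straddle a page boundary so the virtual read has to translate twice.

```python
"""Added example (not from the paper/TEE-BI): minimal AArch64 stage-1 table walk.
Assumptions: 4 KiB granule, 48-bit VA, levels 0..3, flat byte array as physical
memory. Attribute bits (AP, AF, SH, ...) are ignored; only descriptor type and
output address are interpreted."""
import struct

GRANULE = 4096
DESC_VALID = 0b1
DESC_TABLE_OR_PAGE = 0b11   # bits[1:0]: next-level table (L0-L2) or page (L3)
DESC_BLOCK = 0b01           # bits[1:0]: block mapping (valid at L1 and L2 only)
OA_MASK = ((1 << 48) - 1) & ~(GRANULE - 1)   # output address bits [47:12]
BLOCK_SHIFT = {1: 30, 2: 21}                 # 1 GiB blocks at L1, 2 MiB at L2


class PhysicalMemory:
    """Constructed flat memory image with a bump allocator for table frames."""
    def __init__(self, size, first_free):
        self.buf = bytearray(size)
        self.next_free = first_free

    def read64(self, pa):
        return struct.unpack_from("<Q", self.buf, pa)[0]

    def write64(self, pa, value):
        struct.pack_into("<Q", self.buf, pa, value)

    def alloc_frame(self):
        pa = self.next_free
        if pa + GRANULE > len(self.buf):
            raise MemoryError("image exhausted")
        self.next_free += GRANULE
        return pa


def index_at(va, level):
    """9-bit index into the level-N table: VA bits [47:39], [38:30], [29:21], [20:12]."""
    return (va >> (39 - 9 * level)) & 0x1FF


def walk(mem, ttbr, va):
    """Translate `va` via tables rooted at `ttbr` (ASID bits [63:48] masked off).
    Returns the physical address, or None if any descriptor on the path is invalid."""
    if va >> 48:
        return None                         # outside the 48-bit VA space assumed here
    table = ttbr & OA_MASK
    for level in range(4):
        desc = mem.read64(table + index_at(va, level) * 8)
        if not desc & DESC_VALID:
            return None
        kind = desc & 0b11
        if level == 3:
            if kind != DESC_TABLE_OR_PAGE:
                return None                 # 0b01 at level 3 is reserved
            return (desc & OA_MASK) | (va & (GRANULE - 1))
        if kind == DESC_BLOCK:
            if level not in BLOCK_SHIFT:
                return None                 # no level-0 blocks with a 4 KiB granule
            low = (1 << BLOCK_SHIFT[level]) - 1
            return (desc & OA_MASK & ~low) | (va & low)
        table = desc & OA_MASK              # descend into the next-level table
    return None


def read_virtual(mem, ttbr, va, length):
    """Read `length` bytes at `va`, translating page by page so reads may cross
    page boundaries (how an introspector pulls a buffer out of a process)."""
    out = bytearray()
    while length:
        pa = walk(mem, ttbr, va)
        if pa is None:
            raise ValueError(f"unmapped VA {va:#x}")
        chunk = min(length, GRANULE - (va & (GRANULE - 1)))
        out += mem.buf[pa:pa + chunk]
        va, length = va + chunk, length - chunk
    return bytes(out)


def map_va(mem, ttbr, va, pa, leaf_level=3):
    """Install va -> pa as a 4 KiB page (leaf_level=3) or an L1/L2 block.
    Intermediate tables are allocated on demand (no conflicting mappings assumed)."""
    table = ttbr & OA_MASK
    for level in range(leaf_level):
        slot = table + index_at(va, level) * 8
        desc = mem.read64(slot)
        if not desc & DESC_VALID:
            desc = mem.alloc_frame() | DESC_TABLE_OR_PAGE
            mem.write64(slot, desc)
        table = desc & OA_MASK
    slot = table + index_at(va, leaf_level) * 8
    if leaf_level == 3:
        mem.write64(slot, (pa & OA_MASK) | DESC_TABLE_OR_PAGE)
    else:
        low = (1 << BLOCK_SHIFT[leaf_level]) - 1
        mem.write64(slot, (pa & OA_MASK & ~low) | DESC_BLOCK)


def build_demo():
    """Constructed image: two adjacent pages holding a sample 'key' that straddles
    their boundary, plus one 2 MiB block (translation only; its physical range
    is not backed by this small image)."""
    mem = PhysicalMemory(64 * GRANULE, first_free=0x2000)
    ttbr = 0x1000                           # level-0 table lives at 0x1000
    map_va(mem, ttbr, 0x7F00_1234_5000, 0xA000)
    map_va(mem, ttbr, 0x7F00_1234_6000, 0xB000)
    map_va(mem, ttbr, 0x0000_4000_0000, 0x2000_0000, leaf_level=2)
    mem.buf[0xAFF8:0xB008] = b"constructed-key!"   # 8 bytes in each page
    return mem, ttbr


if __name__ == "__main__":
    mem, ttbr = build_demo()
    print(hex(walk(mem, ttbr, 0x7F00_1234_5ABC)))          # 0xaabc
    print(read_virtual(mem, ttbr, 0x7F00_1234_5FF8, 16))   # b'constructed-key!'
```

In a real deployment the secure world would read the normal world's TTBR0_EL1 for the target process and walk live DRAM instead of a byte array, and a forensically careful implementation would also record the descriptors it followed so the provenance of every extracted byte can be reconstructed later; the walk itself is the same.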