Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations

Busch M, Nicolai F, Fleischer F, Rückert C, Safferling C, Freiling F (2021)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2021

Publisher: Springer

City/Town: Cham, Switzerland

Pages Range: 23 - 44

Conference Proceedings Title: Digital Forensics and Cyber Crime

Event location: Boston, MA, USA

ISBN: 978-3-030-68733-5

DOI: 10.1007/978-3-030-68734-2

Abstract

Due to the increasing use of encrypted communication and anonymous services, many countries introduced new regulations that allow law enforcement to perform remote forensic investigations. During such investigations, law enforcement agencies secretly obtain remote access to a suspect’s computer to search for and collect evidence, including full copies of the (unencrypted) communication data. In this paper, we argue that the evidential value of the acquired evidence can be substantially increased by two technical methods: (1) employing integrity verification techniques offered by secure hardware, and (2) exfiltrating the decryption key of encrypted communication only in order to decrypt communication obtained by lawful interception. To prove the practicality of both methods, we design and implement TEE-BI, a solution for Trusted Execution Environment-based introspection. We deploy TEE-BI on an Android-based hardware platform featuring an ARM TrustZone and demonstrate the stealthy extraction of Secure Sockets Layer encryption keys from an Android userland application. We evaluate the effectiveness, performance, and compatibility of our prototype and argue that it provides a much higher level of evidential value than (the known) existing remote forensic software systems.

How to cite

APA:

Busch, M., Nicolai, F., Fleischer, F., Rückert, C., Safferling, C., & Freiling, F. (2021). Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations. In Sanjay Goel; Pavel Gladyshev; Daryl Johnson; Makan Pourzandi; Suryadipta Majumdar (Eds.), Digital Forensics and Cyber Crime (pp. 23 - 44). Boston, MA, USA: Cham, Switzerland: Springer.

MLA:

Busch, Marcel, et al. "Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations." Proceedings of the 11th EAI International Conference on Digital Forensics & Cyber Crime, Boston, MA, USA. Ed. Sanjay Goel; Pavel Gladyshev; Daryl Johnson; Makan Pourzandi; Suryadipta Majumdar, Cham, Switzerland: Springer, 2021. 23 - 44.