Brian Kaplan

RAM is Key: Extracting Disk Encryption Keys From Volatile Memory

This paper addresses the shortcomings of the traditional forensic response methodology with respect to disk encryption. It highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from volatile memory to facilitate the analysis of encrypted media in a forensically sound manner. A proof of concept tool capable of decrypting an encrypted disk image using a volatile memory dump is included to demonstrate the practicality of the outlined techniques.

This research was completed in May 2007 in partial fulfillment of the requirements for my Master's Degree, but unfortunately was not made publicly available until now.

Note that the Disk Decryptor PoC tool only comes with a "decryptor module" for PGP Whole Disk 9.x encrypted disks. It has been tested with PGP WDE v9.06 and v9.5 (current versions at the time this work was completed) and I've been told it works on 9.6 as well.

This tool also requires a working Java installation.

Thank you to my thesis adviser, Matthew Geiger, and to my father, Lenny Kaplan, for their help and support on this project.


Live View Forensics Tool

Live View is an open source (GPL) Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. It enables a forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.

This work was done while working for the CERT forensics team. As of July 2007 they have taken over the primary development and maintenance responsibilities for the project.

Government and law enforcement should contact pdt-forensics [at] cert [dot] org for a copy of the LE edition, which has some extra features that are not available in the standard version.

Thank you to Matthew Geiger, Rich Nolan, and the rest of the CERT forensics team for their help and support. Thank you to CERT/SEI for sponsoring this work.