Trusted memory acquisition using UEFI
2014 (English)Student thesis
Context. For computer forensic investigations, the necessity of unmodified data content is of vital essence. The solution presented in this paper is based on a trusted chain of execution, that ensures that only authorized software can run. In the study, the proposed application operates in an UEFI environment where it has a direct access to physical memory, which can be extracted and stored on a secondary storage medium for further analysis. Objectives. The aim is to perform this task while being sheltered from influence from a potentially contaminated operating system. Methods. By identifying key components and establishing the foundation for a trusted environment where the memory imaging tool can, unhindered, operate and produce a reliable result Results. Three distinct states where trust can be determined has been identified and a method for entering and traversing them is presented. Conclusions. Tools that does not follow the trusted model might be subjected to subversion, thus they might be considered inadequate when performing memory extraction for forensic purposes.
Place, publisher, year, edition, pages
2014. , 30 p.
UEFI, Secure Boot, trust, computer forensics
IdentifiersURN: urn:nbn:se:bth-3582Local ID: oai:bth.se:arkivex60B493F52AF54C8AC1257D0800677023OAI: oai:DiVA.org:bth-3582DiVA: diva2:830892
DVACD Master of Science in Computer Security