Tuesday, October 17, 2017

Memory Forensics - LiME | Volatility


LiME is a Loadable Kernel Module (LKM) which allows the acquisition of volatile memory from Linux and Linux-based devices, including full captures of physical memory. Because it runs inside the kernel rather than as a user-space process, it can read all of physical RAM with far less interaction with user-space processes and services, which is what makes its captures more forensically sound than those of user-space tools.






Go to the src/ directory of the LiME source tree, then run make. The module is built against the headers of the kernel currently running, so the resulting object loads only on that exact kernel version; to acquire memory from another machine, build it on a box with the same kernel and headers.




Once make completes, a kernel object file with the .ko extension is created, named after the kernel version it was built for, for example:

lime-4.11.0-kali-amd64.ko



Use the command below to acquire the memory dump. LiME takes its options as a single quoted string: path= is the output file and format= is one of raw, padded or lime.

#    sudo insmod ./lime-4.11.0-kali-amd64.ko "path=/root/Desktop/dump_filename.mem format=raw"

Two caveats are worth knowing before running this on real evidence. First, format=lime is the format Volatility reads directly: it records the physical address of every RAM range in a 32-byte header, which raw omits. Second, writing the dump to the target's own disk overwrites unallocated space that may itself hold evidence; LiME can instead stream the capture over the network with path=tcp:<port>, and the analyst collects it on another machine with a tool such as nc.




Open another terminal and check the size of the dump file as it is written:

ls -lha /root/Desktop/dump_filename.mem

A complete capture is roughly the size of the machine's physical RAM (slightly more for format=lime because of the per-range headers).




Use Volatility to analyse the dump. Volatility needs a Linux profile that matches the captured kernel exactly (built from that kernel's System.map and a dwarf module compiled against its headers); without it the dump cannot be interpreted, so build or obtain the profile for the target kernel before acquisition where possible.


Volatility Framework - Volatile memory extraction utility framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
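Before handing a capture to Volatility it pays to verify that the file is well formed and complete. The parser below is added here as an example; it is not part of LiME or Volatility. It reads a dump written with format=lime following the header layout LiME documents (a 32-byte header before each RAM range: magic 0x4C694D45, version 1, inclusive start and end physical addresses, 8 reserved bytes) and rejects a capture whose last range was cut short. The two-range sample dump it builds in memory is constructed filler, not real memory; on a real file, pass an *os.File to ParseLime instead.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// limeMagic is the 32-bit value that starts every LiME range header; written
// little-endian it reads "EMiL" in a hex dump.
const limeMagic = 0x4C694D45

// headerSize is the size of the packed lime_mem_range_header struct.
const headerSize = 32

// limeHeader mirrors the packed header LiME writes before each physical RAM
// range when format=lime is used.
type limeHeader struct {
	Magic     uint32
	Version   uint32
	StartAddr uint64
	EndAddr   uint64 // inclusive
	Reserved  [8]byte
}

// Segment is one physical RAM range recovered from a dump.
type Segment struct {
	Start, End uint64 // physical addresses, End inclusive
	Offset     int64  // file offset of the first data byte of the range
}

// Size returns the number of bytes the range occupies in the file.
func (s Segment) Size() uint64 { return s.End - s.Start + 1 }

// ParseLime walks a LiME-format dump and returns its segments. Every header is
// checked, and each range must be fully present in the file, so a capture that
// was interrupted (disk full, target powered off) is reported instead of being
// handed to Volatility as if it were complete.
func ParseLime(r io.ReadSeeker) ([]Segment, error) {
	total, err := r.Seek(0, io.SeekEnd)
	if err != nil {
		return nil, err
	}
	var segs []Segment
	for off := int64(0); off < total; {
		if _, err := r.Seek(off, io.SeekStart); err != nil {
			return nil, err
		}
		var h limeHeader
		if err := binary.Read(r, binary.LittleEndian, &h); err != nil {
			return nil, fmt.Errorf("segment %d at offset %d: short header: %w", len(segs), off, err)
		}
		if h.Magic != limeMagic {
			return nil, fmt.Errorf("segment %d at offset %d: bad magic %#x", len(segs), off, h.Magic)
		}
		if h.Version != 1 {
			return nil, fmt.Errorf("segment %d: unsupported header version %d", len(segs), h.Version)
		}
		if h.EndAddr < h.StartAddr {
			return nil, fmt.Errorf("segment %d: end %#x precedes start %#x", len(segs), h.EndAddr, h.StartAddr)
		}
		seg := Segment{Start: h.StartAddr, End: h.EndAddr, Offset: off + headerSize}
		if remaining := uint64(total - seg.Offset); seg.Size() > remaining {
			return nil, fmt.Errorf("segment %d: range %#x-%#x needs %d bytes but only %d remain (truncated capture?)",
				len(segs), seg.Start, seg.End, seg.Size(), remaining)
		}
		segs = append(segs, seg)
		off = seg.Offset + int64(seg.Size())
	}
	return segs, nil
}

// TotalSize sums the RAM captured across all segments.
func TotalSize(segs []Segment) uint64 {
	var n uint64
	for _, s := range segs {
		n += s.Size()
	}
	return n
}

// SampleDump builds a small constructed dump in memory with two RAM ranges
// separated by a hole, as a real machine's physical map would have. It stands
// in for the file LiME writes; the contents are filler, not real memory.
func SampleDump() []byte {
	var buf bytes.Buffer
	for _, s := range []Segment{{Start: 0x1000, End: 0x1FFF}, {Start: 0x100000, End: 0x1007FF}} {
		h := limeHeader{Magic: limeMagic, Version: 1, StartAddr: s.Start, EndAddr: s.End}
		binary.Write(&buf, binary.LittleEndian, h)
		buf.Write(bytes.Repeat([]byte{0xAA}, int(s.Size())))
	}
	return buf.Bytes()
}

func main() {
	segs, err := ParseLime(bytes.NewReader(SampleDump()))
	if err != nil {
		fmt.Println("dump rejected:", err)
		return
	}
	for i, s := range segs {
		fmt.Printf("segment %d: %#x-%#x (%d bytes) at file offset %d\n", i, s.Start, s.End, s.Size(), s.Offset)
	}
	fmt.Printf("RAM captured: %d bytes\n", TotalSize(segs))
}
```

The segment list this prints is the same physical map Volatility's LiME address space reconstructs; comparing TotalSize against the RAM of the target and checking that no error is returned is a quick sanity test of a capture before any analysis starts.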






Monday, October 9, 2017

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Concepts | Encryption Methods | Digital Certificates

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) concepts


The SSL and TLS protocols enable two parties to identify and authenticate each other and to communicate with confidentiality and data integrity. SSL is the older of the two; every SSL version is now deprecated (SSL 3.0 by RFC 7568) and what is deployed in practice is TLS, so "SSL" below is simply the historical name for the same layer.
The SSL and TLS protocols provide communications security over the internet and allow client/server applications to communicate in a way that is confidential and reliable. The protocols have two layers: a Record Protocol, which fragments, encrypts and integrity-protects application data, and a Handshake Protocol, which authenticates the parties and establishes the keys the Record Protocol uses. Both are layered above a reliable transport such as TCP, and both asymmetric and symmetric cryptography are used.
An SSL or TLS connection is initiated by an application, which becomes the SSL or TLS client. The application which receives the connection becomes the SSL or TLS server. Every new session begins with a handshake, as defined by the SSL or TLS protocols: the client and server agree on a protocol version and cipher suite, the server (and optionally the client) presents a certificate that the other side verifies against a CA it trusts, and the two sides derive the shared symmetric session keys that protect the rest of the conversation.

Overview of the SSL or TLS handshake


This diagram illustrates the SSL or TLS handshake as described in the text preceding the diagram.

Symmetric vs. Asymmetric Encryption


Symmetric Encryption

The simplest kind of encryption, involving only one secret key to encrypt and decrypt information. Symmetric encryption is the older and best-known technique. The key is a secret value (in practice a random string of bits rather than a word) that is combined with the plaintext of a message to transform its content; the sender and the recipient must both know the secret key used to encrypt and decrypt all the messages. Blowfish, AES, RC4, DES, RC5 and RC6 are examples of symmetric ciphers, though RC4 and DES are considered broken and should not be used in new designs (RC4 is prohibited in TLS by RFC 7465). The most widely used symmetric algorithm is AES, with 128-, 192- or 256-bit keys.
The main disadvantage of symmetric encryption is key distribution: all parties have to share the key over some secure channel before they can exchange encrypted data, and a key shared among many parties is only as secret as its least careful holder.

Asymmetric Encryption
Asymmetric encryption is also known as public key cryptography and is a relatively new method compared to symmetric encryption. It uses a pair of mathematically related keys: a public key, which is made freely available to anyone who might want to send you a message, and a private key, which is kept secret so that only you know it. The private key never has to be transmitted, which removes the key-distribution problem of symmetric encryption: only the public half is exchanged over the Internet or a large network, and knowing it does not let anyone read messages encrypted with it.
A message encrypted using the public key can only be decrypted using the private key. The reverse operation, using the private key to produce a value that anyone holding the public key can check, is a digital signature; it is how a server proves to a client that it holds the private key matching its certificate. The public key does not need to be kept confidential, but it does need to be authentic: if an attacker can substitute their own public key for yours, they can read what is sent to you, which is exactly the problem certificates solve. Asymmetric operations are far slower than symmetric ones and can only handle short inputs, so in practice they are used to authenticate the parties and to establish a symmetric session key, not to encrypt bulk data.
Asymmetric cryptography underpins day-to-day communication channels, especially over the Internet, through protocols such as TLS. Popular asymmetric algorithms include RSA, ElGamal, DSA and elliptic curve schemes such as ECDH and ECDSA. PKCS is not an algorithm but a family of standards (PKCS #1, for instance, defines RSA encryption and signature padding) that specify how such algorithms are used.

Asymmetric Encryption in Digital Certificates

To use asymmetric encryption, there must be a way of discovering public keys. One typical technique is using digital certificates in a client-server model of communication. A certificate is a package of information that identifies an entity, whether a user or a server, and binds it to a public key. It contains information such as the subject's name (for a server, its host name), the organization, the organization that issued the certificate, the validity period, the subject's public key and, for a user certificate, details such as an email address and country.
When a client and a server require a secure encrypted communication, one party sends a request over the network and the other sends back a copy of its certificate. The peer's public key can be extracted from the certificate, and the certificate can also be used to uniquely identify its holder. The certificate by itself proves nothing, however: the receiving side must check the issuer's signature on it against a CA it already trusts, and check that the name in it matches the server it meant to reach.
SSL/TLS uses both kinds of cryptography: asymmetric operations to authenticate the server (and optionally the client) and to agree on a session key, and symmetric encryption to protect the bulk data. The authentication step rests on digitally signed certificates issued by trusted certificate authorities (CAs), which are covered next.

Digital certificates

Digital certificates protect against impersonation by certifying that a public key belongs to a specified entity. They are issued by a Certificate Authority (CA), which signs the certificate with its own private key; any party that trusts the CA can verify that signature with the CA's public key.
Digital certificates provide protection against impersonation because a digital certificate binds a public key to its owner, whether that owner is an individual, a server, or some other entity. Digital certificates are also known as public key certificates, because they give you assurances about the ownership of a public key when you use an asymmetric key scheme. A digital certificate contains the public key for an entity and is a statement, signed by the issuer, that the public key belongs to that entity:
  • When the certificate is for an individual entity, the certificate is called a personal certificate or user certificate.
  • When the certificate is for a Certificate Authority, the certificate is called a CA certificate or signer certificate.
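As a runnable illustration of the handshake described under the SSL/TLS overview above and of the certificate binding described in this section (added here; it is not code from the original post), the Go program below plays certificate authority, server and client on the loopback interface. A client that trusts only the genuine root accepts the server whose certificate that root signed and rejects a second server presenting a certificate for the same name issued by an unrelated CA, which is exactly the impersonation the section talks about. The names (Example Root CA, server.example, Rogue CA), the 24-hour validity, the P-256 keys and the 5-second deadlines are arbitrary choices for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is the host the client intends to reach; it must appear in the
// server certificate's subject alternative names or verification fails.
const serverName = "server.example"

// issueCert generates a P-256 key pair and an X.509 certificate for it. With
// parent == nil the certificate is self-signed and acts as a root CA; otherwise
// it is signed with parentKey, which binds the new public key to the issuer.
// Failures here are setup bugs, not verification results, so they panic.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Handshake runs one TLS handshake over loopback: the server presents cert, the
// client trusts only roots. Returns the verified peer's CommonName and cipher suite.
func Handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool) (string, string, error) {
	srvConf := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and drive its handshake
		if c, err := ln.Accept(); err == nil {
			c.SetDeadline(time.Now().Add(5 * time.Second))
			c.(*tls.Conn).Handshake() // a rejected certificate surfaces as the client's error
			c.Close()
		}
	}()
	cliConf := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cliConf)
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.PeerCertificates[0].Subject.CommonName, tls.CipherSuiteName(st.CipherSuite), nil
}

// RunScenarios issues a root CA, a server certificate signed by it, and a second
// certificate for the same name signed by a "rogue" CA, then runs one handshake each.
func RunScenarios() (genuineCN, suite string, genuineErr, impostorErr error) {
	ca, caKey := issueCert("Example Root CA", true, nil, nil)
	srv, srvKey := issueCert(serverName, false, ca, caKey)
	rogueCA, rogueKey := issueCert("Rogue CA", true, nil, nil)
	impostor, impostorKey := issueCert(serverName, false, rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the client's trust store: the genuine root, nothing else
	genuineCN, suite, genuineErr = Handshake(srv, srvKey, roots)
	_, _, impostorErr = Handshake(impostor, impostorKey, roots)
	return
}

func main() {
	cn, suite, genuineErr, impostorErr := RunScenarios()
	fmt.Printf("genuine: peer=%q suite=%s err=%v\nimpostor (same name, untrusted CA): err=%v\n", cn, suite, genuineErr, impostorErr)
}
```

The cipher suite name the genuine run prints shows the division of labour from the previous section: the certificate and its ECDSA signature are the asymmetric part, while the negotiated suite names the symmetric cipher (an AES-GCM or ChaCha20-Poly1305 suite in current Go) that protects everything after the handshake. Setting RootCAs to nil instead of roots would make the client use the operating system's trust store, which is the configuration a real client normally runs with.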