{"title":"InvesTEE: A TEE-supported Framework for Lawful Remote Forensic Investigations","authors":"Christian Lindenmeier, Jan Gruber, Felix Freiling","doi":"10.1145/3680294","DOIUrl":null,"url":null,"abstract":"Remote forensic investigations, i.e., the covert lawful infiltration of computing devices, are a generic method to acquire evidence in the presence of strong defensive security. A precondition for such investigations is the ability to execute software with sufficient privileges on target devices. The standard way to achieve such remote access is by exploiting yet unpatched software vulnerabilities. This in turn puts other users at risk, resulting in a dilemma for state authorities that aim to protect the general public (by patching such vulnerabilities) and those that need remote access in criminal investigations. As a partial solution, we present a framework that enables privileged remote forensic access without using privileged exploits. The idea is to separate the remote forensic software into two parts: a Forensic Software, designed by law enforcement agencies to execute investigative actions, and a (privileged) Control Software, provided by the device vendor to selectively grant privileges to the Forensic Software based on a court warrant within the rules of criminal procedure. By leveraging trusted execution environments for running the Control Software in a tamper-proof manner, we enable trustful deployment and operation of remote forensic software. We provide a proof-of-concept implementation of InvesTEE that is based on ARMv8-A TrustZone.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"24 16","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-07-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Digital Threats: Research and Practice","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3680294","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
Abstract
Remote forensic investigations, i.e., the covert lawful infiltration of computing devices, are a generic method to acquire evidence in the presence of strong defensive security. A precondition for such investigations is the ability to execute software with sufficient privileges on target devices. The standard way to achieve such remote access is by exploiting yet unpatched software vulnerabilities. This in turn puts other users at risk, resulting in a dilemma for state authorities that aim to protect the general public (by patching such vulnerabilities) and those that need remote access in criminal investigations. As a partial solution, we present a framework that enables privileged remote forensic access without using privileged exploits. The idea is to separate the remote forensic software into two parts: a Forensic Software, designed by law enforcement agencies to execute investigative actions, and a (privileged) Control Software, provided by the device vendor to selectively grant privileges to the Forensic Software based on a court warrant within the rules of criminal procedure. By leveraging trusted execution environments for running the Control Software in a tamper-proof manner, we enable trustful deployment and operation of remote forensic software. We provide a proof-of-concept implementation of InvesTEE that is based on ARMv8-A TrustZone.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
