GPG memory forensics
After nearly 25 years of existence, GnuPG is still a widely used solution for message encryption. GPG relies on an agent (gpg-agent) that provides multiple functions, including caching passphrases and encryption keys. This work demonstrates techniques to retrieve passphrases and encryption keys from a memory dump, either of the gpg-agent process alone or of the full system. We also provide a Volatility3 plugin to retrieve the associated key material and the original plaintext, and we show how this can be used as a defensive countermeasure in some scenarios, such as ransomware attacks.
Nils is a Senior Security Engineer on Kudelski Security's research team, performing research on various topics including privacy, authentication, big data analytics, and internet scanning. He also writes blog posts on various topics for Kudelski's research blog. Nils likes open source software and has presented his research at DEF CON and Black Hat Arsenal. He was part of the team that created a massively distributed system for breaking RSA public keys.
Sylvain is a cryptography expert in the research team at Kudelski Security. His favorite topics are cryptography, hardware attacks, and vulnerability research in general. He has worked on the security of cryptographic algorithm implementations on different platforms as well as on security audits of critical code. He likes playing and organizing CTFs.