CR, LG · Sep 12, 2022

SmartKex: Machine Learning Assisted SSH Keys Extraction From The Heap Dump

arXiv:2209.05243v2 · 3 citations · h-index: 29
AI Analysis

This paper addresses a specific challenge in digital forensics for cybersecurity practitioners, though it appears incremental, as it applies machine learning to an existing bottleneck.

The paper tackles the problem of identifying and extracting SSH session keys from heap memory dumps in digital forensics by proposing SmartKex, a machine-learning assisted method, and shows it achieves high accuracy and throughput compared to brute-force approaches.

Digital forensics is the process of extracting, preserving, and documenting evidence in digital devices. A commonly used method in digital forensics is to extract data from the main memory of a digital device. However, the main challenge is identifying the important data to be extracted. Several pieces of crucial information reside in the main memory, like usernames, passwords, and cryptographic keys such as SSH session keys. In this paper, we propose SmartKex, a machine-learning assisted method to extract session keys from heap memory snapshots of an OpenSSH process. In addition, we release an openly available dataset and the corresponding toolchain for creating additional data. Finally, we compare SmartKex with naive brute-force methods and empirically show that SmartKex can extract the session keys with high accuracy and high throughput. With the provided resources, we intend to strengthen the research on the intersection between digital forensics, cybersecurity, and machine learning.

Code Implementations: 1 repo