{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,1]],"date-time":"2025-11-01T13:36:40Z","timestamp":1762004200419},"reference-count":31,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2009,9,1]],"date-time":"2009-09-01T00:00:00Z","timestamp":1251763200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2019,1,18]],"date-time":"2019-01-18T00:00:00Z","timestamp":1547769600000},"content-version":"vor","delay-in-days":3426,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Digital Investigation"],"published-print":{"date-parts":[[2009,9]]},"DOI":"10.1016\/j.diin.2009.06.002","type":"journal-article","created":{"date-parts":[[2009,8,19]],"date-time":"2009-08-19T08:33:54Z","timestamp":1250670834000},"page":"S132-S140","source":"Crossref","is-referenced-by-count":46,"special_numbering":"S","title":["The persistence of memory: Forensic identification and extraction of cryptographic keys"],"prefix":"10.1016","volume":"6","author":[{"given":"Carsten","family":"Maartmann-Moe","sequence":"first","affiliation":[]},{"given":"Steffen E.","family":"Thorkildsen","sequence":"additional","affiliation":[]},{"family":"Andr\u00e9 \u00c5rnes","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.diin.2009.06.002_bib24","series-title":"Serpent: a proposal for the advanced encryption standard","author":"Anderson","year":"2000"},{"key":"10.1016\/j.diin.2009.06.002_bib15","series-title":"Security engineering: a guide to building dependable distributed systems","author":"Anderson","year":"2001"},{"key":"10.1016\/j.diin.2009.06.002_bib1","unstructured":"Carrier B, Spafford E. An event-based digital forensic investigation framework. Digital Forensic Research Workshop, 2004."},{"key":"10.1016\/j.diin.2009.06.002_bib22","article-title":"Windows forensic analysis","author":"Carvey","year":"2007","journal-title":"Syngress"},{"key":"10.1016\/j.diin.2009.06.002_bib7","unstructured":"Chow J, Pfaff B, Garfinkel T, Rosenblum M. Shredding your garbage: reducing data lifetime. In Proc. 14th USENIX Security Symposium, August 2005."},{"key":"10.1016\/j.diin.2009.06.002_bib2","doi-asserted-by":"crossref","first-page":"500","DOI":"10.1007\/3-540-49116-3_47","article-title":"How to forget a secret","volume":"1563","author":"Crescenzo","year":"1999","journal-title":"Lecture Notes in Computer Science"},{"key":"10.1016\/j.diin.2009.06.002_bib4","unstructured":"Dornseif M. Firewire \u2013 all your memory are belong to us. Presentation at CanSecWest\/Core05, 2005."},{"key":"10.1016\/j.diin.2009.06.002_bib17","unstructured":"Gutmann P. Secure deletion of data from magnetic and solid-state memory. Proc. 6th USENIX Security Symposium, pp. 77\u201390, July\u00a01996."},{"key":"10.1016\/j.diin.2009.06.002_bib16","unstructured":"Gutmann P. Data remanence in semiconductor devices. Proc. 10th USENIX Security Symposium, pp. 39\u201354, August 2001."},{"key":"10.1016\/j.diin.2009.06.002_bib14","doi-asserted-by":"crossref","unstructured":"Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA, et\u00a0al. Lest we remember: cold boot attacks on encryption keys, 2008.","DOI":"10.1145\/1506409.1506429"},{"key":"10.1016\/j.diin.2009.06.002_bib18","unstructured":"Kaplan B. Ram is key: extracting disk encryption keys from volatile memory. Master's thesis, Carnegie Mellon University, 2007."},{"key":"10.1016\/j.diin.2009.06.002_bib11","unstructured":"Klein T. All your private keys are belong to us. Tech. Rep., 2006."},{"key":"10.1016\/j.diin.2009.06.002_bib20","doi-asserted-by":"crossref","first-page":"91","DOI":"10.1016\/j.diin.2006.06.015","article-title":"\u201cIdentifying almost identical files using context triggered piecewise hashing\u201d","volume":"3","author":"Kornblum","year":"2006","journal-title":"Digital Investigation"},{"key":"10.1016\/j.diin.2009.06.002_bib19","unstructured":"Kornblum J. Practical cryptographic key recovery. In Open Memory Forensics Workshop (OMFW), 2008."},{"key":"10.1016\/j.diin.2009.06.002_bib31","unstructured":"Maartmann-Moe C. Forensic key discovery and identification. Master's thesis, Norwegian University of Science and Technology, 2008."},{"key":"10.1016\/j.diin.2009.06.002_bib5","unstructured":"Martin A. Firewire memory dump of a Windows XP computer: a forensic approach. Tech. Rep., 2007."},{"key":"10.1016\/j.diin.2009.06.002_bib27","series-title":"An observation on the key schedule of Twofish","author":"Mirza","year":"1999"},{"key":"10.1016\/j.diin.2009.06.002_bib23","series-title":"Announcing the advanced encryption standard (AES)","author":"NIST","year":"2001"},{"key":"10.1016\/j.diin.2009.06.002_bib9","unstructured":"Pettersson T. Cryptographic key recovery from linux memory dumps. In Chaos Communication Camp, 2007."},{"key":"10.1016\/j.diin.2009.06.002_bib10","author":"Ptacek"},{"key":"10.1016\/j.diin.2009.06.002_bib3","article-title":"Windows memory forensics","author":"Ruff","year":"2007","journal-title":"Journal in Computer Virology"},{"key":"10.1016\/j.diin.2009.06.002_bib29","series-title":"Microsoft windows internals","author":"Russinovich","year":"2005"},{"key":"10.1016\/j.diin.2009.06.002_bib28","unstructured":"Schneier B, Kelsey J, Whiting D, Wagner D, Hall C, Ferguson N. Further observations on the key schedule of Twofish. Twofish Technical Report, 1999."},{"key":"10.1016\/j.diin.2009.06.002_bib25","unstructured":"Schneier B, Kelsey J, Whiting D, Wagner D, Hall C, Ferguson N. Twofish: a 128-bit block cipher. In Third AES Candidate Conference, 2000."},{"key":"10.1016\/j.diin.2009.06.002_bib30","series-title":"Applied cryptography: protocols, algorithms, and source code in C","author":"Schneier","year":"1995"},{"key":"10.1016\/j.diin.2009.06.002_bib26","article-title":"On the Twofish key schedule","volume":"1556","author":"Schneier","year":"1998","journal-title":"Lecture Notes in Computer Science"},{"key":"10.1016\/j.diin.2009.06.002_bib21","series-title":"DFRWS","article-title":"Searching for processes and threads in microsoft windows memory dumps","author":"Schuster","year":"2006"},{"key":"10.1016\/j.diin.2009.06.002_bib8","series-title":"Financial cryptography (LNCS 1648)","first-page":"118","article-title":"Playing hide and seek with stored keys","author":"Shamir","year":"1998"},{"key":"10.1016\/j.diin.2009.06.002_bib6","doi-asserted-by":"crossref","first-page":"68","DOI":"10.1016\/j.diin.2007.03.002","article-title":"User data persistence in physical memory","volume":"4","author":"Solomona","year":"2007","journal-title":"Digital Investigation"},{"key":"10.1016\/j.diin.2009.06.002_bib12","series-title":"Truecrypt source code","author":"Truecrypt Foundation","year":"2008"},{"key":"10.1016\/j.diin.2009.06.002_bib13","series-title":"Volatools: integrating volatile memory forensics into the digital investigation process","author":"Walters","year":"2007"}],"container-title":["Digital Investigation"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S1742287609000486?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S1742287609000486?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2019,5,22]],"date-time":"2019-05-22T02:28:23Z","timestamp":1558492103000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S1742287609000486"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009,9]]},"references-count":31,"alternative-id":["S1742287609000486"],"URL":"https:\/\/doi.org\/10.1016\/j.diin.2009.06.002","relation":{},"ISSN":["1742-2876"],"issn-type":[{"value":"1742-2876","type":"print"}],"subject":[],"published":{"date-parts":[[2009,9]]}}}