{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,16]],"date-time":"2026-05-16T03:30:52Z","timestamp":1778902252712,"version":"3.51.4"},"reference-count":32,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2016,3,1]],"date-time":"2016-03-01T00:00:00Z","timestamp":1456790400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2016,1,27]],"date-time":"2016-01-27T00:00:00Z","timestamp":1453852800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004563","name":"Bayerisches Staatsministerium f\u00fcr Bildung und Kultus, Wissenschaft und Kunst","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004563","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Digital Investigation"],"published-print":{"date-parts":[[2016,3]]},"DOI":"10.1016\/j.diin.2016.01.014","type":"journal-article","created":{"date-parts":[[2016,3,28]],"date-time":"2016-03-28T12:38:59Z","timestamp":1459168739000},"page":"S114-S123","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":25,"special_numbering":"S","title":["TLSkex: Harnessing virtual machine introspection for decrypting TLS communication"],"prefix":"10.1016","volume":"16","author":[{"given":"Benjamin","family":"Taubmann","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Christoph","family":"Fr\u00e4drich","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dominik","family":"Dusold","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hans P.","family":"Reiser","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"78","reference":[{"key":"10.1016\/j.diin.2016.01.014_bib1","series-title":"Reliable distributed systems, 2010 29th IEEE symposium","first-page":"82","article-title":"DKSM: subverting virtual machine introspection for fun and profit","author":"Bahram","year":"2010"},{"key":"10.1016\/j.diin.2016.01.014_bib2","series-title":"Proc. of the network and distributed system security symposium, NDSS","article-title":"Efficient detection of split personalities in malware","author":"Balzarotti","year":"2010"},{"key":"10.1016\/j.diin.2016.01.014_bib3","series-title":"Transparent MITM with cuckoo sandbox","author":"Bremer","year":"2015"},{"key":"10.1016\/j.diin.2016.01.014_bib4","series-title":"Finding hidden threats by decrypting SSL, A SANS analyst whitepaper","author":"Butler","year":"2013"},{"key":"10.1016\/j.diin.2016.01.014_bib5","series-title":"Proceedings of the 2011 IEEE symposium on security and privacy, SP'11","first-page":"297","article-title":"Virtuoso: narrowing the semantic gap in virtual machine introspection","author":"Dolan-Gavitt","year":"2011"},{"key":"10.1016\/j.diin.2016.01.014_bib6","series-title":"Proc. network and distributed systems security symposium","first-page":"191","article-title":"A virtual machine introspection based architecture for intrusion detection","author":"Garfinkel","year":"2003"},{"key":"10.1016\/j.diin.2016.01.014_bib7","series-title":"Use SSLsplit to transparently sniff TLS\/SSL connections \u2013 Including non-HTTP(S) protocols","author":"Heckel","year":"2013"},{"key":"10.1016\/j.diin.2016.01.014_bib8","series-title":"Proc. of the 17th USENIX Security Symposium","article-title":"Lest we remember: cold boot attacks on encryption keys","author":"Halderman","year":"2008"},{"key":"10.1016\/j.diin.2016.01.014_bib9","series-title":"How to decrypt OpenSSL sessions using wireshark and SSL session identifiers","author":"Homan","year":"2013"},{"key":"10.1016\/j.diin.2016.01.014_bib10","series-title":"Using ssldump to decode\/decrypt SSL\/TLS packets","author":"Iveson","year":"2014"},{"key":"10.1016\/j.diin.2016.01.014_bib11","series-title":"Security and privacy (SP), 2014 IEEE symposium","first-page":"605","article-title":"Sok: introspections on trust and the semantic gap","author":"Jain","year":"2014"},{"key":"10.1016\/j.diin.2016.01.014_bib12","series-title":"All your private keys are belong to us \u2013 Extracting RSA private keys and certificates from process memory","author":"Klein","year":"2006"},{"key":"10.1016\/j.diin.2016.01.014_bib13","article-title":"HMAC: Keyed-hashing for message authentication","author":"Krawczyk","year":"1997","journal-title":"IETF, RFC 2104,"},{"key":"10.1016\/j.diin.2016.01.014_bib14","unstructured":"KVM, http:\/\/www.linux-kvm.org\/ (July 30 2015)."},{"key":"10.1016\/j.diin.2016.01.014_bib15","unstructured":"LibVMI, http:\/\/libvmi.com\/ (July 30 2015)."},{"key":"10.1016\/j.diin.2016.01.014_bib16","doi-asserted-by":"crossref","first-page":"S132","DOI":"10.1016\/j.diin.2009.06.002","article-title":"The persistence of memory: forensic identification and extraction of cryptographic keys","volume":"6","author":"Maartmann-Moe","year":"2009","journal-title":"Digit Investig"},{"key":"10.1016\/j.diin.2016.01.014_bib17","unstructured":"M. Marlinspike, sslsniff, http:\/\/www.thoughtcrime.org\/software\/sslsniff\/, [accessed 19.08.15] (2002)."},{"key":"10.1016\/j.diin.2016.01.014_bib18","unstructured":"M. Marlinspike, sslstrip, http:\/\/www.thoughtcrime.org\/software\/sslstrip\/, [accessed 19.08.15] (2009)."},{"key":"10.1016\/j.diin.2016.01.014_bib19","first-page":"96","article-title":"Nitro: hardware-based system call tracing for virtual machines","author":"Pfoh","year":"2011"},{"key":"10.1016\/j.diin.2016.01.014_bib20","series-title":"Significant SSL performance loss leaves much room for improvement","author":"Pric","year":"2013"},{"key":"10.1016\/j.diin.2016.01.014_bib21","first-page":"1","article-title":"Detecting system emulators","author":"Raffetseder","year":"2007"},{"key":"10.1016\/j.diin.2016.01.014_bib22","unstructured":"Rekall, Memory forensics analysis framework, http:\/\/www.rekall-forensic.com (January 15 2015)."},{"key":"10.1016\/j.diin.2016.01.014_bib23","article-title":"Transport Layer Security (TLS) Session Resumption Without Server-Side State","author":"Salowey","year":"2008","journal-title":"IETF, RFC 5077,"},{"key":"10.1016\/j.diin.2016.01.014_bib24","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1016\/j.diin.2006.06.010","article-title":"Searching for processes and threads in microsoft windows memory dumps","volume":"3","author":"Schuster","year":"2006","journal-title":"Digit Investig"},{"key":"10.1016\/j.diin.2016.01.014_bib25","series-title":"Proc. of the 3rd Int. conf. on financial cryptography, FC'99","first-page":"118","article-title":"Playing \u201chide and seek\u201d with stored keys","author":"Shamir","year":"1999"},{"key":"10.1016\/j.diin.2016.01.014_bib26","series-title":"2nd Workshop on security in highly connected IT systems (SHCIS)","article-title":"Analysing malware attacks in the cloud: a use case for the tlsinspector toolkit","author":"Taubmann","year":"2015"},{"key":"10.1016\/j.diin.2016.01.014_bib27","unstructured":"Tcpdump contributors, TCPDUMP\/LIBPCAP public repository, http:\/\/www.tcpdump.org\/, [accessed 19.08.15]."},{"key":"10.1016\/j.diin.2016.01.014_bib28","unstructured":"Volatility Foundation, Volatility command reference, https:\/\/github.com\/volatilityfoundation\/volatility\/wiki\/Command-Reference [accessed 19.08.15]."},{"key":"10.1016\/j.diin.2016.01.014_bib29","series-title":"Wireshark wiki about secure socket layer (SSL)","author":"Wireshark contributors","year":"2015"},{"key":"10.1016\/j.diin.2016.01.014_bib30","unstructured":"Xen, http:\/\/www.xenproject.org (July 30 2015)."},{"key":"10.1016\/j.diin.2016.01.014_bib31","series-title":"Improving LibVMI introspection performance with shared memory snapshots","author":"Guanglin","year":"2013"},{"key":"10.1016\/j.diin.2016.01.014_bib32","article-title":"The secure shell (SSH) transport layer protocol","author":"Ylonen","year":"2006","journal-title":"IETF, RFC 4253,"}],"container-title":["Digital Investigation"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S1742287616300081?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S1742287616300081?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2022,7,16]],"date-time":"2022-07-16T03:09:25Z","timestamp":1657940965000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S1742287616300081"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,3]]},"references-count":32,"alternative-id":["S1742287616300081"],"URL":"https:\/\/doi.org\/10.1016\/j.diin.2016.01.014","relation":{},"ISSN":["1742-2876"],"issn-type":[{"value":"1742-2876","type":"print"}],"subject":[],"published":{"date-parts":[[2016,3]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"TLSkex: Harnessing virtual machine introspection for decrypting TLS communication","name":"articletitle","label":"Article Title"},{"value":"Digital Investigation","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.diin.2016.01.014","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"Copyright \u00a9 2016 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}]}}