{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T05:03:40Z","timestamp":1750309420973,"version":"3.41.0"},"reference-count":44,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"DFG (German Research Foundation) as part of the Research and Training Group 2475 \u201cCybercrime and Forensic Computing\u201d","award":["393541319\/GRK2475\/1-2019"],"award-info":[{"award-number":["393541319\/GRK2475\/1-2019"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2024,9,30]]},"abstract":"<jats:p>Remote forensic investigations, i.e., the covert lawful infiltration of computing devices, are a generic method to acquire evidence in the presence of strong defensive security. A precondition for such investigations is the ability to execute software with sufficient privileges on target devices. The standard way to achieve such remote access is by exploiting yet unpatched software vulnerabilities. This in turn puts other users at risk, resulting in a dilemma for state authorities that aim to protect the general public (by patching such vulnerabilities) and those that need remote access in criminal investigations. As a partial solution, we present a framework that enables privileged remote forensic access without using privileged exploits. The idea is to separate the remote forensic software into two parts: a Forensic Software, designed by law enforcement agencies to execute investigative actions, and a (privileged) Control Software, provided by the device vendor to selectively grant privileges to the Forensic Software based on a court warrant within the rules of criminal procedure. By leveraging trusted execution environments for running the Control Software in a tamper-proof manner, we enable trustful deployment and operation of remote forensic software. We provide a proof-of-concept implementation of InvesTEE that is based on ARMv8-A TrustZone.<\/jats:p>","DOI":"10.1145\/3680294","type":"journal-article","created":{"date-parts":[[2024,7,22]],"date-time":"2024-07-22T12:35:47Z","timestamp":1721651747000},"page":"1-20","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["InvesTEE: A TEE-supported Framework for Lawful Remote Forensic Investigations"],"prefix":"10.1145","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2369-2196","authenticated-orcid":false,"given":"Christian","family":"Lindenmeier","sequence":"first","affiliation":[{"name":"Department of Computer Science, Friedrich-Alexander-Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1862-2900","authenticated-orcid":false,"given":"Jan","family":"Gruber","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Friedrich-Alexander-Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8279-8401","authenticated-orcid":false,"given":"Felix","family":"Freiling","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Friedrich-Alexander-Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}]}],"member":"320","published-online":{"date-parts":[[2024,10,26]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.5555\/275079.275104"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyad020"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/2814825"},{"key":"e_1_3_2_5_2","unstructured":"ARM. 2013. ARM Architecture Reference Manual Armv8. Retrieved from https:\/\/developer-service.arm.com\/static\/60119835773bb020e3de6fee?token="},{"key":"e_1_3_2_6_2","unstructured":"ARM. 2015. ARM Cortex-A Series Programmer\u2019s Guide for ARMv8-A. Retrieved from https:\/\/developer.arm.com\/documentation\/den0024\/latest\/"},{"key":"e_1_3_2_7_2","unstructured":"ARM. ARM TrustZone. Retrieved from https:\/\/developer.arm.com\/ip-products\/security-ip\/trustzone"},{"key":"e_1_3_2_8_2","unstructured":"ARM. AArch64 exception vector table. Retrieved from https:\/\/developer.arm.com\/documentation\/100933\/0100\/AArch64-exception-vector-table"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-140515"},{"key":"e_1_3_2_10_2","first-page":"41","volume-title":"Proceedings of the FREENIX Track: 2005 USENIX Annual Technical Conference","author":"Bellard Fabrice","year":"2005","unstructured":"Fabrice Bellard. 2005. QEMU, a fast and portable dynamic translator. In Proceedings of the FREENIX Track: 2005 USENIX Annual Technical Conference, 41\u201346."},{"key":"e_1_3_2_11_2","unstructured":"BKA. 2018. Standardisierende Leistungsbeschreibung f\u00fcr Software zur Durchf\u00fchrung von Ma\u00dfnahmen der Quellen-Telekommunikations\u00fcberwachung und der Online-Durchsuchung. Retrieved from https:\/\/www.bka.de\/SharedDocs\/Downloads\/DE\/Sonstiges\/standardisierendeLeistungsbeschreibungQuellenTKUE.html"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-68734-2_2"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664272"},{"key":"e_1_3_2_14_2","first-page":"657","volume-title":"27th USENIX Security Symposium, USENIX Security 2018","author":"Frankle Jonathan","year":"2018","unstructured":"Jonathan Frankle, Sunoo Park, Daniel Shaar, Shafi Goldwasser, and Daniel Weitzner. 2018. Practical accountability of secret processes. In 27th USENIX Security Symposium, USENIX Security 2018. William Enck and Adrienne Porter Felt (Eds.). USENIX Association, 657\u2013674."},{"key":"e_1_3_2_15_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium, (NDSS \u201903)","author":"Garfinkel Tal","year":"2003","unstructured":"Tal Garfinkel and Mendel Rosenblum. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed System Security Symposium, (NDSS \u201903). Retrieved from https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/"},{"key":"e_1_3_2_16_2","unstructured":"GlobalPlatform. TEE internal core API specification v1.3. Retrieved from https:\/\/globalplatform.org\/specs-library\/tee-internal-core-api-specification\/"},{"key":"e_1_3_2_17_2","unstructured":"Google. Android Keystore system. Retrieved from https:\/\/developer.android.com\/privacy-and-security\/keystore"},{"key":"e_1_3_2_18_2","unstructured":"Google. DRM. Retrieved from https:\/\/source.android.com\/devices\/drm"},{"key":"e_1_3_2_19_2","unstructured":"Google. Trusty TEE. Retrieved from https:\/\/source.android.com\/docs\/security\/features\/trusty"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-77883-5_19"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1016\/J.FSIDI.2022.301438"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/QRS.2018.00026"},{"key":"e_1_3_2_23_2","volume-title":"Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices","author":"Gutheil Mirja","year":"2017","unstructured":"Mirja Gutheil, Quentin Liger, Aur\u00e9lie Heetman, James Eager, Max Crawford, and Optimity Advisors. 2017. Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices. Study. European Union, Directorate-General for Internal Policies, 2017. Retrieved from https:\/\/www.europarl.europa.eu\/thinktank\/en\/document\/IPOL_STU(2017)583137"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1628\/002268808786375406"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1002\/tie.22321"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2024.301796"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2014.37"},{"key":"e_1_3_2_28_2","volume-title":"Linux System Programming: Talking Directly to the Kernel and C Library","author":"Love Robert","year":"2013","unstructured":"Robert Love. 2013. Linux System Programming: Talking Directly to the Kernel and C Library. 2nd ed. O\u2019Reilly Media, Inc.","edition":"2"},{"key":"e_1_3_2_29_2","volume-title":"Hide and seek: Tracking NSO group\u2019s Pegasus spyware to operations in 45 countries","author":"Marczak Bill","year":"2018","unstructured":"Bill Marczak. 2018. Hide and seek: Tracking NSO group\u2019s Pegasus spyware to operations in 45 countries. Tech. rep. The Citizen Lab, 2018."},{"key":"e_1_3_2_30_2","unstructured":"C\u00e9lestin Matte. 2017. Wi-Fi tracking: Fingerprinting attacks and counter-measures. PhD thesis. University of Lyon France. Retrieved from https:\/\/tel.archives-ouvertes.fr\/tel-01659783"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/Trustcom.2015.400"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.5555\/601202"},{"key":"e_1_3_2_33_2","unstructured":"OPTEE. Secure Storage. Retrieved from https:\/\/optee.readthedocs.io\/en\/latest\/architecture\/secure_storage.html"},{"key":"e_1_3_2_34_2","unstructured":"OPTEE. Trusted Applications. Retrieved from https:\/\/optee.readthedocs.io\/en\/latest\/architecture\/trusted_applications.html"},{"key":"e_1_3_2_35_2","unstructured":"Qualcomm. Guard Your Data with the Qualcomm Snapdragon Mobile Platform. Retrieved from https:\/\/www.qualcomm.com\/content\/dam\/qcomm-martech\/dm-assets\/documents\/guard_your_data_with_the_qualcomm_snapdragon_mobile_platform2.pdf"},{"key":"e_1_3_2_36_2","unstructured":"RFC 3161. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP). Retrieved from https:\/\/www.ietf.org\/rfc\/rfc3161.txt"},{"key":"e_1_3_2_37_2","unstructured":"Samsung. Device Health Attestation. Retrieved from https:\/\/docs.samsungknox.com\/admin\/fundamentals\/whitepaper\/samsung-knox-for-android\/core-platform-security\/device-health-attestation\/"},{"key":"e_1_3_2_38_2","unstructured":"Samsung. Samsung TEEGRIS. Retrieved from https:\/\/developer.samsung.com\/teegris\/overview.html"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243758"},{"key":"e_1_3_2_40_2","unstructured":"OP-TEE. Open Portable Trusted Execution Environment - OP-TEE. Retrieved from https:\/\/www.op-tee.org\/"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","unstructured":"Manuela Wagner Oliver Vettermann Steven Arzt Dominik Brodowski Roman Dickmann Sebastian Golla Niklas Goerke Michael Kreutzer Maximilian Leicht Johannes Obermaier Marc Schink Linda Schreiber and Christoph Sorge. 2023. Verantwortungsbewusster Umgang mit IT-Sicherheitsl\u00fccken: Problemlagen und Optimierungsoptionen f\u00fcr ein effizientes Zusammenwirken zwischen IT-Sicherheitsforschung und IT-Verantwortlichen. DOI: 10.25353\/ubtr-xxxx-8597-6cb4","DOI":"10.25353\/ubtr-xxxx-8597-6cb4"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10676-023-09707-9"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/EUROSP.2018.00028"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813714"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2022-0029"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3680294","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3680294","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:58:26Z","timestamp":1750294706000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3680294"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":44,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,9,30]]}},"alternative-id":["10.1145\/3680294"],"URL":"https:\/\/doi.org\/10.1145\/3680294","relation":{},"ISSN":["2576-5337"],"issn-type":[{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-05-03","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-07-03","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-10-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}