Decrypting live SSH traffic in virtual environments
Digital Investigation (IF 2.860), Pub Date: 2019-03-29, DOI: 10.1016/j.diin.2019.03.010
Peter McLaren, Gordon Russell, William J. Buchanan, Zhiyuan Tan

Decrypting and inspecting encrypted malicious communications may assist crime detection and prevention. Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. This paper develops the MemDecrypt framework to investigate the discovery of encrypted artefacts in memory and applies the methodology to decrypting the secure communications of virtual machines. For Secure Shell, used for secure remote server management, file transfer, and tunnelling inter alia, MemDecrypt experiments rapidly yield AES-encrypted details for a live secure file transfer including remote user credentials, transmitted file name and file contents. Thus, MemDecrypt discovers cryptographic artefacts and quickly decrypts live SSH malicious communications including the detection and interception of data exfiltration of confidential data.




Updated: 2019-03-29