InvesTEE: A TEE-supported Framework for Lawful Remote Forensic Investigations

Abstract

Remote forensic investigations, i.e., the covert lawful infiltration of computing devices, are a generic method to acquire evidence in the presence of strong defensive security. A precondition for such investigations is the ability to execute software with sufficient privileges on target devices. The standard way to achieve such remote access is by exploiting yet unpatched software vulnerabilities. This in turn puts other users at risk, resulting in a dilemma for state authorities that aim to protect the general public (by patching such vulnerabilities) and those that need remote access in criminal investigations. As a partial solution, we present a framework that enables privileged remote forensic access without using privileged exploits. The idea is to separate the remote forensic software into two parts: a Forensic Software, designed by law enforcement agencies to execute investigative actions, and a (privileged) Control Software, provided by the device vendor to selectively grant privileges to the Forensic Software based on a court warrant within the rules of criminal procedure. By leveraging trusted execution environments for running the Control Software in a tamper-proof manner, we enable trustful deployment and operation of remote forensic software. We provide a proof-of-concept implementation of InvesTEE that is based on ARMv8-A TrustZone.