The Forensic Analysis of KeePass and Password Safe: An Evaluation of Open Source Password Managers By Daryl R. Middleton Graduate Student Capstone Project for Information Security and Intelligence Ferris State University Advisor: Dr. Greg Gogolin, Ph.D. F

Access control elements such as identification and authentication form part of the initial security landscape when integrated into a defense in depth strategy. Identification allows a user to profess an identity with a username while authentication with a password provides a challenge to that claimed identity. Identification and authentication credentials that are too easy to guess will lead to unauthorized access to network resources. Credentials that are based on business security policies have established requirements for complexity and change management that many times produce unintended consequences for users. Password management programs can help mitigate some of the complexities of access control but there must be trust in the processes ability to assure data integrity. This project systematically challenges two popular open source password management tools that are intentionally subjected to low memory resources within pre-configured virtual machines. Subsequent examination of forensic images and digital artifacts obtained from the prototype virtual machine architecture reveal that constrained memory resources seem to affect the efficiency of the underlying encryption algorithm. This phenomenon causes the Master Key and underlying database credentials in some cases to be captured by forensic software in plain text format from virtual memory and deleted files that remain on disk.