Research Output
Decrypting Live SSH Traffic in Virtual Environments
  Decrypting and inspecting encrypted malicious communications may assist crime detection and prevention. Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. This paper develops the MemDe-crypt framework to investigate they discovery of encrypted artefacts in memory and applies the methodology to decrypting the secure communications of virtual machines. For Secure Shell, used for secure remote server management, file transfer, and tunnelling inter alia, MemDecrypt experiments rapidly yield AES-encrypted details for a live secure file transfer including remote user credentials, transmitted file name and file contents. Thus, MemDecrypt discovers cryptographic artefacts and quickly decrypts live SSH malicious communications including detection and interception of data exfiltration of confidential data.

  • Type:


  • Date:

    29 March 2019

  • Publication Status:


  • DOI:


  • ISSN:


  • Library of Congress:

    QA75 Electronic computers. Computer science

  • Dewey Decimal Classification:

    005.8 Data security

  • Funders:

    Edinburgh Napier Funded


Mclaren, P., Russell, G., Buchanan, W. J., & Tan, Z. (2019). Decrypting Live SSH Traffic in Virtual Environments. Digital Investigation, 29, 109-117.



network traffic; decryption; memory analysis; IoT; Android; VMI; Secure Shell; SSH; AES; Secure File Transfer; data exfiltration; insider attacks

Monthly Views:

Available Documents