Handling Encrypted Data

Identifying Encrypted Files

Identifying encrypted files is pretty easy. You try to access a file with the appropriate application and you end up getting garbage. The first step you should take is to find out the type of file with which you are dealing. Most operating systems make assumptions about file types by looking at the file's extension. For example, a file with the . doc extension is assumed to be a word processing document, and a file with the .zip extension is assumed to be a compressed archive file. You can't always trust extensions. One way to 'hide' files from casual observers is to change their extensions to another file type.

For example, an easy way to hide pictures from standard viewer applications would be to change the extension from .jpg to .txt . Any extension would work, but the .txt extension would represent all such files as text files in most file browser windows . If you wanted to represent your hidden pictures as another file type, simply use another defined file extension. Alternatively, you could use an undefined file extension, but these files would likely attract more attention.

To ensure you are not simply looking at altered file extensions, always use a file viewer that is designed to look at the file extension as well as the file contents. Such a utility will notify you if it finds files that have been changed to a non- standard extension. If your file viewer finds such files, you may be dealing with files that were deliberately hidden.

Another telltale sign that you are dealing with encrypted data is the generated file- name . Although many applications generate filenames, many encryption utilities have the option to obscure filenames as the plaintext file is encrypted. That makes it harder for an investigator to identify the file named My Illegal Activities.doc . Instead, the encryption utility might name the file 100455433798.094 . If you find a collection of files with obviously generated filenames, find out why. Those files might be encrypted.

In summary, when you find files that don't fit their extensions or have unknown extensions, consider them potentially encrypted. Look at their location in the file system, and check any path history of file accesses and encryption utility activity. The file encryption utility might keep track of recent write locations. Take hints wherever you find them.

Decrypting Files

Let's assume you have identified one or more files that appear to be encrypted. What do you do next ? The simple answer is to crack the encryption. The full answer is a little more complex.

Before you even start thinking about exhausting your budget on the latest encryption busting utilities, take the simple approach. Ask the suspect. If you have not found encryption keys written down or otherwise recorded in obvious places, just ask. Your suspect might provide the keys. He might not. If asking does not work or you know the suspect is unlikely to cooperate, use social engineering. If you can convince a suspect to divulge secrets like encryption keys, you can save yourself a lot of work. Only resort to technical means when you have exhausted more conventional methods of collecting information.

First, evaluate the type of encryption you have encountered . A common type of encryption is that provided by popular applications. Microsoft, WordPerfect, and PKZIP all provide options within the application to encrypt the contents of its data files. Although convenient , application-supported encryption tends to be very weak. You can find a wide variety of utilities that are specifically developed to crack application encryption. Here is a short list of utilities that help recover file contents of specific file formats:

• PKZip Cracker    Decrypts ZIP archive files

• Zip Crack    Decrypts ZIP archive files

• Word Unprotect    Decrypts Microsoft Word documents

• WP Crack    Decrypts WordPerfect documents

  Note

  There are many other utilities that will help you defeat application-specific file encryption. The ease of availability should point out that such encryption has far less value than generic file encryption algorithms. In short, don't rely on any application vendor to provide strong embedded encryption for your own privacy needs.

After ruling out embedded encryption, you will need to move to a more sophisticated method. Always begin by looking for the low-hanging fruit. Let's assume you are looking at an encrypted document. Find out as much as possible about the file's context. Here are a few questions to consider:

• Does the file have a defined extension?

  • Unless you have information to the contrary, assume the file's extension is valid.

  • Encrypting a file and then changing the extension to throw off an investigator is too much work for most people.

• Where is the file located?

  • File location, especially unusual locations, may give clues to the originating application.

  • If you find files stored in unusual locations, check the default document directories for installed applications. That information might tell you what application created the file.

• What application(s) likely created the file?

  • If you know, or suspect, what application created the file, see if the application uses a cache or temporary files.

  • Look at deleted files in the application's temporary directory. Any files here will likely be pre-encryption data.

• What is the last access time for the file?

  • Look for any deleted files with access times just prior to the last access time of the encrypted file. Although good encryption utilities will not leave such obvious traces behind, the application that generated the file might not be so careful.

• Do installed applications create temporary files during creation/editing?

  • Attempt to recover all of the files you can. Even the most innocent ones can be valuable .

• Are any files in the Recycle Bin?

  • Don't laugh ; it happens!

These questions will get you started. The best outcome of searching for deleted and unencrypted copies of files would be to find a pristine copy of the one file you need-before it was encrypted. Although you may find just what you are looking for, it is more likely that you will find another piece of the puzzle. Any unencrypted file or file fragment that you can relate to an encrypted file will increase your chances of successfully decrypting files. Let's look at a few attack methods to decrypt suspect files.

Real World Scenario-Tales from the Trenches: Opening Encrypted Files

The process of opening encrypted files is one that the computer forensics expert will be called upon to per

form from time to time.

One day I was contacted by Bill, a previous client, who insisted I meet with him right away. I told him I would be right over. He said we needed to meet 'away from the office' and suggested a local restaurant where we could talk in private.

As soon as I arrived, Bill told me he was having major troubles at work with a small group of employees who he thought were planning to leave the company and form their own firm, competing against him. Bill knew there was nothing he could do to keep the employees from leaving, but he wanted to ensure that they did not take any proprietary information belonging to his company with them when they left.

He was specifically concerned because the company's 'network guy' came to him and reported that he had observed an unusually large amount of network activity by a few employees recently including accessing of the customer database and billing system. While this type of access was not against company policy and was within the employee's job description, it was unusual enough for the network guy to report it. Bill asked him to 'keep an eye open ' for any additional unusual activity.

A few days later the 'network guy' informed Bill he had observed an increase in the amount and size of e-mail these same employees were sending through the company e-mail server. When he explored further, he noted these employees had sent a large number of e-mails to a former employee and that these e-mails were encrypted. He was, of course, unable to read the e- mails . Encryption was not a normal process used by the company, but it was not against the company policy to use encryption.

Bill needed proof that these employees were sending proprietary information out of the company to this former employee so that he could terminate their employment and so that he could obtain a ' cease and desist' order against his former employee to prevent him from using the proprietary information.

As expected, while examining the employees' computers, I located a large number of encrypted files and attempted to crack the password protection so I could see the content of the files. The majority of files were protected with a very strong encryption utility known as PGP. I knew that the possibility of cracking a PGP-protected file was very slim, but I also knew that I had human nature working in my favor.

On one of the computers, I located a small collection of Microsoft Word documents that were password protected using the built-in Microsoft password-protection security. On another one of the computers, I located a small collection of Microsoft Word documents (created with Office 97) that were password protected using the built-in Microsoft password-protection security. This protection scheme can be very simple to crack using a variety of available commercial cracking utilities. I was able to open each of these files within a few minutes and review their content. None of these files had anything to do with the case, but I was not deterred. I had learned a long time ago that people are generally very lazy when it comes to choosing passwords and typically will use the same password over and over again.

I attempted to use the recovered password to open the PGP files and was able to access all of the information that was stored on this employee's computer. I located enough evidence to assist Bill in obtaining the 'cease and desist' order and to terminate the employees without fear of being sued for wrongful termination.

Although this is one example of overcoming an encryption technology by using a weakness in the implementation of the technology (the human weakness of reusing passwords) and not a weakness in the technology itself, you will find many situations where a weak encryption technology will work in the investigator's favor.