Encryption


Strong encryption systems using sophisticated algorithms are readily available as both free downloads and commercial products. The company might choose to use its own encryption to protect sensitive data (for example, laptops that are vulnerable to theft). Office automation programs, such as email and word processing, provide some encryption capabilities within the application.

As a general rule, law enforcement and the legal profession tend to treat encrypted files as locked containers. If the investigator has the authority to search the device, he has the authority to compel the owner to provide the encryption keys. In the corporate environment, the acceptable-use policy should address the use of encryption products (both authorized and unauthorized) on corporate systems. Encryption keys and pass phrases for corporate systems (including email and encrypted file systems) are the property of the company, and the policy should explicitly state that the company can require the user to provide the key or pass phrase. Failure to provide the keys can result in termination.

Unauthorized encryption should also be explicitly addressed in the policy. As a general recommendation, the policy should state that any encryption programs or files not provided by the company are unauthorized and that the company, again, has the authority to compel the user to provide the keys.

Some commonly available encryption schemes provide little protection. The PKZIP format provides the capability to encrypt archives. This format, however, is vulnerable to certain types of attack, and programs can be downloaded to extract the files. Microsoft Office programs also use a weak encryption scheme, and programs and services to defeat the encryption are available either free or commercially. Bokler Corporation, a company that makes strong encryption tools for developers, has an excellent page on the weakness of some of these products and offers links to password-recovery services at www.bokler.com/bokler/bsw_crak.html. Some of these services include Access Data (www.accessdata.com), Crak Software (www.crak.com), and Passware (www.lostpassword.com).

If the user chooses a strong encryption algorithm, it is probably not feasible to defeat the encryption. For all the talk about the weakness of 56-bit DES, it is almost certainly not cost-effective to attempt a brute force attack. However, a major weakness of PC-based encryption is that the plain text must exist on the computer at some point. A search for deleted files and file fragments might reveal, for example, the temporary files used by the word-processing program when the file was created. A search of the temporary directories (including browser cache) and the virtual memory file might also yield results. A recent thread on the BugTraq vulnerability forum addressed the Windows 2000 Encrypted File System. In some configurations, plain text files are written to disk when used and might not be completely purged. [3]

[3] More information on this is available at www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2243.
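The search for plain-text remnants described above can be sketched as follows. This is an added example, not code from the book; the function name `find_plaintext`, the search term, and the sample bytes are all constructed for illustration, and terms are assumed to be ASCII.

```python
import io

def find_plaintext(stream, terms, chunk_size=1 << 20):
    """Scan a raw byte stream for each term as ASCII and as UTF-16LE.

    Returns a sorted list of (offset, encoding, term). Reads in chunks so a
    multi-gigabyte swap file or disk image never has to fit in memory.
    """
    patterns = [(t.encode(enc), enc, t)
                for t in terms for enc in ("ascii", "utf-16-le")]
    # Carry the last (longest pattern - 1) bytes into the next chunk so a
    # fragment that straddles a chunk boundary is still found.
    keep = max(len(p) for p, _, _ in patterns) - 1
    hits, tail, base = set(), b"", 0  # base = stream offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for pat, enc, term in patterns:
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, enc, term))  # set drops re-found hits
                pos = buf.find(pat, pos + 1)
        tail = buf[-keep:] if keep else b""
        base += len(buf) - len(tail)
    return sorted(hits)

# Constructed sample standing in for a slice of a swap file: filler bytes,
# a UTF-16LE remnant (how Windows applications often hold text in memory),
# then an ASCII remnant of a word-processor temporary file.
SAMPLE = (b"\x00\xff" * 20
          + "Project Falcon budget".encode("utf-16-le")
          + b"\x90" * 37
          + b"~WRL0001.tmp: Project Falcon draft"
          + b"\x00" * 9)

if __name__ == "__main__":
    for offset, enc, term in find_plaintext(io.BytesIO(SAMPLE), ["Project Falcon"]):
        print(f"0x{offset:08x}  {enc:9}  {term}")
```

Run it against a read-only working copy of the image, never the original evidence; the reported offsets tell the examiner where to carve the surrounding data.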

Steganography

Steganography, from the Greek steganos (hidden) and graphy (writing), is a method of concealing information within other files. Computer files contain redundant or insignificant bits of data within their file structure. Steganography works by replacing those data bits with content. The file appears unchanged to the casual viewer, but the hidden data can be extracted through the use of a key. Steganography can be viewed as the digital equivalent of invisible ink.

Free and shareware programs are available to hide files or content and to detect it as well. The security of a steganographic algorithm is, like any form of encryption, dependent on both the algorithm and the key. Better programs use robust keys, similar to DES or Triple-DES. Poor programs use either known algorithms or short keys.

Steganography is also used in digital watermarking. An identifying piece of content can be inserted within an image or multimedia file. The content does not discernibly change the file and would be unnoticed by an observer. With the proper key, however, the "watermark" can be recovered to demonstrate the original ownership of the file.

The major problem with steganography as an alternative to more conventional forms of cryptography is that the amount of hidden content has to be small in comparison to the size of the file exchanged. Although it could be used, for example, to hide a pass phrase or some critical piece of information about the company, large documents would require an extremely large file to conceal them.

Some shareware tools can detect hidden content, depending on the algorithm used. These might be valuable to the investigator. More information and links to some of the tools are maintained at a web site called www.stegoarchive.com.

In addition, if the original file can be obtained, it can be compared through the use of a hash algorithm to detect whether it was modified in any way. For example, a person might take an MP3 audio file and conceal a small image file within it. The hash of the original audio file would be different from the one containing the image, however, and further investigation might be warranted at that point.
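The hash comparison described above, as an added example that is not from the book. It goes one step beyond the digest check by also reporting whether every change is confined to the lowest bit of a byte, which is what replacing insignificant bits leaves behind. The function name, the carrier bytes, and the hidden byte are constructed for illustration.

```python
import hashlib

def compare_to_original(original: bytes, suspect: bytes) -> dict:
    """Compare a suspect file with a known-good copy of the original."""
    report = {
        "original_sha256": hashlib.sha256(original).hexdigest(),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "same_size": len(original) == len(suspect),
    }
    report["modified"] = report["original_sha256"] != report["suspect_sha256"]
    # XOR of each differing byte pair shows which bits were flipped.
    diffs = [(i, a ^ b)
             for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    report["changed_bytes"] = len(diffs)
    report["first_changed_offset"] = diffs[0][0] if diffs else None
    # Same size, and every changed byte differs only in bit 0: consistent
    # with low-order-bit replacement rather than re-encoding or appended data.
    report["only_low_bit_changed"] = (
        bool(diffs) and report["same_size"] and all(x == 1 for _, x in diffs)
    )
    return report

# Constructed carrier standing in for 256 bytes of audio sample data.
ORIGINAL = bytes((i * 37 + 11) % 256 for i in range(256))

# Constructed suspect copy: the eight bits of one hidden byte (0xA5) written
# into the lowest bit of the first eight carrier bytes.
_bits = [(0xA5 >> (7 - n)) & 1 for n in range(8)]
_buf = bytearray(ORIGINAL)
for _i, _bit in enumerate(_bits):
    _buf[_i] = (_buf[_i] & 0xFE) | _bit
SUSPECT = bytes(_buf)

if __name__ == "__main__":
    for key, value in compare_to_original(ORIGINAL, SUSPECT).items():
        print(f"{key:22} {value}")
```

Only four of the eight carrier bytes change here because the other four already held the required bit, so a byte-level diff undercounts the hidden payload; the digest mismatch is the reliable signal.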



Incident Response. A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
