At some point in your investigation, you will likely encounter encrypted data. Your course of action depends on the particular type of encryption and the value of the expected evidence once you decrypt the data. If you suspect the encrypted data holds a high value to your case, it will warrant more time and effort to get at the data. Decrypting data can require a substantial effort. Only pursue that course of action when necessary.
Identifying encrypted files is usually easy: you try to open a file with the appropriate application and you get garbage. The first step is to find out what type of file you are dealing with. Most operating systems assume a file's type from its extension. For example, a file with the .doc extension is assumed to be a word processing document, and a file with the .zip extension is assumed to be a compressed archive. You can't always trust extensions. One way to 'hide' files from casual observers is to change their extensions to those of another file type.
For example, an easy way to hide pictures from standard viewer applications is to change the extension from .jpg to .txt. Any extension would work, but .txt makes the files appear as ordinary text files in most file browser windows. If you wanted your hidden pictures to pass as another file type, you would simply use another defined file extension. You could also use an undefined extension, but such files tend to attract more attention.
To ensure you are not simply looking at altered file extensions, always use a file viewer that identifies a file's type from its contents (the header bytes, or 'magic number') and not just from its extension. Such a utility will notify you when it finds files whose contents do not match their extension. If your file viewer finds such files, you may be dealing with files that were deliberately hidden.
Another telltale sign that you are dealing with encrypted data is a generated filename. Many applications generate filenames, but many encryption utilities also have an option to obscure the filename as the plaintext file is encrypted. That makes it harder for an investigator to spot a file named My Illegal Activities.doc; instead, the utility might name the encrypted file 100455433798.094. If you find a collection of files with obviously generated filenames, find out why. Those files might be encrypted.
In summary, when you find files that don't fit their extensions or have unknown extensions, consider them potentially encrypted. Look at where they sit in the file system, and check whatever records of recent file activity you can find: the operating system's lists of recently used files, and any history kept by an installed encryption utility, which may record where it last wrote its output. Take hints wherever you find them.
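As an added example (not from the book, and not code from any of the utilities it mentions), here is a small Python triage script that applies the three checks above: it classifies each file by its header bytes rather than its extension, flags files whose content type disagrees with their extension, flags names that look machine-generated, and measures byte entropy to separate unrecognised ciphertext-like content from ordinary text. The signature table, the extension aliases, the filename heuristic and the sample files are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Assumption: a small hand-picked signature table. Real triage tools
# (file/libmagic, forensic suites) carry thousands of entries.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",   # OLE2 container (Office 97-2003)
    b"-----BEGIN PGP MESSAGE-----": "asc",
}
# Extensions that legitimately carry each detected content type (assumption).
ALIASES = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "jar", "docx", "xlsx", "pptx"},
    "doc": {"doc", "xls", "ppt"},
}


def detect_type(head: bytes):
    """Classify by header bytes (the 'magic number'), never by extension."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_generated(name: str) -> bool:
    """Heuristic (assumption): a long all-digit stem such as 100455433798.094 was not typed by a person."""
    stem = os.path.splitext(name)[0]
    return len(stem) >= 8 and stem.isdigit()


def triage_file(path: str) -> dict:
    """Compare extension against content and report what an investigator should look at."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    kind = detect_type(head)
    findings = []
    if kind is not None and ext not in ALIASES.get(kind, {kind}):
        findings.append(f"extension .{ext} but content is {kind}")
    if kind is None:
        # No known signature: is it readable text, or uniformly random-looking bytes?
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head) / max(len(head), 1)
        if printable < 0.9 and shannon_entropy(head) > 7.5:
            findings.append("unknown type, high-entropy content (encrypted or compressed?)")
    if looks_generated(name):
        findings.append("machine-generated filename")
    return {"file": name, "ext": ext, "detected": kind, "findings": findings}


def triage_dir(directory: str) -> list:
    return [triage_file(os.path.join(directory, n)) for n in sorted(os.listdir(directory))]


def build_sample_dir() -> str:
    """Constructed sample files (not real evidence) so the script runs stand-alone."""
    d = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "vacation.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(range(256)) * 4,  # JPEG renamed to .txt
        "notes.txt": b"Meeting moved to Tuesday.\n" * 20,                       # genuine text
        "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 512,      # extension matches content
        "100455433798.094": bytes(range(256)) * 16,  # uniform bytes, entropy 8.0, looks like ciphertext
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for r in triage_dir(build_sample_dir()):
        print(r["file"], r["detected"], r["findings"])
```

Entropy alone does not separate encrypted data from compressed or media data, which is why the signature check runs first; an unrecognised high-entropy file is a lead to follow up, not a verdict.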
Let's assume you have identified one or more files that appear to be encrypted. What do you do next? The simple answer is to crack the encryption. The full answer is a little more complex.
Before you even start thinking about exhausting your budget on the latest encryption busting utilities, take the simple approach. Ask the suspect. If you have not found encryption keys written down or otherwise recorded in obvious places, just ask. Your suspect might provide the keys. He might not. If asking does not work or you know the suspect is unlikely to cooperate, use social engineering. If you can convince a suspect to divulge secrets like encryption keys, you can save yourself a lot of work. Only resort to technical means when you have exhausted more conventional methods of collecting information.
The suggestion to use social engineering does not mean you should engage in questionable activities. Make sure all of your activities are documented and approved before you start. Evidence that is ruled inadmissible is worthless in court.
First, evaluate the type of encryption you have encountered. A common type is the encryption built into popular applications. Microsoft Word, WordPerfect, and PKZIP all provide options within the application to encrypt the contents of their data files. Although convenient, application-supported encryption tends to be very weak. You can find a wide variety of utilities developed specifically to crack application encryption. Here is a short list of utilities that help recover the contents of specific file formats:
PKZip Cracker: decrypts ZIP archive files
Zip Crack: decrypts ZIP archive files
Word Unprotect: decrypts Microsoft Word documents
WP Crack: decrypts WordPerfect documents
There are many other utilities that will help you defeat application-specific file encryption. Their ready availability tells you that such encryption offers far less protection than a dedicated file encryption utility built on a strong algorithm. In short, don't rely on an application vendor's embedded encryption for your own privacy needs.
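An added example, not from the book and not code from any of the utilities listed above, of why the PKZIP encryption of that era is weak. It implements PKWARE's traditional 'ZipCrypto' stream cipher as documented in the ZIP APPNOTE (the same key schedule Python's zipfile module uses to read such archives) for a 'stored', uncompressed entry, then runs a dictionary attack against it. The 12-byte encrypted header ends in a check byte (the high byte of the entry's CRC-32, or of the modification time when the data-descriptor flag is set), so a wrong password is rejected after twelve bytes of work almost every time; that is what makes these crackers fast. The password, plaintext, fixed header bytes and wordlist are constructed for the demonstration.

```python
import zlib

# Standard CRC-32 table (polynomial 0xEDB88320); the key schedule uses one
# un-inverted table step per byte, so the table is built here rather than via zlib.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


def crc32_step(crc: int, byte: int) -> int:
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCryptoKeys:
    """The three 32-bit key registers of PKZIP traditional encryption (APPNOTE 6.1)."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:          # the password is simply fed through the update function
            self.update(b)

    def update(self, plain_byte: int) -> None:
        k = self.k
        k[0] = crc32_step(k[0], plain_byte)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = crc32_step(k[2], k[1] >> 24)

    def keystream_byte(self) -> int:
        t = (self.k[2] | 2) & 0xFFFF          # APPNOTE computes this in a 16-bit temp
        return ((t * (t ^ 1)) >> 8) & 0xFF


def zipcrypto_encrypt(password: bytes, data: bytes, header_random: bytes) -> bytes:
    """Encrypt a 'stored' entry: 11 random header bytes, the check byte, then the data."""
    check_byte = (zlib.crc32(data) >> 24) & 0xFF
    keys = ZipCryptoKeys(password)
    out = bytearray()
    for p in header_random[:11] + bytes([check_byte]) + data:
        out.append(p ^ keys.keystream_byte())
        keys.update(p)                        # keys advance on the PLAINTEXT byte
    return bytes(out)


def zipcrypto_decrypt(password: bytes, blob: bytes, expected_crc: int):
    """Return the plaintext, or None if the header check byte or the CRC-32 fails."""
    keys = ZipCryptoKeys(password)
    out = bytearray()
    for c in blob:
        p = c ^ keys.keystream_byte()
        keys.update(p)
        out.append(p)
    if out[11] != (expected_crc >> 24) & 0xFF:
        return None
    data = bytes(out[12:])
    return data if zlib.crc32(data) == expected_crc else None


def crack(blob: bytes, expected_crc: int, wordlist) -> tuple:
    """Dictionary attack. Decrypting only the 12-byte header rejects 255 of 256 wrong
    passwords; survivors are confirmed with a full decrypt and CRC check."""
    check_byte = (expected_crc >> 24) & 0xFF
    for tried, pw in enumerate(wordlist, start=1):
        keys = ZipCryptoKeys(pw)
        last = None
        for c in blob[:12]:
            last = c ^ keys.keystream_byte()
            keys.update(last)
        if last != check_byte:
            continue
        if zipcrypto_decrypt(pw, blob, expected_crc) is not None:
            return pw, tried
    return None, len(wordlist)


# --- constructed sample (assumptions of the example, not real data) ---
PLAINTEXT = b"Customer list and billing rates (constructed sample, not real data).\n"
PASSWORD = b"letmein"
HEADER_RANDOM = bytes(range(0x41, 0x4C))   # 11 fixed bytes standing in for the random prefix
WORDLIST = [b"password", b"123456", b"qwerty", b"letmein", b"secret"]
PLAINTEXT_CRC = zlib.crc32(PLAINTEXT)      # stored in the clear in the ZIP local file header
ENCRYPTED = zipcrypto_encrypt(PASSWORD, PLAINTEXT, HEADER_RANDOM)

if __name__ == "__main__":
    print(crack(ENCRYPTED, PLAINTEXT_CRC, WORDLIST))   # (b'letmein', 4)
```

In a real archive the encrypted bytes are the compressed stream, so the full verification step inflates the data before checking it against the CRC from the local file header; the header check still costs only twelve bytes of work per guess, which is why even a large wordlist runs in seconds.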
After ruling out embedded encryption, you will need to move to a more sophisticated method. Always begin by looking for the low-hanging fruit. Let's assume you are looking at an encrypted document. Find out as much as possible about the file's context. Here are a few questions to consider:
Does the file have a defined extension?
  Unless you have information to the contrary, assume the file's extension is valid. Encrypting a file and then changing the extension to throw off an investigator is too much work for most people.
Where is the file located?
  File location, especially an unusual location, may give clues to the originating application. If you find files stored in unusual locations, check the default document directories of the installed applications. That information might tell you which application created the file.
What application(s) likely created the file?
  If you know, or suspect, which application created the file, see whether that application uses a cache or temporary files. Look at deleted files in the application's temporary directory. Any files there will likely be pre-encryption data.
What is the last access time for the file?
  Look for any deleted files with access times just prior to the last access time of the encrypted file. Although good encryption utilities will not leave such obvious traces behind, the application that generated the file might not be so careful.
Do installed applications create temporary files during creation/editing?
  Attempt to recover all of the files you can. Even the most innocent ones can be valuable.
Are any files in the Recycle Bin?
  Don't laugh; it happens!
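The timing questions above can be mechanised. The following Python, added here as an illustration rather than taken from the book, takes the encrypted file's modification time and lists every file under the given directories written in the preceding window, nearest first, marking names that match common editor temporary and backup patterns. It works on live files only; deleted-file recovery needs a forensic tool, after which the same comparison applies to the recovered timestamps. The directory layout, the temp-file naming patterns and the window length are constructed assumptions.

```python
import os
import tempfile
import time


def looks_temporary(name: str) -> bool:
    """Assumption: common editor temp/backup naming patterns (Word's ~$ owner files,
    ~WRLnnnn.tmp scratch copies, .bak/.wbk backups, trailing-tilde autosaves)."""
    low = name.lower()
    return low.startswith("~$") or low.endswith((".tmp", ".bak", ".wbk", "~"))


def files_written_before(target: str, search_dirs, window_seconds: int = 900) -> list:
    """Files whose modification time falls within window_seconds before the target's,
    nearest first. These are candidate pre-encryption copies: editor temp files,
    autosaves, or the plaintext original itself."""
    t_end = os.stat(target).st_mtime
    hits = []
    for d in search_dirs:
        for root, _dirs, names in os.walk(d):
            for n in names:
                p = os.path.join(root, n)
                if os.path.samefile(p, target):
                    continue
                age = t_end - os.stat(p).st_mtime
                if 0 <= age <= window_seconds:
                    hits.append({"path": p, "seconds_before": round(age),
                                 "temp_like": looks_temporary(n)})
    return sorted(hits, key=lambda h: h["seconds_before"])


def build_sample_tree() -> tuple:
    """Constructed sample (not real evidence): an encrypted file and neighbours whose
    mtimes are set relative to it. Returns (target path, directories to scan)."""
    base = tempfile.mkdtemp(prefix="timeline_")
    now = int(time.time())
    layout = {                            # relative path -> seconds before the target was written
        "Documents/plan.doc.pgp": 0,
        "Documents/~$plan.doc": 120,      # Word owner/lock file left behind
        "Temp/~WRL0001.tmp": 300,         # editor scratch copy
        "Documents/old-memo.txt": 86400,  # a day earlier: outside the window
    }
    for rel, before in layout.items():
        p = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(p, (now - before, now - before))
    return (os.path.join(base, "Documents", "plan.doc.pgp"),
            [os.path.join(base, "Documents"), os.path.join(base, "Temp")])


def sample_hits() -> list:
    """Run the search over the constructed tree; returns (name, seconds_before, temp_like)."""
    target, dirs = build_sample_tree()
    return [(os.path.basename(h["path"]), h["seconds_before"], h["temp_like"])
            for h in files_written_before(target, dirs)]


if __name__ == "__main__":
    for name, secs, temp in sample_hits():
        print(f"{secs:>6}s before  {'TEMP' if temp else '    '}  {name}")
```

Run it against the suspect's profile and application temp directories with the encrypted file as the target; widen the window if the file was edited over a long session, and remember that a utility which re-encrypts in place will have overwritten the original's timestamp, so the file's creation time is sometimes the better anchor.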
These questions will get you started. The best outcome of searching for deleted and unencrypted copies of files would be to find a pristine copy of the one file you need, before it was encrypted. Although you may find just what you are looking for, it is more likely that you will find another piece of the puzzle. Any unencrypted file or file fragment that you can relate to an encrypted file will increase your chances of successfully decrypting files. Let's look at a few attack methods to decrypt suspect files.
The process of opening encrypted files is one that the computer forensics expert will be called upon to perform from time to time.
One day I was contacted by Bill, a previous client, who insisted I meet with him right away. I told him I would be right over. He said we needed to meet 'away from the office' and suggested a local restaurant where we could talk in private.
As soon as I arrived, Bill told me he was having major troubles at work with a small group of employees who he thought were planning to leave the company and form their own firm, competing against him. Bill knew there was nothing he could do to keep the employees from leaving, but he wanted to ensure that they did not take any proprietary information belonging to his company with them when they left.
He was specifically concerned because the company's 'network guy' came to him and reported that he had observed an unusually large amount of network activity by a few employees recently, including accessing of the customer database and billing system. While this type of access was not against company policy and was within the employee's job description, it was unusual enough for the network guy to report it. Bill asked him to 'keep an eye open' for any additional unusual activity.
A few days later the 'network guy' informed Bill he had observed an increase in the amount and size of e-mail these same employees were sending through the company e-mail server. When he explored further, he noted these employees had sent a large number of e-mails to a former employee and that these e-mails were encrypted. He was, of course, unable to read the e-mails. Encryption was not a normal process used by the company, but it was not against the company policy to use encryption.
Bill needed proof that these employees were sending proprietary information out of the company to this former employee so that he could terminate their employment and so that he could obtain a ' cease and desist' order against his former employee to prevent him from using the proprietary information.
As expected, while examining the employees' computers, I located a large number of encrypted files and attempted to crack the password protection so I could see the content of the files. The majority of files were protected with a very strong encryption utility known as PGP. I knew that the possibility of cracking a PGP-protected file was very slim, but I also knew that I had human nature working in my favor.
On one of the computers, I located a small collection of Microsoft Word documents (created with Office 97) that were password protected using the built-in Microsoft password-protection security. This protection scheme can be very simple to crack using a variety of available commercial cracking utilities. I was able to open each of these files within a few minutes and review their content. None of these files had anything to do with the case, but I was not deterred. I had learned a long time ago that people are generally very lazy when it comes to choosing passwords and typically will use the same password over and over again.
I attempted to use the recovered password to open the PGP files and was able to access all of the information that was stored on this employee's computer. I located enough evidence to assist Bill in obtaining the 'cease and desist' order and to terminate the employees without fear of being sued for wrongful termination.
Although this is one example of overcoming an encryption technology by using a weakness in the implementation of the technology (the human weakness of reusing passwords) and not a weakness in the technology itself, you will find many situations where a weak encryption technology will work in the investigator's favor.
The brute force attack method of decrypting files is the most expensive choice. It uses the same approach as brute force password cracking: the utility tries every possible key (or every candidate password) and checks whether the decryption yields an intelligible result. This option should be your last resort.
The known plaintext attack is a method of cracking encryption that uses a plaintext and its associated ciphertext. If you have both the unencrypted and the encrypted version of a file, you can analyze the relationship between the two and deduce the encryption key. The PkCrack utility uses this type of attack against ZIP archives: you provide the unencrypted file and the encrypted archive that contains it, and PkCrack works out the key used in the encryption. Two practical caveats: because the cipher is applied to the compressed data, the plaintext you supply must be compressed the same way the archive compressed it (only a dozen or so bytes of it are needed), and what the attack recovers is the cipher's internal key state, which decrypts every entry protected with the same password whether or not the password itself is ever found.
known plaintext attack
An attack to decrypt a file characterized by comparing known plaintext to the resulting ciphertext.
Even though the files you have access to may seem to be unrelated to the evidence you are looking for, they could help provide the key the suspect used to encrypt. Keeping track of multiple encryption keys is difficult, so you can probably use that key to decrypt other files the suspect encrypted.
You may have access to the encryption engine, but not the key. It is possible the encryption utility lets you encrypt files using stored credentials without disclosing those credentials. In such cases, you may be able to discover the encryption key using a chosen plaintext attack. In a chosen plaintext attack, you encrypt a file of your choosing and compare it with the resulting ciphertext. Once you have the plaintext and ciphertext pair, the attack proceeds exactly as a known plaintext attack.
chosen plaintext attack
An attack to decrypt a file characterized by comparing ciphertext to a plaintext message you chose and encrypted.
Each type of attack requires different input and output, and different access to the encryption utility. Always try the easiest methods first; if they don't work, move on to the more complex approaches. There is no guarantee that any method will succeed within a reasonable timeframe. A brute force attack will always work eventually, but remember that 'eventually' can mean several thousand years, or far longer for modern key lengths.
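An added example, not from the book, that walks through the three attacks on a toy cipher so the difference in what each one needs as input is visible. The cipher is repeating-key XOR with a fixed 8-byte key, chosen only because its key recovery is short enough to read; it stands in for 'some weak cipher' and is not PGP, PKZIP or any product named on this page. The scenario (a cover letter recovered in plaintext from the Recycle Bin and also found encrypted, a second file found only encrypted, an encryption 'engine' that uses a stored key the investigator cannot see) and all keys and texts are constructed.

```python
import itertools

KEY_LEN = 8  # the toy cipher's fixed key size (an assumption of the example)


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR; encryption and decryption are the same operation.
    A stand-in for 'some weak stream cipher', not PGP, PKZIP or any real product."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def known_plaintext_attack(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Input: one file in both forms. For XOR the key is plaintext XOR ciphertext; for a
    real cipher this step is the cipher-specific analysis, but the inputs are the same."""
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of matching plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def chosen_plaintext_attack(encrypt_oracle, key_len: int) -> bytes:
    """Input: the encryption engine (with its stored credentials) but no key.
    Choose the plaintext, obtain its ciphertext, then proceed as in the known-plaintext case."""
    chosen = b"A" * key_len
    return known_plaintext_attack(chosen, encrypt_oracle(chosen), key_len)


def brute_force(ciphertext: bytes, key_len: int, looks_right) -> tuple:
    """Input: ciphertext only, plus a test for 'intelligible'. Returns (key, trials).
    The space is 256**key_len candidates, which is why this is the last resort."""
    for trials, key in enumerate(itertools.product(range(256), repeat=key_len), start=1):
        candidate = xor_cipher(ciphertext, bytes(key))
        if looks_right(candidate):
            return bytes(key), trials
    return None, 256 ** key_len


# --- constructed scenario (assumptions of the example, not real evidence) ---
SUSPECT_KEY = bytes.fromhex("8f12a7c3e45b0d77")  # unknown to the investigator; reused for every file
COVER_LETTER = b"Dear Mr. Jones, please find attached our revised quote.\n"  # found in the Recycle Bin
COVER_LETTER_ENC = xor_cipher(COVER_LETTER, SUSPECT_KEY)  # the same letter, found encrypted
MYSTERY_PLAIN = b"Customer list for the new firm: Acme, Globex, Initech\n"  # what we hope to read
MYSTERY_ENC = xor_cipher(MYSTERY_PLAIN, SUSPECT_KEY)      # only this form is on the disk


def encrypt_oracle(plaintext: bytes) -> bytes:
    """Models a utility that encrypts with stored credentials without revealing them."""
    return xor_cipher(plaintext, SUSPECT_KEY)


def recover_and_reuse() -> bytes:
    """Known plaintext on the cover letter yields the key; the suspect reused it,
    so the same key opens the file we actually care about."""
    key = known_plaintext_attack(COVER_LETTER, COVER_LETTER_ENC, KEY_LEN)
    return xor_cipher(MYSTERY_ENC, key)


# Brute force is only feasible here because this second, separate key is 2 bytes long.
SHORT_KEY = bytes.fromhex("0321")
SHORT_ENC = xor_cipher(b"From: the usual address\nSubject: quote\n", SHORT_KEY)


if __name__ == "__main__":
    print(recover_and_reuse())
    print(chosen_plaintext_attack(encrypt_oracle, KEY_LEN) == SUSPECT_KEY)
    key, trials = brute_force(SHORT_ENC, 2, lambda pt: pt.startswith(b"From:"))
    print(key.hex(), trials, "of", 256 ** 2, "candidates; an 8-byte key would allow", 256 ** KEY_LEN)
```

The brute force function returns its trial count rather than a timing: two key bytes mean at most 65,536 candidates, eight mean 2^64, and every additional key byte multiplies the work by 256. The known and chosen plaintext attacks, by contrast, cost the same regardless of key length once the right pair of inputs is in hand, which is why finding that pair is worth more effort than buying a faster cracker.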
Use what you can and take the time to think about your evidence. Evidence collection and analysis is very much like assembling a puzzle. Forget about the picture; just look at how the pieces fit together.