
DIGITAL FORENSIC 25

In this chapter, you'll learn more about:

· Encryption basics

· Common encryption practices

· Weaknesses of encryption

· What to do when you find encrypted data

Computer forensics is all about perspective and process. A forensic investigator's main perspective must be as a neutral party in all activities. Approach each investigation the same way, ensuring that it is repeatable and sound. After evidence is identified and preserved, analyze it to determine its impact on your case. In many situations, forensic investigators don't have the authority to disclose any evidence except to authorized individuals. It all depends on who owns the computer and who is paying for the investigation. As a forensic investigator, you need to know how to exercise your authority and access protected data properly. The two most common controls that protect data from disclosure are access controls and data encryption. This chapter covers the most common type of access control—the password—and the general topic of encryption.

You will learn basic techniques to obtain passwords to gain access to evidence. You will learn about basic encryption methods and how to recover encrypted evidence.

Passwords

Computer users must commonly provide a user ID to log on to, or otherwise access, a system. User IDs identify a specific user and tell the security subsystem what permissions to grant to that user. Unfortunately, some computer users attempt to impersonate other users by fraudulently providing another person's user ID. By doing so, the impersonator can perform actions that will point back to the stolen user ID owner's account when audited. As a forensic investigator, you'll need to determine the difference between actions taken using a valid user ID and actions conducted by an impersonator using a stolen or otherwise compromised user ID.

user ID

A string of characters that identifies a user in a computing environment.

Real World Scenario

Who Are You, Really?

Fred is an enterprising university student who enjoys testing the limits of his school's computer use policy. The policy clearly states that users may only use their own user IDs to access the computer system. If Fred wants to create some mischief on the university's computer system, he could ignore the policy and use Mary's user ID to access the system. In effect, he could pretend to be Mary. With no controls in place to stop him, Fred could cause many problems and to the untrained eye, it would appear that Mary was the guilty party. A control is anything that stands between Fred and his unauthorized actions. In this case, there actually is at least one control to deter him—the university's computer use and access policy. The university's computer use policy is an administrative control. While administrative controls dictate proper behavior and the penalty of noncompliance, they don't stop unauthorized actions by those who are determined to ignore such policies (as in Fred's case).

There is a simple solution. User IDs provide identification for users. Another piece of information that only the real user should know provides authentication that the user is who he or she claims to be. The most common method of authentication is a password. To authenticate using a password, users provide not only a user ID, but the proper password as well during login. The security system then validates that the password provided matches by comparing it to the stored value for that user ID. If the two match, the security system authenticates and trusts the user and allows access to the computer system.

password

A string of characters that security systems use to authenticate, or verify, a user's identity. Security systems compare passwords a user provides during login to stored values for the user account. If the value provided (password) matches the stored value, the security subsystem authenticates the user. Most operating systems store passwords when users create login accounts.

There are two main reasons for investigators to crack passwords. First, you may need a password to log in to a computer or access a resource. Second, you may need a password or key to access encrypted data that may be vital to the success of the investigation.

During an investigation, forensic investigators commonly need access to one or more computer accounts. When a suspect or other knowledgeable user cooperates with an investigation, obtaining a user ID and password can be as easy as asking for it. Never forget to try the simple approach: When users cooperate, it can save valuable time. Always ask for any needed user IDs and passwords. When passwords aren't readily available, here are three alternative methods to acquire them:

· Find passwords

· Deduce passwords

· Crack passwords

Forensic investigators not only understand what each of these three techniques is, but know when and how to use each one as well.

Although passwords are the most common user authentication technique, they aren't always secure. In the next sections, we'll examine each password recovery technique and show you how quickly and easily some passwords can become available.

Finding Passwords

By far, the easiest way to obtain a password is simply to ask someone who knows the password to provide it to you. If asking nicely doesn't work, try social engineering. Build trust with a person who knows information you need to further the investigation. This person could be anyone who knows the password. The password or other information sought could be as simple as a phone call away.

For example, you could call and pretend to be a member of the network administrator team. A simple statement like, "Hi, this is Tom from network support. Your computer looks like it is sending out a virus to other computers. I need to log on to stop it. What is the user ID and password you used to log on this morning?" Fortunately for the forensic investigator, far too many people are only too willing (and in fact, often eager) to help and quickly provide the requested information. Mission accomplished! When using social engineering techniques to gather information, experienced forensic investigators will ensure they have permission to conduct these types of activities before proceeding. As long as you abide by any applicable security policies, encouraging a suspect to give you the information you need is perfectly fine. Law enforcement officials are good at doing this. Ask them for help, especially if this is a criminal investigation.

If social engineering isn't an option, or the person who knows the password won't cooperate, then there are other simple approaches you can try. There are two basic types of passwords: those that are easy to remember and those that are hard to remember. With more people becoming aware of security issues, passwords now tend to be more secure than in the past. Most people equate password complexity with security. That is, long, hard-to-remember passwords appear to be more secure than simple ones.

Tip 

Longer passwords can be less secure than shorter ones. Passwords that expire frequently can be less secure as well. The reason is that when a user must use a password that is too hard to remember, he will often write it down. The hassle of retrieving a lost password often encourages users to keep sticky notes with passwords written on them. When encouraging the use of strong passwords, allow users to create ones they can remember.

Because a password is a string of characters that authenticates a user's identity, it is important that the user always have access to the password. The more complex a password is, the more likely it is that the user has it written down or otherwise recorded somewhere. Look around the computer for written notes. It's not uncommon for forensic investigators to find sticky notes with passwords written on them in plain sight, or in some cases, even taped to the computer system itself. You'll find that this phenomenon occurs in a surprisingly large percentage of the sites you investigate. As a forensic investigator, you'll become an expert at recognizing common "hiding places" for password notes, such as:

· On the monitor (front, sides, top, etc.)

· Under the keyboard

· In drawers (look under pencil holders and organizers)

· Attached to the underside of drawers

· Anywhere that is easily accessible from the seat in front of the computer but not readily visible

· Personal digital assistants (PDAs) and smartphones

· Obvious files on the hard disk (such as passwords.txt)

While this approach may seem too simple and obvious, never dismiss this important method for finding passwords. Few people trust their memories for important passwords. There is a good chance some users you'll be investigating wrote down their passwords and put them somewhere handy.

Deducing Passwords

So, you've looked all around the physical hardware and desk but you still can't find the password you are looking for. What next? Don't worry—there are still other options available to obtain passwords. In spite of all the common rules for creating "strong" passwords, many users routinely break the rules. If you are trying to guess a password, try the obvious ones. The more the forensic investigator knows about the user, the better the chances of guessing the password. Try some of these ideas:

· User ID

· Birth date

· Social security number

· Home address

· Telephone number

· Spouse/children/friend name

· Pet name

· Favorite team name or mascot

· Common word or name from a hobby

Note 

Use this section as a lesson for creating your own passwords. Because so many people ignore password best practices, take it upon yourself to be unique. Take the time to create strong passwords and keep them secure. Passwords can also easily be secured through the use of password vault programs such as RoboForm Pro (www.roboform.com).

Although guessing a password is possible, it isn't very productive in most cases. Don't spend a lot of time trying to guess a password. This method is most effective if you have a strong hunch that you will be successful. It may be possible for forensic investigators to solve password puzzles by piecing several pieces of information together. People often hide the real password but leave clues that can help you to guess the password contents. For example, during an investigation, a note was found that read "me 4 her -7." After trying several combinations, we hit on a password that consisted of the subject's initials, "ajd," and his wife's initials, "rgd." The password was "ajd4rgd7." (Just in case you're wondering, this wasn't the actual password—the initials were changed to protect the innocent!)

Even though you might get lucky occasionally, really "guessing" a password isn't very common. It looks good in the movies, but it doesn't happen that often in the real world. Deduced passwords normally come from piecing several pieces of information together. For instance, when analyzing a subject's activity, keep track of visited Web sites and locally protected applications. Cookies for recently visited Web sites may be left behind that store an unprotected password. People are creatures of habit and many tend to use the same passwords repeatedly, so if you find an unprotected password for one resource, try it in other areas.

As much as it violates good security practices and common sense, the same password is often used to protect both secured servers and to subscribe to a Web site's news services. If you find a password, see if the user also uses it elsewhere.

Note 

When poking around and guessing passwords, forensic investigators might end up locking the resource they are attempting to access owing to excessive failed logon attempts. Always make sure you have at least two copies of media. If one copy is corrupted, you can always make a new working copy from your second image. You never want to explain to the judge that you had to check out the original media from the evidence locker twice because you messed up the first copy.

Up to now, our password discussion has focused on nonspecific strategies. Finding, guessing, or deducing a password is more of an art than a science. It involves knowing your subject and knowing how people think. It might take a lot of homework, but it is fun and can yield that gold nugget that opens up the evidence you need.

Cracking Passwords

The last method of obtaining a password is the most technical and complete. When a password can't be obtained by any other means, forensic investigators try a process known as password cracking. Cracking a password involves trying every possible combination, or every combination in a defined subset, until the right one is found.

password cracking

Attempting to discover a password by trying multiple options and continuing until you find a successful match.

Different utilities allow forensic investigators to crack passwords online or offline. These utilities employ several different methods. Because older UNIX systems stored encoded passwords in a single file, the /etc/passwd file, several utilities emerged that tried different combinations of password strings until they found a match for each line in the file. All forensic investigators had to do was copy the /etc/passwd file to their own computer, launch the password cracker, and let it run.

This approach became so popular and dangerous that newer flavors of UNIX, and now Linux, go to great lengths to hide encoded passwords in another file. Most UNIX and Linux systems store passwords in the /etc/shadow file. This file has highly restricted access permissions and requires super user permission to access. If you are investigating a computer system running UNIX or Linux, look at the /etc/passwd file. An x character between two colons indicates that the actual password is stored in the shadow file. For example, here is what a line from the /etc/passwd file looks like if password shadowing is in use (notice the "x" after the user name, msolomon):

msolomon:x:517:644::/home/msolomon:/bin/bash
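A triage check for the password field described above, as an added example that is not part of the original chapter. Only the msolomon line comes from the text; the other sample lines, the placeholder hash, and the category labels are constructed for illustration, and treating a leading "*" or "!" as a locked account is a common convention assumed here.

```python
"""Classify the password field of /etc/passwd entries during triage."""

# Constructed sample input; only the msolomon line is from the chapter.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msolomon:x:517:644::/home/msolomon:/bin/bash
legacy:PLACEHOLDERHASH:601:601::/home/legacy:/bin/sh
guest::602:602::/home/guest:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
this line is not a passwd entry
"""


def classify_password_field(field):
    """Return a label for the second colon-separated field of a passwd line."""
    if field == "x":
        return "shadowed"        # encoded password is stored in /etc/shadow
    if field == "":
        return "empty"           # no password recorded for the account
    if field.startswith(("*", "!")):
        return "locked"          # assumed convention: password login disabled
    return "hash-in-passwd"      # legacy layout: encoded password in the file


def triage_passwd(text):
    """Return (line number, user ID, label) for every entry in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:     # a passwd entry has exactly seven fields
            findings.append((lineno, None, "malformed"))
            continue
        findings.append((lineno, fields[0], classify_password_field(fields[1])))
    return findings


def unshadowed_accounts(findings):
    """User IDs whose password data is NOT protected by the shadow file."""
    return [user for _, user, label in findings
            if label in ("hash-in-passwd", "empty")]


if __name__ == "__main__":
    results = triage_passwd(SAMPLE_PASSWD)
    for lineno, user, label in results:
        print(f"line {lineno}: {user or '<unparsed>'}: {label}")
    print("review first:", unshadowed_accounts(results))
```

Run it against a working copy of the file taken from the forensic image, never against the original media.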

Real World Scenario

Tales from the Trenches: The Contract Ends Now!

Several contractors were working at a manufacturing plant in southern California. These contractors filled various functions, including project management and application development. The project goal was to modify a manufacturing software package to meet the client's specific needs. One morning, the company's system administrator noticed that his assigned IP address was in use when he booted his computer. After a couple comments under his breath, he rebooted again and found that the IP address was available. He took note of the people who were in the office that morning and started doing a little investigative work on his own to find out if anyone was using his IP address. He found that a particular contractor had installed a common password cracker in his home directory. A further look at the contractor's history file showed that he had been engaging in attempts to crack the system's password file.

The system administrator immediately removed the contractor's access and had him terminated. The company's policy regarding appropriate use of computing systems forbade any use of password-cracking software and provided grounds for immediate termination.

There are many password-cracking utilities available to forensic investigators. Some common ones include:

· Cain and Abel (http://www.oxid.it/cain.html)

· Cain and Abel is a free (donation requested) password recovery utility for Microsoft Windows operating systems that uses several techniques to find passwords.

· John the Ripper (http://www.openwall.com/john/)

· John the Ripper is an open source password cracker that reveals weak passwords in most operating systems.

· Hydra (http://freeworld.thc.org/thc-hydra/)

· Hydra is a free, fast network authentication cracker. Hydra can attack the most common network protocols.

· ElcomSoft (http://www.elcomsoft.com/)

· ElcomSoft produces a variety of commercial software that recovers passwords from operating systems and application software.

· LastBit (http://lastbit.com/)

· LastBit produces a variety of commercial software that recovers passwords from operating systems and application software.

· L0phtCrack (http://www.l0phtcrack.com/)

· L0phtCrack is a commercial tool that recovers passwords and more from computers running multiple operating systems.

· RainbowCrack (http://project-rainbowcrack.com/)

· RainbowCrack is a free tool for cracking Linux and Windows passwords using precomputed hash tables, called rainbow tables.

Anytime passwords are found stored in a file or database, forensic investigators can use offline password-cracking techniques. Online password-cracking methods are used if the password repository can't be found or you don't have access to it (it might reside on another system). Online password cracking is much slower and may fail more frequently (and for more reasons) than offline cracking. Online password-cracking utilities attempt to pass logon credentials to target systems until they find a successful user ID/password pair. The number of attempts that are necessary to find a password is the same as with an offline cracking utility, but the act of passing the logon credentials to another process requires substantially more time. If the target computer is remote to the client password-cracking utility, network propagation further slows the process and adds to the possibility of failure.

Unauthorized Password Cracking is Illegal

Never attempt to crack passwords unless you have specific, and written, authority to do so. The person or organization who owns the computer system can provide the necessary permission. Without written permission, you may be at risk of substantial civil and criminal penalties. Ensure that the permission you receive comes from someone with the authority to give it to you, is in writing, and is specific about what you can (and can't) do.

The main reason to crack a password is to obtain password-protected evidence. Permission to crack a password is obtained from the computer owner or a court. In cases where the computer's owner is unwilling to provide permission to crack a password, a court order will suffice.

Regardless of the type of utility used, there are three basic approaches, or "attack types," that password-cracking utilities commonly employ.

Dictionary Attack

A dictionary attack is the simplest and fastest attack. The cracking utility uses potential passwords from a predefined list of commonly used passwords. The password dictionary stores the list of passwords. The larger the dictionary, the higher the probability the utility will succeed (but the longer it will take to attempt the entire dictionary file). A little research on the Internet will yield several dictionaries of common passwords.

dictionary attack

An attack that tries different passwords defined in a list, or database, of password candidates.

An offline dictionary attack calculates hashed values of passwords from a password dictionary. The utility compares the hashed value with stored passwords to find a match. Since the cracking utility spends most of its time calculating hash values, there is an opportunity to speed up the process. If you plan to use a password dictionary for several attempts at password cracking, you can precompute the password hashes from the password dictionary. These precalculated password hashes, or rainbow tables, make offline dictionary attack processes much faster. As a forensic investigator you'll find that passwords are statistically located halfway through any given process. For example, if given the choice to choose a password between 1 and 100, 50 percent of people will choose a password below the number 50 while the other half will choose a password above 50.

The reason this type of attack works so well lies in human nature. People tend to use common, easy-to-remember passwords. Most would be surprised to find their favorite password in a password dictionary. Any passwords found in a password dictionary are too weak and should be changed.

AccessData's Password Recovery Toolkit offers a great benefit when used with their FTK software. The investigator exports a "dictionary" file from FTK and then uses it as the dictionary file to crack encrypted files found on the suspect hard drives. The dictionary file is made up of every word found on the suspect hard drive. This enables you to crack a password by using a list of every word on the suspect computer, potentially including when the user entered the password (as is the case with a password that was cached from memory).

Brute Force Attack

On the other end of the spectrum is the brute force attack. A brute force attack simply attempts every possible password combination until it finds a match. If the utility attempts to use every possible combination, it will eventually succeed. However, the amount of time required depends on the complexity of the password. The longer the password, the more time it will take to crack.

Brute force attacks should never be your primary method for cracking passwords for two reasons. First, brute force attacks are slow. They can take a substantial amount of investigative time. Also, the length of the password may not be known. In this case, the utility will have to try many, many combinations that won't succeed before finding the right one.

Second, the client, resource server, or authentication credentials (passwords) may be located on different computers. If so, the brute force attack will generate a huge volume of network traffic. Excessive network traffic and multiple failed logon attempts may make a tangible impact on the network. Unless you can set up a copy of the suspect network in your lab, you may not be able to secure permission to launch a brute force attack.

Hybrid Attack

The final type of attack, the hybrid attack, combines the dictionary and brute force attack methods. In a hybrid attack, the utility starts with a dictionary entry and tries various alternative combinations. For example, if the dictionary entry were "lord," the hybrid attack utility would look for these possible alternatives:

· Lord

· l0rd

· 1ord

· 10rd

hybrid attack

A modification of the dictionary attack that tries different permutations of each dictionary entry.

And many, many others. As you can see from this list, it is common to obscure passwords derived from dictionary words by replacing the letter "l" with the digit "1," or replacing the letter "o" with the digit "0." Don't do this with your own passwords. Even simple cracking utilities know this trick.
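The substitution trick above, seen from the password-policy side: an added example (not from the original chapter) that undoes common substitutions and flags a proposed password if it reduces to a dictionary word. The word list and substitution map are small constructed samples, and stripping trailing digits goes slightly beyond the variations the text lists.

```python
"""Flag passwords that reduce to a dictionary word once common
character substitutions are undone (password-policy audit)."""
from itertools import islice, product
import string

# Assumed map: digit or symbol -> the letters it commonly stands in for.
# "1" is ambiguous (l or i), so both readings are tried.
REVERSE_SUBS = {"0": "o", "1": "li", "3": "e", "4": "a",
                "5": "s", "7": "t", "@": "a", "$": "s"}

# Constructed sample dictionary; a real audit would load a full word list.
SAMPLE_DICTIONARY = {"lord", "password", "dragon", "midnight"}


def base_forms(text, max_forms=4096):
    """All letter-only readings of text, capped to bound the work done."""
    options = [REVERSE_SUBS.get(ch, ch) for ch in text.lower()]
    return {"".join(combo) for combo in islice(product(*options), max_forms)}


def matched_words(candidate, dictionary=SAMPLE_DICTIONARY):
    """Dictionary words the candidate password is a disguised form of."""
    lowered = candidate.lower()
    # Check the whole string and the string without a trailing number/symbol.
    stems = {lowered, lowered.rstrip(string.digits + "!?.")}
    hits = set()
    for stem in stems:
        if stem:
            hits |= base_forms(stem) & set(dictionary)
    return sorted(hits)


def audit(candidates, dictionary=SAMPLE_DICTIONARY):
    """Map each candidate to the dictionary words it reduces to."""
    return {c: matched_words(c, dictionary) for c in candidates}


if __name__ == "__main__":
    proposed = ["Lord", "l0rd", "1ord", "10rd", "10rd2024", "P@55w0rd!", "ajd4rgd7"]
    for password, words in audit(proposed).items():
        verdict = "REJECT (based on %s)" % ", ".join(words) if words else "no dictionary match"
        print(f"{password:12} {verdict}")
```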

Regardless of the type of utility used, there are tools that can help you get the passwords you need to access evidence.

The next section addresses one of the methods of protecting data from disclosure—encryption.

Encryption Basics

After they gain access to the file that contains the needed evidence, forensic investigators may well find that the file itself is unreadable. As computer investigators begin to use more sophisticated tools, both regular and malicious users are taking more sophisticated steps to hide information. One method used to hide information is to modify a message or file in such a way that only the intended recipient can reconstruct the original.

Note 

This chapter does not cover the mathematics behind encryption in any detail (such a discussion is beyond the scope of this book).

Cryptography scrambles the contents of a file or message and makes it unreadable to all but its intended recipient. In the context of a computer investigation, a forensic investigator is an unintended recipient. The word cryptography comes from Greek words krypto, which means "hidden," and graphein, which means "to write."

cryptography

The science of hiding the true contents of a message from unintended recipients.

Although cryptography's importance has become more widely acknowledged in recent years, its roots are traced back 5,000 years to ancient Egypt. The Egyptians used hieroglyphics to document many rituals and procedures. Only specially trained agents could interpret these early hieroglyphics.

Around 400 B.C., the Spartans used an innovative method to encrypt, or hide, the meaning of military communication from unauthorized eyes. They would wrap a strip of parchment around a stick in a spiral, similar to a barber's pole. The scribe would write the message on the parchment and then unwind it from the stick. With the parchment stretched out, the message was unintelligible. In fact, the only way to read the message, or decrypt it, was to wrap the parchment around another stick of the same diameter and equal, or greater, length. The "secrets" to reading the message were the dimensions of the stick and the knowledge of how to wrap the parchment. Anyone who possessed these two components could read the secret message.

encrypt

To obscure the meaning of a message to make it unreadable.

decrypt

To translate an encrypted message back into the original unencrypted message.

Roman Emperor Julius Caesar was the first to use a cryptography method, or cipher, similar to the decoder rings popular as children's trinkets. He used a method called a substitution cipher to send secret messages to his military leaders. This cipher encrypts a message by substituting each letter of the original message with another letter. A substitution table provides the static mapping for each letter. For example, here is a simple Caesar cipher mapping table:

Original:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Mapped:

DEFGHIJKLMNOPQRSTUVWXYZABC

cipher

An algorithm for encrypting and decrypting.

substitution cipher

A cipher that substitutes each character in the original message with an alternate character to create the encrypted message.

For each character in the original message, read the character directly below it in the mapped character string. The string "HELLO" would become "KHOOR."

The recipient decrypts the message by reversing the process. The recipient translates each letter from the encrypted message to the original letter by reading the mapping table backward. The resulting message is identical to the original. One must possess the translation table to encrypt and decrypt messages using a simple substitution cipher. The main weakness of the cipher is the table itself. Anyone who discovers or acquires the translation table can decrypt messages.

Although the algorithms used in current encryption implementations are far more complex than the Caesar cipher, the basic approach and goals are the same. Next, we'll examine some common encryption practices.

Common Encryption Practices

In general, encryption provides:

· Confidentiality: Assurance that only authorized users can view messages

· Integrity: Assurance that only authorized users can change messages

· Authentication: Assurance that users are who they claim to be

· Nonrepudiation: Assurance that a message originated from the stated source

To a forensic investigator, the most common exposure to encryption occurs when confronted with encrypted files. Encryption is becoming more common for hiding file contents. Though there are other valuable uses for cryptography, such as securing communication transmissions and authenticating the originator of a message, they are beyond the scope of this discussion.

As a forensic investigator, you must understand cryptography basics and how you should react when you encounter encrypted files.

Usually you'll recognize encrypted files when an attempt to open a file with a known extension fails. For example, you might attempt to open an encrypted Microsoft Word document in Microsoft Word, but you receive an error message instead. The text of the error message tells you that you need a converter to read the file. In other words, Microsoft Word doesn't recognize the contents of the encrypted file.

Another sign of encrypted files is a collection of meaningless filenames. Many encryption utilities change filenames to hide the meaning and type of the file.

There are two main types of encryption algorithms. (An algorithm is the detailed sequence of steps necessary to accomplish a task.) Each type has strengths and weaknesses, but they both serve the same function.

· Private key algorithms use the same value to encrypt and decrypt the original text. Private key algorithms are sometimes referred to as symmetric key algorithms because the same key is used to encrypt and decrypt files.

· Public key algorithms (also known as asymmetric key algorithms) use one value to encrypt the text and another value to decrypt it. One implementation is to use public and private key pairs.

Encryption algorithms transform an original message, called plaintext, into an encrypted message, called ciphertext. The algorithm also generally provides a method for reversing the process by translating the ciphertext back into the original plaintext message. We looked at the Caesar cipher, which is a substitution cipher, in the previous "Encryption Basics" section. Another type of cipher is a transposition cipher. For example, suppose you want to send a message to a particular recipient that no one else can read. You choose a block transposition cipher to change the order of the letters in the original message. First, write the original message in a block with a specific number of columns. Next, you create the ciphertext by reading down each column.

Transposition cipher

An encryption method in which the positions of plaintext characters are shifted by a defined number of places to produce ciphertext. Ciphertext created with a transposition cipher is a permutation of the plaintext.

Our plaintext message is:

I would like to meet with you in private at pier 42 tonight at midnight.

Using a block width of 10, you rewrite the message:

iwouldlike

tomeetwith

youinpriva

teatpier42

tonightatm

idnightxxx

You can add specific characters to make the message fill up the last row.

Next, construct the ciphertext by reading down the columns.

Our encrypted message is:

ityttiwooeodomuannueitiilenpggdtpihhlwrettiiiraxktv4txeha2mx

All you have to do to decrypt the message is to rewrite it in a block and read the message across the rows. The key to the process is knowing that the original block used 10 columns. Once you know the number of columns in the original block, simply divide the length of the ciphertext, 60, by the number of columns, 10. This tells you there are six rows in the original plaintext block. Write the ciphertext in columns using six rows and you can read the original message.
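The block transposition walked through above, as an added example that is not part of the original chapter. The function names are this example's own; it also goes one step beyond the text by listing the block widths that are possible when the width is not known (the divisors of the ciphertext length) and testing them against a word expected in the plaintext.

```python
"""Block (columnar) transposition as described in the chapter."""

PLAINTEXT = "I would like to meet with you in private at pier 42 tonight at midnight."
PAGE_CIPHERTEXT = "ityttiwooeodomuannueitiilenpggdtpihhlwrettiiiraxktv4txeha2mx"


def normalize(message):
    """Lowercase the message and keep only letters and digits."""
    return "".join(ch for ch in message.lower() if ch.isalnum())


def encrypt(message, width, pad="x"):
    """Write the message in rows of `width`, then read down each column."""
    text = normalize(message)
    text += pad * (-len(text) % width)           # fill up the last row
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[col] for col in range(width) for row in rows)


def decrypt(ciphertext, width):
    """Write the ciphertext in columns, then read across each row."""
    if not ciphertext:
        return ""
    if width <= 0 or len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the width")
    rows = len(ciphertext) // width              # e.g. 60 / 10 = 6 rows
    columns = [ciphertext[i:i + rows] for i in range(0, len(ciphertext), rows)]
    return "".join(columns[c][r] for r in range(rows) for c in range(width))


def candidate_widths(ciphertext):
    """Every block width that divides the ciphertext length evenly."""
    n = len(ciphertext)
    return [w for w in range(1, n + 1) if n % w == 0]


def widths_revealing(ciphertext, known_word):
    """Widths whose decryption contains a word expected in the plaintext."""
    return [w for w in candidate_widths(ciphertext)
            if known_word in decrypt(ciphertext, w)]


if __name__ == "__main__":
    ciphertext = encrypt(PLAINTEXT, 10)
    print(ciphertext)
    print(decrypt(ciphertext, 10))
    print("possible widths:", candidate_widths(ciphertext))
    print("widths showing 'midnight':", widths_revealing(ciphertext, "midnight"))
```

A 60-character ciphertext allows only twelve block widths, which is why the secrecy of the column count offers so little protection.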

All algorithms use some type of value to translate the plaintext to ciphertext. Each algorithm performs steps using the supplied value to encrypt the data. The special value that the algorithm uses is the encryption key. Some encryption algorithms use a single key, while others use more than one. The Caesar cipher uses a single key value. The key value tells how many positions to add to the plaintext character to encrypt and the number to subtract from the ciphertext character to decrypt. As long as the sender and receiver both use the same algorithm and key, the process works.

encryption key

A code that enables the user to encrypt or decrypt information when combined with a cipher or algorithm.

Private, or Symmetric, Key Algorithms

The easiest type of encryption to understand and use is the private key algorithm, also referred to as a symmetric key algorithm. It is symmetric because the decrypt function is a simple reversal of the encrypt function. In other words, it looks the same on both sides. (See Figure 7.1.)

Figure 7.1: Symmetric key algorithm

private key algorithm

An encryption algorithm that uses the same key to encrypt and decrypt. Also known as symmetric key algorithm.

This type of algorithm is simple, fast, and a frequent choice for encrypting data. The key and the algorithm are all that is required to decrypt the file. (Sounds simple, doesn't it? And it is, if you have the key and algorithm.) Although this type of algorithm is common for encrypting files, it can be more difficult to use for message encryption. The problem is managing the encryption key. The key is required to decrypt a file or message. Plus, you have to find a way to get the key to the recipient in a secure manner.

If someone is eavesdropping on all communication between you and your intended recipient, then he or she will likely intercept the encryption key as well as any encrypted data. With the key, they will be able to decrypt files at will. For the purposes of computer forensics, you will more likely find symmetric algorithm-encrypted files on media. The simple reason for this is that symmetric algorithms are fast and easy to use. Because you have only a single key, you don't need to specifically generate keys and then keep up with multiple values. That means you need only the single key.

Note 

Don't assume that computer investigators only deal with file encryption using symmetric keys. You will encounter various types of encryption and algorithms. Encryption is a discipline in itself. This section just highlights those issues you are most likely to encounter.

Key discovery is similar to password discovery. Forensic investigators need to find, deduce, or crack the encryption to get to the key. The biggest difference between cracking passwords and cracking encryption keys is that cracking encryption keys is usually much harder and takes far longer. The simple explanation is that the plaintext for a password is generally limited to a couple dozen characters. The plaintext for a file could be gigabytes. Cracking the encryption key takes substantially longer than cracking a password.

Many well-known symmetric encryption algorithms exist. Here are a few of the more common ones forensic investigators are likely to encounter:

· Data Encryption Standard (DES)

First published in 1977

Adopted as the U.S. government standard for all data communications

Uses 56-bit key (plus eight parity bits)

Old and weak by today's standards

· Triple DES (3DES)

More secure than DES

Uses three separate DES encryption cycles

· Blowfish

Stronger alternative to DES

Key size can vary from 32 bits to 448 bits

· Advanced Encryption Standard (AES)

The latest, strongest standard adopted by the U.S. government after an exhaustive competition among algorithm designs developed by leading world experts in cryptography

Based on the Rijndael cipher

Key sizes are 128, 192, or 256 bits

· Serpent

Came in second place in the AES competition

Similar block sizes and key sizes to AES

· Twofish

Related to the Blowfish algorithm

One of the five finalists in the AES competition

Advanced Encryption Standard (AES) competition

Sponsored by the National Institute of Standards and Technology (NIST), the AES competition was for an encryption standard to replace DES. The competition began in 1997 and culminated with the announcement in 2000 that the winner of the Advanced Encryption Standard was the Rijndael cipher.

Each algorithm in the previous list can effectively encrypt files. For more security, use a newer algorithm and a secure key. Research some of the common encrypt/decrypt utilities and compare the algorithms they support.

Public, or Asymmetric, Key Algorithms

The other type of encryption algorithm is the public key algorithm. This type of algorithm is also called asymmetric because the decrypt process differs from the encrypt process. An asymmetric encryption algorithm addresses the issue of key distribution by requiring two keys to complete the encrypt-decrypt process.

public key algorithm

An encryption algorithm that uses one key to encrypt plaintext and another key to decrypt ciphertext. Also called asymmetric algorithm.

The process starts with key generation. The software that encrypts plaintext will also have a utility to generate keys. When asked, the user supplies a passcode and the utility uses the passcode to generate a private key and a public key. This is called a key pair. Private keys are meant to be secret and should not be disclosed to anyone. On the other hand, public keys can be distributed to anyone. The encryption algorithm uses the private key to encrypt plaintext and the public key to decrypt resulting ciphertext. (See Figure 7.2.)

Figure 7.2: Asymmetric algorithm

passcode

A character string used to authenticate a user ID to perform some function, such as encryption key management.

The resulting process allows you to encrypt data with your private key. Anyone who has the public key can decrypt the file or message. This process lets anyone verify that a file or message originated from a specific person. If you can decrypt a file with Fred's public key, Fred had to encrypt it with his private key. Although this is great for sending messages and verifying the sender's identity, it doesn't add much value if all you want to do is encrypt some files.

The most common type of encryption you will run into during evidence analysis is file encryption. For that reason, we focus on symmetric key algorithms.

Steganography

Both symmetric and asymmetric encryption algorithms share one common trait: Encrypted files can be recognized by examining their contents. The fact that a file has encrypted content draws attention to its value. A forensic investigator may want to decrypt a file just because it contains encrypted content and, therefore, probably contains some data of value or other evidence.

Encrypt It All!

If you are going to use encryption, then it's generally a good practice to encrypt everything to avoid drawing attention to particular encrypted files. As an analogy, if every letter mailed was written on a post card, and you suddenly found a post card placed inside of an envelope, you'd want to know why. Placing the post card in an envelope would draw attention to the fact that something might be hidden in that message. The same is true for encrypting files. If forensic investigators find encrypted files when all other files are unencrypted, they'll want to know what the user is hiding in the encrypted file.

There is another approach. Steganography is the practice of hiding one message in another, larger message. The original message, or file, becomes the carrier and the hidden message is the payload. Large pictures and sound files make good carriers because the payload can be inserted without changing the original file in an obvious way. Steganographic utilities insert payload bytes into the carrier by slightly changing bytes in the carrier file. If the original data in the carrier separates the changed bytes by wide enough margin, changes are unnoticeable. If you change every 100th pixel in a picture by a single shade of color, the resulting picture appears almost identical to the original.

Steganography allows users to embed desired data into seemingly innocent files and messages. A secret message embedded in a picture file can be sent via e-mail as an attachment and raise no suspicion. Or better yet, the user can simply post the picture on a Web site and there won't be a direct connection between the user and the person they are communicating with. The ease with which anyone can obtain steganographic utilities makes covert data communication and storage easy.

Real World Scenario

Keeping Secrets

Intelligence experts suspect that the terrorists who planned and carried out the attacks on New York and Washington, D.C. on September 11, 2001, may have used steganography to communicate with one another. Investigators suspected the terrorists of embedding messages in digital pictures and then e-mailing the pictures (and embedded messages) as attachments to normal e-mail messages. The messages looked like common e-mails with attached pictures. The pictures could have been anything. Nothing was there to provide a clue that the pictures held secret messages. That is the power of steganography.

Detecting steganography is difficult. It can be detected only by noticing the changes to the carrier file or using statistical analysis to detect an anomaly. Detecting changes to the carrier file requires a noticeable difference that you can see or hear. Statistical analysis depends less on human perception because it compares the frequency distribution of colors of a picture with the expected frequency distribution of colors for the file. For audio carrier files, a statistical analysis utility would use sound patterns instead of colors.
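One concrete form of the statistical analysis described above, as an added example that is not part of the original chapter: a chi-square test on pairs of adjacent values (2k, 2k+1), which least-significant-bit embedding tends to make equally frequent. The carrier data is constructed with a deliberately uneven histogram to stand in for a real image, and the 3.0 cut-off is an assumption of this example.

```python
import random
from collections import Counter


def pov_score(samples):
    """Chi-square statistic per value pair (2k, 2k+1).
    About 1 when the low bits look random; much larger when the two
    values of a pair occur with clearly different frequencies."""
    counts = Counter(samples)
    chi_square, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = counts[even], counts[even + 1]
        expected = (n_even + n_odd) / 2
        if expected < 5:          # too few samples for a meaningful comparison
            continue
        chi_square += ((n_even - expected) ** 2 + (n_odd - expected) ** 2) / expected
        pairs += 1
    if pairs == 0:
        raise ValueError("not enough data to test")
    return chi_square / pairs


def scan(samples, window):
    """Score consecutive windows so an embedded region can be localised."""
    return [pov_score(samples[i:i + window])
            for i in range(0, len(samples) - window + 1, window)]


def flag_windows(scores, limit=3.0):
    """Indices of windows whose pair counts are suspiciously even."""
    return [i for i, score in enumerate(scores) if score < limit]


def constructed_carrier(n, seed=2024):
    """Constructed sample: byte values in which even values dominate."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        base = min(127, max(0, round(rng.gauss(64, 12))))
        out.append(2 * base + (1 if rng.random() < 0.15 else 0))
    return out


def with_random_low_bits(samples, count, seed=7):
    """Constructed sample: the first `count` values carry random low bits,
    which is what an embedded (encrypted or compressed) payload looks like."""
    rng = random.Random(seed)
    out = list(samples)
    for i in range(count):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out


if __name__ == "__main__":
    clean = constructed_carrier(20000)
    suspect = with_random_low_bits(clean, 8000)
    print("clean  :", [round(s, 1) for s in scan(clean, 4000)])
    print("suspect:", [round(s, 1) for s in scan(suspect, 4000)])
    print("flagged windows:", flag_windows(scan(suspect, 4000)))
```

A real carrier has a less extreme histogram than this sample, so in practice the score is compared against the file type's expected distribution rather than a fixed cut-off.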

Another method for detecting steganography is finding steganographic utilities on a suspect machine. Although the mere presence of such software doesn't prove steganography is in use, it certainly provides motivation to look harder for carrier files with embedded messages. Few people go to the trouble of acquiring and installing steganographic utilities without using them.

Here are a few steganographic utilities that you might encounter in your career as a forensic investigator. Look at several of these for more information about and examples of how steganography works:

· Puff (http://members.fortunecity.it/blackvisionit/PUFFV200.HTM)
The freeware Puff steganography tool runs in Microsoft Windows and handles many carrier file types.

· Invisible Secrets (www.invisiblesecrets.com)
Invisible Secrets is a full-featured commercial Microsoft Windows application that makes it easy to hide data in several different types of carrier files.

· PhilTools Image Steganography (http://philtools.com/image_steganography/)
PhilTools is a Web site that allows users to submit an image file and a message. The web site hides the message in the image and returns the new image to the user. Hidden messages can also be extracted from a carrier image at this site.

Remember that the appeal of steganography is that its very nature masks the existence of the message. Forensic investigators can look at a suspect drive and easily overlook embedded data if they aren't careful. Look for utilities that create steganographic files. Also, look for files that would make good carriers. If the circumstantial evidence points to hidden data, chances are steganography is in use.

Next, let's examine the quality of encryption by considering key length and key management.

Strengths and Weaknesses of Encryption

Encryption is not a perfect safeguard. With some effort, forensic investigators can access encrypted data. Encryption is far from worthless, though. As a forensic investigator, you'll likely need to access information that is encrypted and break the encryption algorithms.

Before you're ready to defeat file encryption, you need a better understanding of the strengths and weaknesses of encryption. This knowledge will provide a better awareness of where to start and what steps to take for each unique situation.

Key Length

The length of the encryption key directly relates to the encryption algorithm's strength. Although there are differences in the relative strength of each algorithm, the key length choice has the greatest impact on how secure an encrypted object will be. Simply put, longer keys provide a larger number of possible combinations used to encrypt an object.

A key that is 4 bits in length can represent 16 different key values, because 2^4 = 16. A key length of 5 bits allows 32 key values, and so forth. It may be easy to decrypt a file or message with only 32 different key values. However, larger keys mean more potential key values.

Some older algorithms approved for export by the U.S. government used 40-bit keys. These algorithms aren't secure by today's standards because of their small key length. A 40-bit key can hold one of 2^40 values, or 1,099,511,627,776 (1 trillion). Assuming that you have a computer that can make 1.8 million comparisons per second, it would take about a week to evaluate all possible key values.

The Data Encryption Standard (DES) algorithm uses 56-bit keys. Although DES is too weak for most security uses, it is far stronger than a 40-bit key algorithm. A DES key can store one of 2^56, or 72,057,594,037,927,936 (that is 72 quadrillion) values. Using the same computer as before, it would take about 1,260 years to evaluate all possible key values.

As key values increase in size, the computing power required to crack encryption algorithms grows exponentially. At first glance, it looks like an algorithm with a key length that requires over 1,000 years to crack is sufficient. Unfortunately, that isn't the case. Today's supercomputers can evaluate far more than 1.8 million comparisons per second. With parallel-processing capability, you could realistically create a unit that can crack DES in a matter of minutes (or even seconds). That is the reason key lengths are commonly over 100 bits. Longer keys provide more security by reducing the possibility of using a brute force attack to discover the encryption key.

Using Amazon to Crack Passwords

In November 2010, an article reported that a security researcher was able to crack SHA-1 passwords by renting processing power on Amazon's EC2 cloud computing service:

· http://threatpost.com/en_us/blogs/cloud-makes-short-work-strong-encryption-111910

Key Management

Because the encryption key is crucial to the encryption process, it must be protected at all costs. If the key is disclosed, the encrypted data is no longer secure. Symmetric algorithms use a single key. The sender and receiver must both possess the key to encrypt and decrypt the data. For local file encryption, the same person is likely to encrypt and decrypt the data. The purpose of encryption in such a case is to protect file contents from any unauthorized access.

As a forensic investigator, you may find encrypted files on both hard disks and removable media. In fact, suspects with a basic knowledge of security will often encrypt files before archiving them to removable media. In many such cases, an encryption utility is found on the main computer. Look for a stored copy of the key. Many people keep copies of important information in ordinary text files. Look for a file with an obvious name (such as key.txt or enc.txt) or one that contains a single large number and little else. Personal notes or other personal information manager files with an unusually large number that seems to have no other meaning are also great places to look. A forensic investigator's task in such a situation is similar to finding passwords.

The next section addresses proper handling of encrypted data by first identifying encrypted files and then decrypting them to extract the data.

Handling Encrypted Data

At some point in the investigation, you'll likely encounter encrypted data. The course of action depends on the particular type of encryption and the value of the expected evidence once the data is decrypted. If you suspect the encrypted data holds a high value for your case, it will warrant more time and effort to get at that data. Decrypting data can require a substantial effort. Only pursue that course of action when necessary.

Identifying Encrypted Files

Identifying encrypted files is easy. You try to access a file with the appropriate application and you end up getting garbage. The first step you should take in this instance is to find out the type of file you're dealing with. Most operating systems make assumptions about file types by looking at the file's extension. For example, a file with the .doc extension is normally a word processing document, and a file with the .zip extension is normally a compressed archive file. Never trust extensions. One way to "hide" files from casual observers is simply to change their extensions to another file type.

For example, an easy way to hide pictures from standard viewer applications would be to change the extension from .jpg to .txt. Any extension would work, but the .txt extension would represent all such files as text files in most file browser windows. If an unscrupulous user wants to represent hidden pictures as another file type, it's simple to use another defined file extension. Alternatively, an undefined file extension, such as 'xxx', could be used, but these files would likely attract more attention.

As a forensic investigator, you need to ensure that you aren't simply looking at altered file extensions. Always use a file viewer that looks at both the file extension and the file contents. Such a utility will notify you if it finds files that use a nonstandard extension. When you find such files, you may be dealing with files that someone deliberately hid.

Another telltale sign that you are dealing with encrypted data is a generated filename. Many encryption utilities have the option to obscure the filename as they encrypt the plaintext file. It is harder for a forensic investigator to identify a file named 100455433798.094 than one named My Illegal Activities.doc. Although many applications generate filenames, any time a collection of files with obviously generated filenames is found, the experienced forensic investigator finds out why. They might be encrypted files.

In summary, if during the course of an investigation, forensic investigators find files that don't fit their extensions or have unknown extensions, the investigators should consider them potentially encrypted. Look at their location in the file system, and check any path history of file accesses and encryption utility activity. The file encryption utility might keep track of recent write locations. Take hints wherever you find them.
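A triage sketch for the checks summarized above, as an added example that is not part of the original chapter: it compares each file's leading bytes with its extension and notes generated-looking names. It goes one step beyond the text by measuring byte entropy to flag content that looks random; the 7.5 bits-per-byte cut-off and all sample files are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter

# Well-known leading "magic" bytes for a few common formats.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls container
}
# Content each extension is expected to hold.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
            ".zip": "zip", ".doc": "ole2", ".txt": "text"}
PRINTABLE = set(range(32, 127)) | {9, 10, 13}
ENTROPY_THRESHOLD = 7.5  # bits per byte; a cut-off assumed for this example


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for random-looking data, far lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def sniff(data: bytes):
    """Identify content from the bytes themselves, ignoring the filename."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    if data and all(b in PRINTABLE for b in data[:4096]):
        return "text"
    return None


def assess(name: str, data: bytes) -> dict:
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    kind, expected = sniff(data), EXPECTED.get(ext)
    entropy = shannon_entropy(data)
    if kind is None:
        # No recognisable structure: random-looking bytes suggest encryption.
        verdict = "possibly encrypted" if entropy >= ENTROPY_THRESHOLD else "unidentified"
    elif expected is None:
        verdict = "undefined extension"
    elif kind != expected:
        verdict = "extension mismatch"
    else:
        verdict = "consistent"
    return {"verdict": verdict, "content": kind, "entropy": round(entropy, 2),
            "generated_name": name.replace(".", "").isdigit()}


def constructed_samples() -> dict:
    """In-memory stand-ins for files on a suspect drive (all constructed)."""
    random_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                           for i in range(128))        # 4096 high-entropy bytes
    return {
        "holiday.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(200),
        "notes.txt": b"Meeting moved to Thursday.\n" * 20,
        "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504),
        "archive.xxx": b"PK\x03\x04" + bytes(60),
        "100455433798.094": random_like,
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:18} {assess(name, data)}")
```

Compressed data is also high in entropy, which is why the signature check runs before the entropy test; very small files cannot reach the threshold at all.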

Decrypting Files

Assume that you have identified one or more encrypted files. What does the forensic investigator do next? The simple answer is to crack the encryption. The complete answer is a little more complex.

Before exhausting an investigative budget on the latest encryption busting utilities, take the simple approach first. Ask the suspect. If you haven't found encryption keys written down or otherwise recorded in obvious places, just ask. If you're lucky (and you might be), your suspect might provide the keys voluntarily. If asking doesn't work or you know the suspect is unlikely to cooperate, use social engineering next. If a suspect can be convinced to divulge secrets like encryption keys, lots of time and work can be saved. Only resort to technical means when you have exhausted all conventional methods of collecting information.

Note 

The suggestion to use social engineering doesn't mean that forensic investigators should engage in questionable activities. Make sure all activities are documented and approved before you engage in social engineering activities. Evidence that the court deems as inadmissible is worthless to any case.

First, evaluate the type of encryption you see. A common type of encryption is provided by popular applications. Microsoft Office and WinZip both provide options to encrypt the contents of their data files. Although convenient, application-supported encryption tends to be very weak. There is a wide variety of utilities that specialize in cracking application encryption available for use by forensic investigators. Here is a short list of utilities that help recover file contents of specific file formats:

· Zip Password by LastBit (http://lastbit.com/zippsw/)—Password recovery utility. Decrypts ZIP/WinZip/pkzip files

· Passware Password Recovery Software (http://www.lostpassword.com)—Recovers passwords from MS-Office application files

· ElcomSoft password recovery software (http://www.crackpassword.com)—These products recover passwords from various application files

Note 

Many other utilities are available to help forensic investigators defeat application-specific file encryption. Their wide availability should emphasize that such encryption has far less value than generic file encryption algorithms. In short, don't rely on any application vendor to provide strong embedded encryption for your own privacy needs.

After ruling out embedded encryption, forensic investigators need to move to more sophisticated methods. Always begin by looking for low-hanging fruit. Let's assume you are looking at an encrypted document. Find out as much as possible about the file's context. Here are a few questions to consider:

· Does the file have a defined extension?

Unless you have information to the contrary, assume the file's extension is valid.

Encrypting a file and then changing the extension to throw off an investigator is too much work for most people.

· Where is the file located?

File location, especially unusual locations, may give clues to the originating application.

If you find files stored in unusual locations, check the default document directories for installed applications. That information might tell you what application created the file.

· What application(s) likely created the file?

If you know, or suspect, what application created the file, see if the application uses a cache or temporary files.

Look at deleted files in the application's temporary directory. Any files here are likely to include pre-encryption data.

· What is the last access time for the file?

Look for any deleted files with access times just prior to the last access time of the encrypted file. Although good encryption utilities won't leave such obvious traces behind, the application that generated the file might not be so careful.

· Do installed applications create temporary files during creation/editing?

Attempt to recover all the files you can. Even the most innocent ones may be valuable.

· Are there any files in the Recycle Bin?

Don't laugh; it happens!

These questions will get you started. The best outcome from searching for deleted and unencrypted copies of files is to find a pristine, unencrypted copy of the one file you need. Although it's possible to find just what you're looking for, it is more likely that you will simply find another piece of the puzzle. Any unencrypted file or file fragment that relates to an encrypted file will increase chances of successfully decrypting files. Let's look at a few attack methods to decrypt suspect files.

Real World Scenario

Tales from the Trenches: Opening Encrypted Files

Customers retain computer forensic experts to open encrypted files from time to time.

One day, Bill, a previous client, contacted me and insisted I meet with him right away. Naturally, I told him I would be right over. He said we needed to meet "away from the office" and suggested a local restaurant where we could talk in private.

As soon as I arrived, Bill told me he was having major troubles at work with a small group of employees who he thought were planning to leave the company, form their own firm, and compete against him. Bill knew there was nothing he could do to keep the employees from leaving, but he wanted to ensure that they didn't take any proprietary information belonging to his company with them when they left.

He was specifically concerned because the company's "network guy" came to him and reported that he had recently observed an unusually large amount of network activity for a few employees, including accessing the customer database and billing system. While this type of access wasn't against company policy and was within the employee's job description, it was unusual enough for the network guy to report it. Bill asked him to "keep an eye open" for any more unusual activity.

A few days later, the network guy informed Bill he observed an increase in the amount and size of e-mail these same employees were sending through the company e-mail server. When he explored further, he noted these employees sent a large number of encrypted e-mails to a former employee. He was, of course, unable to read the e-mails. Encryption wasn't normally used by the company, but it wasn't against the company policy to use encryption, either.

Bill needed proof that these employees were sending proprietary information out of the company to this former employee so that he could terminate their employment and so that he could obtain a "cease and desist" order against his former employee to prevent him from using the proprietary information.

As expected, while examining the employees' computers, I located a large number of encrypted files and attempted to crack the password protection so I could see the content of the files. The employee protected the majority of files with PGP, a very strong encryption utility. I knew that the possibility of cracking a PGP-protected file was very slim, but I also knew that I had human nature working in my favor.

On one of the computers, I located a small collection of Microsoft Word documents that were password protected using the built-in Microsoft password-protection security. This protection scheme can be very simple to crack using a variety of available commercial cracking utilities. I was able to open each of these files within a few minutes and review their contents. The fact that none of these files had anything to do with the case didn't deter me. I learned a long time ago that people are generally very lazy when it comes to choosing passwords and typically will use the same password in several places.

I attempted to use the recovered password to open the PGP files and was able to access all of the information that was stored on this employee's computer. I located enough evidence to assist Bill in obtaining the "cease and desist" order and to terminate the employees without fear of being sued for wrongful termination.

Although this is one example of overcoming an encryption technology by using a weakness in the implementation of the technology (the human weakness of reusing passwords) and not a weakness in the technology itself, you will find many situations where a weak encryption technology works in the investigator's favor.

Known Plaintext Attack

The known plaintext attack is a method of cracking encryption that uses the plaintext and the associated ciphertext. If a forensic investigator is lucky enough to have both the unencrypted and encrypted versions of a file, the relationship between the two can be analyzed and the encryption key deduced. Some archive file password crackers utilize this type of attack. Simply provide an unencrypted file and an encrypted ZIP archive, and the utility will compare the two and attempt to find the key used in the encryption.

known plaintext attack

An attack to decrypt a file characterized by comparing known plaintext to the resulting ciphertext.

As a part of an investigation, forensic investigators often have access to files that may appear to be unrelated to the evidence that is needed. Savvy forensic investigators won't be deterred by this because they know these files could help provide the key the suspect used to encrypt the files. Keeping track of multiple encryption keys is difficult, so forensic investigators are often able to use that discovered key to decrypt other encrypted files.

Chosen Plaintext Attack

Forensic investigators may have access to the encryption engine, but not the key. It is possible the encryption utility allows users to encrypt files using stored credentials without disclosing those credentials. In such cases, forensic investigators may be able to discover the encryption key using a chosen plaintext attack. In a chosen plaintext attack, files are encrypted and then compared to the resulting encrypted file. After you create the plaintext and ciphertext, the attack progresses just like the known plaintext attack.

chosen plaintext attack

An attack to decrypt a file characterized by comparing ciphertext to a plaintext message you chose and encrypted.

Brute Force Attack

The brute force attack method for decrypting files is the worst choice and should be used only after exhausting other methods first. It uses the same approach as brute force password cracking. The utility tries every possible key value to see if the decryption results in an intelligible object. Use this option as your last resort.

Which Way to Go?

Each type of attack requires different input, output, and access to the encryption utility. Always try the easiest methods first. If these don't work, move on to more complex approaches. There are no guarantees that discovering a method to decrypt files will be successful within a reasonable timeframe. A brute force attack will always work eventually. However, remember that "eventually" can mean several thousand years.
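The known plaintext and brute force approaches described above, compared on a toy cipher as an added example (not code from the original chapter). The cipher is a Caesar-style shift with a repeating letter key, chosen as an assumption so that the key space (26^n) stays small enough to search; the key, file contents and word list are constructed.

```python
from itertools import product
import string

# Short word list used to judge whether a decryption is intelligible (constructed).
COMMON_WORDS = ("THE", "AND", "FILE", "LIST", "END", "FOR", "MONTH")


def shift_text(text: str, key: str, decrypt: bool = False) -> str:
    """Add (or subtract) the key letters to A-Z text, repeating the key.
    A one-letter key is the plain Caesar cipher."""
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(ch) - 65 + sign * (ord(key[i % len(key)]) - 65)) % 26 + 65)
        for i, ch in enumerate(text)
    )


def recover_key(known_plain: str, cipher: str) -> str:
    """Known plaintext: ciphertext minus plaintext exposes the key stream,
    which is then reduced to its shortest repeating unit."""
    stream = "".join(chr((ord(c) - ord(p)) % 26 + 65)
                     for p, c in zip(known_plain, cipher))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def intelligibility(text: str) -> int:
    return sum(text.count(word) for word in COMMON_WORDS)


def brute_force(cipher: str, key_length: int):
    """Try every key of the given length; keep the most intelligible result.
    Returns (best_key, keys_tried)."""
    best_key, best_score, tried = None, -1, 0
    for letters in product(string.ascii_uppercase, repeat=key_length):
        key = "".join(letters)
        tried += 1
        score = intelligibility(shift_text(cipher, key, decrypt=True))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, tried


# Constructed case: the same key protects two files, and an unencrypted
# copy of the first one was recovered from the drive.
SECRET_KEY = "KEY"
KNOWN_PLAIN = "QUARTERLYSALESREPORT"
KNOWN_CIPHER = shift_text(KNOWN_PLAIN, SECRET_KEY)
SECOND_PLAIN = "TRANSFERTHECUSTOMERLISTANDTHEBILLINGFILESBEFORETHEENDOFTHEMONTH"
SECOND_CIPHER = shift_text(SECOND_PLAIN, SECRET_KEY)

if __name__ == "__main__":
    key = recover_key(KNOWN_PLAIN, KNOWN_CIPHER)       # one pass, no search
    print("known plaintext ->", key, shift_text(SECOND_CIPHER, key, decrypt=True))
    for length in (1, 2, 3):                           # work grows as 26**length
        print("brute force, key length", length, "->", brute_force(SECOND_CIPHER, length))
```

The known plaintext path needs a single subtraction pass, while the brute force search multiplies its work by 26 for every added key letter.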

Use what you can and take the time to think about the evidence. Evidence collection and analysis is very much like assembling a puzzle. Forget about the picture; look at how the pieces fit together.