encryption trucrypt encase


Upload: brandon-mayo

Post on 05-Oct-2015


TrueCrypt

TrueCrypt is free, open-source software that can currently be found at http://www.truecrypt.org.

It works by creating encrypted volume files that are mounted as logical drives, each with a drive letter. Due to a restriction of the operating system, volumes can only be mounted by a user with administrative permissions unless the TrueCrypt software has first been fully installed by an administrator.

The program comes with an in-depth manual in PDF format, but some of its key features are:

1. Ability to create FAT and NTFS formatted volume files

2. Allows the user to transparently read/write data to the encrypted volume once mounted

3. Encrypted data is decrypted on-the-fly, so an encrypted volume file that is open at the time of a system crash will not be compromised

4. Can implement all mainstream symmetric encryption algorithms, including Blowfish and AES-256

5. Volume header key (derived from the password/passphrase and used to encrypt the master key) and master key derived using the SHA-1 or RIPEMD-160 hash algorithms

6. Can create a hidden encrypted volume within the unallocated space of a parent encrypted volume; each volume can have its own passphrase, thus allowing for plausible deniability

7. Traveler Disk Setup configures volume files for mounting from removable media on any Windows NT-based system without pre-installing any software

8. Full command-line usage allowing for quiet/stealth operation, leaving minimal footprint on host system

9. Encrypted volume files have no detectable file signature/header; are not bound to use the registered file extension .tc

From a user's perspective, the benefits of using this particularly effective software are self-evident.

We will use the software to demonstrate the options open to an examiner when contemplating the identification/examination of encrypted data. The following screenshots show the successful creation of a 50-megabyte, FAT, encrypted volume file using TrueCrypt. Note the presence of the random pool data (used as part of the key generation process), the header, and master keys.

Figure 7-5 Formatting created volume with FAT

Figure 7-6 Screenshots showing creation of TrueCrypt volume

IDENTIFYING ENCRYPTED DATA

There are a number of approaches to identifying encrypted data on a target disk.

Encryption Software

Examination of installed software and shortcut links (on the Desktop, Start Menu, and Send To folders of each user and under the All Users profile folder) is a good way to triage a target system for installed encryption software.

Figure 7-7 Identifying the TrueCrypt program folder

It is particularly important not to neglect the Windows Registry. For instance, TrueCrypt, even in quiet/stealth mode, has to create registry entries in order to function properly. This is the same for most, if not all, encryption software that supports encrypted volumes. The subsequent screenshot shows the reference to the TrueCrypt volume driver, truecrypt.sys, in the services\TrueCrypt subkey of the control set that was last active on the target machine.

Figure 7-8 The TrueCrypt volume driver registry setting

The volume driver allows the system to mount the encrypted volume file as a drive and then handles the process of reading/writing data to it, decrypting/encrypting it in the process.

This registry entry will be created whenever a TrueCrypt volume is mounted on current Windows operating systems. This applies even if the volume and system driver were on a removable disk and the software hadn't been installed on the system drive. The registry entry would, in that case, point to the TrueCrypt driver on the removable disk.

It used to be the case that if a TrueCrypt volume was mounted in stealth mode, the volume driver registry entry would be removed when the volume was dismounted. However, this is no longer the case: the registry entry is removed regardless of the mode of operation. The only exception to this is where TrueCrypt has been fully installed by an administrator of the computer in question. This is necessary where non-administrative users need to use the TrueCrypt software.

Regardless of whether the driver registry entry has been deleted post-operation, it's still likely to be found in the unallocated space of the registry hive file or in unallocated clusters on disk as a result of paged memory operations. In addition to the volume driver registry entry, one other registry entry is created that cannot be removed by TrueCrypt because registry permissions do not permit it; only the SYSTEM account has the permissions necessary to accomplish this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRUECRYPT

This registry entry is shown in the following screenshot.

Figure 7-9 The TrueCrypt Enum registry setting

Like most programs, TrueCrypt can maintain a history of encrypted volume files that have been opened. Prior to TrueCrypt version 4, this information was created in the NTUSER.DAT file of each user who had used the TrueCrypt software. This changed with TrueCrypt version 4.0: user configuration data is now stored in a file called Configuration.xml located in the \Application Data\TrueCrypt subfolder of the user's profile folder. In this example, we mounted the ntuser.dat of the Bob account.

Figure 7-10 NTUSER.DAT registry entries created by TrueCrypt 3.1a

Figure 7-11 TrueCrypt v4.2 XML configuration file viewed using Internet Explorer

Note that if user history is saved, TrueCrypt version 4.0 and later saves this data in a separate file (same location as mentioned previously) called History.xml.

Figure 7-12 Contents of the TrueCrypt History xml file

Prior to version 4, TrueCrypt would not create user configuration/history registry settings if stealth mode was enabled. Under version 4 and later, TrueCrypt will always create an Application Data\TrueCrypt folder, even if stealth mode is used. However, the general configuration file will only be saved if the full TrueCrypt GUI is used.

In addition to searching for files and registry entries, the examiner also has the option of using hash analysis to identify known encryption software, including software that uses steganography to hide encrypted data within other files, typically picture and audio files.

Hashsets for such software are available through the Hashkeeper user group (http://groups.yahoo.com/group/hashkeeper/); they're also contained within the hashsets produced by the National Software Reference Library (NSRL - http://www.nsrl.nist.gov/).

Another approach is to search for keywords commonly associated with encryption software. Operating systems often have built-in encryption functionality, so it's not unusual for such searches to reveal a large number of hits. Examining the location of the hits (using the option to tag the files associated with the hits under the Search Hits tab) can sometimes, however, help to identify encryption software that was previously overlooked.

Encrypted Files

As in the case of TrueCrypt, we have seen that the configuration data (registry or otherwise) created by encryption software may identify the encrypted data created or accessed by that software.

Even if this is not the case, we can use our knowledge of identified software, undertaking further research where necessary, to identify encrypted files or data on a target system.

The default extension for TrueCrypt files is .tc, and provided that the TrueCrypt software has been installed on a system, the file extension will be registered in the Windows Registry under two subkeys of the Classes key located in the SOFTWARE hive file.

Figure 7-13 File extension shows associated TrueCrypt volume

Figure 7-14 File extension registry entries for TrueCrypt .tc files

TrueCrypt files with a .tc extension are obviously quite easy to find.

Figure 7-15 TrueCrypt volume identified by file extension

Double-clicking on a file with a .tc extension will in this case start the TrueCrypt application automatically, and a shortcut link to the file will be created in the relevant user's Recent folder in their user profile.

Figure 7-16 Shortcut link file to TrueCrypt volume

However, TrueCrypt, by default, does not prompt the user to create encrypted volume files with any particular extension. An extension will only be used if the user specifically asks for it.

Where encrypted files cannot be identified by extension, we have to use other means to try and identify them.

One way of doing this could be to use registry data or other configuration data, as in the case of TrueCrypt (if saving file history is enabled).

Some files, Microsoft Word documents and ZIP files for instance, may contain encrypted data that may not be evident until the file is opened either by EnCase software (EnCase) or externally.

For example, the following screenshot shows a ZIP file viewed within EnCase.

Figure 7-18 Mounted ZIP file containing encrypted data

Amongst other things, EnCase uses the Description column to indicate that, in this case, every file in the ZIP file is encrypted. The Protected column is populated as a result of running the Evidence Processor and selecting the Protected File Analysis option.

EnCase uses the same method to identify those files encrypted with the Encrypting File System (EFS).

Figure 7-19 EFS files shown in EnCase

Having discussed all of the previous options, what action can the examiner take with respect to those encrypted files that cannot be located through program information, link files, file extension, or content? Unfortunately, TrueCrypt has the potential to fit all of these criteria. As already stated, TrueCrypt is open source, so the structure of its volume files is no secret.

Offset   Size     Encrypted?  Description
(bytes)  (bytes)
0        64       No          Salt
64       4        Yes         ASCII string TRUE
68       2        Yes         Volume header format version
70       2        Yes         Minimum program version required to open the volume
72       4        Yes         CRC-32 checksum of the (decrypted) bytes 256-511
76       8        Yes         Volume creation time
84       8        Yes         Header creation/modification time
92       8        Yes         Reserved (set to zero)
100      156      Yes         Currently unused
256      Var.     Yes         Secondary key (LRW mode)
288      Var.     Yes         Master key(s)
512      Var.     Yes         Data area (actual volume contents)

Figure 7-20 The TrueCrypt volume format

It's clear that, with the exception of the first 64 bytes, the entire volume is encrypted.

The first 64 bytes make up a random value called a salt. A salt is used to make life difficult for any person who wants to crack an encrypted file.

The structure of a TrueCrypt volume makes life very difficult for the examiner because it contains no plaintext data that can help identify it.

Even the TrueCrypt software itself cannot identify a TrueCrypt volume without the correct passphrase. Entering an incorrect passphrase will result in the following dialog box.

Figure 7-21 TrueCrypt error message

If the examiner is lucky, there may be something unusual about the file that draws their attention. One example of this is the size of the file. TrueCrypt volumes are mounted as logical disks, so they are usually substantial in size.

Another, more advanced, option is the identification of encrypted data by its binary structure. Most encryption algorithms create data that, in addition to being encrypted, is highly random across its entire length. If the data contained within a file is highly random, then there's a good chance that it's encrypted.
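As an added example (not from the book and not TrueCrypt's own code), the Python below turns the volume format table and the randomness heuristic into two checks an examiner can run: a block-wise entropy scan over constructed sample data, and a parser for the 512-byte header using the table's offsets, which can only confirm the ASCII marker and the CRC-32 once the header has been decrypted. The big-endian field order, the sample field values and the 7.9 bits/byte threshold are assumptions, not values from the page.

```python
import math
import random
import struct
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is perfectly random, plain English text is roughly 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_regions(data: bytes, block: int = 8192, threshold: float = 7.9) -> list:
    """Offsets of blocks random enough to be ciphertext. Compressed or already-encrypted
    media score just as high, so a hit is a lead for the examiner, not proof."""
    hits = []
    for off in range(0, len(data) - block + 1, block):
        e = shannon_entropy(data[off:off + block])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits

def parse_decrypted_header(header: bytes) -> dict:
    """Interpret bytes 0-511 using the offsets in the format table. Only the 64-byte salt is
    plaintext on disk; the 'TRUE' marker and the CRC-32 of bytes 256-511 become checkable only
    after decryption, which is why a header cannot be identified without the passphrase."""
    if len(header) < 512:
        raise ValueError("need the full 512-byte header")
    f = {"salt": header[0:64], "magic": header[64:68]}          # big-endian assumed below
    f["header_version"], f["min_program_version"] = struct.unpack(">HH", header[68:72])
    (f["crc32_keys"],) = struct.unpack(">I", header[72:76])
    f["volume_ctime"], f["header_mtime"] = struct.unpack(">QQ", header[76:92])
    f["key_area"] = header[256:512]
    f["valid"] = f["magic"] == b"TRUE" and zlib.crc32(f["key_area"]) == f["crc32_keys"]
    return f

# Constructed samples (not real TrueCrypt volumes): a seeded PRNG stands in for ciphertext.
_rng = random.Random(2015)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
TEXT_LIKE = b"Quarterly report: revenue up, costs flat, no surprises. " * 1200

def build_decrypted_header() -> bytes:
    """A header as it would look after successful decryption, with constructed field values."""
    key_area = bytes(_rng.getrandbits(8) for _ in range(256))
    fixed = struct.pack(">4sHHIQQ", b"TRUE", 2, 0x0400, zlib.crc32(key_area), 0, 0)
    return CIPHERTEXT_LIKE[:64] + fixed + bytes(256 - 64 - len(fixed)) + key_area

if __name__ == "__main__":
    print("random-looking blocks:", len(high_entropy_regions(CIPHERTEXT_LIKE)))
    print("still-encrypted header recognised:", parse_decrypted_header(CIPHERTEXT_LIKE)["valid"])
```

Run against a real candidate file, the entropy scan is the only check that works before the passphrase is known; the header parser is what confirms a decrypted header is genuine.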