Encryption Basics

After they gain access to the file that contains the needed evidence, forensic investigators may well find that the file itself is unreadable. As computer investigators begin to use more sophisticated tools, both regular and malicious users are taking more sophisticated steps to hide information. One method used to hide information is to modify a message or file in such a way that only the intended recipient can reconstruct the original.

Note: This chapter does not cover the mathematics behind encryption in any detail (such a discussion is beyond the scope of this book).

cryptography

The science of hiding the true contents of a message from unintended recipients.

Cryptography scrambles the contents of a file or message and makes it unreadable to all but its intended recipient. In the context of a computer investigation, a forensic investigator is an unintended recipient. The word cryptography comes from the Greek words krypto, which means “hidden,” and graphein, which means “to write.”

Although cryptography’s importance has become more widely acknowledged in recent years, its roots are traced back 5,000 years to ancient Egypt. The Egyptians used hieroglyphics to document many rituals and procedures. Only specially trained agents could interpret these early hieroglyphics.

encrypt

To obscure the meaning of a message to make it unreadable.

decrypt

To translate an encrypted message back into the original unencrypted message.

Around 400 B.C., the Spartans used an innovative method to encrypt, or hide, the meaning of military communication from unauthorized eyes. They would wrap a strip of parchment around a stick in a spiral, similar to a barber’s pole. The scribe would write the message on the parchment and then unwind it from the stick. With the parchment stretched out, the message was unintelligible. In fact, the only way to read the message, or decrypt it, was to wrap the parchment around another stick of the same diameter and equal, or greater, length. The “secrets” to reading the message were the dimensions of the stick and the knowledge of how to wrap the parchment. Anyone who possessed these two components could read the secret message.

cipher

An algorithm for encrypting and decrypting.

substitution cipher

A cipher that substitutes each character in the original message with an alternate character to create the encrypted message.

Roman Emperor Julius Caesar was the first to use a cryptography method, or cipher, similar to the decoder rings popular as children’s trinkets. He used a method called a substitution cipher to send secret messages to his military leaders. This cipher encrypts a message by substituting each letter of the original message with another letter. A substitution table provides the static mapping for each letter. For example, here is a simple Caesar cipher mapping table:

Original: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Mapped:   DEFGHIJKLMNOPQRSTUVWXYZABC

For each character in the original message, read the character directly below it in the mapped character string. The string “HELLO” would become “KHOOR.”

The recipient decrypts the message by reversing the process. The recipient translates each letter from the encrypted message to the original letter by reading the mapping table backward. The resulting message is identical to the original. One must possess the translation table to encrypt and decrypt messages using a simple substitution cipher. The main weakness of the cipher is the table itself. Anyone who discovers or acquires the translation table can decrypt messages.
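The mapping table above can be exercised in a few lines of Python. This is an added example, not code from the book; the function names and the sample message in the usage note are constructed for illustration. It goes one step beyond the text by showing why the table is such a weak secret: when the mapped row is just a rotation of the alphabet, there are only 26 possible tables, so an examiner who expects a particular word in the message can identify the right one without ever being given it.

```python
import string

ALPHABET = string.ascii_uppercase
# Mapped row from the text: each letter is replaced by the one three places later.
MAPPED = "DEFGHIJKLMNOPQRSTUVWXYZABC"

def make_tables(original, mapped):
    """Build encrypt/decrypt tables, rejecting a mapping that is not one-to-one."""
    if len(original) != len(mapped) or sorted(original) != sorted(mapped):
        raise ValueError("mapped row must be a permutation of the original row")
    return str.maketrans(original, mapped), str.maketrans(mapped, original)

def encrypt(message, original=ALPHABET, mapped=MAPPED):
    """Read each letter's replacement from the mapped row."""
    enc, _ = make_tables(original, mapped)
    return message.upper().translate(enc)  # non-letters pass through unchanged

def decrypt(ciphertext, original=ALPHABET, mapped=MAPPED):
    """Read the table backward to restore the original letters."""
    _, dec = make_tables(original, mapped)
    return ciphertext.upper().translate(dec)

def candidate_plaintexts(ciphertext):
    """Decrypt under every rotation table: only 26 possibilities exist."""
    out = {}
    for shift in range(26):
        mapped = ALPHABET[shift:] + ALPHABET[:shift]
        out[shift] = decrypt(ciphertext, mapped=mapped)
    return out

def recover_shift(ciphertext, expected_word):
    """Return the shifts whose decryption contains a word the examiner expects."""
    word = expected_word.upper()
    return [s for s, p in candidate_plaintexts(ciphertext).items() if word in p]

if __name__ == "__main__":
    print(encrypt("HELLO"))                        # the example from the text
    print(recover_shift("PHHW DW GDZQ.", "dawn"))  # constructed sample ciphertext
```

The constructed ciphertext "PHHW DW GDZQ." is "MEET AT DAWN." encrypted with the table from the text, and `recover_shift` identifies the three-place rotation from the expected word alone.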

Although the algorithms used in current encryption implementations are far more complex than the Caesar cipher, the basic approach and goals are the same. Next, we’ll examine some common encryption practices.
