Handling Encrypted Data

At some point in the investigation, you’ll likely encounter encrypted data. The course of action depends on the particular type of encryption and the value of the expected evidence once the data is decrypted. If you suspect the encrypted data holds a high value for your case, it will warrant more time and effort to get at that data. Decrypting data can require a substantial effort. Only pursue that course of action when necessary.

Identifying Encrypted Files

Identifying encrypted files is usually easy: you try to open a file with the application its type calls for and you get garbage. The first step you should take in this instance is to find out the type of file you’re dealing with. Most operating systems make assumptions about file types by looking at the file’s extension. For example, a file with the .doc extension is normally a word processing document, and a file with the .zip extension is normally a compressed archive file. Never trust extensions. One way to “hide” files from casual observers is simply to change their extensions to another file type.

For example, an easy way to hide pictures from standard viewer applications would be to change the extension from .jpg to .txt. Any extension would work, but the .txt extension would represent all such files as text files in most file browser windows. If an unscrupulous user wants to represent hidden pictures as another file type, it’s simple to use another defined file extension. Alternatively, an undefined file extension, such as ‘xxx’, could be used, but these files would likely attract more attention.

As a forensic investigator, you need to ensure that you aren’t simply looking at altered file extensions. Always use a file viewer that compares the file extension with the file’s actual contents (its signature bytes). Such a utility will notify you if it finds files whose contents don’t match their extension. When you find such files, you may be dealing with files that someone deliberately hid.

Another telltale sign that you are dealing with encrypted data is a generated filename. Many encryption utilities have the option to obscure the filename as they encrypt the plaintext file. It is harder for a forensic investigator to identify a file named 100455433798.094 than one named My Illegal Activities.doc. Although many applications generate filenames, any time a collection of files with obviously generated filenames is found, the experienced forensic investigator finds out why. They might be encrypted files.

In summary, if forensic investigators find files during an investigation that don’t fit their extensions or that have unknown extensions, they should consider those files potentially encrypted. Look at their location in the file system, and check any history of file accesses and of encryption utility activity. The file encryption utility might keep track of recent write locations. Take hints wherever you find them.
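The checks described in this section, as an added example that is not code from the book: a small Python scanner that classifies a file by its leading signature bytes rather than its extension, flags mismatches, flags machine-generated numeric names, and measures byte entropy (encrypted or compressed data sits close to 8 bits per byte). The signature table is deliberately short, and the sample files it scans are constructed stand-ins written to a temporary directory, not real evidence.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Well-known file signatures (magic bytes) for a handful of formats. The table is
# deliberately short; a real identification tool carries hundreds of signatures.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 compound file (legacy Office)
}
# Extensions that are really the same container as an entry above (.docx is a ZIP).
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}
# Names made only of digits, optionally with a numeric "extension", e.g. 100455433798.094
GENERATED_NAME = re.compile(r"^[0-9]+(\.[0-9]+)?$")

def detect_type(header: bytes):
    """Classify by content: return the format whose signature matches, else None."""
    for sig, kind in MAGIC.items():
        if header.startswith(sig):
            return kind
    return None

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def assess_file(path: str, sample_size: int = 4096) -> dict:
    """Compare what the name claims with what the bytes say, and flag oddities."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = detect_type(sample)
    entropy = shannon_entropy(sample)
    flags = []
    if kind is not None and ext and kind != ext:
        flags.append("extension_mismatch")        # content does not match the extension
    if kind is None and entropy > 7.5:
        flags.append("high_entropy_unknown_type")  # no known signature and looks random
    if GENERATED_NAME.match(name):
        flags.append("generated_name")            # name looks machine-generated
    return {"path": path, "ext": ext, "content_type": kind,
            "entropy": round(entropy, 2), "flags": flags}

def scan_directory(directory: str) -> dict:
    """Assess every regular file in a directory; results are keyed by file name."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = assess_file(full)
    return results

def build_sample_dir() -> str:
    """Write constructed sample files (not real evidence) into a temp directory."""
    d = tempfile.mkdtemp(prefix="encfiles_")
    samples = {
        # a JPEG header renamed to .txt, the trick described in the text
        "vacation.txt": b"\xff\xd8\xff\xe0" + b"JFIF placeholder image data " * 20,
        # an ordinary text file: no signature, low entropy
        "notes.txt": b"Meeting notes: review the quarterly figures on Monday.\n" * 20,
        # a .docx is a ZIP container, so a ZIP signature is expected, not a mismatch
        "report.docx": b"PK\x03\x04" + b"[Content_Types].xml placeholder " * 20,
        # generated name plus uniformly distributed bytes standing in for ciphertext
        "100455433798.094": bytes(range(256)) * 16,
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d

if __name__ == "__main__":
    for name, info in scan_directory(build_sample_dir()).items():
        print(f"{name:20} ext={info['ext']:5} content={info['content_type']} "
              f"entropy={info['entropy']} flags={info['flags']}")
```

The entropy threshold of 7.5 is a practical cut-off, not a proof: a short file or a file with a plaintext header followed by ciphertext can score lower, so treat the flag as a reason to look closer rather than a verdict.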

Decrypting Files

Assume that you have identified one or more encrypted files. What does the forensic investigator do next? The simple answer is to crack the encryption. The complete answer is a little more complex.

Before exhausting an investigative budget on the latest encryption busting utilities, take the simple approach first. Ask the suspect. If you haven’t found encryption keys written down or otherwise recorded in obvious places, just ask. If you’re lucky (and you might be), your suspect might provide the keys voluntarily. If asking doesn’t work or you know the suspect is unlikely to cooperate, use social engineering next. If a suspect can be convinced to divulge secrets like encryption keys, lots of time and work can be saved. Only resort to technical means when you have exhausted all conventional methods of collecting information.

Note

The suggestion to use social engineering doesn’t mean that forensic investigators should engage in questionable activities. Make sure all activities are documented and approved before you engage in social engineering activities. Evidence that the court deems as inadmissible is worthless to any case.

First, evaluate the type of encryption you see. A common type of encryption is provided by popular applications. Microsoft Office and WinZip both provide options to encrypt the contents of their data files. Although convenient, application-supported encryption tends to be very weak. A wide variety of utilities that specialize in cracking application encryption is available for use by forensic investigators. Here is a short list of utilities that help recover file contents of specific file formats:

Note

Many other utilities are available to help forensic investigators defeat application-specific file encryption. Their wide availability should emphasize that such encryption has far less value than generic file encryption algorithms. In short, don’t rely on any application vendor to provide strong embedded encryption for your own privacy needs.

After ruling out embedded encryption, forensic investigators need to move to more sophisticated methods. Always begin by looking for low-hanging fruit. Let’s assume you are looking at an encrypted document. Find out as much as possible about the file’s context. Here are a few questions to consider:

  • Does the file have a defined extension?
    • Unless you have information to the contrary, assume the file’s extension is valid.
    • Encrypting a file and then changing the extension to throw off an investigator is too much work for most people.
  • Where is the file located?
    • File location, especially unusual locations, may give clues to the originating application.
    • If you find files stored in unusual locations, check the default document directories for installed applications. That information might tell you what application created the file.
  • What application(s) likely created the file?
    • If you know, or suspect, what application created the file, see if the application uses a cache or temporary files.
    • Look at deleted files in the application’s temporary directory. Any files here are likely to include pre-encryption data.
  • What is the last access time for the file?
    • Look for any deleted files with access times just prior to the last access time of the encrypted file. Although good encryption utilities won’t leave such obvious traces behind, the application that generated the file might not be so careful.
  • Do installed applications create temporary files during creation/editing?
    • Attempt to recover all the files you can. Even the most innocent ones may be valuable.
  • Are there any files in the Recycle Bin?
    • Don’t laugh; it happens!
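A triage helper for the questions above, added here as an example and not code from the book: given a timeline of file system entries, it finds the entries accessed shortly before the encrypted file’s last access that are deleted, sit in an application’s working directory, or sit in the Recycle Bin, and guesses the originating application from the directory. The entries, timestamps and application directory fragments are constructed for the demonstration; the directory fragments are assumptions, not any product’s real defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Entry:
    path: str               # full path as recovered from the image
    last_access: datetime   # last-access timestamp from the file system
    deleted: bool = False   # True if the entry was recovered from unallocated space

# Assumed working-directory fragments per application (constructed for this
# example, not the real defaults of any product); matched case-insensitively.
APP_WORKING_DIRS = {
    "word processor": ("\\appdata\\local\\temp\\",),
    "image editor": ("\\appdata\\local\\imgedit\\cache\\",),
}
RECYCLE_HINTS = ("\\$recycle.bin\\", "\\recycler\\")

def likely_application(path: str):
    """Guess which application owns a path from its working directory."""
    p = path.lower()
    for app, fragments in APP_WORKING_DIRS.items():
        if any(f in p for f in fragments):
            return app
    return None

def related_artifacts(encrypted: Entry, entries, window=timedelta(minutes=30)):
    """Entries accessed within `window` before the encrypted file's last access
    that are deleted, live in an application working directory, or sit in the
    Recycle Bin; closest in time first."""
    start = encrypted.last_access - window
    found = []
    for e in entries:
        if e.path == encrypted.path or not (start <= e.last_access <= encrypted.last_access):
            continue
        reasons = []
        app = likely_application(e.path)
        if e.deleted:
            reasons.append("deleted")
        if app is not None:
            reasons.append("application_working_dir")
        if any(h in e.path.lower() for h in RECYCLE_HINTS):
            reasons.append("recycle_bin")
        if reasons:
            before = int((encrypted.last_access - e.last_access).total_seconds())
            found.append({"path": e.path, "application": app,
                          "reasons": reasons, "seconds_before": before})
    found.sort(key=lambda r: r["seconds_before"])
    return found

# Constructed timeline for the demonstration (not data from any real case).
ENCRYPTED = Entry(r"C:\Users\bob\Documents\100455433798.094", datetime(2024, 3, 4, 14, 32, 10))
TIMELINE = [
    Entry(r"C:\Users\bob\AppData\Local\Temp\~WRL0342.tmp", datetime(2024, 3, 4, 14, 29, 55), deleted=True),
    Entry(r"C:\$Recycle.Bin\$RQ7X2.doc", datetime(2024, 3, 4, 14, 31, 40)),
    Entry(r"C:\Users\bob\Documents\budget.xlsx", datetime(2024, 3, 4, 14, 31, 0)),
    Entry(r"C:\Users\bob\AppData\Local\Temp\~WRL0001.tmp", datetime(2024, 3, 4, 9, 12, 0), deleted=True),
    Entry(r"C:\Windows\System32\example.dll", datetime(2024, 3, 4, 14, 32, 0)),
    ENCRYPTED,
]

def triage_sample():
    """Run the triage over the constructed timeline."""
    return related_artifacts(ENCRYPTED, TIMELINE)

if __name__ == "__main__":
    for hit in triage_sample():
        print(f"{hit['seconds_before']:5}s before  {hit['path']}  "
              f"app={hit['application']}  reasons={hit['reasons']}")
```

The window is a judgement call: a document edited over an afternoon and encrypted at the end leaves working copies well outside a 30-minute window, so widen it when the first pass turns up nothing.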

These questions will get you started. The best outcome from searching for deleted and unencrypted copies of files is to find a pristine, unencrypted copy of the one file you need. Although it’s possible to find just what you’re looking for, it is more likely that you will simply find another piece of the puzzle. Any unencrypted file or file fragment that relates to an encrypted file increases the chances of successfully decrypting files. Let’s look at a few attack methods to decrypt suspect files.


Tales from the Trenches: Opening Encrypted Files

Customers retain computer forensic experts to open encrypted files from time to time.

One day, Bill, a previous client, contacted me and insisted I meet with him right away. Naturally, I told him I would be right over. He said we needed to meet “away from the office” and suggested a local restaurant where we could talk in private.

As soon as I arrived, Bill told me he was having major troubles at work with a small group of employees who he thought were planning to leave the company, form their own firm, and compete against him. Bill knew there was nothing he could do to keep the employees from leaving, but he wanted to ensure that they didn’t take any proprietary information belonging to his company with them when they left.

He was specifically concerned because the company’s “network guy” came to him and reported that he had recently observed an unusually large amount of network activity for a few employees, including accessing the customer database and billing system. While this type of access wasn’t against company policy and was within the employees’ job descriptions, it was unusual enough for the network guy to report it. Bill asked him to “keep an eye open” for any more unusual activity.

A few days later, the network guy informed Bill he observed an increase in the amount and size of e-mail these same employees were sending through the company e-mail server. When he explored further, he noted these employees sent a large number of encrypted e-mails to a former employee. He was, of course, unable to read the e-mails. Encryption wasn’t normally used by the company, but it wasn’t against the company policy to use encryption, either.

Bill needed proof that these employees were sending proprietary information out of the company to this former employee so that he could terminate their employment and so that he could obtain a “cease and desist” order against his former employee to prevent him from using the proprietary information.

As expected, while examining the employees’ computers, I located a large number of encrypted files and attempted to crack the password protection so I could see the content of the files. The employee protected the majority of files with PGP, a very strong encryption utility. I knew that the possibility of cracking a PGP-protected file was very slim, but I also knew that I had human nature working in my favor.

On one of the computers, I located a small collection of Microsoft Word documents that were password protected using the built-in Microsoft password-protection security. This protection scheme can be very simple to crack using a variety of available commercial cracking utilities. I was able to open each of these files within a few minutes and review their contents. The fact that none of these files had anything to do with the case didn’t deter me. I learned a long time ago that people are generally very lazy when it comes to choosing passwords and typically will use the same password in several places.

I attempted to use the recovered password to open the PGP files and was able to access all of the information that was stored on this employee’s computer. I located enough evidence to assist Bill in obtaining the “cease and desist” order and to terminate the employees without fear of being sued for wrongful termination.

Although this is one example of overcoming an encryption technology by using a weakness in the implementation of the technology (the human weakness of reusing passwords) and not a weakness in the technology itself, you will find many situations where a weak encryption technology works in the investigator’s favor.

Known Plaintext Attack

known plaintext attack

An attack to decrypt a file characterized by comparing known plaintext to the resulting ciphertext.

The known plaintext attack is a method of cracking encryption that uses the plaintext and the associated ciphertext. If a forensic investigator is lucky enough to have both the unencrypted and encrypted versions of a file, the relationship between the two can be analyzed and the encryption key deduced. Some archive file password crackers utilize this type of attack. Simply provide an unencrypted file and an encrypted ZIP archive, and the utility will compare the two and attempt to find the key used in the encryption.

As a part of an investigation, forensic investigators often have access to files that may appear to be unrelated to the evidence that is needed. Savvy forensic investigators won’t be deterred by this because they know these files could help provide the key the suspect used to encrypt the files. Keeping track of multiple encryption keys is difficult, so forensic investigators are often able to use that discovered key to decrypt other encrypted files.

Chosen Plaintext Attack

chosen plaintext attack

An attack to decrypt a file characterized by comparing ciphertext to a plaintext message you chose and encrypted.

Forensic investigators may have access to the encryption engine, but not the key. It is possible the encryption utility allows users to encrypt files using stored credentials without disclosing those credentials. In such cases, forensic investigators may be able to discover the encryption key using a chosen plaintext attack. In a chosen plaintext attack, you choose a plaintext, have the utility encrypt it, and then compare your chosen plaintext with the resulting ciphertext. After you create the plaintext and ciphertext, the attack progresses just like the known plaintext attack.

Brute Force Attack

The brute force attack method for decrypting files is the worst choice and should be used only after exhausting other methods. It uses the same approach as brute force password cracking. The utility tries every possible key value to see if the decryption results in an intelligible object. Use this option as your last resort.
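The three attacks described in the known plaintext, chosen plaintext and brute force sections, as one added example that is not code from the book. To keep every step visible it uses a deliberately weak toy cipher, repeating-key XOR, which is an assumption of this example and not any real encryption product: with known plaintext, XORing plaintext against ciphertext exposes the keystream; with an encryption oracle that uses a stored key, encrypting all-zero bytes returns the key directly; and brute force tries every key and keeps the one whose output looks most like English text. The sample key, sample files and the scoring rule are all constructed for the demonstration. The last function puts the “eventually” of the next section in numbers for a key size of the reader’s choosing.

```python
import string

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (done via big integers for speed)."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy cipher: repeating-key XOR. Encrypt and decrypt are the same operation."""
    stream = (key * (len(data) // len(key) + 1))[:len(data)]
    return xor_bytes(data, stream)

def recover_key_known_plaintext(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known plaintext attack: P XOR C is the keystream; its first key_len bytes are the key."""
    n = min(len(plaintext), len(ciphertext))
    if n < key_len:
        raise ValueError("need at least key_len bytes of matching plaintext and ciphertext")
    return xor_bytes(plaintext[:n], ciphertext[:n])[:key_len]

def recover_key_chosen_plaintext(encrypt_oracle, key_len: int) -> bytes:
    """Chosen plaintext attack: the oracle encrypts input of our choosing with a key
    it never shows us; all-zero input comes back as the key itself (0 XOR k = k)."""
    return encrypt_oracle(bytes(key_len))

# Crude "intelligible object" test: English text is mostly lowercase letters and spaces.
COMMON_TEXT_BYTES = (string.ascii_lowercase + " ").encode("ascii")

def intelligibility(candidate: bytes) -> float:
    """Fraction of bytes that are lowercase letters or spaces."""
    if not candidate:
        return 0.0
    unusual = len(candidate.translate(None, COMMON_TEXT_BYTES))
    return 1.0 - unusual / len(candidate)

def brute_force(ciphertext: bytes, key_len: int, head: int = 64):
    """Try every key value and keep the one whose output looks most like text.
    Work grows as 256**key_len; feasible only because the toy key is tiny."""
    sample = ciphertext[:head]
    best_key, best_score = None, -1.0
    for k in range(256 ** key_len):
        key = k.to_bytes(key_len, "big")
        score = intelligibility(xor_crypt(sample, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key

def brute_force_years(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to exhaust a key space of 2**key_bits keys, in years."""
    return 2 ** key_bits / keys_per_second / (365.25 * 24 * 3600)

# Constructed sample data: a two-byte key, one file the investigator already has
# in the clear, and a second file encrypted under the same reused key.
SECRET_KEY = b"\x5a\xa7"
KNOWN_FILE = b"Quarterly budget summary for the board, draft 3.\n"
SECOND_FILE = b"Customer list and pricing, do not distribute.\n"
KNOWN_CIPHERTEXT = xor_crypt(KNOWN_FILE, SECRET_KEY)
SECOND_CIPHERTEXT = xor_crypt(SECOND_FILE, SECRET_KEY)

def encrypt_with_stored_key(data: bytes) -> bytes:
    """Stands in for a utility that encrypts with stored credentials it never displays."""
    return xor_crypt(data, SECRET_KEY)

def demo() -> dict:
    """Run all three attacks against the constructed data and decrypt the second file."""
    k_known = recover_key_known_plaintext(KNOWN_FILE, KNOWN_CIPHERTEXT, len(SECRET_KEY))
    k_chosen = recover_key_chosen_plaintext(encrypt_with_stored_key, len(SECRET_KEY))
    k_brute = brute_force(SECOND_CIPHERTEXT, len(SECRET_KEY))
    return {
        "known_plaintext_key": k_known,
        "chosen_plaintext_key": k_chosen,
        "brute_force_key": k_brute,
        "second_file": xor_crypt(SECOND_CIPHERTEXT, k_known),  # key reuse exposes file 2
        "years_for_128_bit_key": brute_force_years(128, 1e9),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two points carry over to real tools: recovering a key from one file is only useful because the suspect reused it for the second, and the brute force step that finishes in well under a second here becomes a figure in the order of 10^22 years for a 128-bit key at a billion guesses per second, which is why the brute force option belongs at the bottom of the list.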

Which Way to Go?

Each type of attack requires different input, output, and access to the encryption utility. Always try the easiest methods first. If these don’t work, move on to more complex approaches. There are no guarantees that discovering a method to decrypt files will be successful within a reasonable timeframe. A brute force attack will always work eventually. However, remember that “eventually” can mean several thousand years.

Use what you can and take the time to think about the evidence. Evidence collection and analysis is very much like assembling a puzzle. Forget about the picture; look at how the pieces fit together.
