发新话题
打印

[转载]一篇介绍对加密文件进行分析取证的文章

[转载]一篇介绍对加密文件进行分析取证的文章

  信息来源:www.quzheng.com

Practical Approaches to Recovering Encrypted Digital Evidence

The threat [of encryption] is manifest in four ways: failure to get evidence needed for convictions, failure to get intelligence vital to criminal investigations, failure to avert catastrophic or harmful attacks, and failure to get foreign intelligence vital to national security. Encryption can also delay investigations, increase their costs, and necessitate the use of investigative methods which are more dangerous or invasive of privacy. (Demming, Baugh, 1997a)

Abstract
As more criminals use encryption to conceal incriminating evidence, forensic examiners require practical methods for recovering some or all of the encrypted data. This paper presents lessons learned from investigations involving encryption in various contexts. By presenting successful and unsuccessful case examples, this paper gives forensic examiners a clearer understanding of the feasibility and limitations of various approaches to dealing with encryption. Additionally, by demonstrating how encryption has been successfully dealt with in past investigations, this paper provides examiners with techniques that we can apply in our work and encourages us to aggressively confront encryption.

1.0 Introduction
As criminals become more aware of the capabilities of forensic examiners to recover digital evidence they are making more use of encryption technology to conceal incriminating data. Organized criminals use readily available encryption software (United States v. Scarfo) and online child pornographers encrypt their communications and the files they exchange (McAuliffe, 2001). Terrorist groups such as Al Qaeda are making use of encryption to protect the contents of their computers and their Internet communications (Kelley, 2002). Also, the Web site of the Earth Liberation Front encourages members to use encryption.

Since criminals generally encrypt the more incriminating communications and stored data, it is often exactly this evidence that investigators seek. Therefore, in addition to an understanding of cryptography, it is critical for forensic examiners to develop practical techniques for dealing with encryption to obtain some, if not all, of this digital evidence. This paper presents lessons learned from investigations involving encryption in various contexts. As strong encryption becomes more widely used by criminals, it is infeasible to attack the encryption directly using brute force methods. Instead, practical approaches to recovering encrypted data using readily available tools are discussed such as locating unencrypted copies of data, obtaining encryption passphrases, and guessing encryption passphrases. Legal challenges that arise when dealing with encryption are discussed and directions for future tool development are proposed.

2.0 Overcoming Weak Encryption
Computer intruders often use simple encryption to obfuscate network traffic and portions of rootkits they install on compromised systems to conceal their presence. One common form of simple encryption used by intruders is to exclusive OR (XOR) each byte against the value 255 (0xFF), effectively inverting every byte in the file. In one case, examiners found a configuration file that they suspected was a key component of a rootkit but appeared to contain only binary data. Viewing the file using a hexadecimal viewer showed that all of the characters in the file were above decimal value 127. This absence of ASCII characters suggested some form of character substitution. Guessing that XOR was used, the examiners reversed the encryption to reveal the contents of the rootkit configuration file shown here:

# perl -e 'while () { print ~$_; }' palmcrypt -d B8791D707A2359435082DA4E599FBE4BEE675CCE541B346C041B6C55AE81CDF
PalmOS Password Codec
kingpin@atstake.com
@stake Research Labs
http://www.atstake.com/research
August 2000
0x62 0x69 0x72 0x74 0x68 0x64 0x61 0x79 [birthday]

Substitution ciphers are another popular form of weak encryption that are relatively easy to reverse but can absorb a significant amount of time. Obviously, such simple encryption schemes are less appealing to criminals when they want to conceal incriminating evidence of more serious crimes.

3.0 Strong Encryption: The Cost of Brute Force Attacks
Secret and public key encryption schemes provide offenders with a higher degree of protection, making it more difficult for forensic examiners to access evidence. When an encryption algorithm like DES is used, it is theoretically possible to try every possible key to decrypt a given piece of ciphertext. However, this approach requires significant computing power to run through the vast number (2^56, over 72 quadrillion) of potential decryption keys and can take an inordinate amount of time depending on the strength of the encryption.

There are some inexpensive solutions for brute forcing 40-bit encryption in certain file types. For instance, Access Data’s Distributed Network Attack (DNA) application can brute force Adobe Acrobat and Microsoft Word/Excel files that are encrypted with 40-bit encryption as shown in Figure 1. Beowulf clusters are another inexpensive option for brute force attacks, making use of readily available computer equipment to create powerful parallel processing.



Figure 1: Decrypting MS Word files using Distributed Network Attack (DNA)

So, anyone with a cluster of approximately 100 off-the-shelf desktop computers and the necessary software can attempt every possible 40-bit key in 5 days. For example, the Wall Street Journal was able to decrypt files found on an Al Qaeda computer that were encrypted using the 40-bit export version of Windows NT Encrypting File System (UK Usborne, 2002).

However, Microsoft Windows EFS generally uses 128-bit keys and because each additional bit doubles the number of possibilities to try, a brute force search quickly becomes too expensive for most organizations or simply infeasible, taking million of years. Therefore, before brute force methods are attempted, some exploration should be performed to determine if the files contain valuable evidence and if the evidence can be obtained in any other way.

4.0 Practical Approaches to Recovering Encrypted Files
In theory strong encryption can create an insurmountable challenge for forensic examiners. In practice, encryption applications have weaknesses that can be exploited to recover some or all encrypted data. Additionally, general human use of encryption software introduces weaknesses such as selecting weak passphrases or writing strong passphrases down.

The crypt utility on Unix machines clearly demonstrates some of the weaknesses of relatively strong, secret key encryption.

% crypt -key ‘birthday’ ciphertext

One obvious weakness is the plaintext file. If the plaintext file is simply deleted rather than wiped, it may be possible to recover this copy from the hard disk. Furthermore, if the plaintext file was stored in memory, swapped to disk, or backed up to external media, it may be possible to retrieve some or all of
this data.

Another obvious weakness in the above example is the secret key. If an easy to remember key such as “birthday” is used, it may be possible for someone to guess it and gain access to the encrypted data. If a difficult to remember key is used, it may be necessary for the user to write it down in a location that can be referenced the next time the data is decrypted, potentially exposing it to others. Additionally, it is possible for someone to observe the secret key as it is typed into the system or by capturing keystrokes or simply looking over the user’s shoulder. It may be possible for an attorney or judge to convince or compel a suspect to disclose the secret key.

Public key algorithms like Pretty Good Privacy (PGP) , S/MIME, and SSL have similar weaknesses that will be discussed in more detail in the following subsections. For instance, Ramsey Yousef, a major participant in several terrorist attacks including the 1993 bombing of the World Trade Center, stored information about planned attacks on his laptop in encrypted form but investigators were able to recover plaintext versions (Demming, Baugh, 1997b). Yousef’s encryption passphrase was also obtained, enabling investigators to verify that the plaintext files matched the encrypted versions.

4.1 Finding Unencrypted Copies of Data
At some point before data is encrypted, it exists in unencrypted form. For example, while a file is being encrypted using EFS a temporary copy of the plaintext is made in case a problem is encountered during the encryption process. Also, the plaintext might be stored temporarily in a paging file (pagefile.sys) prior to encryption. If data was decrypted and re-encrypted for any purpose, it may have been stored temporarily on disk. For instance, if an EFS encrypted file is printed and the System32SpoolPrinters folder is not encrypted, spool files will contain unencrypted copies of the encrypted files.

In one case the offender used PGP to encrypt Microsoft Word do*****ents. Although the original do*****ents were wiped, fragments of the files were scattered around the disk in deleted MS Word temporary files, some of which could be found by searching for Microsoft Word headers. The fragments that were located in this initial search contained metadata similar to the following:

.S.U.S.P.E.C.T...N.A.M.E...C.:.S.E.C.R.E.T..P.R.I.V.A.T.E...doc...p.g.p...
S.U.S.P.E.C.T...N.A.M.E.

Searching the disk for this and other similar metadata, the examiner found many additional fragments that were not retrieved in the initial search, the most interesting of which contained dates in a particular format (e.g, 1./.2.9./.0.1). Another search for occurrences dates in the same format revealed a large number of
additional fragments.

Although it may not be possible to confirm that the recovered evidence is identical to an encrypted file, this may not be necessary once the incriminating evidence is in hand. This issue becomes less clear when unencrypted versions of data are obtained by searching a database of known files for characteristics of pre-encrypted files such as names and original file sizes. For instance, in United States v. Hersh:

… encrypted files found on a high-capacity Zip disk. The images on the Zip disk had been encrypted by software known as F-Secure, which was found on Hersh's computer. When agents could not break the encryption code, they obtained a partial source code from the manufacturer that allowed them to interpret information on the file print outs. The Zip disk contained 1,090 computer files, each identified in the directory by a unique file name, such as "s*****mo2," "naked31," "boydoggy," "dvsex01, dvsex02, dvsex03," etc., that was consistent with names of child pornography files. The list of encrypted files was compared with a government database of child pornography. Agents compared the 1,090 files on Hersh's Zip disk with the database and matched 120 file names. Twenty- two of those had the same number of pre-encryption computer bytes as the pre-encrypted version of the files on Hersh's Zip disk. (Unites States v. Hersh)


This methodology is open to criticism given the probability of two different files having the same name and size. Finding 22 matches increases the chances that the encrypted files contain child pornography but such assumptions are difficult to verify without decrypting the files.

Another source of unencrypted data is in RAM. For instance, if the contents of an application window (such as Outlook’s e-mail composition window) is encrypted using PGP, a copy of the plaintext is often held in memory by the application. Similarly, when PGP is used to encrypt or decrypt text on Windows 2000, a copy of the plaintext is held in memory by PGPtray for an indefinite period. The memory of this process can be dumped to a file using a program like pmdump and searched for unencrypted data as shown here:

D:>pslist pgptray
Name Pid Pri Thd Hnd Mem User Time Kernel Time Elapsed Time
PGPtray 1332 8 7 150 1264 0:00:00.060 0:00:00.270 2:20:33.466
D:>pmdump 1332 pgptray.mem
D:>less pgptray.mem

_^@^@^@^@^@^@^@^@_^@^V^@^@^@^P^@__^V^@`
曾几何时,有人对我说:装B遭雷劈。我说:去你妈的。于是,这个人又对我说:如果再说脏话,上帝会惩罚你的。我说:我操上帝。结论:彪悍的人生不需要上帝。

TOP

发新话题