Digital Forensics and Encryption
Written by Andy Spruill   

Miss the photos and figures?
View, read, share, save, and print this article
as it appeared in the print edition now, online!


Advertisement

The use of encryption technology to protect computer data is growing—and that fact presents a challenge for forensic investigators. Without a decryption key, forensic tools cannot be used to find digital evidence. Even with the key, searching encrypted data can be tricky and time consuming. Below are some answers to common questions about trends in the use of encryption and what investigators can do to get as much evidence as possible from an encrypted file or drive.

Q: Why is the use of encryption growing in popularity?
A: Corporations and computer users like the idea of encryption as a way to protect their sensitive or personal data from breaches, but the average user still sees this technology as burdensome or too time consuming to implement on a constant basis. So the move to encryption is not necessarily coming from the users. Instead it is coming from hardware and software companies who are embedding encryption technology into their products. The BlackBerry is a good example because all data is encrypted and this protection is automatic. More important, the use of the encryption technology is completely invisible to the user.

Q: What is the impact of encryption on forensic investigation?
A:
As investigators, we are limited to the information on the device that we can access. If a hard drive is fully encrypted, we have no easy access to the stored data and our investigative options become limited. The first thing an investigator must do is to determine the level and extent of the encryption. Weak passwords can be cracked, but if the user has implemented a strong password it becomes almost impossible to access via brute force methods. It could be that just a few files are encrypted and there could be unencrypted copies elsewhere on the device. The user could also be a creature of habit and use the same set of passwords. These passwords can be quickly located in easily decipherable formats throughout the system. In all cases, though, I tell investigators that digital evidence is just one piece of the body of evidence in a case. Don’t fall into a trap where you spend too much time trying to decrypt a potentially probative item, when valuable unencrypted data may be found by simply continuing your examination.

Q: Are more criminals turning to encryption?
A:
Not in our experience. Again, most users, including criminals, like the idea—but they just don’t have the knowledge or patience to implement it on a continued-use basis. The majority of the encryption we have seen used is in corporate systems and typically it is not an issue as the company has the passwords. This allows us to leverage the software and hardware tools they already have to easily access the data. Once the data is decrypted an investigator can apply a forensic toolset to gather and analyze the stored data.

Q: Is there a greater chance of damaging or corrupting the encrypted evidence?
A:
There is always a slight chance when working with electronic media that data may be damaged or corrupted. The best advice I can give is to keep your evidence-handling procedure reasonable and defensible. Reasonable means using industry-standard tools. Defensible means you thoroughly document the process.

The bigger concern is that all of the data on the drive must be decrypted—and that can take hours. As you work a drive to decrypt this data, that drive could fail. Thus, it is important to be sure that your forensics tool supports encrypted data, which makes the process more seamless while contributing to the defensibility of the procedure.

Q: What new techniques do investigators need to consider when they come across an encrypted drive?
A:
For many investigators this is a new area. First, they should try to determine the extent of the encryption. There are many tools that allow you to encrypt the whole hard drive, a portion of the disk space, or even individual files. An investigator should first determine whether the whole drive is encrypted; if not, then they can scan for encrypted files. If encryption software like Encrypt It or TrueCrypt is on the drive, then there is a reasonable expectation that the user may have encrypted some of the content. Examiners can analyze the use of these applications and learn just how often and when an encryption program has been run. This can lead to a search for other digital files that were being accessed around the same time periods.

If there is encrypted information on the disk, the next step is to use any known passwords. So far courts in the United States have been reluctant to force defendants to divulge their personal passwords, but people are creatures of habit and they tend to use a single small set of passwords for everything. These can be found in many places on the hard drive where they are easily deciphered. For example, many web browsers allow a user to store their passwords for various websites. The repository where those passwords are stored is generally easy to crack.

The investigator has more options if certain files are encrypted. Computers are redundant by nature. The data that is inside the encrypted volume had to come from somewhere (another device for example) or it might be spread across the drive outside of the encrypted file.

For example, Microsoft Word automatically writes copies of a document to a hard drive as it is being modified. This way, the user has a backup if the computer fails. When that document is closed, the program deletes all the temporary versions. If you encrypt the document and you delete the original document, your machine still has the deleted files that can be accessed by using forensics. Another example: When a suspect is working with digital photos, thumbnail images are always being created. Finding non-encrypted copies of files will not always be possible, but investigators can and should look for copies of the data across all relevant devices.

About the Author

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it is the senior director of risk management for Guidance Software. He is also a reserve police officer for the Westminster (California) Police Department.

 
< Prev   Next >






Recovering Latent Fingerprints from Cadavers

IN A HOMICIDE CASE, the recovery of latent impressions from a body is just one more step that should be taken in the process of completing a thorough search. This article is directed at crime-scene technicians and the supervisors who support and direct evidence-recovery operations both in the field and in the controlled settings of the medical examiner’s office or the morgue under the coroner’s direction.

Read more...