9.

Antiforensics
Topics

 Encryption
 Breaking Encryption
 Hiding and Destroying Data
Antiforensics

 Techniques to manipulate, erase, or

obfuscate digital data to make its
examination difficult, time-consuming,
or virtually impossible
Private Browsing
Simple Privacy Methods

 Weak, relatively ineffective

 Delete cookies
 Clear temporary internet files
 Clear history
 Changing filenames and extensions
 Burying files in unrelated directories
 Real obstacles to forensic examiners
 Hiding files within other files (steganography)
 Encryption
Encryption
Protecting Secrets

 We all need encryption for

 Credit card #s
 Passwords

 Medical data
 Without
encryption, the Web would be
much less useful
Encryption Defined

 Encryption converts data from plaintext

(readable) to ciphertext (scrambled)
 Algorithm is the mathematical process
to encrypt and decrypt the message
 Key is a value needed to encrypt and
decrypt the data, usually a long random
series of bits, sometimes derived from a
password or passphrase
Caesar Cipher

 Shift each letter forward one character

 ABCDEFGHIJKLMNOPQRSTUVWXYZ
 BCDEFGHIJKLMNOPQRSTUVWXYZA
 CCSF --> DDTG
ROT13
 Shift each letter forward 13 characters
 ABCDEFGHIJKLMNOPQRSTUVWXYZ
 NOPQRSTUVWXYZABCDEFGHIJKLM
 CCSF --> PPFS  CCSF
 Encrypting with ROT13 twice returns you to plaintext
 Decryption algorithm = Encryption algorithm
 Very weak - obfuscation, not encryption
 Used in TypedURLS registry key, and for passwords
in an early version of Netscape (Link Ch 6a)
Symmetric Cryptography

One key encrypts and decrypts data

Cleartext with Key makes Ciphertext

Winning Lotto #s: aWDHOP#@-w9

Ciphertext with Key makes Cleartext

aWDHOP#@-w9 Winning Lotto #s:

11
Asymmetric Cryptography Algorithms
 Use two keys that are mathematically related
 Data encrypted with one key can be decrypted only with the
other key
 Another name for asymmetric key cryptography is public key
cryptography

 Public key: known by the public

 Private key: known only by owner

12
Asymmetric Cryptography

Cleartext with Public Key makes Ciphertext

Winning Lotto #s: aWDHOP#@-w9

Ciphertext with Private Key makes Cleartext

aWDHOP#@-w9 Winning Lotto #s:

13
Popular Algorithms

 Symmetric Encryption
 DES, 3DES, AES, Blowfish
 Asymmetric Encryption
 RSA, ECC, ElGamal
 Themost secure algorithms are open-
source
 Proprietary,
secret algorithms are almost
always insecure
Keys

 A sequence of random bits

 The range of allowable values is called a
keyspace
 The larger the keyspace, the more secure
the key
 8-bitkey has 28 = 256 values in keyspace
 24-bit key has 224 = 16 million values
 56-bit key has 256 = 7 x 1016 values
 128-bit key has 2128 = 3 x 1038 values
15
Brute Force Attack

 In1997 a 56-bit key was broken by

brute force
 Testing all possible 56-bit keys
 Used 14,000 machines organized via
the Internet
 It took 3 months
 See link Ch 6d

16
How Many Bits Do You Need?
 How many keys could all the computers on
Earth test in a year?
 Pentium 4 processor: 109 cycles per second
 One year = 3 x 107 seconds
 There are less than 1010 computers on Earth
 One per person
 109 x 3 x 107 x 1010 = 3 x 1026 calculations
 128 bits should be enough (3 x 1038 values)
 Unless computers get much faster, or someone
breaks the algorithm
17
Practical Key Lengths

 Private keys of 128 bits or longer are

practically unbreakable at the
moment
 Public keys must be much longer
 2048 bits is the minimum recommended
key size for RSA (length Ch 6b)
Common Encryption Products

 Windows 7: BitLocker and EFS

 Apple: FileVault
 Linux: TrueCrypt

 Full Disk Encryption

 Much safer
 Does not encrypt a "boot partition"
 File and Folder encryption
Encrypting File System (EFS)

 In File Properties in Windows

 Easy to use
 Uses password to make a key
 Part of the NTFS file system
BitLocker

 Encrypts entire system partition

 BitLocker To Go encrypts USB sticks
 Requires Windows 7 Ultimate
 But it's available in all versions of Windows 8
 Uses Trusted Platform Module chip
 Bestforensic method: seize the running,
logged-in machine
 BitLocker is decrypted at that point
Apple FileVault

 128 bit AES

 Can encrypt whole drive
 Keys can be backed up with Apple
TrueCrypt

 Free open-source software

 Runs on Linux, Mac, or Windows
 Can encrypt part or all of a disk
 Can use AES, Serpent,or Twofish
 256-bit keys
Breaking Encryption
Breaking Passwords

 Ask the user for it

 Brute force attack
 Use every possible combination of characters
 Dictionary attack
 Use passwords from a dictionary of common
passwords
 Reset Passwords
 Possible with administrator privileges or a hacking
tool like UBCD
 Won't get you into EFS-encrypted files
Custom Dictionary

 Acquire the hard disk (and RAM, if possible) of

the evidence machine
 Extract all strings
 Use that as the password dictionary
Password Cracking Tools

 Password Recovery Toolkit (PRTK) from

AccessData
 John the Ripper
 Cain
 Ophcrack
 Hashcat (in Backtrack)
PRTK's Biographical Dictionary
Generator
Breaking BitLocker

 Cold Boot Attack

 Freeze the RAM and recover the key
 Dissolvethe TPM chip and recover the
key with a microelectrode
 Both are exotic, impractical attacks
 User may have backed up the key in a
Microsoft account (Ch 7c)
Steganography
Steganography
 Hiding a
payload file
inside another
carrier file
 Used by Osama
Bin Laden and
Russian spies
(link Ch 6d)
Steganography Detection Tools

 Link Ch 6e
Hiding and Destroying
Data
Data Destruction
 Drive Wiping
 Darik's Boot and Nuke (DBAN)
 Window Washer
 Evidence Eliminator
 Mac OS X Secure Erase
 Many others
 Some erase whole disk, some only erase files or
unused blocks, others erase only header & footer
 Presence of these tools may be treated as evidence
of guilt in court
 Especially if they were used just before evidence seizure
Some Wipers use Repeating
Patterns
 This is a sign of disk erasure
Defragmentation

 Moves clusters to tidy up disk

 Makes files open faster
 Causes some sectors to be overwritten
 Automatically performed weekly in
Windows 7