Module 5-3 - Computer-Forensics

The document discusses techniques for hiding and protecting digital data from forensic analysis, including encryption, steganography, and data destruction methods. Encryption can be symmetric which uses a shared key or asymmetric which uses public/private keys. Weak encryption methods like ROT13 provide only obfuscation. Tools like BitLocker and TrueCrypt can fully encrypt drives or partitions. Steganography hides data within carrier files like images or audio. Data wiping tools can erase disk contents securely but may indicate an attempt to destroy evidence if used before seizure.

Uploaded by

dungnthe172688

Module 5. Antiforensics (part 3)
Topics

• Encryption
• Breaking Encryption
• Hiding and Destroying Data
Antiforensics

• Techniques to manipulate, erase, or obfuscate digital data to make its examination difficult, time-consuming, or virtually impossible
Private Browsing
Simple Privacy Methods

• Weak, relatively ineffective
– Delete cookies
– Clear temporary internet files
– Clear history
– Changing filenames and extensions
– Burying files in unrelated directories
• Real obstacles to forensic examiners
– Hiding files within other files (steganography)
– Encryption
Encryption
Protecting Secrets

• We all need encryption for
– Credit card #s
– Passwords
– Medical data
• Without encryption, the Web would be much less useful
Encryption Defined

• Encryption converts data from plaintext (readable) to ciphertext (scrambled)
• Algorithm is the mathematical process to encrypt and
decrypt the message
• Key is a value needed to encrypt and decrypt the data,
usually a long random series of bits, sometimes derived
from a password or passphrase
Caesar Cipher

• Shift each letter forward one character
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• BCDEFGHIJKLMNOPQRSTUVWXYZA
• CCSF --> DDTG
ROT13
• Shift each letter forward 13 characters
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• NOPQRSTUVWXYZABCDEFGHIJKLM
• CCSF --> PPFS --> CCSF
• Encrypting with ROT13 twice returns you to plaintext
• Decryption algorithm = Encryption algorithm
• Very weak—obfuscation, not encryption
• Used in the TypedURLs registry key, and for passwords in an early version of Netscape
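The two slides above can be tried out with the following added example (it is not part of the course material): a generic Caesar shift, ROT13 as the shift-13 special case, and an exhaustive search of all 25 non-trivial shifts scored by English letter frequency. The sample plaintext, the frequency table and all function names are constructed for the demo; the point is that a 25-value keyspace is recovered instantly without knowing the "key", which is why the slide calls ROT13 obfuscation rather than encryption.

```python
# Approximate relative frequency (percent) of letters in English text.
ENGLISH_FREQ = {
    'E': 12.7, 'T': 9.1, 'A': 8.2, 'O': 7.5, 'I': 7.0, 'N': 6.7, 'S': 6.3,
    'H': 6.1, 'R': 6.0, 'D': 4.3, 'L': 4.0, 'C': 2.8, 'U': 2.8, 'M': 2.4,
    'W': 2.4, 'F': 2.2, 'G': 2.0, 'Y': 2.0, 'P': 1.9, 'B': 1.5, 'V': 1.0,
    'K': 0.8, 'J': 0.2, 'X': 0.2, 'Q': 0.1, 'Z': 0.1,
}

# Constructed sample message used by the brute-force demo below.
SAMPLE_PLAINTEXT = "MEET ME AT THE STATION AT TEN TONIGHT AND BRING THE EVIDENCE"


def caesar(text, shift):
    """Shift every ASCII letter forward by `shift` positions (negative = backward).
    Digits, spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if 'A' <= ch <= 'Z':
            out.append(chr((ord(ch) - ord('A') + shift) % 26 + ord('A')))
        elif 'a' <= ch <= 'z':
            out.append(chr((ord(ch) - ord('a') + shift) % 26 + ord('a')))
        else:
            out.append(ch)
    return ''.join(out)


def rot13(text):
    """ROT13 is the Caesar shift of 13; because 13 + 13 = 26, applying it twice
    is the identity, so the same function both encodes and decodes."""
    return caesar(text, 13)


def score_english(text):
    """Sum the frequency weight of every letter; English-looking text scores highest."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def brute_force_caesar(ciphertext):
    """Try every one of the 25 possible shifts and return (shift, plaintext) for the
    candidate that looks most like English. No key needed: the keyspace is tiny."""
    best = max(range(1, 26), key=lambda k: score_english(caesar(ciphertext, -k)))
    return best, caesar(ciphertext, -best)
```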
Two kinds of Cryptography

Symmetric
1) Alice and Bob agree on a cryptosystem
2) Alice and Bob agree on a key
3) Alice takes her plaintext message and encrypts it using the encryption algorithm and the key. This creates a ciphertext message
4) Alice sends the ciphertext message to Bob
5) Bob decrypts the ciphertext message with the same algorithm and key and reads it

Asymmetric
1) Alice and Bob agree on a public-key cryptosystem
2) Bob sends Alice his public key
3) Alice encrypts her message using Bob's public key and sends it to Bob
4) Bob decrypts Alice's message using his private key

http://fpt.edu.vn 06/04/24 11
Problems

Symmetric
• Keys must be distributed in secret
• If a key is compromised, Eve (eavesdropper) can
  – decrypt any message
  – pretend to be one of the parties
• A network requires a great number of keys

Asymmetric
• Slow (~1000 times slower than symmetric)
• Vulnerable to chosen-plaintext attacks
Symmetric Cryptography
One key encrypts and decrypts data

Asymmetric Cryptography
Algorithms
• Use two keys that are mathematically related
– Data encrypted with one key can be decrypted only with the other key
• Another name for asymmetric key cryptography is public key cryptography
– Public key: known by the public
– Private key: known only by owner
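The "encrypted with one key, decrypted only with the other" property can be seen with textbook RSA on deliberately tiny primes, as in the following added example (not part of the course slides). The primes 61 and 53, exponent 17 and all function names are constructed for the demo; real RSA uses a 2048-bit modulus and randomised padding (OAEP), so this is for understanding the flow, not for protecting anything.

```python
from math import gcd


def keygen(p, q, e=17):
    """Build an RSA key pair from two primes.
    Returns (public, private), each as an (exponent, modulus) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def apply_key(key, block):
    """The RSA primitive block^k mod n; the same operation serves either key.
    Only the matching key of the pair reverses what the other one did."""
    k, n = key
    if not 0 <= block < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(block, k, n)


def encrypt_text(public, text):
    """Alice's step: encrypt with Bob's public key. The toy modulus only holds
    one byte per block, so each byte becomes its own ciphertext number."""
    return [apply_key(public, b) for b in text.encode()]


def decrypt_text(private, blocks):
    """Bob's step: recover every byte with his private key."""
    return bytes(apply_key(private, c) for c in blocks).decode()


def exchange(message):
    """The slide's asymmetric flow end to end: Bob generates a key pair and
    publishes the public half, Alice encrypts with it, Bob decrypts with the
    private half. Returns what Bob reads."""
    bob_public, bob_private = keygen(61, 53)  # constructed demo primes
    ciphertext = encrypt_text(bob_public, message)
    return decrypt_text(bob_private, ciphertext)
```

Applying the public key a second time to the ciphertext does not give the plaintext back; only the private exponent does, and the reverse direction (private then public) is the basis of digital signatures.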

Asymmetric Cryptography

Popular Algorithms

• Symmetric Encryption
– DES, 3DES, AES, Blowfish
• Asymmetric Encryption
– RSA, ECC, ElGamal
• The most secure algorithms are open-source
– Proprietary, secret algorithms are almost always insecure
Keys

• A sequence of random bits
– The range of allowable values is called a keyspace
• The larger the keyspace, the more secure the key
– 8-bit key has 2^8 = 256 values in keyspace
– 24-bit key has 2^24 ≈ 16 million values
– 56-bit key has 2^56 ≈ 7 x 10^16 values
– 128-bit key has 2^128 ≈ 3 x 10^38 values

Brute Force Attack

• In 1997 a 56-bit key was broken by brute force
– Testing all possible 56-bit keys
– Used 14,000 machines organized via the Internet
– It took 3 months

How Many Bits Do You Need?

• How many keys could all the computers on Earth test in a year?
– Pentium 4 processor: 10^9 cycles per second
– One year = 3 x 10^7 seconds
– There are fewer than 10^10 computers on Earth
• One per person
– 10^9 x 3 x 10^7 x 10^10 = 3 x 10^26 calculations
– 128 bits should be enough (3 x 10^38 values)
• Unless computers get much faster, or someone breaks the algorithm

Practical Key Lengths

• Private keys of 128 bits or longer are practically unbreakable at the moment
• Public keys must be much longer
– 2048 bits is the minimum recommended key size for RSA
Common Encryption Products

• Windows 7: BitLocker and EFS
• Apple: FileVault
• Linux: TrueCrypt

• Full Disk Encryption
– Much safer
– Does not encrypt a "boot partition"
• File and Folder encryption
Encrypting File System (EFS)

• In File Properties in Windows
• Easy to use
• Uses password to make a key
• Part of the NTFS file system
BitLocker

• Encrypts entire system partition
• BitLocker To Go encrypts USB sticks
• Requires Windows 7 Ultimate
– But it's available in all versions of Windows 8
• Uses Trusted Platform Module chip
• Best forensic method: seize the running, logged-in machine
– BitLocker is decrypted at that point
Apple FileVault

• 128-bit AES
• Can encrypt whole drive
• Keys can be backed up with Apple
TrueCrypt

• Free open-source software
• Runs on Linux, Mac, or Windows
• Can encrypt part or all of a disk
• Can use AES, Serpent, or Twofish
• 256-bit keys
Breaking Encryption
Breaking Passwords

• Ask the user for it
• Brute force attack
– Use every possible combination of characters
• Dictionary attack
– Use passwords from a dictionary of common passwords
• Reset Passwords
– Possible with administrator privileges or a hacking tool like UBCD
– Won't get you into EFS-encrypted files
Custom Dictionary

• Acquire the hard disk (and RAM, if possible) of the evidence machine
• Extract all strings
• Use that as the password dictionary
Password Cracking Tools

• Password Recovery Toolkit (PRTK) from AccessData
• John the Ripper
• Cain
• Ophcrack
• Hashcat (in Backtrack)
PRTK's Biographical Dictionary Generator
Breaking BitLocker

• Cold Boot Attack
– Freeze the RAM and recover the key
• Dissolve the TPM chip and recover the key with a microelectrode
• Both are exotic, impractical attacks
• User may have backed up the key in a Microsoft account
Steganography
Steganography, or stego for short, is another and very effective way to conceal data.
SearchSecurity.com defines steganography as “the hiding of a secret message within an ordinary message and the extraction of it at its destination” (TechTarget, 2000).
Two files comprise the finished stego file:
- Carrier files can be image files, video files, audio files, or word processing documents, just to name a few
- The embedded secret document is called the payload

Steganography

• Hiding a payload file inside another carrier file
• Used by Osama Bin Laden and Russian spies
Steganography Detection Tools
Hiding and Destroying Data
Data Destruction

• Drive Wiping
– Darik's Boot and Nuke (DBAN)
– Window Washer
– Evidence Eliminator
– Mac OS X Secure Erase
• Many others
• Some erase whole disk, some only erase files or unused blocks,
others erase only header & footer
• Presence of these tools may be treated as evidence of guilt in
court
– Especially if they were used just before evidence seizure
Some Wipers use Repeating Patterns

• This is a sign of disk erasure
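What "repeating patterns as a sign of disk erasure" looks like in practice, as an added example that is not part of the course slides: a sector scanner that flags sectors filled with a single byte or a short repeating pattern and merges them into runs, the footprint a wiping tool leaves across what used to be file data. The disk image, sector layout, filler values and function names are all constructed for the demo; on a real case the acquired image file would be read in sector-sized chunks instead.

```python
SECTOR = 512


def repeating_unit(block, max_unit=4):
    """Return the shortest byte pattern (length <= max_unit) that tiles the whole
    block, or None if the block is not filler. Catches 0x00, 0xFF, 0x55AA and
    similar fixed patterns; a pattern length must divide the block size."""
    for size in range(1, max_unit + 1):
        if len(block) % size:
            continue
        unit = block[:size]
        if unit * (len(block) // size) == block:
            return unit
    return None


def find_pattern_runs(image, sector=SECTOR):
    """Return [(first_sector, sector_count, pattern), ...] for maximal runs of
    consecutive sectors filled with the same repeating pattern."""
    runs, current = [], None  # current = [start, count, pattern]
    for i in range(len(image) // sector):
        unit = repeating_unit(image[i * sector:(i + 1) * sector])
        if current is not None and unit == current[2]:
            current[1] += 1  # same filler as the sector before: extend the run
            continue
        if current is not None:
            runs.append(tuple(current))  # run ended: different filler or real data
        current = [i, 1, unit] if unit is not None else None
    if current is not None:
        runs.append(tuple(current))
    return runs


def wiped_regions(image, min_sectors=4):
    """Keep only runs long enough to matter: a lone zero sector is ordinary slack
    space, a long stretch of identical filler is the signature of a wipe."""
    return [r for r in find_pattern_runs(image) if r[1] >= min_sectors]


def fake_file_data(nbytes):
    """Deterministic stand-in for real file content; never tiles as a short pattern."""
    return bytes((i * 37 + 11) & 0xFF for i in range(nbytes))


def build_sample_image():
    """Constructed 20-sector image: 4 data, 6 zero-filled, 3 of 0x55AA, 2 data, 5 of 0xFF."""
    return (fake_file_data(4 * SECTOR) + b"\x00" * (6 * SECTOR)
            + b"\x55\xaa" * (3 * SECTOR // 2) + fake_file_data(2 * SECTOR)
            + b"\xff" * (5 * SECTOR))
```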


Defragmentation

• Moves clusters to tidy up disk
• Makes files open faster
• Causes some sectors to be overwritten
• Automatically performed weekly in Windows 7
Q&A