1 / 41

Encryption and Data Recovery

Encryption and Data Recovery. Originally adapted and expanded from “Practical Approaches to Recovering Encrypted Digital Evidence” IJDE 2002 1:3 By Robert Wesley McGrew and Josh Coffey. Introduction. Like any good tool, cryptography flexibly serves the needs of those who use it

kyne
Download Presentation

Encryption and Data Recovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Encryption and Data Recovery Originally adapted and expanded from “Practical Approaches to Recovering Encrypted Digital Evidence” IJDE 2002 1:3 By Robert Wesley McGrew and Josh Coffey

  2. Introduction • Like any good tool, cryptography flexibly serves the needs of those who use it • Anyone – Provides privacy, confidentiality, authentication, non-repudiation • Investigators – Security against tampering, confidentiality • Criminals – Protecting/Hiding illegal activities

  3. U.S. v. Scarfo • http://www.epic.org/crypto/scarfo.html • Much of this case is off-topic, but a couple of key points • A customized keystroke recorder was used to capture key/passphrase information for PGP • More pre-emptive than most computer forensics we discuss • Sets a tone for the sort of activities we may discuss and resort to, in order to recover evidence where encryption is used.

  4. Other (criminal) Uses of Cryptography • Child Pornographers • One of the primary reasons people cite for regulating/restricting the use of crypto • http://news.zdnet.co.uk/business/legal/0,39020651,2084388,00.htm • Communications via IRC, files traded via FTP, encrypted with BestCrypt • AES, etc, symmetric ciphers • no word on how keys were exchanged • http://www.password-crackers.com/crack3.html

  5. Other (criminal) Uses of Cryptography • Terrorism • Cases: http://www.cs.georgetown.edu/%7Edenning/crypto/cases.html • RSA and also custom crypto (was easily broken) • Note that there are cases where attempts at decryption failed, however other incriminating evidence was found • Plea bargain  keys, a useful trade • Lots of PGP usage

  6. The Rest of the Usual Suspects • Drug dealers • Hackers • White collar criminals • Nearly anyone that’s computer literate can implement this • If they don’t seem bright enough to have done it themselves, question the geek they hired to do it for them

  7. How common will encryption be? • Strong crypto tools are readily available • Interfaces to such tools are becoming more intuitive • More cases hinging on digital evidence encourages criminals to become more careful • In the push for security on personal computers, encryption is being integrated into the operating system • WinFS : http://msdn.microsoft.com/Longhorn/understanding/pillars/WinFS/default.aspx • EFS : http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp

  8. Symmetric Cryptography • Involves a single key, for both encryption and decryption • When used by itself, it is mostly used for encrypting data to be stored locally. • For data that is to be communicated, there is the problem of how to share the key (which we will address) • Algorithms involved: • AES • DES, Triple-DES • Tools: • BestCrypt • DriveCrypt • Many, Many others

  9. Asymmetric Cryptography • A relatively recent (70’s) discovery • Two can communicate securely, over an unsecured channel, without having a shared secret to start with. • Two keys • Public key – Made known to all, used to encrypt • Private key – Individual’s secret, used to decrypt • A passphrase protects the private key on the user’s machine • Slower, so usually used to communicate a key which can be used for further encrypted communications via symmetric • Most common implementation is PGP, GnuPG

  10. Why you’re in trouble if they did it right • Well known and used algorithms are very secure, mathematically. • Factoring is used as a one-way trapdoor function. It’s easy to compose a number as a product of primes, but hard to decompose it back. • Peer review

  11. Why you’re in trouble if they did it right • The implementations of these algorithms in commonly used software are often also quite secure • The more popular the product, the more likely it is that it has been discovered that it leaks data in some way, and fixed. • Good passphrases • Long, memorable, but random enough to make them hard to crack • Wastes a lot of your time with brute force attacks

  12. Brute Force is Our Last Resort • If modern cryptographic software is used correctly, with secure, long passphrases, we might be out of luck. • 2^1024 : 1.8 x 10^308 possible keys • Long, memorable passphrases are rarely random, but small, easily remembered changes would make them hard to guess • Beat it out of them (Not for the usual CS crowd) • What are some more creative ways of getting a key from a suspect?

  13. What they hopefully and probably did wrong • Single word passphrases • Sloppy procedures with their encryption software • Home-brew implementations/algorithms • Trusted the key to someone they shouldn’t have • Left enough unencrypted data on the media to work with

  14. A few questions • What types of encryption do you think would be easier to break in an investigation? • What kind of arguments can a suspect use to avoid assisting you in decrypting evidence? • What factors affect how long it may take an investigator to decrypt evidence? • Why might it be difficult to get companies/individuals/groups who write cryptography software to provide help/information?

  15. Attacking Simple Ciphers • One of the simplest ways of encrypting data is to take the XOR of the bits of plaintext against the bits of the key • 01010111 XOR 10111011 = 11101100 • With a repeating key, however, analysis can retrieve the key and plaintext • Index of coincidence • Frequency analysis • Why is this attack not possible if the lengths of plaintext and key are equal?

  16. …and after that, it just gets nasty • Beyond very trivial algorithms like XOR, cryptanalysis and brute force attacks do us less and less good • Exhaustive searches of the keyspace take 2^(bits in key) • 40 bit keys can be brute forced in reasonable time • However each additional bit doubles the time required to brute force the key

  17. Factors of Encryption Strength http://www.informit.com/guides/content.asp?g=security&seqNum=67 • Implementation quality • Password exposure in WEP’s RC4 • Location in time/space of cached keys • Key length/randomness

  18. A Question • With Windows moving towards a secure-by-default configuration in future versions, particularly regarding encrypted file systems, what techniques will investigators have to use to do the same job they do today? • Alternate techniques • Alternate sources of data

  19. Theory vs. Practice • Cryptographic algorithms and procedures are very secure in theory • Any software engineer will tell you, however, that translating requirements, specification, and design into a product is non-trivial • In reality, implementation/usage faults reduce the security of cryptographic solutions

  20. (Mis)management of plaintext/keys • Example given in the paper • Unix crypt utility • If the user simply deletes the plaintext file, it can be recovered with the usual techniques • If neither the application or the operating system wipes buffers containing plaintext in main memory, it may be recovered from volatile memory, swap, or RAM slack • The above also applies to keys

  21. Key vulnerabilities • Dictionary attacks • Keystroke recording (a la U.S. v. Scarfo) • Observation (shoulder-surfing) • Predictability • What ethical/legal issues would be involved in allowing a suspect to use his computer after it had been seized (with a copy of the evidence drive) in order to log keystrokes/passphrases?

  22. Dictionary attacks • Examples: • John the Ripper • Access Data’s Distributed Network Attack • Zip password crackers • http://www.netgate.com.uy/~fpapa/ • Dictionary attacks are parallelizable • Traditional clusters • Distributed cracking

  23. Leaking Data • PGP, and other tools may “leak” plaintext or keys in a recoverable way • Buffers hold plaintext or keys in memory and may be compromised while executing • Depending on what’s contained in the write buffer for the file-system, portions of plaintext or key previously in the buffers may be written out to disk as RAM slack at some point. • Paging to virtual memory may make some of the above even easier to exploit, or even leave buffers on the disk persistently in case of a crash.

  24. Unencrypted Copies • Filesystems where some directories are encrypted and some aren’t • Multiple filesystems of mixed encrypted/plain status • In all cases, it is possible that at some point, the suspect slipped up, or the normal operation of the OS created a copy of an encrypted file in an unencrypted location • Ex: EFS & printer spool directories

  25. Leaks in Application Software • Most applications leave temporary files, backup copies, etc. • Microsoft Office : backup, recovery • vi and emacs : ~ files • While crypto software may be carefully designed not to let data be written all over the place, most software used to manipulate and view data isn’t. • Management of these temporary/backup copies • Application : Rarely if ever wiped properly • User : Very likely that they’re sloppier in dealing with these than the actual data • File Signatures will help locate this data

  26. U.S. v. Hersh : Comparing Characteristics • Compare file attributes, sizes, etc. with known files to determine the likelihood that they contain the same data • What are some of the problems with this?

  27. Recovery from RAM • Using pmdump to recover plaintext from PGPtray • Demonstration

  28. Caught in the Act • If the computer is on at the time of seizure, there are some possibilities • Encrypted disks may be unlocked • Passphrases may be cached/saved • Encrypted files may be open in programs • Unencrypted data or keys may be in volatile memory • Are the risks of changing the system or triggering traps worth attempting to capture the above, vs. the standard “pull the plug” we usually discuss?

  29. Obtaining passphrases • Interrogation • Observation • Exploiting the reuse of passphrases • One program may use a passphrase as a key to unlock a private key, and do so securely • However if the suspect uses the same passphrase to unlock their Palm PDA, it may simplify matters down to cracking XOR. • Research published vulnerabilities in OS security (chntpw)

  30. Mining evidence for passphrases • Use tools such as Access Data’s PRTK (Password Recovery ToolKit) to build wordlists from unencrypted data for possible passphrases • Legal problems with overly broad searches? • Complexity involved with multi-word passphrases

  31. Why don’t you just ask nicely? • In some situations you may can cut them a deal • If they say they “forgot” a recently changed key, try to verify when it was changed • Intimidation works • Implication of guilt • Why is the knowledge of an encryption key not an implication of guilt? • 5th amendment rights

  32. Pitfalls of Trying to Obtain Passphrases • Be aware of wiretap laws when involving keystroke recorders or other monitoring software/hardware • Log all “guesses” • Passphrases may periodically change • Possibly a blessing in disguise, if passphrases for older data seized is easier to break.

  33. Key Verification • Duress passwords • One cryptotext expanding into two plaintexts • Actual Passphrase  Encriminating Evidence • Duress Passphrase  “Boring” Data • Duress passphrases may also trigger evidence destruction • How can we verify what the suspect has told us about the passphrase?

  34. Dead Man’s Switch • When seizing a computer, care must be taken when removing the hard drive • Removing the case may trigger encryption or destruction of drives • Long periods of time without suspect interacting with computer may trigger encryption/destruction • Requires a special breed of paranoia/expertise from the suspect, but it is a possibility • How else could you “rig” your computer in case of seizure?

  35. Encrypted Communications • Emails in transit • Network traffic • Wireless • Cell phones • Landlines • Etc etc etc

  36. Think like a hacker • Attempt to recover the data while it is plaintext, on either end of a communication • Man in the Middle Attacks • Arp spoofing

  37. The future of recovering encrypted data • Solutions to the problem of finding encrypted data (as opposed to simply random data) • The use of scanning-tunnelling microscopes and tools that can read from RAM after power-down • Intelligent generation of passphrases • In what way is this an arms race?

  38. Network Forensics and Encryption http://www.networknewz.com/networknewz-10-20021204Network-Forensics.html • Encryption may be more prevalent on network communications than filesystems • Certain information may be divulged even with encryption on networks: • Who is communicating with whom? • For how long? • Patterns of communication correlated to “real life” events • What would you have to do to hide the above information?

  39. Conclusions • The paper’s • Encryption is a problem, yet not insurmountable • There is the possibility of recovering plaintext and keys • The difficulty is in the individual investigator keeping up with the technology • Mine • The difficulty is that the quality of cryptographic tools will rise • It will become more difficult to perform investigations on computer hard drives • More evidence may be gathered from removable media, phones, PDAs, etc. • New seizure techniques that more reliably capture the state of the system need to be developed.

  40. Questions • Why wouldn’t government key escrow work to maintain investigators’ ability to read evidence? • How does encryption make things harder for smaller (not well funded) forensic investigators? • Do you believe that laws will be passed to compel suspects into giving up keys? • How many of you actually use encryption software? • For what purpose? • Who here is at least careful about encrypting network traffic?

  41. Mailing List Traffic • http://www.securityfocus.com/archive/104/308017 • http://www.securityfocus.com/archive/104/245451 • Encryption in a corporate situation • One entity both protecting and investigating • http://www.securityfocus.com/archive/104/150865 • More detailed information on different algorithm types • Sturgeon’s Law - http://www.jargon.net/jargonfile/s/SturgeonsLaw.html • http://www.securityfocus.com/archive/104/157984 • http://www.securityfocus.com/archive/104/327176 • Flaws in Windows’ EFS that investigators can exploit • http://www.securityfocus.com/archive/104/296272 • More hardware crypto, more mainstream acceptance of crypto due to DRM • http://www.securityfocus.com/archive/104/287393 • Detecting crypto

More Related