The accurate forensic examination of digital devices and computers has become more important that ever. Recent advancements in desktop operation systems have pushed availability of encryption to all users. Both Mac OS X and Windows 7 have encryption options as features out of the box. Entire hard disks and individual files both can be encrypted by current generations of operating systems. I will explore the creative ways law enforcement agents, forensic experts, and other attackers have discovered to defeat technologies such as BitLocker, and PGP Encryption. I will include overviews of the technologies and then the techniques used such as brute force attacks, algorithms, cracking and also non-mathematic ways to bypass the encryption schemes. I will discuss what files potentially store information that can be used to extract encryption keys. I would also like to cover the acquisition techniques that make conditions most favorable for investigators to defeat the encryption. This essay is a brief overview of the technologies, but is not a complete step-by-step manual on breaking encryption.
File System Encryption
Encrypting individual files first started to appear in mainstream computers with a technology called PGP (Pretty Good Privacy). PGP used open algorithms based around symmetric key encryption. PGP has a session key that is generated to encrypt the plaintext (Network Associates, Inc, 1999). PGP is great for adding some security when transferring files over the web. It should be noted that unless the original file is written over, the data could still be recovered in the disk free space. Typically a program or operating system uses technologies similar to RSA. Individual file encryption can leave information in plaintext, especially the file metadata, folder structure, and file attributes.
On the desktop Windows PC first integrated a technology called the “Encrypting File System” or EFS. EFS saves security certificates on the volume used to encrypt the file.
Private key is made with hashing of password/username or organizations public key. Using an organizations public key is useful incase a user forgets the password as the data could still be covered. Microsoft recommends users and administrators to enable EFS on directories and not individual files to ensure files are not left unencrypted (Microsoft | Technet, 2011). Microsoft mentions in multiple places on their support site that users should backup their certificates manually (Microsoft Support, 2009).
AccessData’s Forensic Toolkit will pull the security certificate from the drive and registry and use this information to decrypt the EFS almost automatically. FTK uses information about the user from the SAM files to accomplish this. Even if the files are deleted or destroyed FTK can build a wordlist and perform a dictionary/brute force attack on the EFS.
In previous versions of Mac OS X, namely the ‘Tiger’ release included a technology called FileVault. FileVault can encrypts blocks and portions of data into a ‘disk image.’ This technology has been known to be cracked by using some utilities available online(a software called ‘crowbar’). At this point these attacks use dictionary attacks with a wordlist built from the disk image. (Starcher)
Full Disk Encryption
Growing concerns around securing data brings on full disk encryption. Full disk encryption became integrated with the operating system on Windows based PCs with the release of Windows Vista and Windows 7. The technology is called BitLocker. BitLocker has some requirements, specifically a special chip called the “Trusted Platform Module” which essentially verifies that the hard disk has not been removed and installed into another machine in attempt to circumvent the security. If the motherboard fails with the TPM this could render the data useless on the drive.
Mac OS X has similar encryption features in its newest operating system revision, Mac OS X ‘Lion’ 10.7. The whole disk can be encrypted versus previous version that just did file system encryption. Within the operating system Apple gives users an option to store the recovery key using their ‘mobileme’ account. (Apple Support, 2011) Apple support says the key is then encrypted with the answers provided. Apple claims that you need to answer security questions with exact answers to recover this, but I question what a court order could do to recover this key.
Attacks on Full Disk Encryption
Cold Boot Attack
A phenomenon called memory remanence (J. Alex Halderman) is when useable data stays stored in RAM even after the power source is removed. A cold boot attack tries to recover the encryption keys from the computer’s memory. This requires physical access to the machine that has the encrypted disk, and it should be running, and hopefully logged in. The forensic examiner (or attacker) needs to cut the power quickly not letting the machine shut down cleanly. If the machine does shut down cleanly it will remove the contents of memory, and in our case the ever-important encryption keys. In fact recovering memory that has the power interrupted has at best 35 seconds to be dumped (unless it is cooled to extreme temperatures. The power consumption of RAM also plays a factor, the lower power consumption the greater the chance of recovery) (Anti-Forensics.com, 2010). The memory then should be rapidly cooled; in some cases using a can of compressed duster gas turned upside down may do the trick. The memory will hold its contents temporarily. Cooling it rapidly will increase this time. The memory must be transferred into a system that is ready to dump the contents of the memory to a hard disk for further examination to recover the keys. The other option is to boot that system right into a portable operating system and have an external drive handy to dump the contents of the RAM. Both options are very risky and typically you only will have one shot at success. It certainly should be practiced in the lab before it is attempted. The memory loses its contents quickly when the power is removed.
Certain IO systems on the computer may have direct memory access. Encryption keys have been recovered using this technique over the Firewire bus (Paul Baccas, 2008). Attackers using direct memory access as a path to encryption keys are less useful when using a machine equipped with the trusted platform module (Down, 2011). The best defense from this attack is again, physical security. Remove Firewire ports on these machines, lock down access for installing these cards and this attack will not be possible.
Virtual Memory Forensics
At this point we know the computer’s memory can be a gold mine when trying to crack encryption keys. In some cases the virtual memory may not be secure or encrypted. Maybe the full drive is not encrypted, maybe it’s on a separate drive, or maybe we have obtained the virtual memory files another way.
When modern operating systems use the entire physical memory it must use a ‘swap’ space. This space on windows based computers is known as the pagefile (pagefile.sys.). Fortunately for those looking to circumvent encryption keys, this space contains valuable information that could include important evidence.
With initiatives throughout the world around conserving energy and going green, Microsoft and other operating system providers have sought out ways to develop new ways to be energy efficient. One of the energy saving features is ‘hibernation mode.’ Hibernation mode essentially takes a snapshot of what is currently loaded in the system’s memory and dumps the contents to a file. This file also can contain a wealth of forensically important information.
These two snapshots of the memory can contain a plethora of important information about the system. Passwords, encryption keys, files that were opened temporarily, messages, e-mails, can usually be found in memory. More computers are implementing encryption and other password protection such as bit locker that is impossible to examine without the encryption keys.
The virtual memory file (pagefil.sys) is typically contained as a hidden file in the root C:. This is the main virtual memory file that sits on the hard drive. It’s important to note that the pagefile location can be moved and modified to increase system performance or to hide the file. One of the most common practices on Windows XP machines was to manually manage the pagefile.sys’ physical size; administrators did this as it was thought it would improve speed (Nichol, 2006).
Pagefile properties can be modified through the registry. A savvy user can setup the pagefile to be cleaned (cleared) when the system is shutdown, but this only happens when the system is shut down cleanly (Iqbal, 2009). In fact, administrators can force this cleaning of the pagefile via a group policy (Microsoft, 2011). If the plug is pulled for a power interruption the pagefile still should be intact. The pagefile stores 4KB chunks of data. It cannot be typically opened or manipulated by the user while the computer is running. There is some software that can read and edit the file at the disk level so it’s not entirely impossible, just unlikely at this time.
Laptops are becoming more and more popular, so proper examination of portable units is important. In most laptops, when the ‘lid’ is shut it will go into hibernation mode, instantly creating a forensically important file, hiberfil.sys.
Back to the green energy initiatives with computers: conserving power is important so hibernation mode was implemented. Hiberfil.sys contains the dumped memory contents, typically compressed at about 75%. Hibernation mode is configurable by the user, but in many organizations is a group policy enforced as a cost savings (Energystar.gov). Hiberfil is forensically interesting because it does not appear to be automatically cleaned. The memory dump has been known to contain Internet history, chat sessions, e-mail and even our encryption passwords in plaintext. Hibernation mode has a few technical limitations from Microsoft that should be considered. Windows XP, Vista, and Server 2003, 2008 couldn’t hibernate with greater than 4GB of memory (Microsoft Knowledge Base, 2008).
Forensic Toolkit (FTK) and Encase offer limited support to examine memory dumps. Using FTK or Encase, the files can be read in hex and text view. The examiner should be able to pull out certain strings using a plain-text search, possibly even passwords or keys. There are a few tools forensically important in attention to favorite forensic suites that will be needed for memory examination. A tool called MoonSols Windows Memory Toolkit (formerly called SandMan) can be used to dump, reassemble the compressed hiberfil.sys file (Kear, 2011). Many of the tools run on Linux based machines, so it should be noted that both Windows and Linux machines are needed to properly examine memory.
Finding one of these files useable may be an important lifeline for recovering encryption keys. Keep in mind these files can be manipulated or destroyed all together.
Breaking encryption involves a lot of patients, trial and error, and knowledge. There is no one sure way of recovering the encryption key that will work on every machine. Before trying any of these attacks, first practice on a test system. Many of the attacks describe only allow for one opportunity to recover the data.
Of course if you come across a machine using weak passwords, social engineering or key loggers cracking the encryption would be much easier than the above. It certainly helps to secure the physical access to the machine to prevent cracking the encryption schemes. Limit access to what interface an attacker (or examiner) has, and then you have an advantage. The encryption algorithms are very solid. Finding flaws in system design, human error or just catching a lucky break aids in the retrieval of the secret data.
Anti-Forensics.com. (2010, Feb). Windows Hibernation and hiberfil.sys. Retrieved from Anti-Forensics: http://www.anti-forensics.com/the-risks-of-windows-hibernation-the-hiberfil-sys-and-web-browsing
Apple Support. (2011, September). OS X Lion: About FileVault 2 . Retrieved from Apple | Support: http://support.apple.com/kb/HT4790
Energystar.gov. (n.d.). EZ GPO Installation Instructions & FAQs . Retrieved from Energy Star: http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_ez_gpo_faq
Down, P. (2011, March 11). 1394, DMA, and BitLocker. Retrieved from http://paulrobichaux.wordpress.com/2011/03/11/1394_dma_and_bitlocker/
Iqbal, H. (2009). Forensic Analysis of Physical Memory and Page File. Gjøvik University College.
J. Alex Halderman, S. D. Lest We Remember: Cold-Boot Attacks on Encryption Key. Communications of the ACM , 52 (5), 91-98.
Kear, S. (2011, Feb). Sam Kear Dot Com. Retrieved from Forensic Memory Dump Analysis Using Moonsols : http://samkear.com/forensics/forensic-memory-dump-analysis-using-moonsols
Network Associates, Inc. (1999). How PGP works. Retrieved from Introduction to Cryptography: http://www.pgpi.org/doc/pgpintro/
Nichol, A. (2006, Feb). Virtual Memory in Windows XP. Retrieved from http://www.aumha.org/win5/a/xpvm.php
Microsoft Knowledge Base. (2008, Apr). Microsoft Support. Retrieved from http://support.microsoft.com/kb/888575
Microsoft | Technet. (2011). 5-Minute Security Advisor – Using the Encrypting File System . Retrieved from http://technet.microsoft.com/en-us/library/cc722659.aspx
Microsoft. (2011). How EFS Works . Retrieved from Windows 2000 Server: http://technet.microsoft.com/en-us/library/cc962103.aspx
Microsoft Support. (2009, January 15). Best practices for the Encrypting File System. Retrieved from Microsoft Support: http://support.microsoft.com/kb/223316
Paul Baccas, K. F. (2008). OS X Exploits and Defense By P. Burlington, MA: Syngress.
Starcher, G. (n.d.). Software. Retrieved from Thoughts, tricks and tirades on technology today: https://www.georgestarcher.com/?page_id=256