Category Archives: School

Forensic Examination of Encrypted Systems


The accurate forensic examination of digital devices and computers has become more important that ever. Recent advancements in desktop operation systems have pushed availability of encryption to all users. Both Mac OS X and Windows 7 have encryption options as features out of the box. Entire hard disks and individual files both can be encrypted by current generations of operating systems. I will explore the creative ways law enforcement agents, forensic experts, and other attackers have discovered to defeat technologies such as BitLocker, and PGP Encryption. I will include overviews of the technologies and then the techniques used such as brute force attacks, algorithms, cracking and also non-mathematic ways to bypass the encryption schemes. I will discuss what files potentially store information that can be used to extract encryption keys.  I would also like to cover the acquisition techniques that make conditions most favorable for investigators to defeat the encryption.  This essay is a brief overview of the technologies, but is not a complete step-by-step manual on breaking encryption.

File System Encryption

Encrypting individual files first started to appear in mainstream computers with a technology called PGP (Pretty Good Privacy). PGP used open algorithms based around symmetric key encryption. PGP has a session key that is generated to encrypt the plaintext (Network Associates, Inc, 1999). PGP is great for adding some security when transferring files over the web. It should be noted that unless the original file is written over, the data could still be recovered in the disk free space. Typically a program or operating system uses technologies similar to RSA. Individual file encryption can leave information in plaintext, especially the file metadata, folder structure, and file attributes.

Windows EFS

On the desktop Windows PC first integrated a technology called the “Encrypting File System” or EFS. EFS saves security certificates on the volume used to encrypt the file.

Private key is made with hashing of password/username or organizations public key. Using an organizations public key is useful incase a user forgets the password as the data could still be covered. Microsoft recommends users and administrators to enable EFS on directories and not individual files to ensure files are not left unencrypted (Microsoft | Technet, 2011). Microsoft mentions in multiple places on their support site that users should backup their certificates manually (Microsoft Support, 2009).

AccessData’s Forensic Toolkit will pull the security certificate from the drive and registry and use this information to decrypt the EFS almost automatically.  FTK uses information about the user from the SAM files to accomplish this. Even if the files are deleted or destroyed FTK can build a wordlist and perform a dictionary/brute force attack on the EFS.

Apple FileVault

In previous versions of Mac OS X, namely the ‘Tiger’ release included a technology called FileVault. FileVault can encrypts blocks and portions of data into a ‘disk image.’ This technology has been known to be cracked by using some utilities available online(a software called ‘crowbar’). At this point these attacks use dictionary attacks  with a wordlist built from the disk image. (Starcher)

Full Disk Encryption

Growing concerns around securing data brings on full disk encryption.  Full disk encryption became integrated with the operating system on Windows based PCs with the release of Windows Vista and Windows 7. The technology is called BitLocker. BitLocker has some requirements, specifically a special chip called the “Trusted Platform Module” which essentially verifies that the hard disk has not been removed and installed into another machine in attempt to circumvent the security.  If the motherboard fails with the TPM this could render the data useless on the drive.

Mac OS X has similar encryption features in its newest operating system revision, Mac OS X ‘Lion’ 10.7. The whole disk can be encrypted versus previous version that just did file system encryption. Within the operating system Apple gives users an option to store the recovery key using their ‘mobileme’ account. (Apple Support, 2011)  Apple support says the key is then encrypted with the answers provided. Apple claims that you need to answer security questions with exact answers to recover this, but I question what a court order could do to recover this key.

Attacks on Full Disk Encryption

Cold Boot Attack

A phenomenon called memory remanence (J. Alex Halderman) is when useable data stays stored in RAM even after the power source is removed. A cold boot attack tries to recover the encryption keys from the computer’s memory.  This requires physical access to the machine that has the encrypted disk, and it should be running, and hopefully logged in.  The forensic examiner (or attacker) needs to cut the power quickly not letting the machine shut down cleanly. If the machine does shut down cleanly it will remove the contents of memory, and in our case the ever-important encryption keys.  In fact recovering memory that has the power interrupted has at best 35 seconds to be dumped (unless it is cooled to extreme temperatures. The power consumption of RAM also plays a factor, the lower power consumption the greater the chance of recovery) (, 2010).  The memory then should be rapidly cooled; in some cases using a can of compressed duster gas turned upside down may do the trick. The memory will hold its contents temporarily. Cooling it rapidly will increase this time.  The memory must be transferred into a system that is ready to dump the contents of the memory to a hard disk for further examination to recover the keys. The other option is to boot that system right into a portable operating system and have an external drive handy to dump the contents of the RAM.  Both options are very risky and typically you only will have one shot at success. It certainly should be practiced in the lab before it is attempted. The memory loses its contents quickly when the power is removed.

DMA Attacks

Certain IO systems on the computer may have direct memory access. Encryption keys have been recovered using this technique over the Firewire bus (Paul Baccas, 2008). Attackers using direct memory access as a path to encryption keys are less useful when using a machine equipped with the trusted platform module (Down, 2011). The best defense from this attack is again, physical security. Remove Firewire ports on these machines, lock down access for installing these cards and this attack will not be possible.

Virtual Memory Forensics

At this point we know the computer’s memory can be a gold mine when trying to crack encryption keys.  In some cases the virtual memory may not be secure or encrypted. Maybe the full drive is not encrypted, maybe it’s on a separate drive, or maybe we have obtained the virtual memory files another way.

When modern operating systems use the entire physical memory it must use a ‘swap’ space. This space on windows based computers is known as the pagefile (pagefile.sys.). Fortunately for those looking to circumvent encryption keys, this space contains valuable information that could include important evidence.

With initiatives throughout the world around conserving energy and going green, Microsoft and other operating system providers have sought out ways to develop new ways to be energy efficient. One of the energy saving features is ‘hibernation mode.’ Hibernation mode essentially takes a snapshot of what is currently loaded in the system’s memory and dumps the contents to a file.  This file also can contain a wealth of forensically important information.

These two snapshots of the memory can contain a plethora of important information about the system. Passwords, encryption keys, files that were opened temporarily, messages, e-mails, can usually be found in memory. More computers are implementing encryption and other password protection such as bit locker that is impossible to examine without the encryption keys.



The virtual memory file (pagefil.sys) is typically contained as a hidden file in the root C:. This is the main virtual memory file that sits on the hard drive. It’s important to note that the pagefile location can be moved and modified to increase system performance or to hide the file. One of the most common practices on Windows XP machines was to manually manage the pagefile.sys’ physical size; administrators did this as it was thought it would improve speed (Nichol, 2006).

Pagefile properties can be modified through the registry. A savvy user can setup the pagefile to be cleaned (cleared) when the system is shutdown, but this only happens when the system is shut down cleanly (Iqbal, 2009). In fact, administrators can force this cleaning of the pagefile via a group policy (Microsoft, 2011).  If the plug is pulled for a power interruption the pagefile still should be intact. The pagefile stores 4KB chunks of data. It cannot be typically opened or manipulated by the user while the computer is running.  There is some software that can read and edit the file at the disk level so it’s not entirely impossible, just unlikely at this time.


Laptops are becoming more and more popular, so proper examination of portable units is important. In most laptops, when the ‘lid’ is shut it will go into hibernation mode, instantly creating a forensically important file, hiberfil.sys.

Back to the green energy initiatives with computers: conserving power is important so hibernation mode was implemented. Hiberfil.sys contains the dumped memory contents, typically compressed at about 75%. Hibernation mode is configurable by the user, but in many organizations is a group policy enforced as a cost savings ( Hiberfil is forensically interesting because it does not appear to be automatically cleaned.  The memory dump has been known to contain Internet history, chat sessions, e-mail and even our encryption passwords in plaintext. Hibernation mode has a few technical limitations from Microsoft that should be considered. Windows XP, Vista, and Server 2003, 2008 couldn’t hibernate with greater than 4GB of memory (Microsoft Knowledge Base, 2008).

Forensic Toolkit (FTK) and Encase offer limited support to examine memory dumps. Using FTK or Encase, the files can be read in hex and text view. The examiner should be able to pull out certain strings using a plain-text search, possibly even passwords or keys. There are a few tools forensically important in attention to favorite forensic suites that will be needed for memory examination. A tool called MoonSols Windows Memory Toolkit (formerly called SandMan) can be used to dump, reassemble the compressed hiberfil.sys file (Kear, 2011). Many of the tools run on Linux based machines, so it should be noted that both Windows and Linux machines are needed to properly examine memory.

Finding one of these files useable may be an important lifeline for recovering encryption keys. Keep in mind these files can be manipulated or destroyed all together.


Breaking encryption involves a lot of patients, trial and error, and knowledge. There is no one sure way of recovering the encryption key that will work on every machine.  Before trying any of these attacks, first practice on a test system. Many of the attacks describe only allow for one opportunity to recover the data.

Of course if you come across a machine using weak passwords, social engineering or key loggers cracking the encryption would be much easier than the above.  It certainly helps to secure the physical access to the machine to prevent cracking the encryption schemes. Limit access to what interface an attacker (or examiner) has, and then you have an advantage.  The encryption algorithms are very solid. Finding flaws in system design, human error or just catching a lucky break aids in the retrieval of the secret data.

References (2010, Feb). Windows Hibernation and hiberfil.sys. Retrieved from Anti-Forensics:
Apple Support. (2011, September). OS X Lion: About FileVault 2 . Retrieved from Apple | Support: (n.d.). EZ GPO Installation Instructions & FAQs . Retrieved from Energy Star:
Down, P. (2011, March 11). 1394, DMA, and BitLocker. Retrieved from
Iqbal, H. (2009). Forensic Analysis of Physical Memory and Page File. Gjøvik University College.
J. Alex Halderman, S. D. Lest We Remember: Cold-Boot Attacks on Encryption Key. Communications of the ACM , 52 (5), 91-98.
Kear, S. (2011, Feb). Sam Kear Dot Com. Retrieved from Forensic Memory Dump Analysis Using Moonsols :
Network Associates, Inc. (1999). How PGP works. Retrieved from Introduction to Cryptography:
Nichol, A. (2006, Feb). Virtual Memory in Windows XP. Retrieved from
Microsoft Knowledge Base. (2008, Apr). Microsoft Support. Retrieved from
Microsoft | Technet. (2011). 5-Minute Security Advisor – Using the Encrypting File System . Retrieved from
Microsoft. (2011). How EFS Works . Retrieved from Windows 2000 Server:
Microsoft Support. (2009, January 15). Best practices for the Encrypting File System. Retrieved from Microsoft Support:
Paul Baccas, K. F. (2008). OS X Exploits and Defense By P. Burlington, MA: Syngress.
Starcher, G. (n.d.). Software. Retrieved from Thoughts, tricks and tirades on technology today:


Digital Crime | Botnets


Botnets have a very large potential of becoming the largest impacting Internet attack. A form of distributed computing botnets are a network of many systems on the web that can be used maliciously.  A botnet is a small application that sits unsuspected on victim’s computers that can actively collect information from the machine or wait dormant until it is issued a command to act. While one infected system does not pose such a large threat, the botnet gets its strength in numbers. A large quantity of computers, sometimes numbering in the millions provides very valuable computing power and bandwidth to their attackers, or bot herders. By botnets being spread over a large geographic area it can be very difficult, or even impossible to pinpoint the origin and shut them down.

First appearing in the late 1990s, Internet Relay Chat(IRC) bots became the first form of the botnet. They were developed in underground chat rooms by very skilled coders. Hackers of botnets target IP ranges with systems that are known to be vulnerable with have little monitoring or security. Educational institutions tend to be very large targets due to bandwidth, always being on and high storage capabilities.

Bots are usually “herded” or run on hidden IRC channels.

How Botnets Spread

Botnets usually spread via E-Mail. Unsolicited e-mail is sent from either an unknown party, or someone that you could regularly receive trusted messages who’s system is infected. Systems are usually compromised by an attachment or directing users to click a link. The links appear as pop up ads and fake windows suggesting the user download a program to repair an issue that may not even be there, such as fake utilities.

Internally there is a struggle between the bot herders. Bot herders are known to “hijack” each other’s botnets. Most botnet control applications are unencrypted and use similar protocols that the bot herders are familiar with. Botnets are criminally traded and are for sale in the underground spammer/hacker community. Rates in 2004 ranged from $.04 to $.10 per compromised system. It’s suspected that the going rate for a “good” botnet has increased since.

Functions of Botnets

Botnets contain functionality that allows for file transfer and installation to the victim’s systems. Used for installing spyware, adware, viruses, or expanding or modifying the attack. Botnets are generally controlled from secret IRC channels or some of the newer bots are controlled using web-based interfaces, which is literally a website the bot herder can logon to and select exactly what the botnet is to do.

Crimes Using Botnets

Distributed Denial of Service Attacks

(DoS) – Attacks that make Internet resources inaccessible from normal use.

Example: 2002 attack on DNS root severs, 7 of the 13 severs failed in response to the attacks. Two severs failed completely from the load. This attack made the Internet inaccessible for some users.

Denial of Service Extortion

The bot master will run a “sample attack” to show the victim what the botnet is capable of. This attack generally understood to be much smaller than what the botnet is capable of, but only the bot master will know what the actual botnet can do. The attack is followed up with some sort of communication demanding money.

Flooding attacks

Infected machines will send bogus requests to a server or website which will cause routers or Internet connectivity to fail. This will stop normal legitimate Internet traffic overwhelming by routers or server.

Click Fraud

Infected systems exploit pay per click advertising. The bot herder will instruct the systems to make fake requests as if they are clicking advertisements on specified websites. The advertisers are legitimate but the website owners will see profits as they are paid per each click of banner advertisements.


Bots can send out massive amounts of spam, sometimes spreading the bot. Others are used to spread the e-mail of the spammer that paid to use the “network.” The spam can be filled with viruses or other malicious software, or simply with unsolicited advertisements.



Money, following the exchange of funds will lead investigators back to the kingpins behind the botnets.

Operation Bot Roast

Operation Bot Roast was an FBI investigation of botnets. The operating identified 1 million victims June 2007. Operation Bot Roast came to be known as a good first step, but security professionals compared it to nabbing the street drug dealers instead of the kingpin distributer.

John Schiefer

In March 2009 professional security consultant John Schiefer became the first defendant in the US to be charged with wiretapping using botnets. Schiefer infected over 250,000 computers and used the compromised machines for data mining of bank account and credit card numbers. Schiefer was sentenced to 4 years in prison.

Notable Botnets


3.6 Million Computers. – Steals sensitive data such as username and passwords, account and credit card numbers through key-loggers.


2.9 Million Computers- Fake messages on social networking sites that really installs malware.


Keeping your system up to date, and running notable anti-virus/anti-spyware software is the best protection from falling victim to a botnet. Understanding how botnets spread and work will help you reduce your risk. Not clicking links or opening e-mails that seem suspicious will help prevent your machines from failing victim. The FBI’s OnGuard Online even recommends you completely disconnect your PC from the Internet when not in use as a preventable measure.