{"id":41,"date":"2011-12-25T08:35:10","date_gmt":"2011-12-25T13:35:10","guid":{"rendered":"http:\/\/149.28.118.115\/?p=41"},"modified":"2011-12-25T08:35:10","modified_gmt":"2011-12-25T13:35:10","slug":"forensic-examination-of-encrypted-systems","status":"publish","type":"post","link":"https:\/\/www.postinger.com\/index.php\/2011\/12\/25\/forensic-examination-of-encrypted-systems\/","title":{"rendered":"Forensic Examination of Encrypted Systems"},"content":{"rendered":"

\u00a0Abstract<\/strong>
\nThe accurate forensic examination of digital devices and computers has become more important that ever. Recent advancements in desktop operation systems have pushed availability of encryption to all users. Both Mac OS X and Windows 7 have encryption options as features out of the box. Entire hard disks and individual files both can be encrypted by current generations of operating systems. I will explore the creative ways law enforcement agents, forensic experts, and other attackers have discovered to defeat technologies such as BitLocker, and PGP Encryption. I will include overviews of the technologies and then the techniques used such as brute force attacks, algorithms, cracking and also non-mathematic ways to bypass the encryption schemes. I will discuss what files potentially store information that can be used to extract encryption keys. \u00a0I would also like to cover the acquisition techniques that make conditions most favorable for investigators to defeat the encryption. \u00a0This essay is a brief overview of the technologies, but is not a complete step-by-step manual on breaking encryption.<\/p>\n

File System Encryption<\/h1>\n

Encrypting individual files first started to appear in mainstream computers with a technology called PGP (Pretty Good Privacy). PGP used open algorithms based around symmetric key encryption. PGP has a session key that is generated to encrypt the plaintext (Network Associates, Inc, 1999). PGP is great for adding some security when transferring files over the web. It should be noted that unless the original file is written over, the data could still be recovered in the disk free space. Typically a program or operating system uses technologies similar to RSA. Individual file encryption can leave information in plaintext, especially the file metadata, folder structure, and file attributes.<\/p>\n

Windows EFS<\/h2>\n

On the desktop Windows PC first integrated a technology called the \u201cEncrypting File System\u201d or EFS. EFS saves security certificates on the volume used to encrypt the file.
\nPrivate key is made with hashing of password\/username or organizations public key. Using an organizations public key is useful incase a user forgets the password as the data could still be covered. Microsoft recommends users and administrators to enable EFS on directories and not individual files to ensure files are not left unencrypted (Microsoft | Technet, 2011). Microsoft mentions in multiple places on their support site that users should backup their certificates manually (Microsoft Support, 2009).
\nAccessData\u2019s Forensic Toolkit will pull the security certificate from the drive and registry and use this information to decrypt the EFS almost automatically.\u00a0 FTK uses information about the user from the SAM files to accomplish this. Even if the files are deleted or destroyed FTK can build a wordlist and perform a dictionary\/brute force attack on the EFS.<\/p>\n

Apple FileVault<\/h2>\n

In previous versions of Mac OS X, namely the \u2018Tiger\u2019 release included a technology called FileVault. FileVault can encrypts blocks and portions of data into a \u2018disk image.\u2019 This technology has been known to be cracked by using some utilities available online(a software called \u2018crowbar\u2019). At this point these attacks use dictionary attacks\u00a0 with a wordlist built from the disk image. (Starcher)<\/p>\n

Full Disk Encryption<\/h1>\n

Growing concerns around securing data brings on full disk encryption.\u00a0 Full disk encryption became integrated with the operating system on Windows based PCs with the release of Windows Vista and Windows 7. The technology is called BitLocker. BitLocker has some requirements, specifically a special chip called the \u201cTrusted Platform Module\u201d which essentially verifies that the hard disk has not been removed and installed into another machine in attempt to circumvent the security. \u00a0If the motherboard fails with the TPM this could render the data useless on the drive.
\nMac OS X has similar encryption features in its newest operating system revision, Mac OS X \u2018Lion\u2019 10.7. The whole disk can be encrypted versus previous version that just did file system encryption. Within the operating system Apple gives users an option to store the recovery key using their \u2018mobileme\u2019 account. (Apple Support, 2011) \u00a0Apple support says the key is then encrypted with the answers provided. Apple claims that you need to answer security questions with exact answers to recover this, but I question what a court order could do to recover this key.<\/p>\n

Attacks on Full Disk Encryption<\/h1>\n

Cold Boot Attack<\/h2>\n

A phenomenon called memory remanence (J. Alex Halderman) is when useable data stays stored in RAM even after the power source is removed. A cold boot attack tries to recover the encryption keys from the computer\u2019s memory.\u00a0 This requires physical access to the machine that has the encrypted disk, and it should be running, and hopefully logged in.\u00a0 The forensic examiner (or attacker) needs to cut the power quickly not letting the machine shut down cleanly. If the machine does shut down cleanly it will remove the contents of memory, and in our case the ever-important encryption keys. \u00a0In fact recovering memory that has the power interrupted has at best 35 seconds to be dumped (unless it is cooled to extreme temperatures. The power consumption of RAM also plays a factor, the lower power consumption the greater the chance of recovery) (Anti-Forensics.com, 2010).\u00a0 The memory then should be rapidly cooled; in some cases using a can of compressed duster gas turned upside down may do the trick. The memory will hold its contents temporarily. Cooling it rapidly will increase this time. \u00a0The memory must be transferred into a system that is ready to dump the contents of the memory to a hard disk for further examination to recover the keys. The other option is to boot that system right into a portable operating system and have an external drive handy to dump the contents of the RAM.\u00a0 Both options are very risky and typically you only will have one shot at success. It certainly should be practiced in the lab before it is attempted. The memory loses its contents quickly when the power is removed.<\/p>\n

DMA Attacks<\/h2>\n

Certain IO systems on the computer may have direct memory access. Encryption keys have been recovered using this technique over the Firewire bus\u00a0(Paul Baccas, 2008). Attackers using direct memory access as a path to encryption keys are less useful when using a machine equipped with the trusted platform module (Down, 2011). The best defense from this attack is again, physical security. Remove Firewire ports on these machines, lock down access for installing these cards and this attack will not be possible.<\/p>\n

Virtual Memory Forensics<\/h1>\n

At this point we know the computer\u2019s memory can be a gold mine when trying to crack encryption keys. \u00a0In some cases the virtual memory may not be secure or encrypted. Maybe the full drive is not encrypted, maybe it\u2019s on a separate drive, or maybe we have obtained the virtual memory files another way.
\nWhen modern operating systems use the entire physical memory it must use a \u2018swap\u2019 space. This space on windows based computers is known as the pagefile (pagefile.sys.). Fortunately for those looking to circumvent encryption keys, this space contains valuable information that could include important evidence.
\nWith initiatives throughout the world around conserving energy and going green, Microsoft and other operating system providers have sought out ways to develop new ways to be energy efficient. One of the energy saving features is \u2018hibernation mode.\u2019 Hibernation mode essentially takes a snapshot of what is currently loaded in the system\u2019s memory and dumps the contents to a file.\u00a0 This file also can contain a wealth of forensically important information.
\nThese two snapshots of the memory can contain a plethora of important information about the system. Passwords, encryption keys, files that were opened temporarily, messages, e-mails, can usually be found in memory. More computers are implementing encryption and other password protection such as bit locker that is impossible to examine without the encryption keys.<\/p>\n

Pagefile.sys<\/h2>\n

 
\nThe virtual memory file (pagefil.sys) is typically contained as a hidden file in the root C:. This is the main virtual memory file that sits on the hard drive. It\u2019s important to note that the pagefile location can be moved and modified to increase system performance or to hide the file. One of the most common practices on Windows XP machines was to manually manage the pagefile.sys\u2019 physical size; administrators did this as it was thought it would improve speed (Nichol, 2006).
\nPagefile properties can be modified through the registry. A savvy user can setup the pagefile to be cleaned (cleared) when the system is shutdown, but this only happens when the system is shut down cleanly (Iqbal, 2009). In fact, administrators can force this cleaning of the pagefile via a group policy (Microsoft, 2011).\u00a0 If the plug is pulled for a power interruption the pagefile still should be intact. The pagefile stores 4KB chunks of data. It cannot be typically opened or manipulated by the user while the computer is running.\u00a0 There is some software that can read and edit the file at the disk level so it\u2019s not entirely impossible, just unlikely at this time.<\/p>\n

Hiberfil.sys<\/h2>\n

Laptops are becoming more and more popular, so proper examination of portable units is important. In most laptops, when the \u2018lid\u2019 is shut it will go into hibernation mode, instantly creating a forensically important file, hiberfil.sys.
\nBack to the green energy initiatives with computers: conserving power is important so hibernation mode was implemented. Hiberfil.sys contains the dumped memory contents, typically compressed at about 75%. Hibernation mode is configurable by the user, but in many organizations is a group policy enforced as a cost savings\u00a0(Energystar.gov). Hiberfil is forensically interesting because it does not appear to be automatically cleaned.\u00a0 The memory dump has been known to contain Internet history, chat sessions, e-mail and even our encryption passwords in plaintext. Hibernation mode has a few technical limitations from Microsoft that should be considered. Windows XP, Vista, and Server 2003, 2008 couldn\u2019t hibernate with greater than 4GB of memory\u00a0(Microsoft Knowledge Base, 2008).
\nForensic Toolkit (FTK) and Encase offer limited support to examine memory dumps. Using FTK or Encase, the files can be read in hex and text view. The examiner should be able to pull out certain strings using a plain-text search, possibly even passwords or keys. There are a few tools forensically important in attention to favorite forensic suites that will be needed for memory examination. A tool called MoonSols Windows Memory Toolkit (formerly called SandMan) can be used to dump, reassemble the compressed hiberfil.sys file (Kear, 2011). Many of the tools run on Linux based machines, so it should be noted that both Windows and Linux machines are needed to properly examine memory.
\nFinding one of these files useable may be an important lifeline for recovering encryption keys. Keep in mind these files can be manipulated or destroyed all together.<\/p>\n

Conclusion<\/h1>\n

Breaking encryption involves a lot of patients, trial and error, and knowledge. There is no one sure way of recovering the encryption key that will work on every machine. \u00a0Before trying any of these attacks, first practice on a test system. Many of the attacks describe only allow for one opportunity to recover the data.
\nOf course if you come across a machine using weak passwords, social engineering or key loggers cracking the encryption would be much easier than the above. \u00a0It certainly helps to secure the physical access to the machine to prevent cracking the encryption schemes. Limit access to what interface an attacker (or examiner) has, and then you have an advantage.\u00a0 The encryption algorithms are very solid. Finding flaws in system design, human error or just catching a lucky break aids in the retrieval of the secret data.<\/p>\n

References<\/h1>\n

Anti-Forensics.com. (2010, Feb). Windows Hibernation and hiberfil.sys<\/em>. Retrieved from Anti-Forensics: http:\/\/www.anti-forensics.com\/the-risks-of-windows-hibernation-the-hiberfil-sys-and-web-browsing
\nApple Support. (2011, September). OS X Lion: About FileVault 2 <\/em>. Retrieved from Apple | Support: http:\/\/support.apple.com\/kb\/HT4790
\nEnergystar.gov. (n.d.). EZ GPO Installation Instructions & FAQs <\/em>. Retrieved from Energy Star: http:\/\/www.energystar.gov\/index.cfm?c=power_mgt.pr_power_mgt_ez_gpo_faq
\nDown, P. (2011, March 11). 1394, DMA, and BitLocker<\/em>. Retrieved from http:\/\/paulrobichaux.wordpress.com\/2011\/03\/11\/1394_dma_and_bitlocker\/
\nIqbal, H. (2009). Forensic Analysis of Physical Memory and Page File.<\/em> Gj\u00f8vik University College.
\nJ. Alex Halderman, S. D. Lest We Remember: Cold-Boot Attacks on Encryption Key. Communications of the ACM<\/em> , 52<\/em> (5), 91-98.
\nKear, S. (2011, Feb). Sam Kear Dot Com<\/em>. Retrieved from Forensic Memory Dump Analysis Using Moonsols : http:\/\/samkear.com\/forensics\/forensic-memory-dump-analysis-using-moonsols
\nNetwork Associates, Inc. (1999). How PGP works<\/em>. Retrieved from Introduction to Cryptography: http:\/\/www.pgpi.org\/doc\/pgpintro\/
\nNichol, A. (2006, Feb). Virtual Memory in Windows XP<\/em>. Retrieved from http:\/\/www.aumha.org\/win5\/a\/xpvm.php
\nMicrosoft Knowledge Base. (2008, Apr). Microsoft Support<\/em>. Retrieved from http:\/\/support.microsoft.com\/kb\/888575
\nMicrosoft | Technet. (2011). 5-Minute Security Advisor – Using the Encrypting File System <\/em>. Retrieved from http:\/\/technet.microsoft.com\/en-us\/library\/cc722659.aspx
\nMicrosoft. (2011). How EFS Works <\/em>. Retrieved from Windows 2000 Server: http:\/\/technet.microsoft.com\/en-us\/library\/cc962103.aspx
\nMicrosoft Support. (2009, January 15). Best practices for the Encrypting File System<\/em>. Retrieved from Microsoft Support: http:\/\/support.microsoft.com\/kb\/223316
\nPaul Baccas, K. F. (2008). OS X Exploits and Defense By P.<\/em> Burlington, MA: Syngress.
\nStarcher, G. (n.d.). Software<\/em>. Retrieved from Thoughts, tricks and tirades on technology today: https:\/\/www.georgestarcher.com\/?page_id=256
\n <\/p>\n","protected":false},"excerpt":{"rendered":"

\u00a0Abstract The accurate forensic examination of digital devices and computers has become more important that ever. Recent advancements in desktop operation systems have pushed availability of encryption to all users. Both Mac OS X and Windows 7 have encryption options as features out of the box. Entire hard disks and individual files both can be […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[5],"tags":[],"class_list":["post-41","post","type-post","status-publish","format-standard","hentry","category-school"],"_links":{"self":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/posts\/41","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/comments?post=41"}],"version-history":[{"count":0,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/posts\/41\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/media?parent=41"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/categories?post=41"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/tags?post=41"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}