Encryption and Data Recovery

1
Encryption and Data Recovery

• Originally adapted and expanded from Practical
  Approaches to Recovering Encrypted Digital
  Evidence IJDE 2002 13
  
• By
• Robert Wesley McGrew and Josh Coffey

2
Introduction

• Like any good tool, cryptography flexibly serves
  the needs of those who use it
  
• Anyone Provides privacy, confidentiality,
  authentication, non-repudiation
  
• Investigators Security against tampering,
  confidentiality
  
• Criminals Protecting/Hiding illegal activities

3
U.S. v. Scarfo

• http//www.epic.org/crypto/scarfo.html
• Much of this case is off-topic, but a couple of
  key points
  
• A customized keystroke recorder was used to
  capture key/passphrase information for PGP
  
• More pre-emptive than most computer forensics we
  discuss
  
• Sets a tone for the sort of activities we may
  discuss and resort to, in order to recover
  evidence where encryption is used.

4
Other (criminal) Uses of Cryptography

• Child Pornographers
• One of the primary reasons people cite for
  regulating/restricting the use of crypto
  
• http//news.zdnet.co.uk/business/legal/0,39020651,
  2084388,00.htm
  
• Communications via IRC, files traded via FTP,
  encrypted with BestCrypt
  
• AES, etc, symmetric ciphers
• no word on how keys were exchanged
• http//www.password-crackers.com/crack3.html

5
Other (criminal) Uses of Cryptography

• Terrorism
• Cases http//www.cs.georgetown.edu/7Edenning/cry
  pto/cases.html
  
• RSA and also custom crypto (was easily broken)
• Note that there are cases where attempts at
  decryption failed, however other incriminating
  evidence was found
  
• Plea bargain ?? keys, a useful trade
• Lots of PGP usage

6
The Rest of the Usual Suspects

• Drug dealers
• Hackers
• White collar criminals
• Nearly anyone thats computer literate can
  implement this
  
• If they dont seem bright enough to have done it
  themselves, question the geek they hired to do it
  for them
  

7
How common will encryption be?

• Strong crypto tools are readily available
• Interfaces to such tools are becoming more
  intuitive
  
• More cases hinging on digital evidence encourages
  criminals to become more careful
  
• In the push for security on personal computers,
  encryption is being integrated into the operating
  system
  
• WinFS http//msdn.microsoft.com/Longhorn/underst
  anding/pillars/WinFS/default.aspx
  
• EFS http//www.microsoft.com/windows2000/techinf
  o/planning/security/efssteps.asp

8
Symmetric Cryptography

• Involves a single key, for both encryption and
  decryption
  
• When used by itself, it is mostly used for
  encrypting data to be stored locally.
  
• For data that is to be communicated, there is the
  problem of how to share the key (which we will
  address)
  
• Algorithms involved
• AES
• DES, Triple-DES
• Tools
• BestCrypt
• DriveCrypt
• Many, Many others

9
Asymmetric Cryptography

• A relatively recent (70s) discovery
• Two can communicate securely, over an unsecured
  channel, without having a shared secret to start
  with.
  
• Two keys
• Public key Made known to all, used to encrypt
• Private key Individuals secret, used to
  decrypt
  
• A passphrase protects the private key on the
  users machine
  
• Slower, so usually used to communicate a key
  which can be used for further encrypted
  communications via symmetric
  
• Most common implementation is PGP, GnuPG

10
Why youre in trouble if they did it right

• Well known and used algorithms are very secure,
  mathematically.
  
• Factoring is used as a one-way trapdoor function.
  Its easy to compose a number as a product of
  primes, but hard to decompose it back.
  
• Peer review

11
Why youre in trouble if they did it right

• The implementations of these algorithms in
  commonly used software are often also quite
  secure
  
• The more popular the product, the more likely it
  is that it has been discovered that it leaks data
  in some way, and fixed.
  
• Good passphrases
• Long, memorable, but random enough to make them
  hard to crack
  
• Wastes a lot of your time with brute force attacks

12
Brute Force is Our Last Resort

• If modern cryptographic software is used
  correctly, with secure, long passphrases, we
  might be out of luck.
  
• 21024 1.8 x 10308 possible keys
• Long, memorable passphrases are rarely random,
  but small, easily remembered changes would make
  them hard to guess
  
• Beat it out of them (Not for the usual CS crowd)
• What are some more creative ways of getting a key
  from a suspect?

13
What they hopefully and probably did wrong

• Single word passphrases
• Sloppy procedures with their encryption software
• Home-brew implementations/algorithms
• Trusted the key to someone they shouldnt have
• Left enough unencrypted data on the media to work
  with

14
A few questions

• What types of encryption do you think would be
  easier to break in an investigation?
  
• What kind of arguments can a suspect use to avoid
  assisting you in decrypting evidence?
  
• What factors affect how long it may take an
  investigator to decrypt evidence?
  
• Why might it be difficult to get
  companies/individuals/groups who write
  cryptography software to provide help/information?

15
Attacking Simple Ciphers

• One of the simplest ways of encrypting data is to
  take the XOR of the bits of plaintext against the
  bits of the key
  
• 01010111 XOR 10111011 11101100
• With a repeating key, however, analysis can
  retrieve the key and plaintext
  
• Index of coincidence
• Frequency analysis
• Why is this attack not possible if the lengths of
  plaintext and key are equal?
  

16
and after that, it just gets nasty

• Beyond very trivial algorithms like XOR,
  cryptanalysis and brute force attacks do us less
  and less good
  
• Exhaustive searches of the keyspace take 2(bits
  in key)
  
• 40 bit keys can be brute forced in reasonable
  time
  
• However each additional bit doubles the time
  required to brute force the key
  

17
Factors of Encryption Strength

• http//www.informit.com/guides/content.asp?gsecur
  ityseqNum67
  
• Implementation quality
• Password exposure in WEPs RC4
• Location in time/space of cached keys
• Key length/randomness

18
A Question

• With Windows moving towards a secure-by-default
  configuration in future versions, particularly
  regarding encrypted file systems, what techniques
  will investigators have to use to do the same job
  they do today?
• Alternate techniques
• Alternate sources of data

19
Theory vs. Practice

• Cryptographic algorithms and procedures are very
  secure in theory
  
• Any software engineer will tell you, however,
  that translating requirements, specification, and
  design into a product is non-trivial
  
• In reality, implementation/usage faults reduce
  the security of cryptographic solutions

20
(Mis)management of plaintext/keys

• Example given in the paper
• Unix crypt utility
• If the user simply deletes the plaintext file, it
  can be recovered with the usual techniques
  
• If neither the application or the operating
  system wipes buffers containing plaintext in main
  memory, it may be recovered from volatile memory,
  swap, or RAM slack
• The above also applies to keys

21
Key vulnerabilities

• Dictionary attacks
• Keystroke recording (a la U.S. v. Scarfo)
• Observation (shoulder-surfing)
• Predictability
• What ethical/legal issues would be involved in
  allowing a suspect to use his computer after it
  had been seized (with a copy of the evidence
  drive) in order to log keystrokes/passphrases?

22
Dictionary attacks

• Examples
• John the Ripper
• Access Datas Distributed Network Attack
• Zip password crackers
• http//www.netgate.com.uy/fpapa/
• Dictionary attacks are parallelizable
• Traditional clusters
• Distributed cracking

23
Leaking Data

• PGP, and other tools may leak plaintext or keys
  in a recoverable way
  
• Buffers hold plaintext or keys in memory and may
  be compromised while executing
  
• Depending on whats contained in the write buffer
  for the file-system, portions of plaintext or key
  previously in the buffers may be written out to
  disk as RAM slack at some point.
• Paging to virtual memory may make some of the
  above even easier to exploit, or even leave
  buffers on the disk persistently in case of a
  crash.

24
Unencrypted Copies

• Filesystems where some directories are encrypted
  and some arent
  
• Multiple filesystems of mixed encrypted/plain
  status
  
• In all cases, it is possible that at some point,
  the suspect slipped up, or the normal operation
  of the OS created a copy of an encrypted file in
  an unencrypted location
• Ex EFS printer spool directories

25
Leaks in Application Software

• Most applications leave temporary files, backup
  copies, etc.
  
• Microsoft Office backup, recovery
• vi and emacs files
• While crypto software may be carefully designed
  not to let data be written all over the place,
  most software used to manipulate and view data
  isnt.
• Management of these temporary/backup copies
• Application Rarely if ever wiped properly
• User Very likely that theyre sloppier in
  dealing with these than the actual data
  
• File Signatures will help locate this data

26
U.S. v. Hersh Comparing Characteristics

• Compare file attributes, sizes, etc. with known
  files to determine the likelihood that they
  contain the same data
  
• What are some of the problems with this?

27
Recovery from RAM

• Using pmdump to recover plaintext from PGPtray
• Demonstration

28
Caught in the Act

• If the computer is on at the time of seizure,
  there are some possibilities
  
• Encrypted disks may be unlocked
• Passphrases may be cached/saved
• Encrypted files may be open in programs
• Unencrypted data or keys may be in volatile
  memory
  
• Are the risks of changing the system or
  triggering traps worth attempting to capture the
  above, vs. the standard pull the plug we
  usually discuss?

29
Obtaining passphrases

• Interrogation
• Observation
• Exploiting the reuse of passphrases
• One program may use a passphrase as a key to
  unlock a private key, and do so securely
  
• However if the suspect uses the same passphrase
  to unlock their Palm PDA, it may simplify matters
  down to cracking XOR.
  
• Research published vulnerabilities in OS security
  (chntpw)

30
Mining evidence for passphrases

• Use tools such as Access Datas PRTK (Password
  Recovery ToolKit) to build wordlists from
  unencrypted data for possible passphrases
  
• Legal problems with overly broad searches?
• Complexity involved with multi-word passphrases

31
Why dont you just ask nicely?

• In some situations you may can cut them a deal
• If they say they forgot a recently changed key,
  try to verify when it was changed
  
• Intimidation works
• Implication of guilt
• Why is the knowledge of an encryption key not an
  implication of guilt?
  
• 5th amendment rights

32
Pitfalls of Trying to Obtain Passphrases

• Be aware of wiretap laws when involving keystroke
  recorders or other monitoring software/hardware
  
• Log all guesses
• Passphrases may periodically change
• Possibly a blessing in disguise, if passphrases
  for older data seized is easier to break.

33
Key Verification

• Duress passwords
• One cryptotext expanding into two plaintexts
• Actual Passphrase ?? Encriminating Evidence
• Duress Passphrase ?? Boring Data
• Duress passphrases may also trigger evidence
  destruction
  
• How can we verify what the suspect has told us
  about the passphrase?

34
Dead Mans Switch

• When seizing a computer, care must be taken when
  removing the hard drive
  
• Removing the case may trigger encryption or
  destruction of drives
  
• Long periods of time without suspect interacting
  with computer may trigger encryption/destruction
  
• Requires a special breed of paranoia/expertise
  from the suspect, but it is a possibility
  
• How else could you rig your computer in case of
  seizure?

35
Encrypted Communications

• Emails in transit
• Network traffic
• Wireless
• Cell phones
• Landlines
• Etc etc etc

36
Think like a hacker

• Attempt to recover the data while it is
  plaintext, on either end of a communication
  
• Man in the Middle Attacks
• Arp spoofing

37
The future of recovering encrypted data

• Solutions to the problem of finding encrypted
  data (as opposed to simply random data)
  
• The use of scanning-tunnelling microscopes and
  tools that can read from RAM after power-down
  
• Intelligent generation of passphrases
• In what way is this an arms race?

38
Network Forensics and Encryption

• http//www.networknewz.com/networknewz-10-20021204
  Network-Forensics.html
  
• Encryption may be more prevalent on network
  communications than filesystems
  
• Certain information may be divulged even with
  encryption on networks
  
• Who is communicating with whom?
• For how long?
• Patterns of communication correlated to real
  life events
  
• What would you have to do to hide the above
  information?

39
Conclusions

• The papers
• Encryption is a problem, yet not insurmountable
• There is the possibility of recovering plaintext
  and keys
  
• The difficulty is in the individual investigator
  keeping up with the technology
  
• Mine
• The difficulty is that the quality of
  cryptographic tools will rise
  
• It will become more difficult to perform
  investigations on computer hard drives
  
• More evidence may be gathered from removable
  media, phones, PDAs, etc.
  
• New seizure techniques that more reliably capture
  the state of the system need to be developed.

40
Questions

• Why wouldnt government key escrow work to
  maintain investigators ability to read
  evidence?
  
• How does encryption make things harder for
  smaller (not well funded) forensic
  investigators?
  
• Do you believe that laws will be passed to compel
  suspects into giving up keys?
  
• How many of you actually use encryption
  software?
  
• For what purpose?
• Who here is at least careful about encrypting
  network traffic?
  

41
Mailing List Traffic

• http//www.securityfocus.com/archive/104/308017
• http//www.securityfocus.com/archive/104/245451
• Encryption in a corporate situation
• One entity both protecting and investigating
• http//www.securityfocus.com/archive/104/150865
• More detailed information on different algorithm
  types
  
• Sturgeons Law - http//www.jargon.net/jargonfile/
  s/SturgeonsLaw.html
  
• http//www.securityfocus.com/archive/104/157984
• http//www.securityfocus.com/archive/104/327176
• Flaws in Windows EFS that investigators can
  exploit
  
• http//www.securityfocus.com/archive/104/296272
• More hardware crypto, more mainstream acceptance
  of crypto due to DRM
  
• http//www.securityfocus.com/archive/104/287393
• Detecting crypto