Intro

I am a Digital Forensics student studying at university in the UK. I also do some Cyber Security modules.
I am currently in my 2nd year.
I have mainly started this to post interesting things I have learned and problems I have encountered.
However, I will use it to do write ups about useful things I want to remember such as commands and tools I have used so I don't forget them! (To be honest, I don't expect anyone to read this!)

Friday 3 April 2015

Effects of Encryption on IT Systems and Digital Investigations

I feel that a lot of my posts on this blog have been Cyber Security related when theoretically, given the name of my course "Forensic Computing", it should be based around Forensics!
So it's my "Easter Resolution" to do more forensics posts, starting with this one.

The title of this post was the title of the essay I had to write. As I said in the other post, I enjoyed doing this essay. It forced me to really look at encryption and learn the ins and outs. Before doing it, I had a general idea of Symmetric and Asymmetric encryption but not the technical details.

The breakdown of my essay was something like this:

  • Introduction
  • Encryption Techniques
    • Symmetric
      • Advantages/Disadvantages
    • Asymmetric
      • Advantages/Disadvantages
  • Impacts on an Operating System / IT System 
  • Impacts on an Investigation

I don't expect anyone to sit there and read my entire 5500 word essay, so I'm going to break down the "effects" parts here briefly as they are the most interesting points; the parts on the encryption techniques can be found all over the internet!

I was surprised by the extreme lack of papers and articles detailing the effects of encryption on investigations and systems. I suppose this was actually good for me because it didn't make it easy and I had to actually use my brain for once!!!
However, I must say that it was quite disconcerting as a student of Forensic Computing to find out there is no real guidance for how to approach a computer with encryption.

So, IT Systems first:
  • Performance - This is the big one. Think of near enough any effect of encryption on a system and somehow it will come down to performance (for obvious reasons - the amount of calculation being performed, especially if it's on-the-fly encryption)
    • Longer file opening times (not so much an issue these days with faster hardware, but still an issue with larger files)
    • Could really affect real-time systems
    • Remote backups are slower (big point for big IT systems)
  • Admin Tasks
    • Having to re-encrypt (okay, maybe not an "admin" task, but a user task is remembering to re-encrypt if it's not FDE or container based encryption)
    • Patching - Patching can be a pain! Imagine the scenario - you have deployed a patch and you need to reboot the machine, as Windows loves to do, to finish the installation. But the remote computer has FDE. You have to wait for the remote user to enter their password first. Imagine having to wait for 100+ people to do this?!!!!
    • Data recovery - Everyone's hard drive has crashed at some point. Have fun trying to recover the data from an encrypted drive!!!
    • Indexing and searching - I think this is only a Windows issue, but it doesn't like doing this with encryption!
    • Decryption key - usually stored in the first sector; if that sector is damaged then a lot of the time the drive is a useless lump of metal unless there is a backup
There are a few others, but I am conscious of fellow students discovering this page prior to submission!!!

Digital Investigations (split into 2 sections, Process and Technical):
  • Process
    • Discover the level and extent of encryption - Question people!!!
    • Any keylogging enabled? - especially in corporate environments
    • Discover any passwords - written down on the monitor? Under the keyboard? One may be the one you need!
    • Check if the PC is on - important with FDE, as a live image can be made in its decrypted state
    • DOCUMENT everything with the above point, as it will be a live image and you will change stuff (ACPO!!!)
    • Preview the live image on site - You don't want to find it has failed when you are back at the lab 200 miles away, do you!?
  • Technical
    • Check for file headers matching known encryption container software - BitLocker uses "-FVE-FS-"
    • Check the keychain - Linux/Mac
    • In some situations, computers are encrypted after being used for a period of time, so there may still be artefacts from before the computer was encrypted - look for these (usually only with container based encryption)
    • If using EFS - it creates a plaintext backup in case the encryption procedure goes wrong - run data recovery to find this
    • Look in the pagefile!!!! - should be obvious, but I'll put it anyway
    • Look for text files containing passwords!
    • Watch out for machines using a TPM - you can't take the drive out to run a cracker in another machine without the original TPM!
    • Covert / Overt forensics issues - swapping out hard drives can be an issue. Taken an image and restored it on another hard drive? Well, what if the drives have a different number of sectors? How will it know where the keys are? You have just alerted the user to being spied on!!!
Again, not an exhaustive list, but a general idea.
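As an added example (not from the original post), here is a small Python scanner for the BitLocker "-FVE-FS-" signature mentioned in the Technical list. It assumes 512-byte sectors and that the signature sits at byte offset 3 of the volume boot sector (the OEM ID field, which NTFS fills with "NTFS    "); the disk image it scans is constructed inline.

```python
from typing import List, Optional, Tuple

# Signature from the post: a BitLocker volume's boot sector carries "-FVE-FS-"
# as its OEM ID at byte offset 3 (after the 3-byte jump instruction). An NTFS
# boot sector carries "NTFS    " in the same field.
BITLOCKER_OEM_ID = b"-FVE-FS-"
NTFS_OEM_ID = b"NTFS    "
SECTOR = 512  # assumed sector size


def classify_sector(sector: bytes) -> Optional[str]:
    """Label a sector by its OEM ID field, or None if it matches nothing known."""
    oem_id = sector[3:11]
    if oem_id == BITLOCKER_OEM_ID:
        return "bitlocker"
    if oem_id == NTFS_OEM_ID:
        return "ntfs"
    return None


def scan_image(image: bytes, sector_size: int = SECTOR) -> List[Tuple[int, str]]:
    """Return (byte offset, label) for every sector-aligned boot sector recognised.

    Scanning every sector rather than only partition-table entries also finds
    volumes whose partition entry was deleted or overwritten.
    """
    hits = []
    for off in range(0, len(image) - sector_size + 1, sector_size):
        label = classify_sector(image[off:off + sector_size])
        if label:
            hits.append((off, label))
    return hits


def build_sample_image() -> bytes:
    """Constructed sample image: an NTFS boot sector at sector 0 and a BitLocker
    boot sector at sector 2048 (a common first-partition offset), zero filler
    elsewhere. Only the jump bytes and OEM ID are populated."""
    def boot_sector(oem_id: bytes) -> bytes:
        body = b"\xeb\x52\x90" + oem_id  # typical 3-byte jump, then OEM ID
        return body + b"\x00" * (SECTOR - len(body))

    image = bytearray(SECTOR * 2049)
    image[0:SECTOR] = boot_sector(NTFS_OEM_ID)
    image[2048 * SECTOR:2049 * SECTOR] = boot_sector(BITLOCKER_OEM_ID)
    return bytes(image)


if __name__ == "__main__":
    for offset, label in scan_image(build_sample_image()):
        print(f"sector {offset // SECTOR}: {label}")
```

On a real image, pass the raw bytes (or read it in sector-sized chunks) and treat any "bitlocker" hit as a volume that must be handled live or with its recovery key.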
