Penetrating encrypted evidence • Writer ： Hank Wolfe • University of Otago, Computer Security, Forensics, Information Science Department, New Zealand • Presentation : Digital Investigation, 2004 • Reporter ： Sparker Introduction • Every investigator will encounter suspect hard drives and other media that has been encrypted. • The accused will be asked to provide the keys necessary for decryption of data files or entire hard drives. • The final decision, however, rests with the accused. There are some technical methods to obtain the relevant keys • Social engineering. • Surveillance. Social engineering • A divorce settlement case. • The ethics of the profession. • Once the integrity is compromised, it is impossible to regain the confidence and trust held before.. Social engineering (cont.) • Before attempting to use the decrypt software tools. • Every has something that is important to them, we use this technique to guess passwords. • It does not always work but it is always worth a try. Social engineering (cont.) • Often-simple methods can be very effective. • It is human nature to create keys and passwords that are easily remembered. • As forensic investigators, it is part of our job to find out all that we can about the accused and his/her background. Surveillance • A criminal case involving child pornography. • A series of tools like D.I.R.T. or STARR or KeyKatch or KeyGhost or the Password Recovery Toolkit and others. • They are installed on the target machine by various means (a virus, a Trojan, … and so on). • These tools can intercept ans record keystrokes among other things and transmit this information in encrypted form back to forensic computers. Surveillance (contd.) • The advantage of these tools is that they are flexible and can capture, based on the way they have been configured, many different kinds of information-including but not limited to keystrokes. • Electromagnetic transition emanate from all electric devices. With the right equipment, it is possibleto receive those emanations and convert them back into their source form. • The emanations can be acquired from a reasonable distance covertly and converted back into the key codes. Surveillance (contd.) • The contents of a computer display unit can also be captured, interpreted and viewed by someone other than the operator at a distance (Van Eck, or TEMPEST, or HIJACK, or NONSTOP). • Using this surveillance technique requires six equipments consists of, antenna, receiver, amplifier, sync generator, a multi-sync monitor, snd recorder. . Conclusion • We all need to share our successful techniques and learn from each other and accept that we do not have all of the answers. • The techniques described have been and will continue to be successful and should be regarded as just another set of tools for the standard forensic tool kit..