Practical Approaches In Recovering Encrypted Evidence

  • Uploaded by: Arif Zina
  • April 2020

Practical approaches in recovering encrypted evidence
FSCT 8570
British Columbia Institute of Technology
Vancouver, BC

Prepared by: Arif Zina

Date: April 11, 2006

Table of Contents

1.0 Introduction
2.0 Crypto – Analysis
    2.1 Introduction
    2.2 Cryptographic attacks
3.0 Non Cryptographic methods
    3.1 Overcoming weak encryption
    3.2 Finding unencrypted copies of data
    3.3 Searching computer memory for file contents
    3.4 Obtaining encrypted passphrases
    3.5 Computer monitoring with hardware and software
    3.6 Passphrase guessing
    3.7 Brute forcing weak encryption
4.0 Future consideration
5.0 Conclusion
6.0 References

1.0 Introduction

As criminals become more aware of the capabilities of forensic examiners to recover digital evidence, they are making more use of encryption technology to conceal incriminating data. Organized criminals use readily available encryption software, and online child pornographers encrypt their communications and the files they exchange. Terrorist groups are making use of encryption to protect the contents of their computers and their Internet communications. Since criminals generally encrypt the more incriminating communications and stored data, it is often exactly this evidence that investigators seek. Therefore, in addition to an understanding of cryptography, it is critical for forensic examiners to develop practical techniques for dealing with encryption to obtain some, if not all, of this digital evidence.

As strong encryption becomes more widely used by criminals, it is infeasible to attack the encryption directly using brute force methods. Instead, practical approaches to recovering encrypted data using readily available tools need to be employed to locate unencrypted copies of data, obtain encryption pass phrases, and guess encryption pass phrases. This paper discusses different methods investigators may apply to find and recover incriminating evidence, such as plain text from the hard drives of criminals, and the use of commercially available tools to obtain and guess pass phrases.

2.0 Crypto – Analysis

2.1 Introduction

Crypto-analysis (also spelt as Cryptanalysis) is the opposite of cryptography. Cryptanalysis is the art (and science) of breaking cryptographic protocols: cracking codes, breaking authentication methods, decoding secrets. The most important search for a cryptanalyst would be to find the secret key being used, since that would allow any communication using that key to be decrypted. In the general case the cipher text and algorithm are known – the plaintext and key are not.

2.2 Cryptographic attacks

There are many types of attacks that can be directed at cryptographic algorithms and cipher text. Cryptographic attacks can be broken down into two types, namely brute force attacks and crypto-analytical attacks.

Brute Force Attacks

A brute force attack is really a brute force key search directed against some ciphertext. The attacker tries a series of different keys in the hope that one will eventually work. It is akin to a burglar using different keys from a key-chain to open a locked door. There is no way to prevent this kind of attack, since it is trivial to intercept ciphertext. However, when ciphertext is encrypted with a sufficiently long key (128 bits or longer), it would require the attacker to try literally billions and billions of different keys. When an encryption algorithm like DES is used, it is theoretically possible to try every possible key to decrypt a given piece of ciphertext. However, this approach requires significant computing power to run through the vast number (2^56, over 72 quadrillion) of potential decryption keys and can take an inordinate amount of time depending on the strength of the encryption. This approach is therefore not the best way to crack encryption or to determine the pass phrase. Non cryptographic methods are therefore required, which will get the work done in a reasonable time and using reasonable resources.

Crypto-analytical attacks

Crypto-analytical attacks are far more sophisticated than brute force attacks. They rely on the unfortunate fact that an algorithm can be examined carefully and patiently until it gives up specific information about the ciphertexts it generates, which is then used to determine the key. Such attacks tend to require advanced mathematics and powerful computers. However, well-designed algorithms should be resistant to such attacks.

3.0 Non Cryptographic methods

Since at some point the secrecy of most ciphers is dependent on a password or passphrase that ‘unlocks’ or generates the key, an attacker can forgo attacks on the cryptography and instead attempt to determine this password.

Brute-forcing involves trying all possible combinations of characters in the password’s key-space. The larger the key-space and the longer the password, the longer brute forcing will take. For example, a password made up of 6 or more uppercase characters and digits will take far less time to crack than would one made up of 8 upper and lowercase characters, digits and special characters.

A dictionary attack tries passwords from a list or dictionary. This may be a real dictionary but is usually an arbitrary list of associated words (medical terms, for example) and variations on them (number+word, word+number, reversed word, letter ‘oh’ replaced by digit 1, etc.).

A number of automated tools exist to both brute force and dictionary attack passwords – tools such as Cain and Abel, John the Ripper, L0phtcrack and Crack5. Dictionaries of various types can also be readily downloaded from the Internet.

3.1 Overcoming weak encryption

Computer intruders often use simple encryption to obfuscate network traffic and portions of rootkits they install on compromised systems to conceal their presence. One common form of simple encryption used by intruders is to exclusive OR (XOR) each byte against the value 255 (0xFF), effectively inverting every byte in the file. In one case, examiners found a configuration file that they suspected was a key component of a rootkit but appeared to contain only binary data. Viewing the file using a hexadecimal viewer showed that all of the characters in the file were above decimal value 127. This absence of ASCII characters suggested some form of character substitution. Guessing that XOR was used, the examiners reversed the encryption to reveal the contents of the rootkit configuration file shown here:

    # perl -e 'while (<>) { print ~$_; }' < uconf.inv
    [file]
    find=/usr/lib/boot/find
    du=/usr/lib/boot/du
    ls=/usr/lib/boot/ls
    file_filters=01,lblibps.so,sn.l,prom
    [ps]
    ps=/usr/lib/boot/psr
    ps_filters=ibmd,drone,psniff,psr
    lsof_filters=ibmd,uconf.inv,psniff,psr,:13000,/dev/pts/01,sn.l,prom,lsof
    [netstat]
    netstat=/usr/lib/boot/netstat
    net_filters=38290,25000,6667,8000,9000
    [login]
    su_pass=owned
    su_loc=/usr/lib/boot/su
    ping=/usr/lib/boot/ping
    passwd=/usr/lib/boot/passwd
    shell=/bin/sh
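The check the examiners made by eye, followed by the inversion, can be scripted for triage. The Python below is an added example, not code from the paper or from any tool it names; it goes beyond the 0xFF case by trying every single-byte XOR key and ranking the results. The scoring set is a heuristic assumption, and the sample bytes are constructed by re-inverting two lines of the decoded configuration above.

```python
"""Triage a file suspected of single-byte XOR obfuscation (added example)."""
import string

# Heuristic assumption: bytes that dominate Unix key=value configuration text.
COMMON = set((string.ascii_lowercase + string.digits + " \n/=").encode("ascii"))


def only_high_bytes(data: bytes) -> bool:
    """True when every byte is above 127, the symptom seen in the hex viewer."""
    return bool(data) and all(b > 0x7F for b in data)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; key 0xFF inverts the data."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Fraction of bytes that fall in the COMMON set (0.0 for empty input)."""
    return sum(b in COMMON for b in data) / len(data) if data else 0.0


def rank_xor_keys(data: bytes, top: int = 3):
    """Try all 256 keys and return the best (key, score, plaintext) tuples."""
    scored = [(key, text_score(xor_bytes(data, key))) for key in range(256)]
    scored.sort(key=lambda ks: (-ks[1], ks[0]))  # best score first, then low key
    return [(key, score, xor_bytes(data, key)) for key, score in scored[:top]]


# Constructed sample: two lines from the decoded config above, inverted again
# so that the input resembles the all-high-bytes file the examiners found.
SAMPLE_PLAIN = b"[login]\nsu_loc=/usr/lib/boot/su\n"
SAMPLE_OBFUSCATED = xor_bytes(SAMPLE_PLAIN, 0xFF)

if __name__ == "__main__":
    print("high bytes only:", only_high_bytes(SAMPLE_OBFUSCATED))
    for key, score, plain in rank_xor_keys(SAMPLE_OBFUSCATED):
        print(f"key=0x{key:02X} score={score:.2f} {plain[:24]!r}")
```

A file that passes `only_high_bytes` was almost certainly produced from 7-bit text by a key with its top bit set, which is why the inversion guess in the case above paid off on the first try.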

Another example would be Back Orifice. It uses XOR to encrypt traffic between the client and server, and it is relatively simple to decrypt these packets since the header of the Back Orifice packets always begins with the same string. Early versions of Microsoft Word and Excel use XOR to encrypt passwords that individuals can select to protect their files. These passwords can be easily recovered using tools such as Access Data’s Password Recovery Toolkit and NTI’s Advanced Password Recovery Software.

3.2 Finding Unencrypted Copies of Data

Modern operating systems are paged, a process which allows them to provide more virtual memory than really exists in the system. This is done by saving unused memory pages to disk to allow other programs and data to be loaded. These disk page files may inadvertently contain passwords, keys, plaintext and ciphertext. Accessing this on-disk storage may provide an investigator with information that may assist in breaking the cryptosystem in use.

Programs may also create temporary disk files to hold data while calculations are in progress, or from one invocation to the next. These temporary files may also divulge sensitive information, and tend to be more easily accessible, and have more permanence, than paged memory files. For instance, if an EFS encrypted file is printed and the System32\spool\printer folder is not encrypted, spool files will contain unencrypted copies of the encrypted files. Another example is when PGP is used to encrypt Microsoft Word documents. Although the original documents were wiped, fragments of the files can be found scattered around the disk in deleted MS Word temporary files, some of which could be found by searching for Microsoft Word headers. Although it may not be possible to recover the entire file, enough incriminating evidence can be accumulated to prove a case.

3.3 Searching computer memory for file contents

The computer’s Random Access Memory (RAM) is another source of unencrypted data. For instance, if the contents of an application window (such as Outlook’s e-mail composition window) are encrypted using PGP, a copy of the plaintext is often held in memory by the application. Similarly, when PGP is used to encrypt or decrypt text on Windows 2000, a copy of the plaintext is held in memory by PGPtray for an indefinite period. The memory of this process can be dumped to a file using a program like pmdump and searched for unencrypted data as shown here:

    D:\>pslist pgptray
    Name      Pid Pri Thd Hnd  Mem  User Time    Kernel Time  Elapsed Time
    PGPtray  1332   8   7 150 1264  0:00:00.060  0:00:00.270  2:20:33.466
    D:\>pmdump 1332 pgptray.mem
    D:\>less pgptray.mem
    …¨o ^@^@^@^@^@^@^@^@„¤^@^V^@^@^@^P^@„¤¨k^V^@`Ç^V^@P
    Signature Status: good
    *** Signer: Eoghan Casey <[email protected]>
    *** Signed: 7/20/2002 8:36:42 PM
    *** Verified: 7/20/2002 8:41:17 PM
    *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
    Return-Path:
    Received: from webmailmta.go.com ([204.202.140.199]) by lsh110.siteprotect.com (8.9.3/8.9.3) with ESMTP id SAA04960 for <[email protected]>; Thu, 11 Jul 2002 18:57:48 -0500
    Received: from gomailjtp03 ([10.212.0.163]) by mta07.seamail.go.com (Sun Internet Mail Server sims.4.0.2001.07.26.11.50.p9) with ESMTP id <[email protected]> for [email protected]; Thu, 11 Jul 2002 16:43:48 -0700 (PDT)
    Date: Thu, 11 Jul 2002 16:45:32 -0700 (PDT)
    From: Harold Jones
    Subject: Test
    To: [email protected]
    Message-ID: <6477825.1026431132801.JavaMail.harold1jones@gomailjtp03>
    MIME-version: 1.0
    X-Mailer: GoMail 3.0.0
    Content-type: text/plain; charset=iso-8859-1
    Content-transfer-encoding: 7BIT
    X-Mozilla-Status: 8001
    X-Mozilla-Status2: 00000000
    X-UIDL: WBZAgrMiFHAeVlSFpWCqRCEs

    Testing
    ___________________________________________________
    GO.com Mail
    Get Your Free, Private E-mail at http://mail.go.com
    *** END PGP DECRYPTED/VERIFIED MESSAGE ***
    ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
    ^@^@^@^@^@^@^@^L^@<8D> …
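Paging through a dump with less does not scale and records no offsets for the examiner's notes. The Python below is an added example, not part of the paper or of pmdump; it extracts printable strings with their offsets and pulls out every region between the two PGPtray markers shown above, flagging regions whose END marker is missing. The dump bytes are constructed for illustration.

```python
"""Locate plaintext left behind in a process memory dump (added example)."""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Marker strings exactly as they appear in the PGPtray dump above.
BEGIN = b"*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***"
END = b"*** END PGP DECRYPTED/VERIFIED MESSAGE ***"


class Region(NamedTuple):
    offset: int      # byte offset of the BEGIN marker, for the case notes
    text: str        # plaintext recovered after the marker
    truncated: bool  # True when no matching END marker followed


def printable_strings(dump: bytes, min_len: int = 6) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(dump):
        yield match.start(), match.group().decode("ascii")


def decrypted_regions(dump: bytes) -> List[Region]:
    """Return every marker-delimited region, including cut-off ones."""
    regions, pos = [], 0
    while (start := dump.find(BEGIN, pos)) != -1:
        body = start + len(BEGIN)
        end = dump.find(END, body)
        nxt = dump.find(BEGIN, body)
        truncated = end == -1 or (nxt != -1 and nxt < end)
        if truncated:
            # No matching END: keep bytes up to the first NUL or next BEGIN.
            stops = [p for p in (dump.find(b"\x00", body), nxt) if p != -1]
            end = min(stops) if stops else len(dump)
            pos = end
        else:
            pos = end + len(END)
        # latin-1 never fails to decode and matches the iso-8859-1 mail above.
        regions.append(Region(start, dump[body:end].decode("latin-1").strip(), truncated))
    return regions


# Constructed dump: padding, one complete region, then one that was cut off.
SAMPLE_DUMP = (
    b"\x00" * 16 + b"\x84\xa4\x00\x16"
    + b"Signature Status: good\r\n"
    + BEGIN + b"\r\nSubject: Test\r\n\r\nTesting\r\n" + END
    + b"\x00" * 32
    + BEGIN + b"\r\nSubject: partial" + b"\x00" * 8
)

if __name__ == "__main__":
    for region in decrypted_regions(SAMPLE_DUMP):
        print(f"offset={region.offset:#x} truncated={region.truncated}")
        print(region.text)
```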

Forensic examiners may only rarely have an opportunity to extract information from RAM before the system is rebooted. Even if such access were available, the examiner would have to operate the computer, altering its state and potentially erasing valuable information. In practice, memory dumps are most useful when they occur accidentally. Also, as analysis tools evolve, it may be feasible to extract information from RAM during postmortem analysis.

3.4 Obtaining encryption passphrases

A passphrase is a longer version of a password and, in theory, a more secure one. Typically composed of multiple words, a passphrase is more secure against standard dictionary attacks, wherein the attacker tries all the words in the dictionary in an attempt to determine your password. The best passphrases are relatively long and complex, contain a combination of upper and lowercase letters, numeric and punctuation characters, and are therefore difficult to crack.

Because of this complexity in cracking passphrases, investigators attending a crime scene may want to do basic checks first, such as searching the area surrounding a system for slips of paper that may contain the passphrase. Secondly, the investigator may want to obtain the suspect’s other passwords that are used to protect personal data, such as email or a PDA. If these passwords are obtainable, they should be tried, since people often use the same password for multiple purposes.

Accidental memory dumps may disclose information relating to encryption. For instance, when PGP crashes on Windows 2000, the Dr. Watson application creates a memory dump (e.g. C:\Documents and Settings\All Users\Documents\DrWatson\user.dmp) that can contain encrypted and plaintext versions of data as well as passphrases, as shown here:

    C:\Documents and Settings\All Users\Documents\DrWatson>strings user.dmp
    …
    kernel32.dll
    RASAPI32
    C:\WINNT\tracing
    C:\Documents and Settings\Administrator\My Documents\PGP\pubring.pkr
    C:\Documents and Settings\Administrator\My Documents\PGP\secring.skr
    &! IN PGP MESSAGE----
    Version: PGP 7.1
    qANQR1DBwU4DSL6Q3OHRwOYQB/9pKnnhZGQRFwykWzBO1EWkzW336QOkUaHj 0aVj
    P1MgxDWQWi3kZpOfGnDg6kbQriWBiIgD/z8p5xGN+WcksytlLJv8OxvTGMepx7u8
    h5aVRXZd8YPM+h5ROpbnNw+SiT/w9oCy/ChWeiCHV1swQSzwBHx2Ye+yxO70Moxc
    ...
    frAG3nM7kOnChQp4jxhv2J0p7fL1vteI9EGbcimC9QCVBwC1U++mQIqbTyIw5gWK
    Io11yl8P+wKjcHsLfi2hTE+NIRb+VORWhVoCDHgNKV1nSFNTK0LEnvz84OFyRc1z
    -----END PGP MESSAGE----
    …

Since there may be other ways in which encryption applications expose passphrases, a more systematic method of searching the disk for possible passphrases is desirable. For instance, using the Forensic Toolkit (FTK) from Access Data it is possible to generate a list of keywords found on the disk and import this list into the Password Recovery Toolkit (PRTK) as shown in Figure 1. In this way, if the user purposefully or unintentionally stored their passphrase on disk, or an application wrote the passphrase to disk, it will be available in the keyword list. In one case, the PGP passphrase was found on an apparently blank floppy disk.

Figure 1: A PGP passphrase identified by PRTK from a list of keywords harvested from hard drive.

If the passphrase cannot be obtained from the computer, an attorney with the assistance of a forensics examiner may be able to persuade a suspect to cooperate. Although refusing to disclose an encryption passphrase does not necessarily imply guilt, it may reflect badly on the suspect in court and can shift the burden of proof onto the defense. Faced with such a risk, offenders can be persuaded to provide this information in exchange for leniency in sentencing or a plea bargain.

3.5 Computer monitoring with hardware and software

Passphrases are generally difficult to obtain even when proper searching tools and techniques are employed. As a last resort, the suspect’s machine can be monitored using software or hardware in an effort to obtain the desired passphrase. Commercial software programs like Spector Pro, and free programs such as SubSeven and Back Orifice, which enable key logging, screen captures, and remote file access, can assist investigators in obtaining encrypted files remotely.

Hardware devices like KeyGhost and KeyKatcher have internal memory and record keystrokes when they are connected between the keyboard and CPU. The advantage of hardware key logging devices over software is that they record every keystroke, even those used to protect the BIOS. However, these devices are not designed for Macintosh or Sun systems and do not work on laptops or personal digital assistants since the keyboard is integrated. Also, physical access to the machine is required to install and retrieve hardware devices, and they are visible to the alert user. A tamper evident seal can be attached to the device, making it more difficult for an individual to remove the key logger without some visible sign of tampering, as noted by KeyKatcher.

3.6 Passphrase Guessing

When manual passphrase guessing fails, an automated approach may be used with a list of common passphrases, then a dictionary in the languages of the suspect, and then more sophisticated permutation techniques. For instance, the Password Recovery Toolkit (PRTK) from Access Data can be configured to use various dictionaries and a customized suspect profile as shown in figure 2. PRTK then generates possible passphrases using entries in the dictionary, the suspect profile, and various combinations of these strings as shown in figure 3.

Figure 2: A biographical profile in PRTK supports international characters.

Figure 3: PRTK attempting to guess passphrase of PGP private key

All password recoveries performed by PRTK are conducted using rules, called levels. These levels start with the simplest attacks and proceed to the more complex. Levels provide the means by which the complexity of the passwords to be tested is gradually increased. The levels begin with simple dictionary attacks, migrate through enhanced dictionary attacks, and end with brute-force attacks where every sequence of characters is tried. The simple attacks (depending on the complexity of the encryption algorithm) typically require much less time than the more complex ones do. Also, the more passwords tried against the encrypted file, the more likely it is that a password will be found that can open it.

These settings directly impact the number of words to be tried as passwords and therefore determine the time that it will take to test all possibilities. Careful selection of these settings can significantly reduce the time to test and recover passwords. Improper use of these settings can prevent passwords from ever being found.

Individuals may change their passphrases periodically. Therefore, investigators should attempt to access all backup copies of private keys in case some have weaker passphrases than others. When individuals create new PGP keys, the PGP application prompts them to save a copy of the keys to a medium other than the main drive. Therefore, a backup copy of the private key file may be found on a floppy disk or other external media. Also, PGP periodically makes backup copies of key files on the hard disk, any of which could have a weak passphrase.

3.7 Brute forcing weak encryption

Weak encryption, employing key lengths of up to 40 bits, can be cracked using software tools such as Access Data’s Distributed Network Attack (DNA) application, which can brute force Adobe Acrobat and Microsoft Word/Excel files that are encrypted with 40 bit encryption, as shown in figure 4.

Figure 4: Decrypting MS Word files using Distributed Network Attack (DNA)

Using DNA, a cluster of approximately 100 off-the-shelf computers and the necessary software can attempt every possible 40 bit key in 5 days. The following example shows how multiple machines may impact a password recovery job:

  • A single machine processing 1 million passwords per hour will be able to process 24 million passwords in 24 hrs.
  • Ten machines using DNA, and running for 14 hrs each day, can process approximately 140 million passwords in a day.
  • Ten machines using DNA, and running for 24 hrs each day, can process approximately 240 million passwords in a day.

By making more machines available, the number of passwords that can be tested increases. It should be noted that DNA is able to make use of each processor in a multiprocessor and/or multi-core processor machine, enhancing the overall performance of password recovery.

4.0 Future Consideration

Plaintext is generally wiped out after it is encrypted; therefore, it is desirable to analyze the media using a scanning probe or magnetic force microscope to recover unencrypted copies of data. Similarly, it is desirable to be able to perform postmortem analysis on RAM. With the necessary equipment, data can be retrieved from RAM using debug modes even after power is removed.

Password finding and guessing tools that can access a wider range of file types and intelligently combine keywords to create complex passphrases need to be developed, and made available at reasonable cost for smaller organizations to implement. Another challenge that tool developers face is to tackle strong encryption such as photon-based quantum cryptography, which is impossible to decrypt because the act of monitoring alters the transmission.

5.0 Conclusion

Breaking encryption will definitely be a challenge for investigators performing forensics examination. The brief introduction to tools and techniques given in this paper is a good starting point towards retrieving plaintext fragments of encrypted documents, which can provide attorneys and investigators with some leverage if the case makes it to the courts. Passphrase cracking, which generally leads to decrypting evidence, also requires careful implementation. With the growing number and sophistication of encryption and data hiding tools, it is difficult for an individual forensics examiner to keep pace. Improvements in tools and increased information sharing amongst examiners can alleviate some of these difficulties.

6.0 References

  • RSA Security Crypto FAQ, Cryptanalysis Section, www.rsasecurity.com/rsalabs/faq/2-4.html
  • PGP Attacks, axion.physics.ubc.ca/pgp-attack.html
  • Cryptography Attacks, www.infoanarchy.org/wiki/wiki.pl?Cryptography/Attacks
  • Access Data password recovery with PRTK & DNA
  • Practical approaches to recovering encrypted digital evidence, Eoghan Casey
  • Why Cryptography Is Harder Than It Looks, Bruce Schneier, www.schneier.com/essay-whycrypto.html
  • Key management, key lengths and cryptographic attacks and defense, Simon WeberBrown
