ABSTRACT
Encryption is now a widely used method of preventing unauthorized access to personal information. Because the decryption key is difficult to obtain, it also makes digital forensic investigation more complex: digital evidence may not be recovered as easily as before, or may be unrecoverable. This survey reviews several kinds of encryption methods discussed in different papers, namely Full Disk Encryption (FDE), Virtual Disk Encryption (VDE), File Encryption and a two-step encryption scheme, and examines the effects these methods have on digital forensics.
1. Introduction
* FDE
“Full disk encryption is to encrypt the whole hard drive or the entirety of a particular volume.” [1] This can be done with software such as BitLocker, or with hardware that encrypts the disk completely. As a result, a forensic examiner encounters a full disk encryption interface before the machine boots. Even if the investigators duplicate the hard drive, they cannot access any data unless they can provide the decryption key, and if the user’s password is long and random enough, no data can be recovered at all. The key question is therefore how to acquire the decryption key. Sarah Lowman’s paper summarizes the following possible methods.
One way is to acquire the key from the suspect. Although UK law now requires that encryption keys be handed over to the police, this is not the case in other countries such as the US. Moreover, the punishment for not surrendering the keys may be far less severe than the potential punishment for the crime committed. [2] So if the suspect refuses to give up the key, or pleads plausible deniability, the investigators have to try other methods.
As the author states, keeping the key available is of crucial importance to the user, since if the key is lost all of the user’s data goes with it. The accessibility and convenience compromises this leads to can make it much easier for forensic investigators to find the key. Other methods of finding the key include using the Password Recovery Toolkit (PRTK) and using the optional password recovery mode offered by some FDE products. In corporate environments, the system administrator may also be able to provide recovery keys (Casey & Stellatos, 2008).
For forensic examiners it is also important to find out whether any disks use full disk encryption when they seize a computer, as this affects how the computer should be handled. If the machine is switched on, the investigators should make a live copy of the disk in case the key is never retrieved; otherwise the data may be lost when the machine is powered down. [1][2]
* VDE
A virtual disk encryption tool generates a virtual disk image protected by some encryption method. It shares with FDE the property that it can serve as an anti-forensic tool, because forensic investigators cannot access the contents of the disk without the key or passphrase. It is therefore crucial to collect as much evidence as possible while the system is live. To do so, forensic examiners first need to judge whether a VDE tool has been used on the system. In their paper, Sungsu Lim et al. propose methods to verify the use of VDE tools on a system by checking the artifacts generated during the installation, runtime and deletion procedures, so that investigators can decide what actions to perform during live forensics. [3]
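The two passages above both turn on the same practical step: deciding at seizure time whether a disk or volume is encrypted, because that decides whether a live image must be taken before power-down. The following is an added example, not code from the survey or from any of the papers it reviews, showing two complementary checks an examiner can run over a raw image: a header signature check (the "-FVE-FS-" marker BitLocker writes at byte offset 3 of an encrypted volume's first sector is a documented fact about BitLocker) and a per-block Shannon entropy statistic, which catches containers with no recognisable header. The entropy threshold, the block size and the sample images are constructed for this example.

```python
import math
import random
from collections import Counter

# Signature that BitLocker writes at byte offset 3 of the first sector of an
# encrypted volume (a documented fact about BitLocker, not taken from the survey).
BITLOCKER_SIGNATURE = b"-FVE-FS-"
BLOCK = 4096
# Threshold assumed for this example: ciphertext and random data sit close to
# 8 bits per byte, while plaintext file systems and zero-filled space fall well below.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_bitlocker_signature(image: bytes) -> bool:
    """Cheap check for the BitLocker volume header in the first sector."""
    return image[3:3 + len(BITLOCKER_SIGNATURE)] == BITLOCKER_SIGNATURE


def high_entropy_fraction(image: bytes, block: int = BLOCK) -> float:
    """Fraction of fixed-size blocks whose entropy exceeds ENTROPY_THRESHOLD."""
    blocks = [image[i:i + block] for i in range(0, len(image), block)]
    if not blocks:
        return 0.0
    hot = sum(1 for b in blocks if shannon_entropy(b) > ENTROPY_THRESHOLD)
    return hot / len(blocks)


def triage_image(image: bytes) -> dict:
    """Combine the signature check and the entropy statistic into a verdict.

    A known signature is conclusive; otherwise a volume whose blocks are almost
    all high-entropy is flagged as a probable encrypted container (VDE, or FDE
    without a recognised header) that should be imaged while the system is live.
    """
    sig = has_bitlocker_signature(image)
    frac = high_entropy_fraction(image)
    return {
        "bitlocker_signature": sig,
        "high_entropy_fraction": round(frac, 3),
        "likely_encrypted": sig or frac > 0.9,
    }


def sample_images() -> dict:
    """Constructed sample images (not real disk data) for exercising the triage."""
    rng = random.Random(2024)
    random_body = bytes(rng.getrandbits(8) for _ in range(8 * BLOCK))
    # BitLocker-like: constructed jump bytes, the real signature, then random-looking data.
    bitlocker_like = b"\xeb\x58\x90" + BITLOCKER_SIGNATURE + random_body[11:]
    # Unlabelled container: no known header, but uniformly high entropy.
    container = random_body
    # Plaintext volume: repetitive ASCII, low entropy everywhere.
    plaintext = (b"Quarterly report, draft 3. Figures below are provisional.\n" * 600)[:8 * BLOCK]
    return {"bitlocker": bitlocker_like, "container": container, "plaintext": plaintext}


if __name__ == "__main__":
    for name, img in sample_images().items():
        print(name, triage_image(img))
```

On a real image the examiner would read the first sector and a sample of blocks from each partition rather than load the whole disk; the verdict still rests on the same two observations. A high-entropy volume with no header is exactly the case where the survey's advice applies: image it live, because nothing can be recovered from it after shutdown without the key.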
* File encryption
File encryption encrypts individual files within an operating system rather than entire disks (as FDE and VDE do). With this method the key question is still how to acquire keys during a forensic investigation. Since the investigators can access the operating system, many clues can be used to crack the password; with FDE, by contrast, a password is needed to boot the system, so nothing inside the system can be used to collect evidence other than through live forensics. Sarah Lowman’s paper lists several methods of acquiring keys. For convenience, many users make their passwords short and quick to type, which can be a break-in point for the investigators. Software such as the Password Recovery Toolkit can be fed strings extracted from the hard drive image in order to try to crack a password. If the key is not long enough, it can sometimes be brute-forced. In addition, a vulnerability in the system can be exploited to obtain keys.
This encryption method has a few disadvantages for its user. Since the plaintext must exist on the system before the files are encrypted, unencrypted fragments of those files can be found on the system. Apart from this, suspects may be careless enough to leave unencrypted files related to the encrypted ones on the system. [2]
* Two-step Encryption
This is a new anti-forensic tool proposed by Sang Su Lee et al. The general idea is to encrypt a secret file twice: first with a standard algorithm such as AES, and second by XORing the file contents with files of the user’s choosing that already exist on the system. Since it is difficult to identify exactly which files the user selected for the second step, it is relatively hard for forensic examiners to recover the plaintext. The user can also choose their own offset values, or a rule for deriving the files, to further increase the complexity of forensic analysis. [4]
2. Analysis
FDE and VDE are both used to encrypt disks. Both release the mounted disk when the system is shut down, after which it remains in an encrypted state. Since it is relatively hard for forensic investigators to obtain the decryption key, a digital forensic investigation is much more complex than with the other two methods. Although the papers’ authors propose several ways of acquiring the keys, it is still not easy. The accessibility and convenience weaknesses can be avoided by setting a long and random password if one really wants to resist forensic investigation. The power of the law also only applies in certain countries, and there is no unified standard. Tools such as the Password Recovery Toolkit (PRTK) mentioned by Sarah Lowman may work for recovering encryption keys.
Since the investigation is difficult to progress if the computer is shut down with the data encrypted, investigators may need to perform live forensics and collect as much evidence as possible. When the system is on, Sangjin Lee’s paper provides many ways of tracing the use of an FDE or VDE tool. However, the verification process may itself change the system and thereby affect the digital evidence, especially volatile data. Although the changes can be documented as suggested, tracking every change is still difficult, which affects credibility. Nevertheless, given the complexity of FDE and VDE, it is the only feasible way to obtain evidence; all investigators can do is change the data as little as possible.
File encryption, on the other hand, is not integrated into the operating system, so many traces are left outside the encrypted files. It therefore causes relatively little trouble for investigators, and is unlikely to be the main direction of future research in this field. The new anti-forensic tool proposed by Sang Su Lee and his colleagues can also be classified as file encryption. Although the authors argue that the second round of encryption is highly complex because of the irregular selection of files and offset values, traces can still be found to help recover the plaintext, since the investigators have access to memory and the whole system. This may be a hint for investigators coping with this ‘new’ tool.
For digital forensics, the most efficient way to acquire the key is to obtain it from the suspect. Some governments have already passed new laws compelling people to give up their keys or provide unencrypted data, which greatly helps forensic investigations. However, because laws differ between countries, criminals can still escape punishment, or receive a less severe punishment, in some countries. Amending the laws to address this new kind of crime is an important issue for governments.
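The two-step scheme described in the Introduction, and the observation above that its second round adds complexity only through the secrecy of the file and offset selection, can be seen together in one small model. The following is an added example and is not the tool of Sang Su Lee et al. nor code from the survey: the first step uses a SHA-256 counter-mode keystream as a stand-in for AES (an assumption made so the example needs only the standard library), the second step XORs the result with bytes of a "selected file" starting at an offset, and `strip_second_layer` shows what an examiner does once the selected file and offset have been recovered from memory or from the tool's configuration: the second layer disappears and only the first-step ciphertext remains. The secret, key, nonce, selected file and offset are all constructed.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: an assumed stand-in for the AES first step so
    that the example runs with the standard library only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def step_one(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """First step: conventional symmetric encryption. XOR with a keystream is
    self-inverse, so the same call also decrypts."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def step_two(data: bytes, key_file: bytes, offset: int) -> bytes:
    """Second step: XOR with bytes of a user-chosen file already on the system,
    starting at `offset` and wrapping if the file is shorter. Also self-inverse."""
    if not key_file:
        raise ValueError("key file is empty")
    n = len(key_file)
    mask = bytes(key_file[(offset + i) % n] for i in range(len(data)))
    return xor_bytes(data, mask)


def two_step_encrypt(plaintext, key, nonce, key_file, offset):
    return step_two(step_one(plaintext, key, nonce), key_file, offset)


def two_step_decrypt(ciphertext, key, nonce, key_file, offset):
    return step_one(step_two(ciphertext, key_file, offset), key, nonce)


def strip_second_layer(ciphertext, key_file, offset):
    """Examiner's view: with the selected file and offset recovered, removing the
    second layer needs no key at all and leaves only the first-step ciphertext."""
    return step_two(ciphertext, key_file, offset)


def demo() -> dict:
    """Constructed inputs: a short secret, a fixed key and nonce, and a 'selected
    file' made from a repeating byte pattern standing in for a file on disk."""
    secret = b"meeting notes: the second layer adds no strength of its own"
    key, nonce = b"\x11" * 32, b"\x22" * 16
    selected_file = bytes(range(256)) * 4
    offset = 100
    ct = two_step_encrypt(secret, key, nonce, selected_file, offset)
    return {
        "ciphertext": ct,
        "round_trip_ok": two_step_decrypt(ct, key, nonce, selected_file, offset) == secret,
        # Knowing the file and offset reduces the problem to the first layer alone.
        "second_layer_removed": strip_second_layer(ct, selected_file, offset)
        == step_one(secret, key, nonce),
        # With the wrong offset the second layer is not removed and decryption fails.
        "wrong_offset_ok": two_step_decrypt(ct, key, nonce, selected_file, offset + 1) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the analysis draws: the second layer is an XOR with material that is itself stored on the seized system, so its contribution to the examiner's workload is entirely the search for which file and offset were used, a search that live memory and the tool's own artifacts can shorten. Once that is known, the examiner is back to the ordinary problem of a single AES layer and its key.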
3. Conclusion
All of the encryption methods discussed have some impact on digital forensics. However, because FDE and VDE tools integrate encryption into the operating system, they cause more trouble for forensic examiners. More effort should therefore be put into detecting this software and into strategies for discovering keys or obtaining plaintext.
4. References
[1] Casey, E., Stellatos, G. J., “The Impact of Full Disk Encryption on Digital Forensics”, ACM, New York, 2008.