1

Practical approaches in recovering encrypted

evidence

FSCT 8570

British Columbia Institute of Technology

Vancouver, BC

Prepared by: Arif Zina

Date: April 11, 2006

 2

Table of Content

1.0 Introduction -------------------------------------------------------------------------------- 3

2.0 Crypto – Analysis -------------------------------------------------------------------------- 4

2.1 Introduction ------------------------------------------------------------------------- 4

2.2 Cryptographic attacks ------------------------------------------------------------4

3.0 Non Cryptographic methods ------------------------------------------------------------ 5

3.1 Overcoming weak encryption -------------------------------------------------- 5

3.2 Finding unencrypted copies of data ------------------------------------------ 6
3.3 Searching computer memory for file contents ----------------------------- 7
3.4 Obtaining encrypted passphrases -------------------------------------------- 8
3.5 Computer monitoring with hardware and software ----------------------- 10
3.6 Passphrase guessing ------------------------------------------------------------ 10
3.7 Brute forcing weak encryption ------------------------------------------------- 13

4.0 Future consideration ---------------------------------------------------------------------- 14

5.0 Conclusion ----------------------------------------------------------------------------------- 14

6.0 References ---------------------------------------------------------------------------------- 15

1.0 Introduction
 3

As criminals become more aware of the capabilities of forensic examiners to recover digital
evidence they are making more use of encryption technology to conceal incriminating data.
Organized criminals use readily available encryption software and online child pornographers
encrypt their communications and the files they exchange.
Terrorist groups are making use of encryption to protect the contents of their computers and
their Internet communications.
Since criminals generally encrypt the more incriminating communications and stored data, it is
often exactly this evidence that investigators seek. Therefore, in addition to an understanding of
cryptography, it is critical for forensic examiners to develop practical techniques for dealing with
encryption to obtain some, if not all, of this digital evidence.
As strong encryption becomes more widely used by criminals, it is infeasible to attack the
encryption directly using brute force methods. Instead, practical approaches to recovering
encrypted data using readily available tools needs to be employed to locate unencrypted copies
of data, obtaining encryption pass phrases, and guessing encryption pass phrases.
This paper discusses different methods investigators may apply to find and recover
incriminating evidence such as plain text from the hard drive of the criminals and using
commercial available tools to obtain and guess pass phrases.

2.0 Crypto – Analysis

 4

2.1 Introduction
Crypto-analysis (also spelt as Cryptanalysis) is the opposite of cryptography.
Cryptanalysis is the art (and science) of breaking cryptographic protocols: cracking
codes, breaking authentication methods, decoding secrets. The most important
search for a cryptanalyst would be to find the secret key being used, since that
would allow any communication using that key to be decrypted. In the general case the
cipher text and algorithm are known – the plaintext and key are not.

2.2 Cryptographic attacks

There are many types of attacks that can be directed at cryptographic algorithms and
cipher text. Cryptographic attacks can be broken down into two types, namely, brute
force attacks and crypto-analytical attacks.

Brute Force Attacks

A brute force attack is really a brute force key search directed against some ciphertext.
The attacker tries a series of different keys in the hope that one will eventually work. It is
akin to a burglar using different keys from a key-chain to open a locked door. There is no
way to prevent this kind of attack, since it is trivial to intercept ciphertext. However, when
ciphertext is encrypted with a sufficiently long key (128-bits or longer), it would require
the attacker to try literally billions and billions of different keys. When an encryption
algorithm like DES is used, it is theoretically possible to try every possible key to decrypt
a given piece of ciphertext. However, this approach requires significant computing power
to run through the vast number (2^56, over 72 quadrillion) of potential decryption keys
and can take an inordinate amount of time depending on the strength of the encryption.
This approach is therefore, not the best way to crack encryption or to determine the pass
phrase. Non cryptographic methods are therefore required, which will get the work done
in a reasonable time and using reasonable resources.

Crypto-analytical attacks
 5

Crypto-analytical attacks are far more sophisticated than brute force attacks. They
proceed on the unfortunate fact that it is possible to carefully and patiently examine an
algorithm to give up specific information about its generated ciphertexts in order to
determine the key. Such attacks tend to require advanced mathematics and powerful
computers. However, well-designed algorithms should be resistant against such attacks.

3.0 Non Cryptographic methods

Since at some point the secrecy of most ciphers is dependent on a password or

passphrase that ‘unlocks’ or generates the key, an attacker can forgo attacks on
the cryptography and instead attempt to determine this password. Brute- Forcing
involves trying all possible combinations of characters in the password’s key-space. The
larger the key-space and the longer the password, the longer brute forcing will take. For
example, a password made up of 6 or more uppercase characters and digits will take far
less time to crack than would one made up of 8 upper and lowercase characters, digits
and special characters.
A Dictionary attack tries passwords from a list or dictionary. This may be a real dictionary
but is usually an arbitrary list of associated words (medical terms, for example) and
variations on them (number+word, word+number, reversed word, letter ‘oh’ replaced by
digit 1, etc.) A number of automated tools exist to both brute force and dictionary attack
passwords – tools such as Cain and Abel, John the Ripper, L0phtcrack and Crack5.
Dictionaries of various types are also readily downloaded off the Internet.

3.1 Overcoming weak encryption

Computer intruders often use simple encryption to obfuscate network traffic and portions
of rootkits they install on compromised systems to conceal their presence. One common
form of simple encryption used by intruders is to exclusive OR (XOR) each byte against
the value 255 (0xFF), effectively inverting every byte in the file.
In one case, examiners found a configuration file that they suspected was a key
component of a rootkit but appeared to contain only binary data. Viewing the file using a
hexadecimal viewer showed that all of the characters in the file were above decimal
value 127. This absence of ASCII characters suggested some form of character
 6

substitution. Guessing that XOR was used, the examiners reversed the encryption to
reveal the contents of the rootkit configuration file shown here:

# perl -e 'while (<>) { print ~$_; }' < uconf.inv

[file]
find=/usr/lib/boot/find
du=/usr/lib/boot/du
ls=/usr/lib/boot/ls
file_filters=01,lblibps.so,sn.l,prom
[ps]
ps=/usr/lib/boot/psr
ps_filters=ibmd,drone,psniff,psr
lsof_filters=ibmd,uconf.inv,psniff,psr,:13000,/dev/pts/01,sn.l,prom,lsof
[netstat]
netstat=/usr/lib/boot/netstat
net_filters=38290,25000,6667,8000,9000
[login]
su_pass=owned
su_loc=/usr/lib/boot/su
ping=/usr/lib/boot/ping
passwd=/usr/lib/boot/passwd
shell=/bin/sh

Another example would be Back Orifice. It uses XOR to encrypt traffic between the client
and server and it is relatively simple to decrypt these packets since the header of the
Back Orifice packets always begins with the same string.
Early versions of Microsoft and Excel use XOR to encrypt passwords that individual can
select to protect their files. These passwords can be easily recovered using tools such
as Access Data’s Password Recovery Toolkit and NTI’s Advanced Password Recovery
Software.

3.2 Finding Unencrypted Copies of Data

Modern Operating Systems are paged, a process which allows them to provide
more virtual memory than there really exists in the system. This is done my
saving unused memory pages to disk to allow other programs and data to be
loaded. These disk page files may inadvertently contain passwords, keys,
plaintext and ciphertext. Accessing this on-disk storage may provide an investigator
with information that may assist in breaking the cryptosystem in use.
Programs may also create temporary disk files to hold data while calculations are
in progress, or from one invocation to the next. These temporary files may also
divulge sensitive information, and tend to be more easily accessible, and have
 7

more permanence, than pages memory files. Also, for instance, if an EFS encrypted file
is printed and the System32\spool\printer folder is not encrypted, spool files will contain
unencrypted copies of the encrypted files.
Another example is, when PGP is used to encrypt Microsoft Word document. Although
the original document were wiped, fragments of the files can be found scattered around
the disk in deleted MS word temporary files, some of which could be found by searching
for Microsoft Word headers. Although it may not be possible to recover the entire file, but
enough incriminating evidence can be accumulated to prove a case.

3.3 Searching computer memory for file contents

The computer’s Random Access Memory (RAM) is another source of finding

unencrypted data. For instance, if the contents of an application window (such as
Outlook’s e-mail composition window) is encrypted using PGP, a copy of the plaintext is
often held in memory by the application. Similarly, when PGP is used to encrypt or
decrypt text on Windows 2000, a copy of the plaintext is held in memory by PGPtray for
an indefinite period. The memory of this process can be dumped to a file using a
program like pmdump and searched for unencrypted data as shown here:

D:\>pslist pgptray
Name Pid Pri Thd Hnd Mem User Time Kernel Time Elapsed Time
PGPtray 1332 8 7 150 1264 0:00:00.060 0:00:00.270 2:20:33.466
D:\>pmdump 1332 pgptray.mem
D:\>less pgptray.mem
…¨o
^@^@^@^@^@^@^@^@„¤^@^V^@^@^@^P^@„¤¨k^V^@`Ç^V^@P Signature Status: good
*** Signer: Eoghan Casey <[email protected]>
*** Signed: 7/20/2002 8:36:42 PM
*** Verified: 7/20/2002 8:41:17 PM
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
Return-Path: <[email protected]>
Received: from webmailmta.go.com ([204.202.140.199])
by lsh110.siteprotect.com (8.9.3/8.9.3) with ESMTP id SAA04960
for <[email protected]>; Thu, 11 Jul 2002 18:57:48 -0500
Received: from gomailjtp03 ([10.212.0.163])
by mta07.seamail.go.com (Sun Internet Mail Server
sims.4.0.2001.07.26.11.50.p9) with ESMTP id
<[email protected]> for
[email protected]; Thu,
11 Jul 2002 16:43:48 -0700 (PDT)
Date: Thu, 11 Jul 2002 16:45:32 -0700 (PDT)
From: Harold Jones <[email protected]>
Subject: Test
To: [email protected]
Message-ID: <6477825.1026431132801.JavaMail.harold1jones@gomailjtp03>
MIME-version: 1.0
X-Mailer: GoMail 3.0.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT
 8

X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: WBZAgrMiFHAeVlSFpWCqRCEs
Testing
___________________________________________________
GO.com Mail
Get Your Free, Private E-mail at http://mail.go.com
*** END PGP DECRYPTED/VERIFIED MESSAGE ***
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^L^@<8D>
…

Forensic examiners may rarely have an opportunity to extract information from

RAM before the system is rebooted. Even if such access were available, the examiner
would have to operate the computer, altering its state and potentially erasing valuable
information. In practicality, memory dumps are most useful when they occur accidentally.
Also, as analysis tools evolve, it may be feasible to extract information from RAM during
postmortem analysis

3.4 Obtaining encryption passphrases

A passphrase is a longer version of a password, and in theory, a more secure one.

Typically composed of multiple words, a passphrase is more secure against standard
dictionary attacks, wherein the attacker tries all the words in the dictionary in an attempt
to determine your password. The best passphrases are relatively long and complex and
contain a combination of upper and lowercase letters, numeric and punctuation
characters and therefore difficult to crack .
Because of this complexity in cracking passphrases, Investigators when attending a
crime scene may want to do basic checks first, such as searching the area surrounding
a system for slips of paper that may contain the passphrase. Secondly, the investigator
may want to obtain suspects (other) passwords that are used to protect personal data,
such as email, PDA. If these passwords are obtainable, should be tried since people
often use the same password for multiple purposes.

Accidental memory dumps may disclose information relating to encryption. For instance,
when PGP crashes on Windows 2000, the Dr. Watson application creates a memory
dump (e.g. C:\Documents and Settings\All Users\Documents\DrWatson\user.dmp) that
can contain encrypted and plaintext versions of data as well as passphrases as shown
here: C:\Documents and Settings\All Users\Documents\DrWatson>strings user.dmp
 9

…
kernel32.dll
RASAPI32
C:\WINNT\tracing
C:\Documents and Settings\Administrator\My Documents\PGP\pubring.pkr
C:\Documents and Settings\Administrator\My Documents\PGP\secring.skr
&!
IN PGP MESSAGE-----
Version: PGP 7.1
qANQR1DBwU4DSL6Q3OHRwOYQB/9pKnnhZGQRFwykWzBO1EWkzW336QOkUaHj
0aVj
P1MgxDWQWi3kZpOfGnDg6kbQriWBiIgD/z8p5xGN+WcksytlLJv8OxvTGMepx7u8
h5aVRXZd8YPM+h5ROpbnNw+SiT/w9oCy/ChWeiCHV1swQSzwBHx2Ye+yxO70Moxc
...
frAG3nM7kOnChQp4jxhv2J0p7fL1vteI9EGbcimC9QCVBwC1U++mQIqbTyIw5gWK
Io11yl8P+wKjcHsLfi2hTE+NIRb+VORWhVoCDHgNKV1nSFNTK0LEnvz84OFyRc1z
-----END PGP MESSAGE-----
<pgppassphrase!>
…

Since there may be other ways in which encryption applications expose passphrases a
more systematic method of searching the disk for possible passphases is desirable. For
instance, using the Forensic Toolkit (FTK) from Access Data it is possible to generate a
list of keywords found on the disk and import this list into the Password Recovery Toolkit
(PRTK) as shown in Figure 1. In this way, if the user purposefully or unintentionally
stored their passphrase on disk or an application wrote the passphrase to disk, it will be
available in the keyword list. In one case, the PGP passphrase was found on an
apparently blank floppy disk.

Figure 1: A PGP passphrase identified by PRTK from a list of keywords

harvested from hard drive.
 1

If the passphrase cannot be obtained from the computer, an attorney with the assistance
of a forensics examiner may be able to persuade a suspect to cooperate. Although
refusing to disclose an encryption passphrase does not necessarily imply quilt, it may
reflect badly on the suspect in court and can shift the burden of proof onto the defense.
Faced with such a risk, offenders can be persuaded to provide this information in
exchange of leniency in sentencing or plea bargain.

3.5 Computer monitoring with hardware and software

Passphrases are generally difficult to obtain even when proper searching tools and
techniques are employed. As a last resort, the suspect’s machine can be monitored
using software or hardware in an effort to obtain the desired passphrase. Commercial
software programs like Spector Pro, and free programs such as SubSeven and Back
Orifice enable key logging, screen captures, and remote file access, can assist
investigators in obtaining encrypted files remotely.
Hardware devices like KeyGhost and KeyKatcher have internal memory and record
keystrokes when they are connected between the keyboard and CPU.
The advantage of hardware key logging devices over software is that they record every
keystroke, even those used to protect the BIOS. However, these devices are not
designed or Macintosh or Sun systems and do not work on laptops or personal digital
assistants since the keyboard is integrated. Also, physical access to the machine is
required to install and retrieve hardware devices and they are visible to the alert user. A
tamper evident seal can be attached to the device, making it more difficult for an
individual to remove the key logger without some visible sign of tampering as noted by
KeyKatch.

3.6 Passphrase Guessing

When manual passphrase guessing fails, an automated approach may be used with a
list of common passphrases, then a dictionary in the languages of the suspect, and then
more sophisticated permutation techniques. For instance, the Password Recovery
Toolkit (PRTK) from Access Data can be configured to use various dictionaries and
customized suspect profile as shown in figure 2. The PTRK then generates possible
 11

passphrases using entries in the dictionary, suspect profile, and various combinations of
these strings as shown in figure 3

Figure 2: A biographical profile in PRTK supports international characters.

 1

Figure 3: PRTK attempting to guess passphrase of PGP private key

All password recovery performed by PRTK are conducted using rules, called levels.
These levels start with the simplest attacks and proceed to the more complex. Levels
provide the means by which the complexity of the passwords to be tested are gradually
increased. The level begin with simple dictionary attacks, migrate through enhanced
dictionary attacks, and end with brute-force attacks where every sequence of characters
is tried. The simple attacks (depending on the complexity of the encryption algorithm)
typically require much less time than the more complex one do. Also, the more
passwords tried against the encrypted file, the more likely it is that a password will be
found that can open it. These settings directly impact the number of words to be tried as
passwords and therefore determine the time that it will take to test all possibilities.
Careful selection of these settings can reduce the time to test and recover passwords in
a significant way. Improper use of these settings can prevent passwords from ever being
found.

Individuals may change their passphrases periodically. Therefore, investigators should

attempt to access all backup copies of private keys in case some have weaker
passphrases than others. When individuals create new PGP keys, the PGP application
prompts them to save a copy of the keys to a medium other than the main drive.
Therefore, a backup copy of the private key file may be found on a floppy disk or other
 1

external media. Also, PGP periodically makes backup copies of key files on the hard
disk, any of which could have a weak passphrase.

3.7 Brute forcing weak encryption

Weak encryption, employing key lengths of up to 40 bits can be cracked using software
tools such as Access Data’s Distributed Network Attack (DNA) application, which can
brute force Adobe Acrobat and Microsoft Word/Excel files that are encrypted with 40 bit
encryption, shown in figure 4.

Figure4: Decrypting MS Word files using Distributed Network Attack (DNA)

Using DNA, a cluster of approximately 100 of-the-shelf computers and necessary

software can attempt every possible 40 bit key in 5 days.
As an example of how multiple machines may impact a password recovery job is shown
as follows:
• A single machine processing 1 million passwords per hour, will be able to process 24
million passwords in 24 hrs.
• Ten machines using DNA, and running for 14 hrs each day, can process
approximately 140 million passwords in a day.
• Ten machines using DNA, and running for 24 hrs each day, can process
approximately 240 million passwords in a day.
 1

By making more machines available, the number of passwords that can be tested
increases. It should be noted that DNA is able to make use of each processor in a multi-
processor and/or multi-core processor machine, enhancing the overall performance of
password recovery.

4.0 Future Consideration

Plaintext is generally wiped out after it is encrypted; therefore, it is desirable to analyze

the media using scanning probe or magnetic force microscope to recover unencrypted
copies of data. Similarly, it is desirable to be able to perform postmortem analysis on
RAM. With necessary equipment data can be retrieved from RAM using debug modes
even after power is removed.

Developing password finding and guessing tools that can access a wider range of file
types and intelligently combine keywords to create complex passphrases, needs to
developed, and available at reasonable cost, for smaller organization to implement.

Another challenge that tools developers face is tackle strong encryption such as photon-
based quantum cryptography, which is impossible to decrypt because the act of
monitoring alters the transmission

5.0 Conclusion

Breaking encryption will definitely be a challenge for investigators performing forensics

examination. A brief introduction of tools and techniques described in this paper is a
good starting point towards retrieving plaintext fragments of encrypted documents, which
can provide attorneys and investigators with some leverage if the case makes it to the
courts. Passphrase cracking, which generally leads to decrypting evidences, also
requires careful implementation. With the growing number of sophistication of encryption
and data hiding tools, it is difficult for an individual forensics examiner to keep pace.
Improvements in tools and increased information sharing amongst examiners can
alleviate some of these difficulties.
 1

6.0 References

RSA Security Crypto FAQ Cryptanalysis Section,

www.rsasecurity.com/rsalabs/faq/2-4.html

PGP Attacks, axion.physics.ubc.ca/pgp-attack.html

Cryptography Attacks, www.infoanarchy.org/wiki/wiki.pl?Cryptography/Attacks

Access Data password recovery with PRTK & DNA

Practical approaches to recovering encrypted digital evidence. Eoghan Casey

Why Cryptography Is Harder Than It Looks, Bruce Schneier,

www.schneier.com/essay-whycrypto.html

Key management, key lengths and cryptographic attacks and defense. Simon Weber-
Brown
1