DOCSLIB.ORG

Detecting the Use of Truecrypt

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Royal Holloway Information Security Thesis Series | Detecting the use of TrueCrypt Detecting the use of TrueCrypt Clues that point a digital forensics investigator towards evidence of TrueCrypt data encryption software use by Andrew Davies, MSc (RHUL) and Allan Tomlinson, ISG, Royal Holloway THINKSTOCK Royal Holloway Information Security Thesis Series | Detecting the use of TrueCrypt Forensic investigations: Detecting evidence of the use of TrueCrypt Criminals are increasingly using data encryption software to cover their tracks. Even detecting the use of encryption software can be a challenge for a digital forensics investigator. This article looks at the evidential material that can be found when TrueCrypt data encryption software has been used by Andrew Davies and Allan Tomlinson Forensic investigators conducting examinations need to be as sure as they can be that they have all the information they need to present a fair and unbiased report. If information is encrypted, redacted or not detected, the integrity of the study is compromised. Criminals are increasingly using data encryption software to ensure data confidentiality. It can be challenging just to detect whether encryption software has been used. When use of data encryption software is suspected, digital forensic investigators will typically try to gain access to the suspect’s computer while it is still powered on. Access to a powered-on computer can enable the Figure 1: TrueCrypt encrypted file container investigator to access memory resident material from random access memory (RAM), perhaps yielding the password used to encrypt or decrypt the data. It can also allow access to the data in an unencrypted form, or at least confirm that data encryption software is in use. So what happens if the suspect computer is found in a powered-off state? This article shows that, even in this case, there is still plenty of evidence that can be extracted to confirm whether or not data encryption software has been used. TrueCrypt is an example of popular data encryption software and about 30 million copies have been downloaded to date. Its popularity can be attributed to it being open source, freely available and its support on a number of major operating systems. TrueCrypt can create a “volume” to store encrypted data as a single file within the disk file system, as shown in Figure 1. As shown in Figure 2, TrueCrypt can also encrypt whole regions of a hard disk, including areas that contain the operating system start-up files. The encrypted data areas shown in figures 1 and 2 represent TrueCrypt’s normal mode of data encryption, the standard volume. In addition to the standard volume, which is often referred to as the outer volume, TrueCrypt also possesses a feature that allows users to hide the presence of an encrypted volume – the hidden volume. Worryingly for a forensic investigator, the hidden volume provides users with plausible reasons why such encrypted data could not exist. When the data is encrypted, it is difficult for investigators to view with normal forensics tools because it does not have an obvious structure and so may go undetected. However, even though the encrypted data might not initially be detected, TrueCrypt does leave a trail of evidence that could be examined. This supporting evidence could then be used in conjunction with the relevant laws to seek Figure 2: TrueCrypt partition and device access to the encrypted material in an unencrypted form. encryption -2- Royal Holloway Information Security Thesis Series | Detecting the use of TrueCrypt The evidence trail The amount of When TrueCrypt is used on a Microsoft Windows operating system, evidence evidence that can be that it has been used can be found in a number of locations. The amount of evidence that can be recovered depends on which volume mode, standard or recovered depends hidden, has been used to encrypt the data. Some examples of where evidence can be found that points to TrueCrypt’s use are: on which volume mode has been used n The Microsoft Windows Registry. n The Microsoft Windows IconCache.db file. to encrypt the data n The hard disk’s master boot record (MBR). Windows Registry evidence The Windows Registry is a hierarchical database represented by a number of files within the file system. It contains configuration information and settings for Windows and associated applications. It is commonly analysed as part of a host computer investigative process. The information within the Registry is categorised into sections containing root keys. Each key can contain sub-keys and various attribute data types, such as binary or string values. The UserAssist sub-key of the Windows Explorer application contains details of applications that have previously been executed on the running Windows system. An example of the UserAssist key’s location within the Registry is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\UserAssist\{GUID}\Count The data attributes of this sub-key, which can be viewed at the given location by running RegEdit, are encoded with a Caesar cipher whose shift or rotation is 13 places. This application of the cipher is commonly called rotate-13 or ROT-13 for short. Using ROT-13, the word “TrueCrypt” is encoded as the text “GehrPelcg” and this is the search term that can be used to locate the data key within the Registry. If the data is found, it is often stored with the full directory path that references the location of the TrueCrypt application executable within the file system. The full path data is again encoded with ROT-13. A pre- Windows 7 example of this is: HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zl Qbphzragf\GehrPelcg7.1n\GehrPelcg.rkr Conversion of this from ROT-13 results in the following: UEME_RUNPATH:C:\Documents and Settings\Administrator\My Documents\TrueCrypt7.1a\TrueCrypt.exe This confirms the TrueCrypt application (TrueCrypt.exe) has existed on the hard disk volume C: and says where it was located at the time of being executed. Although not immediately obvious, the number of times the application has been executed can also be determined from the contents of the attribute’s value data, also found in the same UserAssist sub-key. An example of the contents are the hexadecimal values “02 00 00 00 09 00 00 00 C0 B4 CC 12 97 99 CE 01”. The fifth hexadecimal value “09” represents the number of times the application has been executed. The application execution count starts from “05”. Therefore, in this instance, the application has been started four times. Software applications exist that can determine the execution count automatically; one example is UserAssist. -3- Royal Holloway Information Security Thesis Series | Detecting the use of TrueCrypt One of the clearest indications of TrueCrypt use can be found in the Registry key “HKEY_LOCAL_MACHINE\system\MountedDevices”. This Registry entry What cannot be tracks the disk volumes that have been used within Windows. The values stored determined from this in the attribute called “data” at this location are the hexadecimal numbers of the corresponding ASCII character code. Conversion of the hexadecimal numbers information is what to the corresponding ASCII characters results in the text “TrueCryptVolume” followed by a letter that represents the drive volume letter assigned to the type of TrueCrypt mounted TrueCrypt container at the time of use. volume was used An example would be “TrueCryptVolumeT”, which means the TrueCrypt volume was mounted for use and, at the time, was assigned the drive volume letter “T”. So the data stored in this key confirms a TrueCrypt volume has been used on the host. What cannot be determined from this information is what type of TrueCrypt volume was used, whether a standard volume or a hidden one. Many Windows applications retain a list of recently accessed file names to allow users to return quickly to files they were working on. This information may also be stored in the Registry. Some of the applications include the full path location to precisely identify the file in the file system, including the name assigned to a disk volume. If the disk volume is inappropriately named, for example a TrueCrypt hidden volume has been labelled “secretstuff”, and this volume cannot be located, then this could add weight to the investigator’s assessment that data encryption has been used. IconCache.db As part of the Windows graphical user interface (GUI), applications are displayed in the GUI as icons or images that represent the file’s content or use. Windows caches icons on a per-user basis in a file called IconCache.db. When applications are executed, the icons, together with the owning application reference, are stored within this file. The contents can be viewed with a basic file editor capable of displaying binary files. So, if TrueCrypt has been used by a Windows user, a reference to TrueCrypt’s file location and name is cached in the IconCache.db file. Unlike ASCII, the reference within this file uses a 16-bit character set. Consequently, most editors will display the text with another character between each letter, commonly Figure 3: Analysis of IconCache.db -4- Royal Holloway Information Security Thesis Series | Detecting the use of TrueCrypt using a blank space or period. This can be seen in Figure 3. Therefore, when searching for the string “TrueCrypt” with your forensic software, you need to ensure that the correct character set is used. Using normal forensic file carving techniques, bitmap data representing an icon can also be extracted from IconCache.db. If TrueCrypt has been used, its icons will be cached. An example is also shown in Figure 3. Figure 4: The TrueCrypt boot loader screen Finding a match between TrueCrypt’s application icons and the cached icons contained within IconCache.db would provide additional supporting evidence for the forensic investigator.
Recommended publications
  • Course 5 Lesson 2

    Course 5 Lesson 2

    This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the National Science Foundation C5L3S1 With the advent of the Internet, social networking, and open communication, a vast amount of information is readily available on the Internet for anyone to access. Despite this trend, computer users need to ensure private or personal communications remain confidential and are viewed only by the intended party. Private information such as a social security numbers, school transcripts, medical histories, tax records, banking, and legal documents should be secure when transmitted online or stored locally. One way to keep data confidential is to encrypt it. Militaries,U the governments, industries, and any organization having a desire to maintain privacy have used encryption techniques to secure information. Encryption helps to boost confidence in the security of online commerce and is necessary for secure transactions. In this lesson, you will review encryption and examine several tools used to encrypt data. You will also learn to encrypt and decrypt data. Anyone who desires to administer computer networks and work with private data must have some familiarity with basic encryption protocols and techniques. C5L3S2 You should know what will be expected of you when you complete this lesson. These expectations are presented as objectives. Objectives are short statements of expectations that tell you what you must be able to do, perform, learn, or adjust after reviewing the lesson.
  • Operating System Boot from Fully Encrypted Device

    Operating System Boot from Fully Encrypted Device

    Masaryk University Faculty of Informatics Operating system boot from fully encrypted device Bachelor’s Thesis Daniel Chromik Brno, Fall 2016 Replace this page with a copy of the official signed thesis assignment and the copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniel Chromik Advisor: ing. Milan Brož i Acknowledgement I would like to thank my advisor, Ing. Milan Brož, for his guidance and his patience of a saint. Another round of thanks I would like to send towards my family and friends for their support. ii Abstract The goal of this work is description of existing solutions for boot- ing Linux and Windows from fully encrypted devices with Secure Boot. Before that, though, early boot process and bootloaders are de- scribed. A simple Linux distribution is then set up to boot from a fully encrypted device. And lastly, existing Windows encryption solutions are described. iii Keywords boot process, Linux, Windows, disk encryption, GRUB 2, LUKS iv Contents 1 Introduction ............................1 1.1 Thesis goals ..........................1 1.2 Thesis structure ........................2 2 Boot Process Description ....................3 2.1 Early Boot Process ......................3 2.2 Firmware interfaces ......................4 2.2.1 BIOS – Basic Input/Output System . .4 2.2.2 UEFI – Unified Extended Firmware Interface .5 2.3 Partitioning tables ......................5 2.3.1 MBR – Master Boot Record .
  • Crypto Wars of the 1990S

    Crypto Wars of the 1990S

    Danielle Kehl, Andi Wilson, and Kevin Bankston DOOMED TO REPEAT HISTORY? LESSONS FROM THE CRYPTO WARS OF THE 1990S CYBERSECURITY June 2015 | INITIATIVE © 2015 NEW AMERICA This report carries a Creative Commons license, which permits non-commercial re-use of New America content when proper attribution is provided. This means you are free to copy, display and distribute New America’s work, or in- clude our content in derivative works, under the following conditions: ATTRIBUTION. NONCOMMERCIAL. SHARE ALIKE. You must clearly attribute the work You may not use this work for If you alter, transform, or build to New America, and provide a link commercial purposes without upon this work, you may distribute back to www.newamerica.org. explicit prior permission from the resulting work only under a New America. license identical to this one. For the full legal code of this Creative Commons license, please visit creativecommons.org. If you have any questions about citing or reusing New America content, please contact us. AUTHORS Danielle Kehl, Senior Policy Analyst, Open Technology Institute Andi Wilson, Program Associate, Open Technology Institute Kevin Bankston, Director, Open Technology Institute ABOUT THE OPEN TECHNOLOGY INSTITUTE ACKNOWLEDGEMENTS The Open Technology Institute at New America is committed to freedom The authors would like to thank and social justice in the digital age. To achieve these goals, it intervenes Hal Abelson, Steven Bellovin, Jerry in traditional policy debates, builds technology, and deploys tools with Berman, Matt Blaze, Alan David- communities. OTI brings together a unique mix of technologists, policy son, Joseph Hall, Lance Hoffman, experts, lawyers, community organizers, and urban planners to examine the Seth Schoen, and Danny Weitzner impacts of technology and policy on people, commerce, and communities.
  • Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives

    Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives

    Self-encrypting deception: weaknesses in the encryption of solid state drives Carlo Meijer Bernard van Gastel Institute for Computing and Information Sciences School of Computer Science Radboud University Nijmegen Open University of the Netherlands [email protected] and Institute for Computing and Information Sciences Radboud University Nijmegen Bernard.vanGastel@{ou.nl,ru.nl} Abstract—We have analyzed the hardware full-disk encryption full-disk encryption. Full-disk encryption software, especially of several solid state drives (SSDs) by reverse engineering their those integrated in modern operating systems, may decide to firmware. These drives were produced by three manufacturers rely solely on hardware encryption in case it detects support between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in a M.2 or 2.5" traditional form by the storage device. In case the decision is made to rely on factor) and external models using the USB interface. hardware encryption, typically software encryption is disabled. In theory, the security guarantees offered by hardware encryp- As a primary example, BitLocker, the full-disk encryption tion are similar to or better than software implementations. In software built into Microsoft Windows, switches off software reality, we found that many models using hardware encryption encryption and completely relies on hardware encryption by have critical security weaknesses due to specification, design, and implementation issues. For many models, these security default if the drive advertises support. weaknesses allow for complete recovery of the data without Contribution. This paper evaluates both internal and external knowledge of any secret (such as the password).
  • Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities

    Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities

    University of Central Florida STARS HIM 1990-2015 2013 Brave New World Reloaded: Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities Mark Berrios-Ayala University of Central Florida Part of the Legal Studies Commons Find similar works at: https://stars.library.ucf.edu/honorstheses1990-2015 University of Central Florida Libraries http://library.ucf.edu This Open Access is brought to you for free and open access by STARS. It has been accepted for inclusion in HIM 1990-2015 by an authorized administrator of STARS. For more information, please contact [email protected]. Recommended Citation Berrios-Ayala, Mark, "Brave New World Reloaded: Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities" (2013). HIM 1990-2015. 1519. https://stars.library.ucf.edu/honorstheses1990-2015/1519 BRAVE NEW WORLD RELOADED: ADVOCATING FOR BASIC CONSTITUTIONAL SEARCH PROTECTIONS TO APPLY TO CELL PHONES FROM EAVESDROPPING AND TRACKING BY THE GOVERNMENT AND CORPORATE ENTITIES by MARK KENNETH BERRIOS-AYALA A thesis submitted in partial fulfillment of the requirements for the Honors in the Major Program in Legal Studies in the College of Health and Public Affairs and in The Burnett Honors College at the University of Central Florida Orlando, Florida Fall Term 2013 Thesis Chair: Dr. Abby Milon ABSTRACT Imagine a world where someone’s personal information is constantly compromised, where federal government entities AKA Big Brother always knows what anyone is Googling, who an individual is texting, and their emoticons on Twitter.
  • Zenworks 2017 Update 4 Troubleshooting Full Disk Encryption January 2019

    Zenworks 2017 Update 4 Troubleshooting Full Disk Encryption January 2019

    ZENworks 2017 Update 4 Troubleshooting Full Disk Encryption January 2019 This document provides troubleshooting guidelines for common problems related to ZENworks Full Disk Encryption. If, after completing the troubleshooting steps, the problem is not resolved, you should contact Technical Support (https://www.novell.com/support/) for additional help. 1 Windows PE Emergency Recovery Disk (ERD) is not working Make sure you have installed the correct WAIK architecture (32-bit vs 64-bit) (Windows 7 only) If you manually created the ERD, use the PowerShell script provided in the Cool Solutions “Windows Powershell script to create a Windows PE emergency recovery disk for ZENworks Full Disk Encryption” article. Try creating the ERD using the ADK for Windows instead of Windows AIK. See “Creating a Windows PE Emergency Recovery Disk” in the ZENworks Full Disk Encryption Emergency Recovery Reference. Try burning the ERD to a DVD rather than a CD. 2 Issues with PBA login or boot sequence After pre-boot authentication occurs, the BIOS or UEFI settings must be correctly set for Windows. With unusual DMI hardware configurations, the standard ZENworks PBA boot method and Linux kernel configuration used to provide the BIOS settings, might not work, resulting in hardware that does not function correctly or is not recognized by Windows. Beginning in ZENworks 2017 Update 2, the Full Disk Encryption Agent includes DMI menu options to repair the boot sequence for issues relating to these DMI configurations. This menu is accessible by using the Ctrl + G keyboard command at a brief point when Full Disk Encryption is shown during a device restart.
  • How to Install and Use True Crypt

    How to Install and Use True Crypt

    How to Install and Use True Crypt A download can be found for windows, Mac, or Linux on https://truecrypt.ch/downloads/ As of 9/22/14 the latest windows version is 7.1A. Table of Contents Installation on Windows .............................................................................................................................. 2 Encrypt an entire USB or portable hard drive ............................................................................................. 5 Create new container on USB or portable hard drive............................................................................... 12 How to Mount/Dismount a TrueCrypt container ..................................................................................... 18 Installation on Windows 1. Download the latest version of TrueCrypt and run the exe. 2. Accept the license agreement. 3. Next you have the option to install or extract this installation of TrueCrypt. If you will be accessing TrueCrypt containers very often then it would be best to install it. 4. Next select the installation location, preferences, and click install. 5. TrueCrypt will now install and after installation you can find the program in the program files directory or on the start menu. 6. Run the TrueCrypt program to bring up the main screen. Encrypt an entire USB or portable hard drive 1. Insert a USB or portable hard drive in the computer with TrueCrypt installed. 2. Run TrueCrypt, and select “Create Volume”. 3. Select the option to “Encrypt a non-system partition/drive”. 4. Next, you may select a Standard volume or a hidden volume. If you are unsure, leave the default “Standard TrueCrypt volume” selected and click next. 5. Click the “Select Device” button and select the drive that is the USB or portable hard drive. Then click Next. 6. Next, you can choose to format the entire drive and encrypt it (faster), or if there is data on the USB drive you can also use the option to “Encrypt partition in place”.
  • Disk Encryption with 100Gbe Crypto Accelerator

    Disk Encryption with 100Gbe Crypto Accelerator

    Disk Encryption with 100GbE Crypto Accelerator Chelsio T6 vs. Intel AES-NI vs. Software Enabled Encryption Executive Summary Chelsio Crypto Accelerator is a co-processor designed specifically to perform computationally intensive cryptographic operations more efficiently than general-purpose CPUs. Servers with system load, comprising of cryptographic operations, see great performance improvement by offloading crypto operations on to the Chelsio Unified Wire adapter. Chelsio’s solution uses the standard crypto API framework provided by the operating system and enables the offloading of crypto operations to the adapter. This paper showcases the disk encryption acceleration capabilities of Chelsio T6 adapters by comparing its performance with Intel AES-NI and software encryption. Chelsio solution excels with 100Gbps Crypto rate performance for both encryption and decryption with less than 50% CPU usage. Chelsio’s T6 encryption solution assures complete data protection to datacenters, while providing substantial savings on CPU and memory. Chelsio Disk Encryption Offload The Terminator 6 (T6) ASIC from Chelsio Communications, Inc. is a sixth generation, high performance 1/10/25/40/50/100Gbps unified wire engine which offers crypto offload capability for AES and SHA variants. Chelsio’s disk encryption solution is a special case of data at rest protection where the storage media is a sector-addressable device. Chelsio offloads the AES-XTS mode, which is designed for encrypting data stored on hard disks where there is no additional space for an integrity field. AES-XTS builds on the security of AES by protecting the storage device from many dictionary and copy/paste attacks. Chelsio crypto driver registers with the kernel crypto framework with high priority and ensures that any disk encryption request is offloaded and processed by T6 adapter.
  • Speeding up Linux Disk Encryption Ignat Korchagin @Ignatkn $ Whoami

    Speeding up Linux Disk Encryption Ignat Korchagin @Ignatkn $ Whoami

    Speeding Up Linux Disk Encryption Ignat Korchagin @ignatkn $ whoami ● Performance and security at Cloudflare ● Passionate about security and crypto ● Enjoy low level programming @ignatkn Encrypting data at rest The storage stack applications @ignatkn The storage stack applications filesystems @ignatkn The storage stack applications filesystems block subsystem @ignatkn The storage stack applications filesystems block subsystem storage hardware @ignatkn Encryption at rest layers applications filesystems block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers DBMS, PGP, OpenSSL, Themis applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers Cons: ● no visibility into the implementation ● no auditability ● sometimes poor security https://support.microsoft.com/en-us/help/4516071/windows-10-update-kb4516071 @ignatkn Block
  • The Growing Impact of Full Disk Encryption on Digital Forensics

    The Growing Impact of Full Disk Encryption on Digital Forensics

    digital investigation 8 (2011) 129e134 Available online at www.sciencedirect.com journal homepage: www.elsevier.com/locate/diin The growing impact of full disk encryption on digital forensics Eoghan Casey a,*, Geoff Fellows b, Matthew Geiger c, Gerasimos Stellatos d a cmdLabs, 1101 E. 33rd Street, Suite C301, Baltimore, MD 21218, United States b LG Training Partnership, United Kingdom c CERT, United States d CACI International, United States article info abstract Article history: The increasing use of full disk encryption (FDE) can significantly hamper digital investi- Received 16 March 2011 gations, potentially preventing access to all digital evidence in a case. The practice of Received in revised form shutting down an evidential computer is not an acceptable technique when dealing with 17 September 2011 FDE or even volume encryption because it may result in all data on the device being Accepted 24 September 2011 rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption Keywords: prior to pulling the plug. In addition, to give digital investigators the best chance of Digital forensics obtaining decrypted data in the field, prosecutors need to prepare search warrants with Full disk encryption FDE in mind. This paper describes how FDE has hampered past investigations, and how Hard drive encryption circumventing FDE has benefited certain cases. This paper goes on to provide guidance for Volatile data gathering items at the crime scene that may be useful for accessing encrypted data, and for Memory forensics performing on-scene forensic acquisitions of live computer systems.
  • Pgpfone Pretty Good Privacy Phone Owner’S Manual Version 1.0 Beta 7 -- 8 July 1996

    Pgpfone Pretty Good Privacy Phone Owner’S Manual Version 1.0 Beta 7 -- 8 July 1996

    Phil’s Pretty Good Software Presents... PGPfone Pretty Good Privacy Phone Owner’s Manual Version 1.0 beta 7 -- 8 July 1996 Philip R. Zimmermann PGPfone Owner’s Manual PGPfone Owner’s Manual is written by Philip R. Zimmermann, and is (c) Copyright 1995-1996 Pretty Good Privacy Inc. All rights reserved. Pretty Good Privacy™, PGP®, Pretty Good Privacy Phone™, and PGPfone™ are all trademarks of Pretty Good Privacy Inc. Export of this software may be restricted by the U.S. government. PGPfone software is (c) Copyright 1995-1996 Pretty Good Privacy Inc. All rights reserved. Phil’s Pretty Good engineering team: PGPfone for the Apple Macintosh and Windows written mainly by Will Price. Phil Zimmermann: Overall application design, cryptographic and key management protocols, call setup negotiation, and, of course, the manual. Will Price: Overall application design. He persuaded the rest of the team to abandon the original DOS command-line approach and designed a multithreaded event-driven GUI architecture. Also greatly improved call setup protocols. Chris Hall: Did early work on call setup protocols and cryptographic and key management protocols, and did the first port to Windows. Colin Plumb: Cryptographic and key management protocols, call setup negotiation, and the fast multiprecision integer math package. Jeff Sorensen: Speech compression. Will Kinney: Optimization of GSM speech compression code. Kelly MacInnis: Early debugging of the Win95 version. Patrick Juola: Computational linguistic research for biometric word list. -2- PGPfone Owner’s
  • The Future of Digital Forensics

    The Future of Digital Forensics

    Royal Holloway Information Security Thesis Series | The future of digital forensics The future of digital forensics Investigators have three avenues of attack to use when tackling the complexities of full disk encryption by Nia Catlin, MSc in information security (Royal Holloway) and Lorenzo Cavallaro, ISG, Royal Holloway THINKSTOCK Royal Holloway Information Security Thesis Series | The future of digital forensics The future of digital forensics in the era of full disk encryption Full disk encryption presents a theoretically insurmountable challenge for digital forensics, but authorities still have three avenues of attack for attempting to analyse protected devices. Anti-forensic countermeasures pose a developing challenge, however by Nia Catlin and Lorenzo Cavallaro In the past, forensics relied on artifacts left behind on a suspect’s computer, an intimate knowledge of all the nooks and crannies in which incriminating evidence may be hidden, the tendency of criminals to fail even to attempt to assume they will not be caught, and the failure of criminals to cover their tracks. Unfortunately for digital forensic investigators, their work constitutes a physical security breach, and the use of full disk encryption can be as effective at preventing them carrying out that work as it is at preventing a laptop thief from stealing passwords. The severe consequences of the exposure of corporate and customer data have led to the development of user-friendly and very secure full disk encryption. Moreover, the fear of device theft has led to its widening adoption. Most of the encryption algorithms – when used correctly – are considered unbroken for practical purposes, so authorities trying to analyse such a protected device are left with three avenues of attack: key search, live forensic acquisition and forced key disclosure.