One thing you might try is evaluating the amount of entropy (density/randomness) in the file, using the utility you can find here: http://www.fourmilab.ch/random/

If the file is very random, it is likely encrypted because ideal algorithms are supposed to lack patterns. (Finding steg is another issue entirely, and out of my current depth on the subject.)

Tom Stowell

>>> <kontoudisat_private> 08/13/02 12:57AM >>>
Hi all,

I am not into the forensic business, just like the subject and read a bit on it. I have this issue that I would appreciate your input on.

Say you image a hard disk and, then, proceed to analyze the copy in order to produce evidence. If the files on the image are obvious (like .doc and stuff) then you may be in a good place. But what happens when you discover a chunk of binary data (a binary file or something)? How can you determine the file type and, furthermore, how do you conclude that this file is encrypted (if it is)? Are there any tools that can do this analysis and, maybe, try out a decryption process?

Regards,
Dimitris.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
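As an added illustration of the two questions in the thread (what type is an unknown blob, and is it encrypted), the following Python script is not from either poster and is not the fourmilab `ent` tool; it reimplements two of `ent`'s measurements (Shannon entropy in bits per byte and the chi-square statistic of the byte histogram) and pairs them with a small, hand-written magic-number table that stands in for `file`/libmagic. The sample inputs (a constructed text, its gzip output, and bytes from a seeded PRNG standing in for ciphertext) are built inline so the script runs offline. One caveat a practitioner should keep in mind: compressed data scores just as "random" as ciphertext, so a header check belongs before the entropy check, and a headerless high-entropy blob can only be reported as "encrypted or compressed", not "encrypted".

```python
import gzip
import math
import random
from collections import Counter

# Constructed signature table (a stand-in for libmagic, not a complete list):
# leading bytes -> human-readable type.
MAGIC = {
    b"\x7fELF": "ELF executable",
    b"MZ": "DOS/Windows executable",
    b"%PDF-": "PDF document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive (also docx/xlsx/jar)",
    b"\x1f\x8b": "gzip compressed data",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy .doc/.xls)",
}


def identify_by_magic(data: bytes):
    """Return the type label whose signature the data starts with, else None."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 when
    all 256 byte values are equally frequent (what good ciphertext looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution.
    There are 255 degrees of freedom, so random-looking data lands near 255;
    text or structured binaries produce values in the thousands."""
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes, entropy_threshold: float = 7.9) -> str:
    """Header check first, entropy second; headerless high-entropy data is
    deliberately reported as 'encrypted or compressed', never just 'encrypted'."""
    label = identify_by_magic(data)
    if label:
        return f"known type: {label}"
    if shannon_entropy(data) >= entropy_threshold:
        return "no known header, near-maximal entropy: encrypted or compressed data"
    return "no known header, low entropy: plaintext or structured binary"


def sample_inputs() -> dict:
    """Constructed test material: numbered text lines, the same text gzipped,
    and seeded PRNG bytes standing in for ciphertext (deterministic, not secure)."""
    text = b"".join(
        b"%d: Say you image a hard disk and then analyze the copy to produce evidence.\n" % i
        for i in range(400)
    )
    rng = random.Random(2002)
    random_bytes = bytes(rng.getrandbits(8) for _ in range(65536))
    return {"text": text, "gzip": gzip.compress(text), "random": random_bytes}


if __name__ == "__main__":
    for name, blob in sample_inputs().items():
        print(f"{name:7s} len={len(blob):6d} entropy={shannon_entropy(blob):.3f} "
              f"chi2={chi_square(blob):10.1f} -> {classify(blob)}")
```

Run it directly to see the three rows; to examine a real carved blob, read the file in binary mode and pass the bytes to `classify`. An entropy threshold of 7.9 is a reasonable starting point for whole files but should be lowered for small blobs, since a few hundred bytes cannot reach 8.0 even if they are perfectly random.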
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 10:59:43 PDT