Re: Handling, possibly, encrypted data

From: Jeroen Latour (jlatourat_private)
Date: Tue Aug 13 2002 - 11:11:31 PDT


    At 07:57 13-8-2002 +0200, kontoudisat_private wrote:
    >Say you image a hard disk and, then, proceed to analyze the copy in
    >order to produce evidence. If the files on the image are obvious
    >(like .doc and stuff) then you may be in a good place. But what
    >happens when you discover a chunk of binary data (a binary
    >file or something) ? How can you determine the file type and,
    >furthermore, how do you conclude that this file is encrypted
    >(if it is) ?
    >
    >Are there any tools that can do this analysis and, maybe, try out
    >a decryption process ?
    
    The UNIX command 'file' can often tell you a lot about the file, even if 
    it's a Windows file. I'm not sure if any equivalent programs exist on the 
    Windows platform.
    
    As for determining if a file is encrypted: one of the characteristics of a 
    good encryption algorithm is that the output cannot be compressed 
    effectively (since the encrypted data has to be as random as possible). So 
    to find out whether a file is encrypted, try compressing it. If it doesn't 
    get a lot smaller, or even gets larger, there's a good chance you're dealing 
    with encrypted data.
    But, again, if the algorithm is any good, it will not be possible to easily 
    determine the algorithm used to compress it, let alone try and decrypt it. 
    A lot of encryption algorithms have been broken, and if you find out one of 
    those algorithms has been used, it may be easier to decrypt the data. If 
    you know what algorithm was used: do a little research. With DES and such, 
    you're probably out of luck.
    
    But of course: all encryption can be broken. It's just a matter of how much 
    time and money you want to spend.
    
    I hope this helps,
    
    Jeroen Latour
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
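As an added example (not part of the original mail, and not Jeroen's or SecurityFocus' code), the two heuristics from the reply above, magic-byte sniffing of the kind 'file' does and a compressibility test, combined with a byte-entropy measure into a small triage function. The magic-number table, the thresholds (7.9 bits/byte, compression ratio 0.98, 256-byte minimum) and the sample blobs are all assumptions constructed for the example; the "ciphertext" is seeded pseudo-random bytes standing in for real encrypted output.

```python
"""Triage an unknown blob: is it a known format, or does it look encrypted?

Added example, not from the original post. Thresholds and the magic table
are assumptions chosen for illustration, not values from the mail.
"""
import gzip
import math
import random
import zlib
from collections import Counter

# A handful of well-known signatures. `file`'s own magic database is far larger;
# this is only enough to show the idea.
MAGIC = {
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also docx/xlsx/odt/jar)",
    b"\x1f\x8b": "gzip compressed data",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"MZ": "DOS/Windows executable",
    b"\x7fELF": "ELF executable",
    b"\xd0\xcf\x11\xe0": "OLE2 compound document (legacy .doc/.xls)",
}

MIN_SAMPLE = 256  # entropy of n bytes is capped at log2(n); below this the test is meaningless


def sniff_magic(data: bytes):
    """Return a description for a known leading signature, else None."""
    for sig, desc in MAGIC.items():
        if data.startswith(sig):
            return desc
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0. Uniformly random bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts.values()))


def compression_ratio(data: bytes) -> float:
    """len(deflated) / len(original). Random-looking input gives ~1.0 or more."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes, entropy_thresh: float = 7.9, ratio_thresh: float = 0.98) -> str:
    """Return 'known: <type>', 'too-short', 'likely-encrypted-or-compressed' or 'plain-ish'.

    Compressed containers and media legitimately look random, so a recognised
    signature is reported before any entropy/compression judgement is made.
    """
    desc = sniff_magic(data)
    if desc:
        return f"known: {desc}"
    if len(data) < MIN_SAMPLE:
        return "too-short"
    if shannon_entropy(data) > entropy_thresh and compression_ratio(data) > ratio_thresh:
        return "likely-encrypted-or-compressed"
    return "plain-ish"


# Constructed samples (not recovered from any real disk image).
SAMPLE_TEXT = (b"The quick brown fox jumps over the lazy dog. Meeting at 10:00, room 4B.\n" * 80)
_rng = random.Random(42)
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(8192))  # stand-in for ciphertext
SAMPLE_GZIP = gzip.compress(SAMPLE_TEXT)
SAMPLE_PDF_HEAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"

if __name__ == "__main__":
    for name, blob in [("text", SAMPLE_TEXT), ("random", SAMPLE_CIPHERTEXT),
                       ("gzip", SAMPLE_GZIP), ("pdf", SAMPLE_PDF_HEAD)]:
        print(f"{name:7s} entropy={shannon_entropy(blob):.3f} "
              f"ratio={compression_ratio(blob):.3f} -> {classify(blob)}")
```

Two caveats a practitioner would want: anything already compressed (ZIP, gzip, JPEG, MP3, PDF streams) fails the compressibility test just as ciphertext does, which is why the signature check runs first and why "likely-encrypted-or-compressed" is the strongest claim the heuristic can make; and the entropy estimate is only trustworthy with enough bytes, since a 60-byte blob cannot exceed about 5.9 bits/byte however random it is.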
    



    This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 03:17:55 PDT