Encryption Software that uses Asian characters for filename?

(@merriora)
Posts: 44
Eminent Member
Topic starter
 

Working on a computer where I am finding deleted files and folders that appear encrypted, but all the filenames use Asian characters.

I found one encryption tool called boxCryptor that does just this with their paid version, but I am not finding any signs that this was actually installed on the computer.

https://support.boxcryptor.com/display/DOCEN/Filename+Encryption

I am digging into the Volume Shadow Copies to see if this was deleted, but does anyone know of any other tools that do this?
Could this be caused by some other factors? (NOTE: Suspect is not Asian)

Thanks,

 
Posted : 23/11/2014 2:26 am
(@athulin)
Posts: 1156
Noble Member
 

> Working on a computer where I am finding deleted files and folders that appear encrypted, but all the filenames use Asian characters.

Do the characters belong to a single language, are they a mixture of, say, Japanese, Chinese, and Korean, or do you find all kinds of characters – say, even Lydian, Lycian, Carian and even Runic?

Some 'secure delete' software overwrites file names with other characters. Some use fixed characters (like 'Z'), others just write random characters, to ensure the file name is gone. If random characters are used, chances are pretty good that a considerable amount of them would be from the CJK part of Unicode, as that's a fairly large chunk of the Unicode code point space. You'd probably also find non-CJK characters, and even one or two Latin. You might even find unallocated code points.

If there's a language connection, you'd probably find only C(hinese), only J(apanese) or K(orean) characters, but no or very little mixture.

 
Posted : 23/11/2014 2:38 pm
(@merriora)
Posts: 44
Eminent Member
Topic starter
 

Not really sure how to determine which character sets they belong to, but some characters do not display properly as Asian characters, but rather as black squares, 9 ball and other symbols. However, 90% appear to be some sort of Asian character.

Some of the files also end with ".encryptable"

I have also found this with other files on the system that are not encrypted, but still end with the ".encryptable" within the filename.

Thanks,

 
Posted : 24/11/2014 10:04 pm
(@rich2005)
Posts: 535
Honorable Member
 

Are they individual files that end in ".encryptable" or ADSs attached to files?
ADSs called "encryptable" crop up commonly enough on Windows systems (usually attached to thumbnails files) and I believe they're system generated. Can't remember the exact reason/meaning off the top of my head.
Edit - MS reference for the encryptable stream http://msdn.microsoft.com/en-us/library/dn392979.aspx
Gut instinct based on the limited amount you've said is that it'll be something like the entries being incorrectly parsed as Chinese characters rather than some sort of encryption tool.
The majority of the encryption tools I've seen haven't/wouldn't result(ed) in this.

 
Posted : 03/12/2014 8:40 pm
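
The two checks suggested above (which scripts the characters belong to, and whether the names are simply bytes mis-parsed as UTF-16) can be scripted. This is an added example, not code from anyone in the thread; the function names and the three sample names are constructed for illustration.

```python
import random
import unicodedata
from collections import Counter

def bucket(ch):
    """Coarse script label for one character of a recovered file name."""
    if ord(ch) < 0x80:
        return "ascii"
    # Cn = unassigned, Co = private use, Cs = lone surrogate. None of these
    # appear in names a user typed in any language.
    if unicodedata.category(ch) in ("Cn", "Co", "Cs"):
        return "unallocated/private"
    name = unicodedata.name(ch, "")
    # For letters, the first word of the Unicode name is the script:
    # CJK, HIRAGANA, KATAKANA, HANGUL, YI, RUNIC, ...
    # "CJK" (Han) is shared by Chinese, Japanese and Korean; kana or Hangul
    # alongside it is what points to one language.
    return name.split()[0] if name else "unnamed"

def profile(filename):
    """Count characters per script bucket."""
    return dict(Counter(bucket(ch) for ch in filename))

def reinterpret_as_ascii(filename):
    """Return the name read back as single bytes if that yields printable
    ASCII (i.e. the tool decoded 8-bit text as UTF-16LE), else None."""
    raw = filename.encode("utf-16-le", errors="surrogatepass")
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None

# Constructed samples, not taken from the case in this thread.
GENUINE = "ひみつの計画.txt"                           # real Japanese name
MISPARSED = b"report_2014.docx".decode("utf-16-le")  # ASCII read as UTF-16LE
_rng = random.Random(2014)                           # fixed seed, repeatable
RANDOMISED = "".join(chr(_rng.randrange(0x80, 0x10000)) for _ in range(200))

if __name__ == "__main__":
    for label, name in (("genuine", GENUINE), ("misparsed", MISPARSED),
                        ("randomised", RANDOMISED)):
        print(label, profile(name), reinterpret_as_ascii(name))
```

A name that profiles as one or two related scripts fits a language connection, a spread across many scripts plus unallocated or private-use code points fits random overwriting, and a name that reads back as printable ASCII fits a parsing error.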
(@kbertens)
Posts: 88
Trusted Member
 

Have you looked at prefetch files? Maybe you can find a strange piece of software over there.

 
Posted : 03/12/2014 11:16 pm
(@gorvq7222)
Posts: 229
Reputable Member
 

Hi,

In my opinion, you need to verify something.
1. Use WinHex or EnCase to view those suspicious encrypted files to check whether you can see their content. As you said, it seems to be Asian characters, so you will need to change the codepage to take a look.
2. If those files are encrypted, use some crack software like Elcomsoft or Passware Kit to solve it.
3. Volume shadow copy is a very good clue; maybe you could find something that was not deleted or overwritten at that time.

You could use Internet Evidence Finder to deal with VSS.

Rick

 
Posted : 04/12/2014 7:07 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

> Are they individual files that end in ".encryptable" or ADSs attached to files?
> ADSs called "encryptable" crop up commonly enough on Windows systems (usually attached to thumbnails files) and I believe they're system generated. Can't remember the exact reason/meaning off the top of my head.
> Edit - MS reference for the encryptable stream http://msdn.microsoft.com/en-us/library/dn392979.aspx
> Gut instinct based on the limited amount you've said is that it'll be something like the entries being incorrectly parsed as Chinese characters rather than some sort of encryption tool.
> The majority of the encryption tools I've seen haven't/wouldn't result(ed) in this.

I agree with this. If a tool used to "securely" wipe data also scrambles filenames, it is possible that your forensic tool of choice will attempt to interpret it and produce these symbols. Out of interest, do the files have a short name?

 
Posted : 05/12/2014 2:39 pm
(@c-r-s)
Posts: 170
Estimable Member
 

First consideration should be whether the files were created locally. They might have been synced from a phone or back-synced from cloud storage.
If file system metadata indicates the local creation, you will probably find indicators of encryption software in the drivers list.
There are certain design limitations for such a kind of software: First, its client most likely supports user mode operation. Second, the plus of encrypted filenames meets the disadvantage of not being able to manually identify and decrypt single files. Therefore, the software has to implement some sort of virtual file system, which allows the user to browse through the files while decrypting their names. There are relatively few vendors of these file system drivers, e.g. EldoS Corporation.

 
Posted : 05/12/2014 4:17 pm