Morning.
Just a quick one. What's the best / easiest way to check for [any] kind of encryption on a disk?
It's not got full disk encryption, but I want to check for the likes of encrypted volumes, partitions, etc. I can check for .TC, but there are probably other types out there I am not aware of.
Any enscripts out there I could grab from Guidance?
Thanks
Are you LE or private?
Guidance have Encrypted Data Finder EnScript (Simon Key) on their support portal. I think it makes an assessment of the file's entropy.
I think you will find that encrypted files can have any type of name and extension
I seem to remember from a lecture that TrueCrypt files are always complete clusters in length. If my memory is correct, then you want to look at file length in hex. An encrypted volume will be a large file, which makes searching easier.
Entropy is the only real clue, but watch out for false positives: many compressed files have areas of high entropy, i.e. appear truly random.
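The two heuristics above (high entropy, and a length that is a whole number of sectors/clusters) can be combined in a short scanner. The following is an added example written for this thread, not one of the Guidance EnScripts; it samples three windows from each large file rather than reading the whole thing, and rules out the compressed-file false positives by checking for a known archive/image header first (an encrypted container has no recognisable header). The signature table, the 7.8 bits/byte threshold and the 1 MiB minimum size are my own choices and can be tuned.

```python
import gzip
import math
import os
import random
from collections import Counter

# Magic bytes of common compressed/packed formats (constructed list, not exhaustive).
# Compressed data is high-entropy but still carries a plaintext header, whereas a
# TrueCrypt container has no recognisable header (its header is itself encrypted).
KNOWN_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 8192) -> list:
    """Entropy of each chunk, so a single structured region can drag the minimum down."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, sector: int = 512, min_entropy: float = 7.8) -> tuple:
    """Apply header check, sector-alignment check and per-chunk entropy check.
    Returns (is_candidate, reason)."""
    for magic, name in KNOWN_SIGNATURES.items():
        if data.startswith(magic):
            return (False, f"known {name} header (compressed, not a container)")
    if len(data) == 0 or len(data) % sector:
        return (False, f"length {len(data)} is not a whole number of {sector}-byte sectors")
    low = min(chunk_entropies(data))
    if low < min_entropy:
        # Most documents and archives have at least one low-entropy region;
        # an encrypted container has none.
        return (False, f"lowest chunk entropy {low:.2f} < {min_entropy}")
    return (True, f"high entropy throughout (min {low:.2f} bits/byte), sector-aligned size")


def scan_tree(root: str, min_size: int = 1 << 20, window: int = 64 * 1024):
    """Walk root and yield (path, reason) for candidate containers.
    Only three windows (start, middle, end) are read per file, so a 1 TB volume
    can be scanned without reading every byte of every large file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size < min_size or size % 512:
                    continue
                with open(path, "rb") as f:
                    parts = []
                    for off in (0, size // 2 - window // 2, size - window):
                        f.seek(off)
                        parts.append(f.read(window))
            except OSError:
                continue
            ok, reason = classify(b"".join(parts))
            if ok:
                yield path, reason


def make_constructed_samples() -> dict:
    """Constructed test inputs from a seeded PRNG (not real evidence)."""
    rng = random.Random(20240101)
    noise = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    return {
        "container_like": noise,              # random and 128 sectors long
        "odd_length": noise + b"\x00" * 100,  # random but not sector-aligned
        "gzip": gzip.compress(noise),         # high entropy, but has a header
        "zeros": b"\x00" * 64 * 1024,         # sector-aligned but no entropy
    }


if __name__ == "__main__":
    for label, blob in make_constructed_samples().items():
        print(label, classify(blob))
```

Run it against a mounted image with `for hit in scan_tree("/mnt/evidence"): print(hit)`; anything it lists still needs a manual look, since a file of random data that happens to be sector-aligned (keys, salts, some proprietary formats) will pass the same tests.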
I'm LE mate. I will take a look for that script and see.
Thanks.
Also I have thought about checking for file size; it's not an issue to do it, but it's a 1TB drive, so I would like to leave something running over it while I crack on with other stuff, as it might take a while!
Thanks, I think I will check out that script and see what it does.
Update
Found it, thanks. I will try that script.
I also found these while I was there:
TrueCrypt File Locator (V2.2).EnPack
Entropy Analysis (V1).EnPack
May be worth a look, defo no harm having them in my EnCase either.
Thanks again guys!
> I'm LE mate. I will take a look for that script and see.
> Thanks.
I'll PM you about an LE-only tool.
> It's not got full disk encryption, but I want to check for the likes of encrypted volumes, partitions, etc. I can check for .TC, but there are probably other types out there I am not aware of.
If it's just encrypted volumes or containers that you're interested in, one of the most effective means I've found on Windows systems is to look in the MountedDevices Registry key in the System hive.
The reasoning for this is that if the user is running Windows and wants to access data in the encrypted volume/container, they have to mount it in some fashion so that it can be accessed via Windows Explorer. During testing and analysis, I've found that mounting/accessing PGP and TrueCrypt encrypted volumes leaves indicators in the MountedDevices key.
HTH
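As an added example for the MountedDevices approach above (my own code, not the poster's), here is a parser for a `.reg` export of `HKLM\SYSTEM\MountedDevices` that decodes each value and flags the ones that look like encrypted-volume mounts. The value layouts it recognises (12-byte MBR signature + partition offset, `DMIO:ID:` for dynamic/GPT volumes, a UTF-16LE `\??\` device path) are the documented Windows formats; the `TrueCryptVolume<letter>` string is what I have seen TrueCrypt write and is an assumption you should confirm on your own test box. PGP mounts also leave entries, but I have not included a pattern for them because I do not have a verified sample. The sample export below is constructed, with a made-up USB serial and disk signature.

```python
def classify_mounted_device(data: bytes) -> tuple:
    """Return (kind, detail) for the binary data of one MountedDevices value."""
    if data.startswith(b"DMIO:ID:"):
        return ("dynamic/GPT volume", data[8:].hex())
    if len(data) == 12:
        # 4-byte MBR disk signature (little-endian) + 8-byte partition start offset
        sig = int.from_bytes(data[:4], "little")
        off = int.from_bytes(data[4:], "little")
        return ("MBR partition", f"disk signature {sig:08x}, partition offset {off}")
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return ("unknown", data.hex())
    if text.startswith("TrueCryptVolume"):      # assumption: pattern from own testing
        return ("TrueCrypt mount", text)
    if text.startswith("\\??\\"):
        return ("device path", text)            # e.g. USBSTOR#Disk&Ven_... interface path
    return ("unknown", text)


def parse_reg_export(text: str) -> dict:
    """Parse the hex:... values of a .reg export (reg export / regedit format)
    into {value_name: bytes}. Handles the trailing-backslash line continuations."""
    values, name, buf = {}, None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("[") or line.startswith("Windows Registry"):
            continue
        if name is None:
            n, _, rest = line.partition("=")
            if not rest.startswith("hex:"):   # MountedDevices values are all REG_BINARY
                continue
            name = n.strip().strip('"').replace("\\\\", "\\")
            rest = rest[4:]
        else:
            rest = line.strip()
        cont = rest.endswith("\\")
        buf.extend(h for h in rest.rstrip("\\").rstrip(",").split(",") if h)
        if not cont:
            values[name] = bytes(int(h, 16) for h in buf)
            name, buf = None, []
    return values


def load_reg_file(path: str) -> dict:
    """reg export writes UTF-16 with a BOM by default; fall back to UTF-8."""
    for enc in ("utf-16", "utf-8"):
        try:
            with open(path, encoding=enc) as f:
                return parse_reg_export(f.read())
        except UnicodeError:
            continue
    raise ValueError(f"cannot decode {path}")


def analyse(values: dict) -> list:
    return [(name, *classify_mounted_device(data)) for name, data in values.items()]


def encryption_indicators(values: dict) -> list:
    return [name for name, kind, _ in analyse(values) if kind == "TrueCrypt mount"]


def _reg_hex(data: bytes) -> str:
    return "hex:" + ",".join(f"{b:02x}" for b in data)


# Constructed sample export: a fixed disk, its volume GUID, a USB stick and a
# TrueCrypt volume mounted as T:. Serial number and disk signature are invented.
_USB = ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00#0011223344&0#"
        "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices]\n"
    '"\\\\DosDevices\\\\C:"=hex:a1,b2,c3,d4,00,7e,00,00,00,00,00,00\n'
    '"\\\\??\\\\Volume{9c3a4b52-0000-0000-0000-100000000000}"=hex:a1,b2,c3,d4,00,7e,00,00,00,00,00,00\n'
    '"\\\\DosDevices\\\\E:"=' + _reg_hex(_USB.encode("utf-16-le")) + "\n"
    '"\\\\DosDevices\\\\T:"=hex:54,00,72,00,75,00,65,00,43,00,72,00,79,00,70,00,74,00,56,00,\\\n'
    "  6f,00,6c,00,75,00,6d,00,65,00,54,00\n"
)

if __name__ == "__main__":
    for row in analyse(parse_reg_export(SAMPLE_REG)):
        print(row)
```

Note that the `\DosDevices\T:` entry persists after the volume is dismounted, which is what makes the key useful: the drive letter is no longer present but the trace of the mount is.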
Hi,
I have a hash set of quite a lot of different encryption programs' exe files. As a basic heads-up I hash all the exe files on the computer and do a comparison. This takes about 2 mins and helps me identify the scope of the work I might be doing.
Steve
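The hash-set triage described above can be scripted outside EnCase; the following is an added example of mine, not Steve's tool or hash set. It hashes every executable under a root and reports matches against a `digest,label` list. Because an executable can be renamed with any extension (as noted earlier in the thread), it selects files by the `MZ` header as well as by extension. The hash-set line format and the demo tree are constructed; a real set (NSRL-style CSV, EnCase hash set) needs its own loader.

```python
import hashlib
import os
import tempfile


def hash_file(path: str, algo: str = "sha1", bufsize: int = 1 << 20) -> str:
    """Stream the file through the chosen digest so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hashset(text: str) -> dict:
    """Parse 'hexdigest,label' lines (constructed format) into {digest: label}."""
    hs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(",")
        hs[digest.strip().lower()] = label.strip() or "unlabelled"
    return hs


def is_pe(path: str) -> bool:
    """Cheap check for a Windows executable regardless of its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def scan_executables(root: str, hashset: dict, algo: str = "sha1",
                     exts: tuple = (".exe", ".dll", ".sys")) -> list:
    """Hash every executable under root and return [(path, label)] for hash-set hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not (name.lower().endswith(exts) or is_pe(path)):
                continue
            try:
                digest = hash_file(path, algo)
            except OSError:
                continue
            if digest in hashset:
                hits.append((path, hashset[digest]))
    return hits


def demo() -> list:
    """Constructed demo: builds a temporary tree plus a matching hash set and
    returns the sorted labels of the hits. Contents are fake, not real tools."""
    tool_a = b"MZ" + b"\x90" * 64 + b"constructed: encryption tool A"
    tool_b = b"MZ" + b"\x90" * 64 + b"constructed: encryption tool B"
    benign = b"MZ" + b"\x90" * 64 + b"constructed: ordinary program"
    hashset = load_hashset(
        "# constructed hash set\n"
        f"{hashlib.sha1(tool_a).hexdigest()},ToolA 1.0\n"
        f"{hashlib.sha1(tool_b).hexdigest()},ToolB 2.1\n"
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Program Files", "ToolA"))
        files = {
            os.path.join(root, "Program Files", "ToolA", "toola.exe"): tool_a,
            os.path.join(root, "notes.dat"): tool_b,   # renamed executable, caught by MZ check
            os.path.join(root, "calc.exe"): benign,    # executable, but not in the set
        }
        for p, content in files.items():
            with open(p, "wb") as f:
                f.write(content)
        hits = scan_executables(root, hashset)
    return sorted(label for _, label in hits)


if __name__ == "__main__":
    print(demo())
```

A hit only tells you the program is present and which version; as Harlan's follow-up asks, it says nothing yet about whether a container was actually created or mounted, so it is a scoping step rather than a finding.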
Steve,
Let's say you find a system with TrueCrypt or PGP on it…does that mean that encrypted volumes or containers are in use? What's the next step in your analysis?
Thanks.
Hi,
Encryption is still pretty rare. I tend to find it isn't present in most cases. If I run the hash set and I get nothing then it's just a quick way of indicating there probably isn't any. My answer was more a suggestion for 'ruling it out' when you aren't expecting it to be there.
Certainly other intell about the suspect and the case type will help decide if you think there will be encryption present.
As you look at how knowledgeable your suspect is, based on what changes have been made to configuration files, what programs they tend to use, etc., you get an impression of whether this is a person likely to use encryption. I always seek to answer two questions when I examine a computer: how IT literate is my suspect, and how much does he/she trust computers?
Of course if you get some hits from the hash set then you already know some programs are installed and which versions.
Just a few thoughts anyway.
Steve