Tuesday, September 16, 2014

After summer 2014

Recently I've finished two three-day on-demand trainings. The first one was for forensic bridges and write-blockers, and the other one was for the Elcomsoft password recovery bundle. The second was challenging because there is no official training for the product, so we decided to modify our anti-forensics and encryption materials to create a suitable training bundle. From a forensic point of view the most challenging task is to keep a forensically correct environment while data is going from one tool to another and back into the final report.

I was trying to avoid heavy math as much as possible in this training, since it does not belong there: the training is about tools and forensics, not about cryptography. You must understand what cryptography is, how it works and how it is used in anti-forensics and, most important, how to handle it in a forensically sound way. One often overlooked issue is the reliability and forensic acceptability of all tools used in processing evidence. Good practice is to have proof of correctness for each tool in the chain, but also to have proof for each step in the data transfer among tools.

As an example I've used Windows virtual machines with BitLocker and TrueCrypt volumes as investigation targets. We used various tools and scenarios to create memory dumps and tested whether we could retrieve keys from the dumps. All that was done in the safe forensic framework of a proven tool like EnCase and its VFS and PDE features. Through such features it is possible to extract keys from memory dumps or hibernation files and use the Elcomsoft tool to access and dump the protected volume. The extracted data is then reacquired into the original case in the forensic framework tool. More or less the same approach works for all of the password extractors/breakers in the Elcomsoft bundle.
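The "proof for each step in the data transfer" point above can be checked mechanically rather than by hand. The following is an added example, not code from the original post or from EnCase, FTK Imager or Elcomsoft: a small Python ledger that hashes each tool's input and output at hand-off time and later verifies the whole chain; the tool labels, file names and file contents are constructed placeholders.

```python
import hashlib
import os
import tempfile
from collections import namedtuple

# One hand-off: the tool, the hash of what it was given (None for the first
# acquisition), the path it wrote, and that output's hash at recording time.
LedgerEntry = namedtuple("LedgerEntry", "tool input_sha256 output_path output_sha256")

def sha256_file(path):
    """Hash in 1 MiB chunks so a multi-gigabyte dump need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_step(tool, input_path, output_path):
    """Proof for one step: hash the input handed to the tool and the output it
    wrote, before anything else touches either file."""
    inp = sha256_file(input_path) if input_path else None
    return LedgerEntry(tool, inp, output_path, sha256_file(output_path))

def verify_ledger(ledger):
    """Return the problems found (empty list = every hand-off intact): a step's input
    must equal the previous step's recorded output, and each output must still match."""
    problems = []
    for i, e in enumerate(ledger):
        if i and e.input_sha256 != ledger[i - 1].output_sha256:
            problems.append(f"{e.tool}: input differs from {ledger[i - 1].tool} output")
        if sha256_file(e.output_path) != e.output_sha256:
            problems.append(f"{e.tool}: {os.path.basename(e.output_path)} changed since recording")
    return problems

def demo():
    """Constructed chain (placeholder bytes, hypothetical tool labels): memory capture
    -> key extraction -> volume dump; returns (problems before, problems after tampering)."""
    d = tempfile.mkdtemp()
    mem, keys, vol = (os.path.join(d, n) for n in ("memory.raw", "keys.txt", "volume.dd"))
    for path, data in ((mem, b"\x00" * 4096), (keys, b"key=<placeholder>\n"), (vol, b"\xff" * 4096)):
        with open(path, "wb") as f:
            f.write(data)
    ledger = [record_step("memory capture", None, mem),
              record_step("key extraction", mem, keys),
              record_step("volume dump", keys, vol)]
    before = verify_ledger(ledger)
    with open(vol, "r+b") as f:   # simulate an alteration after the hand-off
        f.write(b"\x00")
    return before, verify_ledger(ledger)
```

Calling `demo()` returns an empty list for the untouched chain and one problem naming the altered volume dump; in real use the ledger itself would be stored with the case so the recorded hashes are part of the evidence record.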

Practicals and hands-on:

Zip peculiarities
Mils unbreakable encryption
Encryption based on dedicated external device
Password vault tool
Password recovery for truecrypt volume
Windows logon password
Office documents
BitLocker password removal in Elcomsoft
Live forensic access to encrypted data
Live – EnCase Forensic
FTK Imager – memory capture

Memory capture – words extraction

Topics discussed:

Encryption and Antiforensics
Antiforensics or counter forensics
Antiforensics methods
Hiding Data - Encryption
The Caesar Cipher
Example: rot13
Some common types of encryption
Steganography
Data destruction
Antiforensics impact
Encryption and Digital Forensics
Background
Sources
Terminology
Encryption algorithms
Encryption keys
Password/Passphrase Implementation
Key space
Breaking passwords
zip – removing encryption or changing password
TrueCrypt – removing encryption or changing the password
Identifying encrypted data
Encryption software
Encrypted files
Approaching decryption
Human factor
Human factor - language
Decryption methodology
Dictionary Attack
Dictionary-based attack tools
Brute force attack
Brute Force Attacks tools
Key-based attack
Password Reset
Rainbow tables
Encryption and digital evidence
Accessing Encrypted Evidence
Encrypted Evidence is real
Decryption in digital forensic investigation: Perception vs. Reality
Types of Encrypted Evidence
Types of Encryption
Where are passwords
How to attack password-protected artifacts
Workflow is repetitive
Additional word sources
Encryption tools
What is there in the wild?
Example: Passware Kit Forensic
Example: FTK PRTK/DNA
Example: Elcomsoft bundle
Forensic tool approach
Practical Decryption Tool
Dedicated Decryption Tool

Decryption as part of the general purpose forensic tool
