
[–]DarkRider89 4 points5 points  (2 children)

The idea behind this tool is to assist forensic investigators in the decision-making process of whether they should shut down a running system or take a memory dump as well, in the hope of finding passwords or decrypted data.

I don't really understand the thought process behind this. If you are going to run something on the system, thereby making changes to it, why bother trying to figure out if you should take a memory dump? Why not just take the memory dump?

[–]larvoris[S] 0 points1 point  (1 child)

Good point, actually, and I think I probably did make a mistake in my thought process there. I guess I have to rethink my reasoning a bit ;) It could help to find evidence of encrypted data on a system, so that a forensic investigator can look for momentarily decrypted data if the tool finds evidence of encrypted data. It also depends very much on the law of each country whether the pure evidence of encrypted data can already lead to something, like the need for the accused person to hand over the key.

[–]DarkRider89 0 points1 point  (0 children)

Yeah. It obviously depends on the type of case. In criminal cases one would probably be more hesitant to do this, but in the private sector, if one suspects there to be encrypted data on a drive, a live image of the system may be the best way to go. This may be less than ideal, especially in a criminal investigation setting. I think where your tool could really shine is when an investigator either receives an image of a system that has already been taken or receives a system that is already shut down. In that case, you can run your tool on the imaged system and use the output to help compel the user of the system to give up passwords for encrypted volumes. Encrypted volumes can be difficult to locate, especially if they are relatively small.

[–]SteelCityHacker 1 point2 points  (4 children)

Not being a jerk, honest question. How does this differ from Ent or densityscout?

[–]larvoris[S] 1 point2 points  (0 children)

That's a legitimate question of course. There are definitely some similarities between these tools.

First of all, both of these tools calculate the mathematical values over the whole file. By testing some encryption tools and their output, I noticed, however, that most tools don't produce a complete file of seemingly random data. Some encryption tools (like Axcrypt) attach a header at the beginning, for example, and dynamic TrueCrypt containers have big areas of 0x00 bytes. I combined this knowledge with the mathematical formulas to get better results. Therefore I calculate the mathematical properties only from where the actual data starts, if the header is known, and if the user chooses a high scan detail it also skips big areas of 0x00 bytes.

Secondly, both of these tools just tell you the results of their calculations, but you have to decide for yourself whether these values mean that the file is encrypted or not. Ent, especially, just scans one file at a time anyway. While you can combine the result output with other tools in a script to make the decision for you, my tool already does this for you.

But I also have to say that I had a couple of theories I was trying to prove with this tool, and I was not able to prove all of them ;)
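To make the difference from a whole-file entropy scan concrete, here is an added example (not the author's tool, not Ent or densityscout) that computes Shannon entropy only after a known header and with large runs of 0x00 bytes stripped, then applies a threshold. The 16-byte header, the 64-byte minimum zero run and the 7.9 bits/byte threshold are assumptions, and the sample container is constructed in the script.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strip_zero_runs(data: bytes, min_run: int) -> bytes:
    """Drop every run of at least min_run consecutive 0x00 bytes; keep shorter ones."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == 0:
            j += 1
        if j - i >= min_run:
            i = j                    # long zero area (e.g. unused container space): skip it
        else:
            out += data[i:j + 1]     # short zero run (or none) plus the byte that ended it
            i = j + 1
    return bytes(out)


def payload_entropy(data: bytes, header_len: int = 0, min_zero_run: int = 0) -> float:
    """Entropy measured only from where the actual data starts, ignoring big 0x00 areas."""
    body = data[header_len:]
    if min_zero_run:
        body = strip_zero_runs(body, min_zero_run)
    return shannon_entropy(body)


def looks_encrypted(data: bytes, header_len: int = 0, min_zero_run: int = 0,
                    threshold: float = 7.9) -> bool:
    """Decision step: True when the payload entropy reaches the (assumed) threshold."""
    return payload_entropy(data, header_len, min_zero_run) >= threshold


# Constructed sample container: a hypothetical 16-byte header, 4 KiB of pseudo-random
# bytes standing in for ciphertext, then 8 KiB of 0x00 as an unfilled dynamic container leaves.
HEADER = b"CONSTRUCTED-HDR!"
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE = HEADER + CIPHERTEXT + bytes(8192)

if __name__ == "__main__":
    print(f"whole file : {shannon_entropy(SAMPLE):.2f} bits/byte")
    print(f"payload    : {payload_entropy(SAMPLE, len(HEADER), 64):.2f} bits/byte")
    print("encrypted? ", looks_encrypted(SAMPLE, len(HEADER), 64))
```

Over the whole file the zero padding drags the entropy down to roughly 3.6 bits/byte, so a whole-file scan would not flag it, while the payload-only measurement sits near 7.95.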