When the devices of a suspect are seized as part of an investigation, digital forensic investigators should check for the presence of encryption on such devices.
The majority of full disk encryption products make changes to the Master Boot Record (MBR) or the Volume Boot Record (VBR) so that their own pre-boot code can be located and executed to decrypt the data; those changes are what the investigator looks for.
Keep in mind that the techniques discussed in this article may not be practicable for every file and disk encryption scheme, because not all of them have distinctive properties that can be used to identify them.
How To Measure The Randomness Of Files To Detect Encryption
To find out whether encryption is deployed on the suspect's computer, the forensic investigator can measure the randomness of files: the closer a file's contents are to random, the more confident the investigator can be that encryption has been employed.
To measure this, the investigator could employ the following Python script, which calculates the Shannon entropy of a file:
Note that the closer the entropy value is to 8.0 (the maximum for byte-oriented data), the more random the file's contents are.
Known Signatures As Indicators That Encryption Is Used
In some situations, digital forensic examiners will use known signatures to detect whether encryption has been used by the suspect.
Digital Forensic Identifiers
The following list comprises popular encryption products and standards that serve as useful identifiers in a digital forensic investigation:
Microsoft BitLocker/Bitlocker To Go
BitLocker is a full volume encryption standard included with the Microsoft Windows operating system beginning with Windows Vista.
BitLocker uses AES with 128-bit or 256-bit keys to encrypt the drive. A drive that has been encrypted with BitLocker looks different from a regular NTFS drive.
The signature "-FVE-FS-" may be located at the beginning of BitLocker encrypted volumes. In other words, a BitLocker encrypted volume will start with that signature.
Hence, at the physical level, the header of the boot sector of a Windows Vista BitLocker-protected volume (sector offset 0 of the Volume Boot Record (VBR)) will contain the encryption product identifier "ëR•-FVE-FS-", corresponding to the hex value "EB 52 90 2D 46 56 45 2D 46 53 2D".
In contrast, on Windows 7/8, sector offset 0 of the Volume Boot Record of a BitLocker-protected volume carries the encryption product identifier "ëX¬|-FVE-FS-", corresponding to the hex value "EB 58 90 2D 46 56 45 2D 46 53 2D".
Apple FileVault
Apple FileVault is essentially BitLocker's equivalent on macOS and provides full disk encryption. At sector offset 0 of the container, the encryption product identifier "encrcdsa" may be located, corresponding to the hex value "65 6E 63 72 63 64 73 61" at the start of FileVault encrypted volumes.
Sophos SafeGuard Enterprise & SafeGuard Easy
For Sophos SafeGuard Enterprise, the encryption product identifier "SGM400" may be located at sector offset 119 of the Master Boot Record (MBR), corresponding to the hex value "53 47 4D 34 30 30 3A".
For Sophos SafeGuard Easy, the encryption product identifier "SGE400" may be located at sector offset 144 of the Master Boot Record, corresponding to the hex value "53 47 45 34 30 30 3A".
Credant Mobile Guardian
Credant Mobile Guardian is a disk encryption solution that offers tamper-proof encryption by encrypting files and folders; it does not encrypt the system files. As a result, the Master Boot Record and Volume Boot Record do not appear to be altered.
Forensic software can search for the CredDB.CEF file to establish whether any files are encrypted with Credant Mobile Guardian.
TrueCrypt, DiskCryptor, VeraCrypt
We can detect the presence of "Crypt" encryption containers using the following conditions:
- The object has a high Shannon entropy; its minimum size is 19KB, although by default the minimum is 5MB.
- The size of the file, or of the collection of clusters, is a multiple of 512.
- No particular file signature is present anywhere in the object.
Bear in mind that because there is no particular signature or header, we cannot say for certain that "Crypt" encryption utilities were employed. Nevertheless, we can attempt to determine whether such utilities were used with the above conditions and additional techniques.
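As an added example (not the article's own code), the check below applies the three conditions from the list above to a byte object: entropy, minimum size, a size that is a multiple of 512, and the absence of known file signatures. The 7.9 entropy threshold and the small list of file magics are assumptions; a real deployment would use libmagic or a fuller signature database. Short two- and three-byte magics are only matched at the start of the object, because they occur by chance inside random data; longer magics are searched throughout.

```python
import math
import random
from collections import Counter

SECTOR = 512
MIN_CONTAINER_BYTES = 19 * 1024   # lower bound from the article; default volumes are 5 MB or more
ENTROPY_THRESHOLD = 7.9           # assumed threshold, not from the article

# Well-known file magics (assumed short list for illustration).
KNOWN_MAGICS = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive",
    b"\xff\xd8\xff": "JPEG image",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def found_magics(data: bytes) -> list:
    """Labels of known signatures found in the object. Magics shorter than
    4 bytes are only checked at offset 0 to avoid chance hits in random data."""
    hits = set()
    for magic, label in KNOWN_MAGICS.items():
        if data.startswith(magic) or (len(magic) >= 4 and magic in data):
            hits.add(label)
    return sorted(hits)


def crypt_container_check(data: bytes) -> dict:
    """Evaluate the article's three conditions and report each separately,
    so the examiner can see which one failed rather than a bare yes/no."""
    entropy = shannon_entropy(data)
    size = len(data)
    magics = found_magics(data)
    conditions = {
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "min_size": size >= MIN_CONTAINER_BYTES,
        "multiple_of_512": size > 0 and size % SECTOR == 0,
        "no_known_signature": not magics,
    }
    return {
        "size": size,
        "entropy": round(entropy, 4),
        "magics": magics,
        "conditions": conditions,
        "candidate": all(conditions.values()),
    }


def build_sample_objects() -> dict:
    """Constructed test objects (seeded PRNG, not real containers)."""
    rng = random.Random(1234)
    return {
        "candidate": rng.randbytes(64 * 1024),                      # passes all four
        "too_small": rng.randbytes(4096),                            # below 19 KB
        "odd_size": rng.randbytes(64 * 1024 + 100),                  # not a multiple of 512
        "png_like": b"\x89PNG\r\n\x1a\n" + rng.randbytes(64 * 1024 - 8),  # carries a magic
    }


if __name__ == "__main__":
    for name, obj in build_sample_objects().items():
        r = crypt_container_check(obj)
        print(f"{name}: candidate={r['candidate']} entropy={r['entropy']} failed="
              f"{[k for k, v in r['conditions'].items() if not v]}")
```

Against a real evidence set, feed the function the contents of unallocated cluster runs as well as files: a container hidden in slack or unallocated space satisfies the same conditions as a file.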
Symantec PGP Whole Disk Encryption
Symantec PGP Whole Disk Encryption is deployed to encrypt all the contents on the drive on a block-by-block basis.
At sector offset 3 of the Master Boot Record, the encryption product identifier "ëH|PGPGUARD" may be located, corresponding to the hex value "EB 48 90 50 47 50 47 55 41 52 44".
WinMagic SecureDoc Full Disk Encryption
WinMagic SecureDoc Full Disk Encryption is a disk encryption solution that secures data at rest (DAR). At sector offset 246 of the Master Boot Record, the encryption product identifier "WMSD" may be located, corresponding to the hex value "57 4D 53 44".
GuardianEdge Encryption Plus, Anywhere, Hard Disk Encryption, & Symantec Endpoint Encryption
At sector offset 6 of the Master Boot Record, the encryption product identifier "PCGM" may be located, corresponding to the hex value "50 43 47 4D".
McAfee SafeBoot & Endpoint Encryption
At sector offset 3 of the Master Boot Record, the encryption product identifier "SafeBoot" may be located, corresponding to the hex value "53 61 66 65 42 6F 6F 74".
Check Point Full Disk Encryption
At sector offset 90 of the Volume Boot Record, the encryption product identifier "Protect" may be located, corresponding to the hex value "50 72 6F 74 65 63 74".
Microsoft Encrypting File System
Microsoft Encrypting File System is a feature that offers filesystem-level encryption. Because it works at the filesystem level, the Master Boot Record and Volume Boot Record do not appear to be altered.
Files that have been encrypted using Encrypting File System will have a corresponding EFS stream that is visible in forensic software. Its name is the name of the file with $EFS appended.
A digital forensic investigator can run a search (for instance, with grep) for the hex values above, or for $EFS, to help establish which product has been deployed. It is not practicable to establish the precise product version from these signatures.
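The following scanner is an added example, not code from the article: it collects the MBR and VBR signatures listed above into one table, reads the MBR of a raw image, walks the four primary partition entries to find each partition's VBR, and reports which product identifiers match at the stated sector offsets. For identifiers the article quotes together with a leading jump instruction (PGPGUARD, SafeBoot), only the ASCII part is matched at the offset the article gives; that interpretation is an assumption. The FileVault "encrcdsa" magic belongs to a container file rather than a boot sector, so it is checked by a separate function. The sample image is constructed for the test and is not a real disk.

```python
import struct
import sys

SECTOR = 512

# (region, byte offset within the sector, signature bytes, product) as listed in the article.
SIGNATURES = [
    ("vbr", 0,   bytes.fromhex("EB52902D4656452D46532D"), "Microsoft BitLocker (Windows Vista)"),
    ("vbr", 0,   bytes.fromhex("EB58902D4656452D46532D"), "Microsoft BitLocker (Windows 7/8)"),
    ("vbr", 90,  b"Protect",  "Check Point Full Disk Encryption"),
    ("mbr", 119, b"SGM400:",  "Sophos SafeGuard Enterprise"),
    ("mbr", 144, b"SGE400:",  "Sophos SafeGuard Easy"),
    ("mbr", 3,   b"PGPGUARD", "Symantec PGP Whole Disk Encryption"),   # preceded by jump EB 48 90
    ("mbr", 246, b"WMSD",     "WinMagic SecureDoc Full Disk Encryption"),
    ("mbr", 6,   b"PCGM",     "GuardianEdge / Symantec Endpoint Encryption"),
    ("mbr", 3,   b"SafeBoot", "McAfee SafeBoot / Endpoint Encryption"),
]
CONTAINER_SIGNATURES = [
    (0, b"encrcdsa", "Apple FileVault (encrypted disk image)"),
]


def match_signatures(sector: bytes, region: str) -> list:
    """Products whose signature appears at its stated offset in this sector."""
    return [product for reg, off, sig, product in SIGNATURES
            if reg == region and sector[off:off + len(sig)] == sig]


def scan_container_header(data: bytes) -> list:
    return [product for off, sig, product in CONTAINER_SIGNATURES
            if data[off:off + len(sig)] == sig]


def partition_starts(mbr: bytes) -> list:
    """LBA start of each used primary partition. The MBR partition table sits
    at offset 446 with four 16-byte entries; the type byte is at entry offset
    4 and the little-endian uint32 start LBA at entry offset 8."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        return []           # no boot signature: do not trust the table
    starts = []
    for i in range(4):
        base = 446 + 16 * i
        ptype = mbr[base + 4]
        lba = struct.unpack_from("<I", mbr, base + 8)[0]
        if ptype != 0 and lba != 0:
            starts.append(lba)
    return starts


def scan_image(image: bytes) -> dict:
    """Check the MBR and every primary partition's VBR against the table."""
    findings = {}
    mbr = image[:SECTOR]
    hits = match_signatures(mbr, "mbr")
    if hits:
        findings["mbr"] = hits
    for lba in partition_starts(mbr):
        vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
        hits = match_signatures(vbr, "vbr")
        if hits:
            findings[f"vbr@lba{lba}"] = hits
    return findings


def build_sample_image() -> bytes:
    """Constructed image (not real evidence): MBR carrying the WinMagic marker
    and one NTFS-typed partition at LBA 64 whose VBR carries the Vista BitLocker header."""
    lba = 64
    mbr = bytearray(SECTOR)
    mbr[246:250] = b"WMSD"
    # status, CHS start (3), type 0x07, CHS end (3), start LBA, sector count
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, lba, 2048)
    mbr[510:512] = b"\x55\xAA"
    vbr = bytearray(SECTOR)
    vbr[0:11] = bytes.fromhex("EB52902D4656452D46532D")
    vbr[510:512] = b"\x55\xAA"
    image = bytearray(SECTOR * (lba + 1))
    image[0:SECTOR] = mbr
    image[lba * SECTOR:(lba + 1) * SECTOR] = vbr
    return bytes(image)


if __name__ == "__main__":
    # Usage: python sigscan.py IMAGE.dd   (with no argument, scans the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(scan_image(data) or "no known boot-sector signatures")
```

Only the legacy MBR layout is handled; on a GPT disk the protective MBR has a single 0xEE entry and the real volume boot records must be located from the GPT partition entries instead. A negative result from this scan says nothing about products that leave the boot sectors untouched (Credant, EFS, the "Crypt" family), which is why it complements rather than replaces the entropy checks.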
Linux Unified Key Setup (LUKS) & Cryptsetup
The Linux Unified Key Setup (LUKS) is a disk encryption specification used by Cryptsetup on Linux, a tool for setting up disk encryption based on the dm-crypt kernel module. In other words, Cryptsetup is used to set up encrypted filesystems using Device Mapper and the dm-crypt target.
LUKS serves as the standard for Linux hard disk encryption. LUKS keeps all required setup information in the partition header, which allows data to be transferred or migrated seamlessly.
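Because LUKS stores its setup information in the header at the start of the partition, the header is itself the identifier. The parser below is an added example, not part of the article or of cryptsetup: it recognises the six-byte LUKS magic ("LUKS" followed by 0xBA 0xBE), reads the big-endian version field that follows it, and for version 1 extracts the cipher name, cipher mode, hash specification, key size and UUID from their fixed offsets in the LUKS1 header; for version 2 it reads the header size, label and UUID from the binary area. The sample header is constructed for the test. On a live Linux system, `cryptsetup isLuks <device>` and `cryptsetup luksDump <device>` are the reference checks.

```python
import struct
import sys
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of a LUKS1 or LUKS2 header


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(hdr: bytes) -> Optional[dict]:
    """Return header facts if `hdr` starts with a LUKS header, else None.
    LUKS1 fixed layout: cipher-name[32]@8, cipher-mode[32]@40, hash-spec[32]@72,
    payload-offset u32@104 (sectors), key-bytes u32@108, uuid[40]@168.
    LUKS2 binary area: hdr_size u64@8, label[48]@24, checksum_alg[32]@72, uuid[40]@168."""
    if len(hdr) < 8 or hdr[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", hdr, 6)[0]
    info = {"version": version}
    if version == 1 and len(hdr) >= 208:
        info.update({
            "cipher": _cstr(hdr[8:40]),
            "mode": _cstr(hdr[40:72]),
            "hash": _cstr(hdr[72:104]),
            "payload_offset_sectors": struct.unpack_from(">I", hdr, 104)[0],
            "key_bytes": struct.unpack_from(">I", hdr, 108)[0],
            "uuid": _cstr(hdr[168:208]),
        })
    elif version == 2 and len(hdr) >= 208:
        info.update({
            "header_size": struct.unpack_from(">Q", hdr, 8)[0],
            "label": _cstr(hdr[24:72]),
            "checksum_alg": _cstr(hdr[72:104]),
            "uuid": _cstr(hdr[168:208]),
        })
    return info


def build_sample_luks1_header() -> bytes:
    """Constructed LUKS1 header (not from a real device): aes-xts-plain64,
    sha256, 512-bit key, payload at sector 4096."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + 3] = b"aes"
    hdr[40:40 + 11] = b"xts-plain64"
    hdr[72:72 + 6] = b"sha256"
    struct.pack_into(">I", hdr, 104, 4096)
    struct.pack_into(">I", hdr, 108, 64)
    uuid = b"00000000-0000-4000-8000-000000000000"   # placeholder UUID
    hdr[168:168 + len(uuid)] = uuid
    return bytes(hdr)


def check_device(path: str) -> Optional[dict]:
    """Read the first 4 KiB of a device or image and parse it."""
    with open(path, "rb") as fh:
        return parse_luks_header(fh.read(4096))


if __name__ == "__main__":
    # Usage: python lukscheck.py /dev/sdXN   (or a raw partition image)
    for p in sys.argv[1:]:
        print(p, check_device(p) or "not a LUKS header")
```

Point the check at the partition device, not the whole disk: the LUKS header lives at the start of the encrypted partition, so on a raw disk image the partition start from the MBR or GPT table must be added first. A volume set up with plain dm-crypt (no LUKS) has no header at all and will only show up through the entropy measurements earlier in the article.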