TrueCrypt Volumes Still Undetectable

by Chris on 1 May 2009

Last week, Forensic Innovations Inc announced on its blog that it has a tool that can identify headerless encrypted data, such as TrueCrypt volumes. Yesterday, this story was picked up by Slashdot.

Good ciphers, like AES, output ciphertext that is computationally indistinguishable from random data. An encryption tool that properly implements such a cipher to generate headerless encrypted data will also produce output that is computationally indistinguishable from random data.

For Forensic Innovations Inc’s tool to work, it would have to be able to distinguish between random or pseudo-random data and the output of ciphers like AES. I ran a quick test to see whether it could. It can’t.

I downloaded a trial copy of FI TOOLS for Windows 2.23. I then generated two 10 MB files filled with pseudo-random data. I used a PowerShell script to do this:

$b = New-Object byte[] 1024;   # 1 KB buffer shared by both writers

# random-1.dat: 10240 x 1 KB = 10 MB from System.Random (non-cryptographic PRNG)
$fs = New-Object System.IO.FileStream "C:\Test\random-1.dat", Create;
$r = New-Object System.Random;
1..10240 | % {
   $r.NextBytes($b);
   $fs.Write($b, 0, 1024);
}
$fs.Close();

# random-2.dat: 10 MB from RNGCryptoServiceProvider (cryptographically strong PRNG)
$fs = New-Object System.IO.FileStream "C:\Test\random-2.dat", Create;
$r = New-Object System.Security.Cryptography.RNGCryptoServiceProvider;
1..10240 | % {
   $r.GetBytes($b);
   $fs.Write($b, 0, 1024);
}
$fs.Close();

The first file, random-1.dat, is filled with pseudo-random data generated by the System.Random class from the Microsoft .NET Framework. This class provides a very weak random stream. It should be distinguishable from a truly random stream.

The second file, random-2.dat, is filled with pseudo-random data generated by the System.Security.Cryptography.RNGCryptoServiceProvider from the Microsoft .NET Framework. This class provides cryptographically strong pseudo-random data that should be computationally indistinguishable from truly random data.

Finally, I created a third file, random-3.dat, which was a 10 MB headerless TrueCrypt volume created using the default settings and using a strong random password.

Here is the result:

[Screenshot: File Investigator File Find results, all three files flagged as headerless encrypted data]

As you can see, the tool identified each of the files as headerless encrypted data. Only random-3.dat was actually headerless encrypted data. In other words, the tool cannot distinguish between pseudo-random data and headerless encrypted data.
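To illustrate why the result above is expected, here is an added example (not code from the original post or from FI TOOLS) of the kind of byte-distribution detector such a tool must be relying on, run over constructed stand-ins for the three files: a non-cryptographic PRNG, an OS CSPRNG, and a headerless ciphertext. The thresholds, the SHA-256-in-counter-mode keystream standing in for AES (the Python standard library has no AES), and the sample contents are all assumptions of this example.

```python
import hashlib
import math
import os
import random
from collections import Counter

SAMPLE_LEN = 64 * 1024  # bytes per constructed sample (the post used 10 MB files)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum, reached by uniform bytes."""
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees of freedom)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes) -> bool:
    """The detector: anything statistically uniform is called 'headerless encrypted data'.
    Thresholds are assumptions: uniform bytes give entropy ~7.99 and chi-square ~255."""
    return shannon_entropy(data) > 7.9 and chi_square(data) < 400


def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Headerless encryption stand-in: SHA-256 over (key || counter) as a keystream,
    XORed with the plaintext; no header or magic bytes are written."""
    out = bytearray()
    for off in range(0, len(plaintext), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[off:off + 32], ks))
    return bytes(out)


def build_samples() -> dict:
    """Constructed inputs mirroring the post, plus an ordinary plaintext file for contrast."""
    weak = random.Random(1).randbytes(SAMPLE_LEN)          # Mersenne Twister: not cryptographic
    strong = os.urandom(SAMPLE_LEN)                        # OS CSPRNG
    plain = (b"Quarterly report: revenue up 12%. " * 2048)[:SAMPLE_LEN]
    encrypted = keystream_encrypt(os.urandom(32), plain)   # random key, headerless output
    return {"weak_prng": weak, "csprng": strong, "encrypted": encrypted, "plaintext": plain}


def classify_samples() -> dict:
    """Run the detector over every sample; the three random-looking ones are indistinguishable."""
    return {name: looks_encrypted(data) for name, data in build_samples().items()}
```

Only the plaintext sample is rejected; the detector cannot tell the weak PRNG, the CSPRNG and the ciphertext apart, which is exactly the outcome of the test above.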


Rob Zirnstein 2 May 2009 at 12:26 am

Theory: Headerless encrypted data (using a good cipher) cannot be detected as being encrypted data.

Fact: The headerless encrypted file (random-3.dat) was correctly identified as being encrypted by FI TOOLS.
Fact: To date no one has been able to find a data file from a “real world” application (one that typical users might use) that is incorrectly identified as being encrypted by FI TOOLS.
Fact: To date, all independent testers have reported that every TrueCrypt encrypted file has been identified correctly. We are only claiming 90% accuracy, but that is 100% so far.
Fact: People with intent to trick a Computer Forensics tool are able to create a random data file that can be identified incorrectly.
Fact: I can create a fake data file that tricks detection tools into thinking it is a Windows Bitmap. That doesn’t prove that their tool fails to identify Windows Bitmaps. It only proves that I can practice anti-forensics and interfere with an investigation or audit.

Challenge: Someone find an application, with no anti-forensic purpose, that is used by regular consumers and creates files that get identified as Headerless Encrypted Data by FI TOOLS. Then tell us how to reproduce your test results with that application.

If you can’t find such an application, then FI TOOLS accurately identifies headerless encrypted data in the real world. That would mean that if an investigator found files that created false positives from encrypted data, they can assume that the owner may be trying to hide encrypted data and is using anti-forensic means to do that. Courts don’t like it when people hold back data pertinent to a case.

Rob Zirnstein
President
Forensic Innovations, Inc.
http://www.ForensicInnovations.com

Chris 3 May 2009 at 1:30 am

@Rob Zirnstein: I think the confusion about FI TOOLS stems from the imprecision in describing what it is that the tool does. You say that it detects headerless encrypted data. What the tool actually does is flag files containing seemingly random data.

Headerless encrypted data files are only one example of seemingly random data. It may be that they’re the most common example in the real world. If that’s the case, then a tool identifying such data may be a useful starting point for investigation.

However, since the tool cannot distinguish between pseudo-random data and headerless encrypted data, a court cannot rely on its identification of files as headerless encrypted data files. What would happen if a court ordered a person to produce an encryption key to what was, in fact, a large file filled with pseudo-random data, such as a file used to securely wipe free space?

Wiping free space may be an anti-forensic use of such data, but that doesn’t change the fact that a file used for such a purpose contains no useful data itself and no key can be produced for it. That’s an important distinction for a court.

At best, the tool could inform a court that a file contains seemingly random data. The court could then draw inferences about what that means, perhaps with the help of expert witnesses who might testify that it could be headerless encrypted data or that it could be a file used to wipe free space or that it could be something else.

Allan Doensen 22 May 2009 at 2:52 pm

I study forex movements (currency markets). The tick data from forex exchanges is used in live trading by ‘day traders’. Just 4 years worth of data on the USD Vs YEN cross is over 8Gb in size – so it does look like a TrueCrypt volume. The data is statistically random. People trading stocks and bonds often have similar data. My testing of this tool on my forex data detects it as a TrueCrypt volume – and it is not.

So Mr Rob Zirnstein, do you care to back up your claim above? I will bet you $10,000 USD that your tool will incorrectly identify my forex data as a TrueCrypt volume. Care for a real challenge?

Azu 1 January 2010 at 2:20 am

I don’t usually respond to random blogs but.. my god Rob, are you actually trying to say that such a “detection” is “proof” that the owner of that computer wants to keep something private (which is a criminal offense)? Do you know what happened to another company that made an equally retarded assumption? It was called EvenBalance, and they made a program called PunkBuster and whenever it found a certain pattern in any files on somebody’s computer they considered it “proof” that they were “cheating”, and soon after people started spamming this pattern everywhere (in their avatars on forums, in text in IRC channels, etc) and thus everyone was flagged as a “cheater”.

The difference is, of course, that the severity of temporarily being unable to play a video game online is nothing in comparison to being convicted as having committed a criminal offense. So PLEASE tell me you were being sarcastic or something!
