Encryption Workshop Session 1
• Oft-repeated theme: if it is encrypted, you are probably not going to crack it. Look instead at the end points and the low-hanging fruit: social engineering or external sources (look for human sloppiness), string searches in cached locations, slack space, network traffic, the page/swap file, and so on.
• A database of data-hiding locations is needed.
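The "look at the end points" advice in practice, as an added example that is not part of the workshop notes: a small carver that pulls printable ASCII and UTF-16LE runs out of a raw image, greps them for terms worth chasing (passphrase, password, PGP armor, key files), and reports whether each hit sits in allocated data, in a file's slack, or in unallocated/swapped-out space. The image, the 64-byte cluster size and the allocation table are all constructed here for illustration; on a real case you would feed it a dd image and the file system's actual allocation data.

```python
"""Carve plaintext remnants out of a raw image: allocated data, file slack,
and unallocated/swap regions. Added example; the image is constructed below."""
import re
from typing import Iterator, List, Tuple

CLUSTER = 64  # hypothetical cluster size of the constructed image

# Hypothetical allocation table: (name, start offset, logical size in bytes)
FILES = [("report.txt", 0, 20), ("vault.enc", 128, 64)]

# Terms worth grepping for before trying to break any crypto
KEYWORDS = re.compile(r"passphrase|password|BEGIN PGP|ssh-rsa|\.kdbx", re.IGNORECASE)


def build_sample_image() -> bytes:
    """Constructed sample, not real evidence: three clusters."""
    # Cluster 0: report.txt (20 bytes) overwrote the start of a deleted note,
    # so the tail of the old note survives in the file's slack space.
    old_note = b"shopping: milk, eggs\nPGP passphrase: correct horse battery staple\n"
    new_file = b"Quarterly report v2\n"
    cluster0 = new_file + old_note[len(new_file):CLUSTER]
    # Cluster 1: unallocated, holding a page of swapped-out memory from a
    # Windows-style process (UTF-16LE text), zero padded.
    paged = "Vault password: hunter2".encode("utf-16-le")
    cluster1 = (b"\x00" * 10 + paged).ljust(CLUSTER, b"\x00")
    # Cluster 2: vault.enc, a stand-in for ciphertext (no printable runs).
    cluster2 = bytes(0x80 + (i * 37) % 128 for i in range(CLUSTER))
    return cluster0 + cluster1 + cluster2


def extract_strings(data: bytes, min_len: int = 6) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_run, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(utf16_run, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def classify(offset: int, files=FILES, cluster: int = CLUSTER) -> str:
    """Say whether an offset lies in a file's data, in its slack, or in neither."""
    for name, start, size in files:
        end_data = start + size
        end_cluster = start + -(-size // cluster) * cluster  # round up to cluster
        if start <= offset < end_data:
            return f"allocated:{name}"
        if end_data <= offset < end_cluster:
            return f"slack:{name}"
    return "unallocated"


def scan_image(data: bytes, files=FILES, cluster: int = CLUSTER) -> List[Tuple[int, str, str, str]]:
    """Return keyword hits as (offset, encoding, region, text), sorted by offset."""
    hits = [(off, enc, classify(off, files, cluster), text)
            for off, enc, text in extract_strings(data)
            if KEYWORDS.search(text)]
    return sorted(hits)


if __name__ == "__main__":
    for off, enc, region, text in scan_image(build_sample_image()):
        print(f"0x{off:04x} {enc:9s} {region:18s} {text!r}")
```

The region label is the useful part: a hit in slack or unallocated space explains why the passphrase is recoverable even though the owner "deleted" the note, and the UTF-16LE pass is what catches text paged out of Windows processes that an ASCII-only strings run would miss.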
Identify Key Legal and Technical Issues
• We can compel people to turn over something physical, but cannot compel them to disclose information they know, such as a passphrase (Fifth Amendment).
• What is the admissibility of "same file name, same file size" as evidence? Generally, on its own it probably isn't, but combined with other evidence (browser history, child abuse material) it can be supportive.
• See Slide #1
Has there been an increase in the use of encryption in the past few years?
• Computer intruders: SSH daemons, Blowfish on log files.
• It will probably rise as wireless use increases; policy tension: CI protection vs. forensics.
• More runtime encryption/decryption is being used in malware.
• TESO has a program (burneye) that encrypts binaries, and it can be combined with machine fingerprinting (virtual memory, routing table, partitioning, hostname) so the binary cannot be run on another machine. Think virus detection!
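What machine fingerprinting buys an attacker, and why it matters for detection, as an added example (toy code written for these notes, not burneye's format or algorithm): the payload is encrypted under a key derived from host attributes, so the file on disk carries no recognisable signature and only decrypts on the host whose fingerprint reproduces the key. The host attributes, the payload and the SHA-256-based stream cipher are constructed stand-ins; the point is the key derivation and the failure mode on the wrong host.

```python
"""Environment-keyed payload encryption in the style of burneye's machine
fingerprinting. Added example with a toy cipher; not burneye's code or format."""
import hashlib
import hmac

# Constructed stand-ins for attributes a packer might fingerprint
HOST_A = {"hostname": "buildbox", "routes": "default via 10.0.0.1",
          "partitions": "sda1:ext3,sda2:swap", "vm_layout": "0x08048000"}
HOST_B = dict(HOST_A, hostname="analyst-vm")  # same box, different hostname

# Constructed "payload": fake ELF header plus a string a scanner would key on
PAYLOAD = b"\x7fELF" + b"\x00" * 12 + b"EVIL_ROUTINE_MARKER"


def fingerprint(attrs: dict) -> bytes:
    """Hash the machine attributes in canonical order into a 32-byte master key."""
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()
    return hashlib.sha256(b"env-key-v1" + canon).digest()


def derive(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the master key."""
    return hashlib.sha256(master + label).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustrative, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, attrs: dict) -> bytes:
    """Encrypt the payload under the machine-derived key and append a MAC tag."""
    master = fingerprint(attrs)
    enc_key, mac_key = derive(master, b"enc"), derive(master, b"mac")
    body = bytes(p ^ k for p, k in zip(payload, keystream(enc_key, len(payload))))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def unseal(blob: bytes, attrs: dict) -> bytes:
    """Decrypt only if this host's fingerprint reproduces the key (MAC checked first)."""
    master = fingerprint(attrs)
    enc_key, mac_key = derive(master, b"enc"), derive(master, b"mac")
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("fingerprint mismatch: payload stays opaque on this host")
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, len(body))))


def runs_on(blob: bytes, attrs: dict) -> bool:
    """True if the sealed payload can be recovered with this host's fingerprint."""
    try:
        unseal(blob, attrs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = seal(PAYLOAD, HOST_A)
    print("marker visible in stored file:", b"EVIL_ROUTINE_MARKER" in blob)
    print("runs on original host:", runs_on(blob, HOST_A))
    print("runs on analyst VM:   ", runs_on(blob, HOST_B))
```

Two consequences follow for the "think virus detection" remark: the stored binary has nothing for a static signature to match, and copying it to a lab machine yields a MAC failure rather than a sample you can unpack, so detection has to key on the decryption stub itself or on the decrypted image at runtime on the original host.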
Steganography and Steganalysis
• Has anyone in law enforcement found steganography in use in a case?
• No, not in the sense of embedding secrets in a carrier.
• But misdirection, renaming, semaphores and data hiding seem to be quite common.
• Crooks are dumb: most people use the defaults of whatever they are given, and people committing crimes of passion aren't usually thinking about how to cover their tracks.
• How reliable are most of the stego detection methods?
• It is a difficult problem: many image formats and a broad spectrum of algorithms, requiring many highly specialized steganalysis routines.
• Reliability is unknown.
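The low-tech hiding the panel actually sees (renaming, data stuffed into a carrier) is cheap to check for, unlike true steganalysis. The following is an added example, not from the workshop: it identifies a file by magic bytes rather than by extension and flags any bytes sitting after an image's structural end marker. The magic table and the four sample files are constructed for illustration; the JPEG and PNG samples are header-and-trailer stubs, not valid images.

```python
"""Flag two cheap data-hiding tricks: a renamed file whose extension disagrees
with its magic bytes, and data appended after an image's end-of-file marker.
Added example; the sample files below are constructed stubs."""
from typing import Dict, List, Tuple

# (magic prefix, canonical type, extensions that legitimately carry it)
MAGIC = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "jar", "apk"}),
]

# Structural end markers: a well-formed file of that type should stop here
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"
JPEG_EOI = b"\xff\xd9"


def sniff_type(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the file name."""
    for prefix, kind, _ in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def expected_end(data: bytes, kind: str) -> int:
    """Offset just past the last end marker, or len(data) if the type has none.
    Using the *last* marker avoids false alarms from EXIF thumbnails (which carry
    their own FFD9) but will miss appended data that itself contains a marker."""
    marker = {"jpeg": JPEG_EOI, "png": PNG_IEND}.get(kind)
    if marker is None:
        return len(data)
    i = data.rfind(marker)
    return i + len(marker) if i >= 0 else len(data)


def check_file(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for one file; empty list means nothing odd."""
    findings = []
    kind = sniff_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    allowed = set().union(*(exts for _, k, exts in MAGIC if k == kind))
    if kind != "unknown" and ext not in allowed:
        findings.append(("extension-mismatch", f"{name} is really {kind}"))
    end = expected_end(data, kind)
    if end < len(data):
        findings.append(("trailing-data", f"{len(data) - end} bytes after {kind} end marker"))
    return findings


def scan_all(samples: Dict[str, bytes]) -> Dict[str, List[Tuple[str, str]]]:
    return {name: check_file(name, data) for name, data in samples.items()}


# Constructed samples (header/trailer stubs, not valid images)
SAMPLES = {
    # JPEG renamed to .txt with a message appended after the EOI marker
    "vacation.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
                    + JPEG_EOI + b"meet at the pier, 3am",
    # PNG-looking file with a proper IEND and nothing after it
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + PNG_IEND,
    # PDF masquerading as an image
    "invoice.jpg": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    # Plain text with no recognised magic: nothing to report
    "readme.txt": b"nothing to see here\n",
}

if __name__ == "__main__":
    for name, findings in scan_all(SAMPLES).items():
        print(name, findings or "ok")
```

Neither check says anything about LSB embedding or other real steganography; they only catch the renaming and appending that the panel reports as common, which is exactly why they are worth running first.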