Live Forensic Analysis: Searching for Altered and Unaltered Encrypted Volume

7/22/2019 Live Forensic Analysis: Searching for Altered and Unaltered Encrypted Volume

1/27

qwfrtyulkpmsehjgod`zxivncaqwfrty

kpmsehjgod`zxivncaqwfrtyulkpmsehj

d`zxivncaqwfrtyulkpmsehjgod`zxivn

caqwfrtyulkpmsehjgod`zxivncaqwfyulkpmsehjgod`zxivncaqwfrtyulkpm

ehjgod`zxivncaqwfrtyulkpmsehjgod`z

vncaqwfrtyulkpmsehjgod`zxivncaq

wfrtyulkpmsehjgod`zxivncaqwfrtyu

pmsehjgod`zxivncaqwfrtyulkpmsehjg

d`zxivncaqwfrtyulkpmsehjgod`zxivn

aqwfrtyulkpmsehjgod`zxivncaqwfrulkpmsehjgod`zxivncaqwfrtyulkpmse

jgod`zxivncaqwfrtyulkpmsehjgod`zx

vncaqwfrtyulkpmsehjgod`zxivncart

ulkpmsehjgod`zxivncaqwfrtyulkpmsejgod`zxivncaqwfrtyulkpmsehjgod`zx

vncaqwfrtyulkpmsehjgod`zxivncaqw

frtyulkpmsehjgod`zxivncaqwfrtyulk

@lvf Hkrfcsli Mcm`ysls

Yfmriglcj hkr M`tfrfe mce Vcm`tfrfe

Fciryptfe Xk`uaf

=/6/>2=5

Ekcm`e Ilcik


2/27

Ugf mla kh tgls pmpfr wms tk fapgmslzf tgmt irlafs mrf kiiurrlcj fvfryemy lc tgf

eljltm` wkrè mce iynfr irlalcm`s mrf mevmcilcj tgflr tkk`s mce trlids amdlcj lt elhhliu`t

hkr tgf hkrfcsli fxmalcfr tk elsikvfr tgf fvlefcif hl`fs. Rfrpftrmtkrs mrf nfikalcj akrf

dckw`fejfmn`f ny uslcj m vmrlfty kh tkk`s mce tfigclqufs tk mvkle eftfitlkc. Lc hmit tgls

ls nfikalcj m jrkwlcj igm``fcjf. Zltglc tgf `mst efimef tgf kvfrm`` iynfr irlaf sifcf

gms rfvkùtlkclzfe sljclhlimct`y, wltg pfrpftrmtkrs efvf`kplcj akrf akefrc tfigclqufs

mce nrkmefr sdl``s lc tfigck`kjy.

Zltg tkemys tfigck`kjy hkrfcsli fxmalcfrs aust m`wmys nf kc tkp kh tgflr jmaf.

Zltg tgmt nflcj smle, eljltm` hkrfcslis fxmalcfr aust dckw tgf `lalts kh tgflr tkk`s mce

tgflr impmnl`ltlfs. Euf tk tgf hmit tgmt ckt m`` tgf tkk`s lc tgflr mrsfcm` wkuè jlvf tgfa

tgf rfsu`ts tgmt tgfy mrf sffdlcj. M eljltm` hkrfcsli fxmalcfr aust m`wmys tglcd kutslef

tgf nkx. M`` lcvfstljmtlkcs mrf ckt tgf smaf, wgmt wkrdfe hkr yku tgf `mst tlaf aljgt

ckt wkrd hkr yku tgls tlaf. Zgmt yku mrf mnkut tk rfme ls nmsfe kc efakcstrmtlkcs

kc`y. Ny ck afmcs ma L ckt sujjfstlcj wgmt tkk`s tk usf mce wgmt ckt tk usf.

Nfhkrf L stmrt L wkuè `ldf tk afctlkc tgmt lc tgls efakcstrmtlkc L gmvf tfstfe

sfvfrm` hkrfcsli tkk`s, ikaafrilm` mce kpfc skurif. Ugls efakcstrmtlkc ls nmsfe kc

sfvfrm` hkrfcsli tkk`s ckt nflcj mn`f tk ik``fit m`` tgf fvlefcif mce gkw m pfrpftrmtkr

imc glef tgflr fvlefcif. Ugfrf mrf amcy wmys m pfrpftrmtkr imc glef tgf hl`f/s lcslef tgf

systfa l.f., nlcelcj hl`fs tkjftgfr kr oust slap`y `kidlcj lt wltg zlp/rmr. Ugf qufstlkc ls

wgmt yku wkuè ek lh yku fvfr imaf mirkss tgls sltumtlkc. \ku amy gmvf gfmre tgmt

sfvfrm` hkrfcslis prkjrmas mrf ckw i`mlalcj tgmt tgfy imc eftfit kr hlce fciryptfe elsd

vkùaf mce efirypt tgf pmsswkre kh mc fciryptfe elsd, amlc`y usfe ny fciryptlkcprkjrmas suig ms UrufIrypt, RJR mce Nlt`kidfr.

Nflcj mc lcqulsltlvf alcefe lcelvleum`, L wfct kc`lcf mce sfmrigfe hkr mc kpfc

skurif tkk` tgmt ikuè eftfit mc fciryptfe elsd vkùaf. L hkuce FEE (Fciryptfe Elsd

Eftfitkr), L ekwc`kmefe lt mce L wmctfe tk sff lh tgls wkuè rfm``y elsikvfr ay gleefc

pmrtltlkc lcslef ay h`msgerlvf. Ugf hlrst tglcj L cktlife FEE ls fmsy mce slap`f tk usf. L

tglcd lt ls m jkke tkk` hkr eftfitlcj fciryptfe elsd vkùaf mce nfst kh m``, lt ls hrff.

Uk ay fctguslmsa L lcsfrtfe ay h`msgerlvf tk ay efsdtkp wltg m UrufIrypt

fciryptfe pmrtltlkc, ms skkc ms ay efsdtkp rfikjclzfe ay h`msgerlvf L tgfc fxfiutfeFEE tk sff lh lt wkuè eftfit tgf fciryptfe vkùaf lcslef ay h`msgerlvf. Lc m amttfr kh

sfikces L gmvf tgf rfsu`ts lc hrkct kh af, Yff Hlj. =.


3/27

Hlj. =

Ms yku imc sff lc Hlj. = ms L stmrtfe tgf FEE.fxf lt rfvfm`fe tgmt tgfrf ls mc

fciryptfe vkùaf lc ay h`msgerlvf. Ny `kkdlcj mt tgf lamjf yku imc sff wgfrf FEE

elsikvfrfe tgf fciryptfe vkùaf, lt ls `kimtfe mt Rgyslimèrlvf6 pmrtltlkc = wltg mc

KFA LE? nA

L mce mt tgf nkttka lt smys Fciryptfe vkùafs mce/kr prkifssfs wfrfeftfitfe ny FEE. Rrftty jkke tkk` lh yku msd af, tgf tkk` efhlcltf`y amef lt fmslfr hkr m

eljltm` hkrfcsli fxmalcfr tk elsikvfr fciryptfe vkùafs, usfe ny fciryptlkc prkjrmas

wgfc eklcj m `lvf mcm`ysls.

Hurtgfrakrf, wgmt lh wf mrf efm`lcj wltg skafkcf wgk rfm``y dckws tgfy mrf

eklcj tk mvkle eftfitlkc; Zgmt lh L tf`` yku tgmt L imc amdf UrufIrypt fciryptfe


4/27

vkùaf uceftfitfe hrka FEE; Imc lt nf ekcf; Ls lt pkssln`f; Mnskùtf`y! \ku gmvf tk

ucefrstmce gkw FEE wkrds mce gkw lt `kkds hkr tgf sljcmturf. Mcykcf wgk

ucefrstmces rfvfrsf fcjlcffrlcj lc eljltm` hkrfcslis dckws lt ls ckt tgmt elhhliu`t tk

miglfvf. Lh m pfrpftrmtkr wkuè `ldf tk glef tgf fciryptfe vkùaf, tgfy imc slap`y ikpy

tgf wgk`f fciryptfe sfitkr vkùaf mce glef lt mcywgfrf wgfrf lt wkuè nf gmre tk

hlce. Zgfc tgf pfrpftrmtkr ls rfmey tk akuct lt, tgfy imc fmsl`y jk nmid wgfrf tgfy gle

lt mce rfstkrf lt nmid tk mcy gmreerlvf kr h`msgerlvf. Nfhkrf L fxp`mlc gkw lt imc lt nf

rfstkrfe `ft us `kkd mt hlj. >, tgls ls m smap`f kh m akelhlfe gfmefr amdlcj lt uceftfitfe

tk FEE, RMYYZM^F HK^FCYLI DLU mce F@IKAYKHU HK^FCYLI ELYD

EFI^\RUK^.

Hlj. >

Mhtfr akelhylcj tgf UrufIrypt gfmefr wltg gfx feltkr mce rucclcj tgf FEE, wfimc sff tgmt FEE ls ucmn`f tk eftfit tgf fciryptfe vkùaf lc hlj. >. Uk akvf kc, tgf

cfxt tkk` L wl`` usf ls m Rmsswmrf Hkrfcsli Dlt, tk sff lh tgls tkk` imc eftfits tgf

UrufIrypt vkùaf lc ay h`msgerlvf (L?), Yff hlj. 9.


5/27

Hlj. 9

Uk nfjlc L sft tgf Rmsswmrf Hkrfcsli Dlt, igfidlcj tgf simc hkr fciryptfe

ikctmlcfrs mce elsd lamjfs lci`uelcj tgf (L?) wgfrf UrufIrypt elsd rfslefs. L tgfc glt

tgf sfmrig nuttkc mce lc oust m amttfr kh alcutfs, lt jmvf af tgf rfsu`ts. Yff hlj. 5


6/27

Hlj.5

Mjmlc ck glt, tgf Rmsswmrf Hkrfcsli Dlt ele ckt eftfitfe tgf UrufIrypt

fciryptfe vkùaf lc kur h`msgerlvf pmrtltlkc. Ugkujg, tgf Rmsswmrf gms ktgfr kptlkcs.

\ku imc usf afakry mttmid mcm`ysls ny euaplcj tgf ^MA afakry mce irfmtlcj mc

lamjf kh tgf h`msgerlvf uslcj HUD lamjfr. Nfhkrf wf ek m`` tgmt, wf cffe tk kpfc kurUrufIrypt vkùaf mce pkssln`y imigf kur pmsswkres lc kur ^MA afakry, ucigfidfe

tgf cfvfr smvf glstkry. Cktf? lc tgls efakcstrmtlkc wf wl`` nf uslcj ucm`tfrfe

UrufIrypt vkùaf, sff hlj. 6


7/27

Hlj. 6

Ckw tgmt wf ef`lnfrmtf`y imigf tgf pmsswkre, `fmvlcj trmifs lc kur ^MA

afakry mce `fmvlcj tgf nkttka nkx uc-igfidfe lc Cfvfr smvf glstkry. Cfxt L

akuctfe tgf UrufIrypt fciryptfe vk`uaf, sff hlj. 8.


8/27

Hlj. 8

Mhtfr fctfrlcj tgf pmsswkre mce sf`fitfe tgf ikrrfit pmrtltlkc, wf ckw imc miifss

tgf _-erlvf vk`uaf. Yff hlj. :


9/27

Hlj. :

Ms yku imc sff wf ckw gmvf miifss tk tgf UrufIrypt vk`uaf, L fxpfitfe tgf

pmsswkre tk stmy lc tgf ^MA. L wl`` ckw i`ksfs tgf UrufIrypt vk`uaf mce stmrt wltg

afakry euap mce lamjf tgf h`msg erlvf uslcj HUD Lamjfr. L gkpf wf imc impturf tgf

pmsswkre hrka tgfrf. Hlrst, L wl`` ruc EuapLt tk euap wgmt ls lc tgf afakry, sff hlj 7.

Hlj. 7

Hlcm``y, L gmvf m`` tgf hl`fs L cffe. Ugf rmw lamjf ^MA afakry uslcj EuapLt,tgf `kjlim` lamjf hl`f kh tgf h`msgerlvf, tgf pmjfhl`f.sys mce afaeuap.afa uslcj HUD

lamjfr sff hlj.


10/27

Hlj.

Lc hlj. => wf wl`` usf tgf hlrst kptlkc Efirypt kr akuct elsd nyprkvlelcj

afakry lamjf kr fciryptlkc dfys. Cfxt, tlid tgf UrufIrypt (fciryptfe elsd), i`lid

cfxt tgfc i`lid Yf`fit tmn mce igkksf tgf erlvf wgfrf tgf UrufIrypt vk`uaf rfslefs.

Zglig lc tgls imsf kurs ls lc L?P erlvf. Lc sf`fit skurif kh dfys, L usf tgf

afaeuap.afa, mce tgfc i`lid cfxt mce lt sgku`e stmrt sfmriglcj tgf afakry hl`f mce

tgf h`msgerlvf.


13/27

Hlj. =9

Mhtfr `fss tgmc mc gkur, Fìkaskht Hkrfcsli Elsd Efiryptkr hml`fe tk hlce tgf

pmsswkres fvfc tgkujg wf prkvlefe lt wltg m afakry euap mce tgf UrufIrypt

vkùaf. Yk hmr wf gmvf ck glts, wf mrf ucmn`f tk rftrlfvf tgf pmsswkre lc ^MA

afakry mce tgf tkk`s wf usfe hml`fe tk rfikvfr trmifs kh mcy pmsswkre. Zf ele ckt usf

mcy dfys nfimusf wf kc`y wmct tk usf tgf pmsswkre hkr tgf efakcstrmtlkc purpksf

kc`y. Ugf rfm` qufstlkcs mrf, wgy ele wf hml`fe tk rfikvfr tgf pmsswkre mce tgf

fciryptfe elsd vkùaf eurlcj `lvf miqulsltlkc; Zgy ele wf ckt rfikvfr mcy i`fmr tfxt

pmsswkre lc rmw afakry euap; Zgfrf imc wf rfikvfr tgf UrufIrypt vkùaf lh tgfrf

ls ck pmrtltlkc sgkwlcj lc tgf H`msgerlvf kr Gmreerlvf;

Ikchrkctfe wltg tgls dlce kh ermwnmids eurlcj `lvf miqulsltlkc, amdfs lt kc`y

elhhliu`t hkr tgf fxmalcfr, `fmelcj tk gm`tlcj tgf mcm`ysls mce akst lapkrtmct`y

ofkpmrelzlcj tgf lcvfstljmtlkcs. Gkwfvfr, tgls ls ckt m efme fce hkr us4 wf oust gmvf tk

nf m `ltt`f irfmtlvf. Hlrst wf cffe tk dckw wgy kur tkk`s mrf ckt eftfitlcj mcytglcj.Ugkujg, wf dckw tgmt tgfrf ls m gleefc fciryptfe elsd vkùaf lc tgf systfa. Yfikce,

wgy ls lt wf mrf ckt sfflcj mcy pmsswkre imigf lc kur `lvf afakry miqulsltlkc; Zgmt

mrf wf efm`lcj wltg; Ekfs tgf systfa usf sfiurlty tkk`s tgmt efhfmt kur tkk`s; Ls tgfrf

mcytglcj ikchljurfe lc tgf systfa tgmt glcefrs us tk miqulrf tgf fvlefcif; Lh tgfrf ls ck

sljc kh fciryptfe gleefc vkùaf wgfrf ls lt; Ikuè tgf pfrpftrmtkr gmvf mc fciryptfe


14/27

vkùaf nmidup gleefc skafwgfrf lc tgf systfa; Ugfsf mrf tgf tglcjs tgmt wf cffe tk

msd kursf`vfs.

Ckw tgmt wf gmvf m`` tgf qufstlkcs lc kur gmce, wf imc stmrt `kkdlcj hkr m`` tgf

mcswfrs mce hlce kut wgy wf mrf ckt jfttlcj mcy rfsu`ts. Hlrst, wf cffe tk `kkd mt tgf

pmjfhl`f.sys mce glnfrhl`.sys, tk sff lh kur susplilkcs mrf truf. @ft's smy wf ruc tgf

rfjfelt mce sfmrig tgf

GD@APY\YUFAPIurrfctIkctrk`YftPIkctrk`PHl`fYystfaPCthsFciryptRmjlcjHl`f ( = )

mce elsikvfr lt wms fcmn`fe, mce tgfc wf dckw tgf pmjfhl`f.sys ls fciryptfe mce ck

sljc kh glnfrhl`.sys lc tgf systfa afmcs lts turcfe khh kr ef`ftfe.

Yfikce, wf cffe tk dckw wgmt sfiurlty prkjrmas mrf lcstm``fe kc tgf systfa.

@ft's prfsuaf tgmt wf gmvf elsikvfrfe tgmt tgf systfa gms m DfyYirman`fr lcstm``fe.

Zf cffe tk dckw gkw tgf DfyYirman`fr ls prktfitlcj tgf systfa. Ny jklcj tk tgf

DfyYirman`fr wfnsltf wf imc hlce kut tgf hfmturfs kh tgls prkjrma. Miikrelcj tk tgflrwfnsltf DfyYirman`fr nfjlcs fciryptlcj ykur dfystrkdfs lc rfm` tlaf mt tgf dfynkmre

erlvfr `fvf`. Nfimusf DfyYirman`fr ls `kimtfe lc tgf dfrcf`, effp lc tgf kpfrmtlcj

systfa, nypmsslcj DfyYirman`fr's fciryptlkc ls elhhliu`t. Ckw wf dckw wgy kur tkk`s

mrf lcfhhfitlvf tk hlce tgf imigf pmsswkre lc rmw afakry euap kr pmjfhl`f.sys euf tk

DfyYirman`fr ls rfp`milcj tgf i`fmr tfxt wltg rmceka dfys mce CthsFciryptRmjlcjHl`f

ls fcmn`fe, tgmt ls kur ermwnmids.

Lc tgf nfjlcclcj L efakcstrmtfe kc gkw tk nypmss tgf FEE kc eftfitlcj

fciryptfe elsd vkùaf. Lc skaf imsfs, skaf usfrs wkuè ckt dffp tgf fciryptfe elsdvkùaf lc tgf gmreerlvf pmrtltlkc kr lc m h`msgerlvf, pmrtliu`mr`y lh tgfy mrf glelcj mc

lapkrtmct emtm tgmt ikuè jft tgfa lc trkun`f. Akst `ldf`y tgf pfrpftrmtkr wkuè try tk

irfmtf m elvfrslkc mce try tk kutsamrt tgf eljltm` hkrfcsli fxmalcfr ny oklclcj tgf

fciryptfe vkùaf wltg mcktgfr hl`f kr rfcmalcj tgf fxtfcslkc hl`f wltg skaf rmceka

fxtfcslkc. Ylcif wf ikuè ckt hlce wgmt wf wfrf `kkdlcj hkr, wf wl`` usf m elhhfrfct

rkutf tk sfmrig hkr mc fciryptfe elsd vkùaf mce amynf wf imc `kimtf tgf nmidup

fciryptfe vkùaf mce pfrgmps ikpy tgf hl`f vkùaf hkr `mtfr fxmalcmtlkc.

Uk sfmrig m`` tgf hl`fs lc tgf systfa L wl`` usf hl`f sfmrig mssualcj wf ekct dckw

wgfrf tgf hl`f/s mrf. Uk stmrt wf wl`` sfmrig hkr lamjfs mce muelk hl`fs sff hlj. =5.


15/27

Hlj. =5

Ugf tlaf tk hlclsg tgf sfmriglcj efpfces kc gkw amcy fxtfcslkc hl`fs yku mrf

sfmriglcj hkr mt tgf smaf tlaf mce gkw amcy lamjfs mrf lc tgf systfa. Gkwfvfr, L ektglcd lt sgku`e jlvf yku m jkke spffe, slcif lt tkkd af `fss tlaf tgmc wgmt L fxpfitfe.

Mhtfr m ikup`f kh alcutfs kur sfmrig ls ekcf, wf ckw gmvf m`` tgf lamjfs lc hrkct kh us

mce tgf cfxt tglcj tk ek ls skrt fmig hl`f mce `kkd hkr m ikcspliukus hl`f tgmt aljgt jlvf

us m i`uf.


16/27

Hlj. =6

Mhtfr tgkrkujg`y sfmriglcj tgf lamjfs, L hkuce skaftglcj vfry ucusum` lc kcf kh

tgf lamjf cmafe plf igmrt.opj, wltg AE6 gmsg m5=>=7nf99ffnh=n9n5nn68i5f5ee5m

Live Forensic Analysis: Searching for Altered and Unaltered Encrypted Volume

Documents

Transcript of Live Forensic Analysis: Searching for Altered and Unaltered Encrypted Volume