Advancing Digital Forensics investigations with the utilization of Cryptographic Inventories

Cryptography’s dual use presents a significant challenge in the realm of technology. On the one hand, it offers a positive application by safeguarding our secrets. This is achieved, for example, through the encryption of sensitive information and ensuring access is limited to authorized individuals only. On the other hand, the same cryptographic methods can be exploited by cybercriminals. They use these techniques to obscure their actions, effectively concealing evidence of their illegal activities [1], [2], [3]. This post recommends the inclusion of cryptography inventories in digital forensics toolkits.

Understanding the term “Cryptography Inventory”

For effective data encryption, a system must possess essential cryptographic assets, primarily cryptographic keys, digital certificates, passwords, and hashes. Keys are typically stored in files or other keystores and are used by cryptographic algorithms to encrypt or decrypt specific data. Data concealment is also achievable through passwords. Forensic investigators usually encounter not the passwords themselves but their hashes, one-way transformations of the passwords from which the original can only be recovered by guessing, which makes them more resistant to cracking.

A Cryptography Inventory (CI) serves as a comprehensive catalog of all such cryptographic assets. In general, a CI functions as a mapping of all the cryptography employed within a system. Drawing upon user configurations and industry best practices [4], the CI establishes a benchmark to assess the adequacy of cryptography, determining whether it is sufficiently robust or susceptible to compromise. The inventory lays the groundwork for precise analysis as well as for recommendations in relation to the strength of the cryptography used.

Cryptography Inventory and Digital Forensics

Compiling a CI proves instrumental in advancing Digital Forensics investigations. The various ways in which a Cryptography Inventory contributes to the investigative process are as follows: 

  • Understanding the Security Landscape: By delving into the cryptographic measures employed by suspects, the CI enables investigators to discern how data was safeguarded and identifies potential vulnerabilities in the security assumptions.
  • Analyzing Cryptographic Failures: Cryptographic weaknesses, such as suboptimal encryption algorithms or inadequate key management, are common reasons why encryption can be bypassed. Ranked second in the OWASP Top 10 [5], cryptographic failures are more pervasive than commonly perceived. The CI excels in pinpointing these weaknesses, providing valuable targets to exploit during investigations.
  • Identifying Encrypted Sources: In the course of an investigation, the ability to swiftly identify encrypted data sources and discern the encryption methods employed is crucial. The CI expedites this process by directing investigators to encrypted sources, streamlining access and analysis procedures.
  • Recovering Keys: Comprehensive details on key management practices, encompassing the storage locations and generation methods of cryptographic keys, are integral components of the CI. This information proves indispensable in the decryption of secured data encountered during forensic investigations.
  • Gaining Access: In instances where unauthorized access or data exfiltration is suspected, the CI becomes a valuable tool in assessing whether encryption barriers were compromised. It aids in determining the potential methods used by attackers to bypass or breach encryption, shedding light on the pathways through which encrypted data might have been accessed. 

Although the idea of embracing the Cryptography Inventory as a means to Digital Forensics Investigation enhancement sounds promising, it is crucial to consider the ethical boundaries. Investigators are expected to always have appropriate legal authority, like a search warrant, to recover and use cryptography artifacts from a target’s computer. Ethical considerations also include respecting the privacy and rights of individuals and ensuring that the investigation does not overreach its legal mandate.

Scenario of a CI-driven Investigation

To illustrate the above with a practical scenario, consider the following example: Assume a criminal’s computer has been lawfully confiscated, revealing a suspiciously encrypted partition protected by a password stored within the system. How can an investigator uncover the password to unlock this secured partition? The solution lies in the implementation of a CI, which addresses this question through several alternative mechanisms:

  • Numerous users habitually store passwords in various locations, ranging from browsers and password managers to simple text files. Depending on the strength of the storage method, a CI tool may extract these stored passwords, often leveraging the tendency of users to reuse passwords. Subsequently, the investigator can methodically test the uncovered passwords to unlock the encrypted partition.
  • Passwords may also be stored in system files in the form of hashes. Prominent among these system files are “/etc/shadow” on Linux and the SAM file on Windows. The CI excels in extracting these hashes and potentially unveiling the original passwords by trying alternative cracking techniques.
  • The CI may implement functionality to encompass memory and disk analysis. Passwords may linger in system memory or unallocated disk space, eluding conventional extraction methods. Through the incorporation of tools such as Volatility, the CI may uncover candidate remnants, contributing to a comprehensive exploration of potential password and key sources.
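As an added illustration of what a CI actually produces, the script below is a minimal inventory scanner written for this post; it is not the CYBERSPACE tool and not code from the authors. It ties together the two ideas above: the CI as a catalogue of cryptographic assets rated against a benchmark (the "Understanding" section), and the scenario's second mechanism, password hashes stored in “/etc/shadow”. It walks a directory (in practice the mount point of a lawfully acquired image), catalogues PEM-encoded keys and certificates plus every shadow entry, identifies the hash scheme from the standard crypt(3) id prefix and the optional rounds= cost parameter, and assigns a rating. The rating policy, the sample file tree and every hash or key body are constructed for the example (the key bodies are placeholder base64, not real keys); only the Python standard library is used.

```python
# Added example (not the CYBERSPACE tool): a minimal cryptography-inventory scanner.
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class Asset:
    kind: str       # "password-hash", "private-key", "certificate"
    location: str   # file path, plus ":<account>" for shadow entries
    algorithm: str  # hash scheme or key container type
    rating: str     # "critical" | "weak" | "acceptable" | "strong" | "n/a"
    note: str

CRYPT_SCHEMES = {  # crypt(3) id prefix -> (scheme, baseline rating); ratings are this example's policy
    "$1$": ("md5crypt", "weak"), "$2b$": ("bcrypt", "acceptable"), "$2y$": ("bcrypt", "acceptable"),
    "$5$": ("sha256crypt", "acceptable"), "$6$": ("sha512crypt", "acceptable"),
    "$7$": ("scrypt", "strong"), "$y$": ("yescrypt", "strong"),
}
_ROUNDS_RE = re.compile(r"^\$[56]\$rounds=(\d+)\$")    # optional sha*crypt cost parameter
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify_shadow_entry(line, path="/etc/shadow"):
    """Catalogue one shadow line: account, hash scheme, cost parameter and rating."""
    user, _, rest = line.rstrip("\n").partition(":")
    field = rest.split(":", 1)[0]                     # second field holds the hash
    loc = f"{path}:{user}"
    if field == "":
        return Asset("password-hash", loc, "none", "critical", "empty field: no password required")
    if field.startswith(("!", "*")):
        return Asset("password-hash", loc, "none", "n/a", "locked; a hash may still follow the marker")
    for prefix, (scheme, rating) in CRYPT_SCHEMES.items():
        if field.startswith(prefix):
            note, m = "", _ROUNDS_RE.match(field)
            if m:
                note = f"rounds={m.group(1)}"
                if int(m.group(1)) < 5000:            # below glibc's default cost
                    rating = "weak"
            return Asset("password-hash", loc, scheme, rating, note)
    return Asset("password-hash", loc, "unknown", "n/a", "unrecognised format")

def classify_pem(text, path):
    """Catalogue every PEM block in a file; private keys are rated by at-rest protection."""
    assets = []
    for label, body in _PEM_RE.findall(text):
        if label == "CERTIFICATE":
            assets.append(Asset("certificate", path, "X.509", "n/a", "validity/algorithm need a DER parser"))
        elif label == "ENCRYPTED PRIVATE KEY":
            assets.append(Asset("private-key", path, "PKCS#8", "acceptable", "passphrase-protected"))
        elif label.endswith("PRIVATE KEY"):            # "RSA"/"EC" (PKCS#1/SEC1) or bare PKCS#8
            container = label.replace("PRIVATE KEY", "").strip() or "PKCS#8"
            if "Proc-Type: 4,ENCRYPTED" in body:
                assets.append(Asset("private-key", path, container, "acceptable", "legacy PEM encryption"))
            else:
                assets.append(Asset("private-key", path, container, "weak", "stored unencrypted on disk"))
    return assets

def build_inventory(root):
    """Walk a mounted image (or any directory) and merge all findings into one catalogue."""
    inventory = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            text = Path(path).read_text(encoding="utf-8", errors="ignore")
            if name == "shadow":
                inventory += [classify_shadow_entry(l, path) for l in text.splitlines() if l.strip()]
            else:
                inventory += classify_pem(text, path)
    return inventory

# Constructed sample image: hashes and key bodies are placeholders, not real secrets
SAMPLE_FILES = {
    "etc/shadow": "\n".join([
        "root:$6$rounds=5000$saltsalt$constructedhash:19700:0:99999:7:::",
        "svc:$6$rounds=1000$saltsalt$constructedhash:19700:0:99999:7:::",
        "legacy:$1$abcd$constructedhash:19700:0:99999:7:::",
        "alice:$y$j9T$saltsalt$constructedhash:19700:0:99999:7:::",
        "nobody:!:19700:0:99999:7:::",
        "guest::19700:0:99999:7:::"]),
    "home/u/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
    "srv/tls/server.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "srv/tls/server.crt": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
}

def run_demo():
    """Materialise the sample image in a temp dir, inventory it and print the catalogue."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_text(content)
        inventory = build_inventory(root)
        for a in sorted(inventory, key=lambda a: (a.rating, a.location)):
            print(f"{a.rating:10} {a.kind:14} {a.algorithm:12} {a.location[len(root):]:24} {a.note}")
    return inventory

if __name__ == "__main__":
    run_demo()
```

Run it as-is to inventory the constructed sample tree, or call build_inventory() with the root of a mounted image. The output is the catalogue the post describes: each asset with its location, the algorithm in use and a verdict against the policy, so an investigator sees at a glance that the "svc" account uses sha512crypt with a deliberately lowered cost, that "legacy" still uses md5crypt, that "guest" has no password at all, and that one SSH private key sits unencrypted on disk. The scanner only catalogues and rates; recovering a password from a hash is a separate step. A Windows SAM hive is a binary registry file and would need its own parser rather than this text-based approach.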

Conclusion

CYBERSPACE will develop a tool to discover and analyze several cryptographic assets used in a system. The use of tools like cryptography inventories makes a significant stride in the battle in cyberspace. As criminal acts become more and more sophisticated, the development of robust and advanced tools is a pressing need. By staying ahead of encryption misuse, investigators have better chances while confronting cybercriminals.

Authors: Konstantinos Pachnis, Harry Manifavas, Foundation for Research and Technology – Hellas (FORTH)

[1] Europol, First Report of the Observatory Function on Encryption, 06/12/2021, https://www.europol.europa.eu/publications-events/publications/first-report-of-observatory-function-encryption

[2] Europol, Second Report of the Observatory Function on Encryption, 06/12/2021, https://www.europol.europa.eu/publications-events/publications/second-report-of-observatory-function-encryption

[3] Europol, Third Report of the Observatory Function on Encryption, 06/12/2021, https://www.europol.europa.eu/publications-events/publications/third-report-of-observatory-function-encryption

[4] NIST, NIST FIPS 186-5 Digital Signature Standard (DSS), 03/02/2023, https://csrc.nist.gov/publications/detail/fips/186/5/final

[5] OWASP Top 10, https://owasp.org/www-project-top-ten/

(Image sourced from Canvas.com)