Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Anti-Forensics Tools Thwart Police

Posted by CowboyNeal on from the knowing-thine-enemy dept.

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."

1 of 528 comments (clear)

  1. Re:Epically bad. by Anonymous Coward · · Score: 5, Informative

    I'm not an NSA funded security researcher, but I'm also slightly less of an arrogant prick than "rjh". So to answer your question about layering encryption without getting into all the you're-not-even-worthy-to-be-asking-this-question crap, here's a brief layperson's answer:

    Essentially your idea is not a bad one, it's just a bit naive -- there are non-obvious subtleties which must be considered in order to make the idea work as well as you hope.

    One issue is that some encryption algorithms (called "groups") have the characteristic that when applied two consecutive times with different keys, the result is the same as if the algorithm was applied only once with some other third key. If this is the case for your favorite algorithm, then your plan adds no extra security compared to just encrypting once. And apparently it's not always easy to know whether this is the case for a complex algorithm, so you should assume the worst.

    Another issue is that if your adversary can guess some plaintext (e.g. by assuming it contains .doc or .jpg headers) they can use a technique that trades off storage for computation and break your multiple encryption much faster than you would have thought.

    One way to overcome these weaknesses is by applying your encryption in "EDE" (encrypt-decrypt-encrypt) mode, where you encrypt with one password, then "decrypt" with a second password (which is obviously not really decrypting but just making the scrambling that much more horrendous), and then encrypting again with a third password. Even this is not as secure as you might expect, but it's still pretty good.

    The well-known security and crypto expert Bruce Schneier has a great book called "Applied Cryptography" (Wiley, 2nd edition 1996, ISBN 0-471-11709-9) which is accessible to average smart, interested, non-NSA-funded Slashdot readers without advanced math degrees. It even has a brief chapter (15) on this exact topic. (Schneier has other great books too.)

    Despite his attitude, "rjh" is right in implying that our common sense is not trustworthy in the area of cryptography -- some of the world's smartest people devote their lives to this stuff and have come up with astonishing and often counterintuitive results. Smarter people than us have already studied this idea, which is basically a good one even though it has pitfalls. Don't let anyone make you make you feel stupid for having an idea or asking a good question.