Slashdot Mirror


Forensics Tool Finds Headerless Encrypted Files

gurps_npc writes "Forensics Innovations claims to have for sale a product that detects headerless encrypted files, such as TrueCrypt Dynamic files. It does not decrypt the file, just tells you that it is in fact an encrypted file. It works by detecting hidden patterns that don't exist in a random file. It does not mention steganography, but if their claim is true, it seems that it should be capable of detecting steganographic information as well."

7 of 374 comments

  1. Don't worry by sakdoctor · · Score: 4, Insightful

    The company has "innovations" in its name, so their product probably won't work.
    If it did work against TrueCrypt, which is a yardstick of well-implemented encryption, I'm sure they'll come up with a countermeasure by the next minor release.

    Also: In before XKCD strip.

    1. Re:Don't worry by Kjella · · Score: 5, Insightful

      Since encryption implements a lossless conversion then the data is not random. BECAUSE random data is just that random.

      Encryption in ECB mode leaves a very clear pattern, because identical input blocks lead to identical output blocks. Pretty much every other block chaining mode doesn't though because they mix in the preceding blocks, so I'm guessing an implementation flaw because the cryptographic primitives are pseudorandom, they have no distinguishable non-randomness unless you know the exact key.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Don't worry by Anonymous Coward · · Score: 5, Insightful

      You realize that you aren't saying anything at all, right? Your argument is that since encrypted data is different than random data (an assumption you make without stating), encrypted data will look different than random data.

      In reality, one of the standards for encryption algorithms (and block chaining methods) is that they produce a pseudorandom output. In fact, block ciphers are often called upon to operate as PRNGs when given random input data. The idea is that they will produce a significantly larger amount of pseudorandom output data than the random seed data.

      BTW I do mathematical cryptanalysis at a university...

    3. Re:Don't worry by Stray7Xi · · Score: 5, Insightful

      BECAUSE random data is just that random.

      Any kind of analysis that answers the question of whether a piece of data is random or deterministic can't do so with certainty. You can't prove a string of a million 1's wasn't randomly generated. Every piece of random data long enough will have substrings that appear to be a pattern.

      Give a voice recognition program a low enough certainty threshold and it'll pick out words from below the noise floor. But the lower you go, it'll make more and more mistakes and eventually it'll pick out words from plain white noise.

    4. Re:Don't worry by MoxFulder · · Score: 4, Insightful

      I wish I had mod-points for you.

      Finally we hear from someone who knows WTF he/she is talking about.

      Just to expand a bit: encryption algorithms (except for one-time-pad) don't produce truly random output. But all good, modern ones seek to produce output that's as indistinguishable as possible from truly random output, as a necessary but not sufficient component of their security. There are a variety of techniques to produce pseudorandom data based on a variety of sophisticated mathematics.

      It seems like the height of hubris to claim that one software program can reliably detect all these different kinds of extremely slight deviation from perfect randomness.

      A more plausible approach (as others have pointed out), is to look for files that do appear to be totally random. Such files are likely to be either (a) the output of a random number generator, or (b) encrypted. All files that have some useful content in their present form have some structure or non-randomness.
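
An added example, not part of the original thread: a minimal check for the two ideas raised in the comments above, the repeated-block pattern of ECB and the "flag files that look totally random" approach. `ecb_like` and `chained` are HMAC-based stand-ins for cipher modes (assumptions for illustration, not real encryption), and the key, sample input and `chi_limit` cutoff are constructed.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16
KEY = b"constructed demo key"                  # constructed sample key
PLAIN = (b"A" * BLOCK + b"B" * BLOCK) * 2048   # constructed, highly repetitive 64 KiB input

def chi_square(data: bytes) -> float:
    """Pearson chi-square of the byte histogram vs. uniform (255 degrees of freedom)."""
    if len(data) < 256 * 5:                    # rule of thumb: expected count >= 5 per bin
        raise ValueError("sample too small for a chi-square test")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def repeated_block_fraction(data: bytes) -> float:
    """Fraction of aligned 16-byte blocks that repeat an earlier block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    return 1 - len(set(blocks)) / len(blocks) if blocks else 0.0

def prf(*parts: bytes) -> bytes:
    """Keyed pseudorandom function standing in for a block cipher (assumption, not a cipher)."""
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()[:BLOCK]

def ecb_like(plain: bytes) -> bytes:
    """Each block is transformed on its own, so equal inputs give equal outputs."""
    return b"".join(prf(plain[i:i + BLOCK]) for i in range(0, len(plain), BLOCK))

def chained(plain: bytes) -> bytes:
    """Each output block also depends on the previous output block."""
    out, prev = [], b"\x00" * BLOCK
    for i in range(0, len(plain), BLOCK):
        prev = prf(prev, plain[i:i + BLOCK])
        out.append(prev)
    return b"".join(out)

def looks_random(data: bytes, chi_limit: float = 400.0) -> bool:
    """True if no block repeats and the byte histogram is near uniform.

    chi_limit is a loose, assumed cutoff; uniform data averages about 255.
    """
    return repeated_block_fraction(data) == 0.0 and chi_square(data) < chi_limit

if __name__ == "__main__":
    for name, buf in [("plaintext", PLAIN), ("ecb_like", ecb_like(PLAIN)), ("chained", chained(PLAIN))]:
        print(f"{name:10} chi2={chi_square(buf):12.1f} "
              f"repeats={repeated_block_fraction(buf):.4f} looks_random={looks_random(buf)}")
```

A pass only means the buffer is indistinguishable from random under these two tests; it cannot tell cipher output from random number generator output.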

  2. Re:Plausible Denial? by Animaether · · Score: 5, Insightful

    "That's cute, sir - now give us the other password"
    - "what other password?"
    "for the hidden truecrypt volume"
    - "what hidden truecrypt volume??"
    "the one that's being referred to by half a dozen applications' most recently used files lists"
    - "oh err.. that's uh.. another drive entirely"
    "very well, then hand us that other drive"
    - "err uhm.. my dog ate it?"

    If you're really, really serious about these things, maybe you could work super-diligently to prevent leaving any clues as to that hidden volume's existence.. odds are something's going to bite you in the behind somewhere though.

  3. Re:Patterns? by Jah-Wren+Ryel · · Score: 4, Insightful

    Dear mods, that's meant to be facetious. Some of you seem to be a little trigger-happy so you won't understand why I shouldn't have to explain that.

    Make your joke and take the moderations like a man.
    If you are going to explain that it is a joke, you might as well not bother in the first place since explaining takes away all the fun.

    --
    When information is power, privacy is freedom.