Slashdot Mirror


Forensics Tool Finds Headerless Encrypted Files

gurps_npc writes "Forensics Innovations claims to have for sale a product that detects headerless encrypted files, such as TrueCrypt Dynamic files. It does not decrypt the file, just tells you that it is in fact an encrypted file. It works by detecting hidden patterns that don't exist in a random file. It does not mention steganography, but if their claim is true, it seems that it should be capable of detecting steganographic information as well."

4 of 374 comments

  1. Re:Don't worry by Kjella · Score: 5, Insightful

    Since encryption implements a lossless conversion then the data is not random. BECAUSE random data is just that random.

    Encryption in ECB mode leaves a very clear pattern, because identical input blocks lead to identical output blocks. Pretty much every other block chaining mode doesn't though because they mix in the preceding blocks, so I'm guessing an implementation flaw because the cryptographic primitives are pseudorandom, they have no distinguishable non-randomness unless you know the exact key.

    --
    Live today, because you never know what tomorrow brings
  2. Re:Plausible Denial? by Animaether · Score: 5, Insightful

    "That's cute, sir - now give us the other password"
    - "what other password?"
    "for the hidden truecrypt volume"
    - "what hidden truecrypt volume??"
    "the one that's being referred to by half a dozen applications' most recently used files lists"
    - "oh err.. that's uh.. another drive entirely"
    "very well, then hand us that other drive"
    - "err uhm.. my dog ate it?"

    If you're really, really serious about these things, maybe you could work super-diligently to prevent leaving any clues as to that hidden volume's existence.. odds are something's going to bite you in the behind somewhere though.

  3. Re:Don't worry by Anonymous Coward · Score: 5, Insightful

    You realize that you aren't saying anything at all, right? Your argument is that since encrypted data is different than random data (an assumption you make without stating), encrypted data will look different than random data.

    In reality, one of the standards for encryption algorithms (and block chaining methods) is that they produce a pseudorandom output. In fact, block ciphers are often called upon to operate as PRNGs when given random input data. The idea is that they will produce a significantly larger amount of pseudorandom output data than the random seed data.

    BTW I do mathematical cryptanalysis at a university...

  4. Re:Don't worry by Stray7Xi · Score: 5, Insightful

    BECAUSE random data is just that random.

    Any kind of analysis that answers the question of whether a piece of data is random or deterministic can't do so with certainty. You can't prove a string of a million 1's wasn't randomly generated. Every piece of random data long enough will have substrings that appear to be a pattern.

    Give a voice recognition program a low enough certainty threshold and it'll pick out words from below the noise floor. But the lower you go, it'll make more and more mistakes and eventually it'll pick out words from plain white noise.
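
The ECB point raised in Kjella's comment (comment 1), shown as an added example that is not part of the thread: counting repeated 16-byte blocks exposes ECB output but finds nothing in CBC output of the same plaintext. The block cipher is a toy 4-round Feistel network built on SHA-256, standing in for a real cipher; the key, IV, plaintext and all function names are constructed for this illustration.

```python
import hashlib
from collections import Counter

BLOCK = 16  # block size in bytes (same width as AES)

def round_fn(key, i, half):
    # Keyed round function for the toy Feistel network (assumption: not a real cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    # 4-round Feistel: a keyed permutation of 16-byte blocks, so distinct inputs
    # always map to distinct outputs and equal inputs to equal outputs.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, round_fn(key, i, right)))
        left, right = right, mixed
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, plaintext):
    # ECB: every block is encrypted independently of its neighbours.
    return b"".join(encrypt_block(key, b) for b in blocks(plaintext))

def cbc(key, iv, plaintext):
    # CBC: each plaintext block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for b in blocks(plaintext):
        prev = encrypt_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(data):
    # Number of blocks that duplicate some earlier block in the data.
    return sum(n - 1 for n in Counter(blocks(data)).values())

# Constructed, block-aligned sample: 64 zero blocks, 32 identical text blocks,
# then 16 distinct blocks. No padding is implemented.
KEY = b"constructed-demo-key"
IV = hashlib.sha256(b"constructed-iv").digest()[:BLOCK]
PLAINTEXT = b"\x00" * BLOCK * 64 + b"HEADER-HEADER-16" * 32 + bytes(range(256))

if __name__ == "__main__":
    for name, data in [("plaintext", PLAINTEXT), ("ECB", ecb(KEY, PLAINTEXT)),
                       ("CBC", cbc(KEY, IV, PLAINTEXT))]:
        print(f"{name:9s} blocks={len(blocks(data))} repeated={repeated_blocks(data)}")
```

The check is one-sided: a non-zero count points to ECB-style structure, while a count of zero says nothing about whether the data is encrypted, random, or compressed.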