Step 1: Create a Case and Process Images
While a variety of forensic tools, such as Magnet/Internet Evidence Finder (IEF), exist, here you will focus on encryption and decryption by using AccessData's Forensic Toolkit (FTK) and Password Recovery Toolkit (PRTK) to attempt to decrypt a number of different types of encrypted files. A variety of approaches can be used to attempt decryption, including brute force and the use of word lists.
You saw that law enforcement tried to work with each image individually, so you decided to put both images in one case in the hope that the combined information from both images will prove more fruitful than working on each image separately. Using the lab instructions in the box below, go to the virtual lab and create one case that adds both the Washer and Mantooth images.
Step 2: Evaluate the Challenges Presented by Cloud Computing
Cloud computing, a service that offers data storage and services to businesses and individuals, presents significant challenges to the field of digital forensics. As an option for convenient offsite storage of large volumes of data, popular cloud platforms offer services that can be attractive to organizations, including infrastructure-as-a-service, software-as-a-service, and platform-as-a-service. These additional services allow organizations to expand productivity without adding costly services in-house, while storing additional organizational data on the provider's servers. Unlike on-premises virtualized environments, which offer additional resources at a fraction of the traditional cost, cloud systems are offsite, remote repositories.
The National Institute of Standards and Technology (NIST) provides numerous guidelines on the cloud. NIST defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (NIST, 2011b, p. 2). Providers offer services in different cloud infrastructures, including private, public, community, and hybrid (NIST, 2011a).
Cloud challenges in the field of digital forensics include data ownership and control of evidence, and data location. The digital forensics steps of acquisition and preservation are both impacted by cloud storage, since data may be housed in multiple states and countries (and so governed by multiple jurisdictions), and at this point there is no way to guarantee that all of the data is retrieved, even when the provider agrees to provide access. Further, many users interact with cloud services using mobile devices, which adds the complexity of a proliferation of endpoints, as communication channels can involve multiple towers and hops.
The advantages cloud computing offers to organizations and the handling of big data are the same reasons cloud crime has escalated. Cyber criminals can use cloud services to conduct malicious activities and then easily leave one service to join another, erasing their digital footprint as the vacated space is quickly written over by the provider. Cybersecurity has a complicated interdependency with the cloud, which, according to the NIST roadmap, "presents certain unique security challenges resulting from the cloud's very high degree of outsourcing, dependence on networks, sharing (multi-tenancy) and scale" (NIST, 2014).
The popularity of cloud computing, paired with its unique challenges, makes this technology an important issue for digital forensics. Legal challenges of the cloud involve privacy and jurisdiction, spanning the globe while inviting misuse. Adding to the challenges is a pervasive lack of proven tools for investigators and law enforcement to handle cloud storage. One promising option is forensics-as-a-service (FaaS), whereby cloud providers would offer the forensic steps of data acquisition and preservation as a service for purchase. FaaS still needs to address encryption, as much of the information housed is protected before upload.
As part of the final deliverable for this project, you will write an analysis of how cloud computing challenges—including uses of encryption—are an issue for the field of digital forensics. You will also identify trends in combating these challenges.
Step 3: Identify Encrypted Files and Artifacts
It is normally good practice to attempt to locate encrypted files and artifacts for forensic evidence prior to conducting a decryption attack, so that you can plan for the best approach. An analogy can be found in the world of sports: if you know the tendencies, strengths and weaknesses, and general appearance of your opponent, it is much easier to prepare for a successful competition. Similarly, you could simply try dictionary attacks, but if you have a sense of the encryption technologies used and how encryption may have been employed in a digital forensic situation, you can prepare a more focused and refined decryption approach.
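As an added example of the triage this step describes (not part of the course materials, FTK, or PRTK), the Python below flags candidate encrypted files by header signature and, for headerless data, by byte entropy; the signature list, the 7.9 bits-per-byte threshold, and the sample file contents are constructed assumptions for illustration.

```python
import math
import os
from collections import Counter

# Header signatures worth a closer look before a decryption attack (constructed list, not FTK's own).
SIGNATURES = [
    (b"PK\x03\x04", "ZIP archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document (wrapper used by encrypted Office files)"),
    (b"-----BEGIN PGP MESSAGE-----", "PGP ASCII-armored message"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"LUKS\xba\xbe", "LUKS encrypted volume header"),
]
ENTROPY_THRESHOLD = 7.9  # bits per byte; 8.0 is indistinguishable from random


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the sample in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Triage label for a file's leading bytes: known header, high entropy, or plain."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            if magic == b"PK\x03\x04" and len(data) >= 8:
                # ZIP local file header: general-purpose flags at offset 6; bit 0 marks an encrypted entry.
                flags = int.from_bytes(data[6:8], "little")
                return "ZIP archive, encrypted entry" if flags & 1 else "ZIP archive, not encrypted"
            return label
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "no known header, high entropy: possible encrypted container (or compressed data)"
    return "plain"


# Constructed sample contents for a dry run; nothing here comes from the Washer or Mantooth images.
SAMPLE_FILES = {
    "secret.zip": b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22,  # minimal local header, flag bit 0 set
    "note.asc": b"-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----\n",
    "vault.dat": os.urandom(4096),  # stands in for a headerless encrypted volume
    "readme.txt": b"Nothing to see here, just ordinary text.\n" * 20,
}


def triage(files: dict) -> dict:
    """Label each sample by name; on a real image, feed the first few KiB of every file instead."""
    return {name: classify(content) for name, content in files.items()}
```

High entropy alone does not prove encryption, since compressed media and archives look the same; the label keeps that caveat so the analyst verifies the format before planning a PRTK attack.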
Step 4: Create a Word List and Prepare to Carry Out the Decryption Attack
When approaching offline password cracking, remember that it is not uncommon for someone to write down a password for logging into a computer or website. Another fairly common practice is for individuals to document in some way the passwords used when encrypting a file or storage device. People may create a file that contains passwords, then store it on the computer or perhaps e-mail it to themselves for later retrieval. Another decryption approach is to build word lists from dictionaries covering various languages and subject areas. The subject areas may be relevant to the area of interest in the case. For example, a case involving drugs may include slang terms or regional expressions specific to the drug culture.