Scanning for Encrypted Files?


Jarrett M. Drake

Jul 7, 2014, 10:00:21 AM
to bitcurator-users
Hi all,

Does Bulk Extractor have a feature that scans for encrypted files? Or is there another native BC tool that will compile a .txt file of encrypted files?

Thanks,

Jarrett

Kam Woods

Jul 7, 2014, 11:32:19 PM
to bitcurat...@googlegroups.com
Hi Jarrett,

The bulk_extractor tool will currently detect and try to carve encrypted RAR files, but that's the extent of encrypted file identification. You can find detailed information on scanner capabilities in the BE user manual at http://digitalcorpora.org/downloads/bulk_extractor/BEUsersManual.pdf. Note that bulk_extractor will *also* identify AES keys contained within disk images, which can potentially help you decrypt certain materials.

Regarding the "other native tool" question. As far as I'm aware, there are not any general-purpose "find all encrypted files" tools (and there are not currently any *specifically focused* tools in BitCurator).

Identifying encrypted materials in the general case is actually quite a difficult problem. Imagine you were looking for, say, File Vault 1 or File Vault 2 encrypted user directories on an HFS+ volume. Or just whether there were any encrypted PDFs in a file system. Or trying to identify disk contents encrypted with BitLocker. Or hunting for TrueCrypt volumes present on a disk. Or identifying files encrypted with GnuPG or using the built-in encryption facility in 7-zip.

These various types of encryption use different algorithms, have different associated artifacts that may also reside in a given file system, may or may not be subject to forms of exploitation depending on the version and specific application of the tool, and so on.

If there's a specific type of encrypted file you're interested in targeting, we'd be happy to try and include tools that support its identification in future releases.

Kam



--
You received this message because you are subscribed to the Google Groups "BitCurator Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcurator-use...@googlegroups.com.
To post to this group, send email to bitcurat...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/CAE4uvZGvqSiQXpf0jgr%3DnVZX9%3DyFtKtNkg5OEJnGikW2vxBoPA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
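The triage Kam describes (no general "find all encrypted files" tool exists, and each container type leaves different artifacts) can still be approximated with a small heuristic scanner. The script below is an added example for this thread, not code from bulk_extractor or BitCurator. It combines two signals: a short table of header signatures for containers mentioned above (BitLocker, PGP, 7-zip; PDF encryption is detected via the `/Encrypt` key in the trailer), and Shannon entropy of the first 64 KiB of each file, which is the only handle you have on headerless volumes such as TrueCrypt. The threshold (7.5 bits/byte), sample size, tag names and the constructed sample files are all my assumptions; compressed data scores just as high as encrypted data, so an entropy hit is a lead for manual review, not proof. It writes the `.txt` list of candidates Jarrett asked about.

```python
"""Heuristic triage for possibly-encrypted files in a directory tree.

Added example for this thread; not bulk_extractor or BitCurator code.
Signals: (1) header signatures of known encrypted containers,
(2) Shannon entropy of a leading sample. Entropy flags compressed data
too, so treat "high-entropy" as a lead to review, not a verdict.
"""
import math
import os
import random
import tempfile
from collections import Counter

SAMPLE_SIZE = 64 * 1024       # bytes read from the head of each file (assumed)
ENTROPY_THRESHOLD = 7.5       # bits/byte; ciphertext and random data sit near 8.0
MIN_ENTROPY_SAMPLE = 1024     # tiny files give noisy entropy estimates

# (tag, offset, magic). TrueCrypt volumes deliberately carry no header and
# can only be caught by entropy. Tag names are this example's own.
SIGNATURES = [
    ("bitlocker-volume", 3, b"-FVE-FS-"),                    # BitLocker boot sector OEM id
    ("pgp-armored-message", 0, b"-----BEGIN PGP MESSAGE-----"),
    ("7z-archive-check-for-aes", 0, b"7z\xbc\xaf\x27\x1c"),  # 7z may or may not be encrypted
]


def shannon_entropy(data):
    """Bits per byte of the sample (0.0 for uniform or empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data):
    """Return the list of indicator tags that apply to a file's leading bytes."""
    hits = []
    for tag, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            hits.append(tag)
    # An encrypted PDF still has a readable header; the trailer names /Encrypt.
    if data.startswith(b"%PDF") and b"/Encrypt" in data:
        hits.append("pdf-encrypted")
    if len(data) >= MIN_ENTROPY_SAMPLE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        hits.append("high-entropy")
    return hits


def scan_tree(root):
    """Walk root and return [(path, tags)] for every file with at least one tag."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(SAMPLE_SIZE)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            tags = classify(data)
            if tags:
                findings.append((path, tags))
    return findings


def write_report(findings, out_path):
    """Write one 'path<TAB>tags' line per candidate; returns the count written."""
    with open(out_path, "w", encoding="utf-8") as out:
        for path, tags in findings:
            out.write(f"{path}\t{','.join(tags)}\n")
    return len(findings)


def build_constructed_corpus(root):
    """Write constructed sample files (not real evidence) into root."""
    rng = random.Random(2014)  # fixed seed so the demo is repeatable
    samples = {
        "notes.txt": b"The quick brown fox jumps over the lazy dog.\n" * 100,
        "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                      b"trailer << /Encrypt 5 0 R /Root 1 0 R >>\n%%EOF\n",
        "message.asc": b"-----BEGIN PGP MESSAGE-----\nhQEMAxyz\n-----END PGP MESSAGE-----\n",
        "blob.bin": bytes(rng.getrandbits(8) for _ in range(8192)),  # stands in for a headerless volume
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Scan a temporary constructed corpus; returns {filename: tags}."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_corpus(root)
        findings = scan_tree(root)
        write_report(findings, os.path.join(root, "encrypted-candidates.txt"))
        return {os.path.basename(p): tags for p, tags in findings}


if __name__ == "__main__":
    for name, tags in sorted(demo().items()):
        print(name, tags)
```

To use it on a mounted image, call `scan_tree("/mnt/image")` and `write_report(...)` with the path you want for the candidate list; for archival work, pair the entropy hits with file-type identification (e.g. an MP3 or ZIP will score high but is not encrypted) before treating anything as an encrypted object.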

Jarrett M. Drake

Jul 9, 2014, 10:14:57 AM
to bitcurator-users
Hi Kam,

Thanks for your detailed response. I don't imagine that my repository currently has a pressing need for identifying encrypted files, but if/when we reach the point where we know of specific algorithms that are facing us, I will be sure to reach out about possibly including a new tool in the BitCurator environment.

Until then, I am curious to know if any repositories encounter encrypted files with regularity and, if so, 1) which algorithms have been most prevalent and 2) the tools you've used to identify them.

Best,

Jarrett
