Encryption amidst digital forensic and cyber incident response investigations

Introduction

Built-in encryption, in many of its facets, became a standard within the last few years. Thanks to the use of Solid State Drives (SSD) as primary storage for computers, quick flash memory and processors on mobiles, there is no more performance penalty on the use of encrypted storage. We witnessed the transition from encryption, which had to be explicitly enabled (as it noticeably hurt device performance and responsiveness), to 'built-in' encryption as hardware and software performance improved. Today, how many users know that their iPhone or Android has all their data encrypted, even though they did not opt-in for it?

The broad use of encryption presents new, unique challenges for a digital forensic examiner or a corporate incident responder. Modern encryption is reliable and strong; all 'childhood' flaws that previously enabled one to easily brute-force a password, are now fixed. In fact, some encryption can be reliable enough to assure it takes billions of years to guess a reasonably strong password—unless we have quantum computing capabilities. Thus, we have to develop techniques and methodologies to address file-based and whole device encryption, in our investigations.

In this article, we highlight what decryption support an investigator or a responder has available to them within Belkasoft Evidence Center X, the flagship software product for digital forensics and cyber incident investigations by Belkasoft.

Encryption types

There are roughly two types of encryptions: file-based encryption (FBE) and whole disk encryption (WDE), or full disk encryption (FDE). WDE may be volume or partition-based. Full-volume encryption (FVE) is a form of WDE where only a single partition of a file system is encrypted. For WDE, possibly the most famous technology is called BitLocker, which is built-in to the latest versions of Windows.

To provide a little more background, a good example of FBE is any file on an iPhone. Another good example is an encrypted zip file, which is quite common for sharing sensitive or private information.

How to detect file encryption within Belkasoft X

Equipped with Belkasoft X, an investigator can detect both types of encryptions described above, FBE and WDE.

The software comes with a built-in detection of file-based encryption. To enable search functionality for encrypted files, select the 'Search for encrypted files and volumes' on the Encryption page of Advanced analysis options of the 'Add data source' window (shown below):

Figure 1: Belkasoft X Advanced Analysis options—Encryption

Note: Search for encryption is a time-consuming operation, so if you are in rush or encrypted files are not your primary focus, you may want to unselect this option for the first pass of analysis. You can always schedule encryption detection for a later time.

Once the analysis completes, you will find all the files, which Belkasoft X detected as encrypted, under the Encrypted files node of the 'Artifacts' window:

Figure 2: Belkasoft X Artifacts windows—Detected encrypted files

This view will show you the following details:

File name.
Hash values, including message-digest algorithm (MD5) and the Secure Hash Algorithm (both SHA1 and SHA256).
Note: SHA256 is the hash function and mining algorithm of the Bitcoin protocol.
Complexity to decrypt, which can be instant, fast, medium or slow brute-force. While the instant, fast and medium methods are likely to finish in a reasonable time without additional information (such as key dictionaries which are explained below), the 'slow brute-force' decryption algorithm is likely to take billions of years to complete even with modern technology.
Protection features, for example ‘open password’, which means that if a file is password protected, it may only be accessed with the correct password. Additional permission restrictions may also apply (e.g. printing or copying not allowed).
Recovery options, which display various hints to improve your chance of success. Some examples are 'Rainbow table attack', 'Hardware acceleration possible' (meaning that using a GPU farm may help significantly) or 'File patching required'.
File-open password, which is empty unless you run the brute-force function of Belkasoft X.
Other columns include: file system date and times, is deleted, full path etc.

Supported file types

Belkasoft X recognizes hundreds of encrypted file types.

Among them are (click to expand):

1Password for Mac
1Password for Windows (incl. OPVault, Online)
Acrobat 3.0
Acrobat 4.0
Acrobat 5.0
Acrobat 6.0
Acrobat 7.0
Acrobat 8.0
Acrobat 9.0
Acrobat 10.0
Acrobat 11.0
Acrobat Revisions 3-4
Android 4.3-4.4
Apple iTunes Backup / iOS 4.x-9.x
Apple iTunes Backup / iOS 10.x
Symantec ACT! 2.0
Symantec ACT! 3.0
Symantec ACT! 4.0
Symantec ACT! 2000
ACT! by Sage 2005
ACT! by Sage 2006
ACT! by Sage 2007
ACT! by Sage 2008
ACT! by Sage 2009
BestCrypt 6.0
BestCrypt 7.0
BestCrypt 8.0
Bitcoin Wallet: Blockchain.info, Blockchain.com
Bitcoin Wallet: Bitcoin Core
Bitcoin Wallet: Electrum
Dashcoin Wallet: Dash Core
Dashlane
Dell Encryption/Data Protection Recovery file
Dogecoin Wallet
FileMaker Pro 3.x
FileMaker Pro 4.x
FileMaker Pro 5.x
FileMaker Pro 6.x
FileMaker Pro 7.x
FileMaker Pro 8.x
FileMaker Pro 9.x
FileMaker Pro 10.x
FileMaker Pro 11.x
FileMaker Pro 12.x
FileMaker Pro 13.x
FileMaker Pro 14.x
FileMaker Pro 15.x
FileMaker Pro 16.x
FileMaker Pro 17.x
FileMaker Pro 18.x
FileMaker Pro 19.x
Google Chrome Website
ICQ 2000-2003
ICQ 99a
ICQ Lite
iWork 2009
iWork 2013
iWork 2020
KeePass
LastPass
Litecoin Wallet
Lotus 1-2-3 1.1+
Lotus Notes 4.x
Lotus Notes 6.x
Lotus Notes 7.x
Lotus Notes 8.x (RC2, AES encryption)
Lotus Organizer 1.0
Lotus Organizer 2.0
Lotus Organizer 3.0
Lotus Organizer 4.0
Lotus Organizer 5.0
Lotus Organizer 6.0
Lotus Word Pro 96-99
macOS X Keychain
macOS X User / Hash
macOS X 10.8-10.10 User / Hash
Microsoft Edge Website
Mozilla Firefox Website
MS Access 2.0
MS Access 95
MS Access 97
MS Access 2000
MS Access 2002
MS Access 2003
MS Access 2007
MS Access 2010
MS Access 2013
MS Access 2019
MS Access 2.0 System Database
MS Access 97 System Database
MS Access 2000 System Database
MS Access VBA
MS Backup
MS Excel 4.0
MS Excel 5.0
MS Excel 95
MS Excel 97
MS Excel 2000
MS Excel 2002
MS Excel 2003
MS Excel 2007
MS Excel 2010
MS Excel 2013
MS Excel 2016
MS Excel 2019
MS Pocket Excel
MS Excel VBA
MS Internet Explorer Website
MS Internet Explorer Webform
MS Internet Explorer Content Advisor
MS Mail
MS Money 99 or earlier
MS Money 2000-2001
MS Money 2002
MS Money 2003-2004
MS Money 2005-2007
MS OneNote 2003 Section
MS OneNote 2007 Section
MS OneNote 2010 Section
MS OneNote 2013 Section
MS OneNote 2019 Section
MS Outlook 2000/2003/2007/2010/2013/2016/2019 Email Account
MS Outlook 2000/2003/2007/2010/2013/2016/2019 Form Template
MS Outlook 2000/2003/2007/2010/2013/2016/2019 Personal Storage
MS Outlook Express Account
MS Outlook Express Identity
MS PowerPoint 2002
MS PowerPoint 2003
MS PowerPoint 2007
MS PowerPoint 2010
MS PowerPoint 2013
MS PowerPoint 2019
MS PowerPoint VBA
MS Project 95
MS Project 98
MS Project 2000
MS Project 2002
MS Project 2003
MS SQL 2000
MS SQL 2005
MS SQL 2008
MS SQL 2012
MS SQL 2014
MS SQL 2016
MS SQL 2017
MS SQL 2019
MS Word 1.0
MS Word 2.0
MS Word 3.0
MS Word 4.0
MS Word 5.0
MS Word 6.0
MS Word 95
MS Word 97
MS Word 2000
MS Word 2002
MS Word 2003
MS Word 2007
MS Word 2010
MS Word 2013
MS Word 2016
MS Word 2019
MS Word VBA
MYOB earlier than 2004
MYOB 2004
MYOB 2005
MYOB 2006
MYOB 2007
MYOB 2008
MYOB 2009
MYOB 2010
Network Connection
Norton Backup
OpenDocument
Opera Website
Paradox Database
Peachtree 2002-2006
Peachtree 2007
Peachtree 2008
Peachtree 2010
Peachtree 2013
PGP Desktop 9.x-10.x Zip
PGP Desktop 9.x-10.x Private Keyring
PGP Desktop 9.x-10.x Virtual Disk
PGP Desktop 9.x-10.x Self-Decrypting Archive
GnuPG Private Keyring
Quattro Pro 5-6
Quattro Pro 7-8
Quattro Pro 9-12, X3, X4
QuickBooks 3.x-4.x
QuickBooks 5.x
QuickBooks 6.x-8.x
QuickBooks 99
QuickBooks 2000
QuickBooks 2001
QuickBooks 2002
QuickBooks 2003
QuickBooks 2004
QuickBooks 2005
QuickBooks 2006
QuickBooks 2007
QuickBooks 2008
QuickBooks 2009
QuickBooks 2010
QuickBooks 2011
QuickBooks 2012
QuickBooks 2013
QuickBooks 2014
QuickBooks 2015
QuickBooks 2016
QuickBooks 2017
QuickBooks 2018
QuickBooks 2019
QuickBooks 2020
QuickBooks 2021
QuickBooks for Mac 2012
QuickBooks for Mac 2013
QuickBooks for Mac 2014
QuickBooks for Mac 2015
QuickBooks for Mac 2016
QuickBooks Backup
Quicken 95/6.0
Quicken 98
Quicken 99
Quicken 2000
Quicken 2001
Quicken 2002
Quicken 2003
Quicken 2004
Quicken 2005
Quicken 2006
Quicken 2007
Quicken 2008
Quicken 2009
Quicken 2010
Quicken 2011
Quicken 2012
Quicken 2013
Quicken 2014
RAR 2.0 Archive
RAR 2.9-4.x (AES Encryption) Archive
RAR 5.x Archive
Remote Desktop Connection
Safari Website
Schedule+ 1.0
Schedule+ 7.x
Tally.ERP 9
Unix OS User Hash
WordPerfect 5.x
WordPerfect 6.0
WordPerfect 6.1
WordPerfect 7-12, X3, X4
WPA/WPA2
WinZip 8.0 or earlier
Yandex Browser Website
Zip Archive
7-Zip Archive

How to detect WDE/FVE encryption with Belkasoft X

Belkasoft X can also detect WDE/FVE. Unlike file-based encryption, which you have to explicitly start, the detection of whole disk encryption happens automatically whenever you add a new data source to the case.

If any of drive partitions are detected as encrypted, you will see the drive depicted with the lock icon to the left, and a prompt to enter decryption data.

Figure 3: Belkasoft X Add a data source—Encrypted volume

Click the 'Enter the password' button to open a window and enter a password, decryption key, recovery file, or unique piece of data, specific to the encryption in use:

Figure 4: Belkasoft X Add a data source—Encrypted volume credentials

If the password or other decryption details are entered correctly, the structure of the partition will be expanded, making the partition available for the further analysis. If you do not know the correct details, you can still analyze other partitions—but not this particular partition.

Supported and Recognized WDE/FVE types

When adding a data the following types of whole disk encryption (WDE) and full volume encryption (FVE) will be recognized automatically by the Belkasoft X software:

APFS
BitLocker
DriveCrypt
FileVault2
LUKS
McAfee Drive Encryption
PGP WDE
Symantec Endpoint Encryption
TrueCrypt
VeraCrypt

The encryption types above may be decrypted by providing the correct decryption information.

Brute-forcing passwords

Belkasoft X comes equipped with a feature to brute-force (meaning 'guess via multiple tries') a password for file-based encryption. To use this feature, you must have a separate 'File Decryption module' customized specifically for Belkasoft X and decrypting a multitude of encrypted devices.

To perform 'Brute-force password' decryption, go to the 'Artifacts' window and navigate to the 'Encrypted files' node. Right-click on the node to decrypt all detected files or individually select single or multiple files in the file list. The pop-up menu will contain the 'Brute-force password' options where you will be prompted to select a brute-force method:

Figure 5: Belkasoft X Brute-force password window

The methods available are:

Use key dictionary from the case
Use external password dictionaries
Iterate over all passwords (which match a specific type of attack)

Using a key dictionary

The first option will configure Belkasoft X decryption to attempt applying all text found in your case inside the text of artifacts previously extracted. Meaning, the decryption algorithm will use all the language from Word and Excel files, chats, pictures metadata, email and so on, and use found text as a password, one by one. This approach significantly improves your chances to identify the password. It is important to note that the more data you have analyzed from a specific user, the higher the chances of a successful brute-force attempt. Most users typically use passwords based upon their experience and language. Unless auto generated, terms like a car model, license plate number, family member names, birth dates or the like, have the best chance to appear in non-password related files and be stored as a plain text.

Using an external password dictionary

The second option allows you to attach third-party dictionaries containing some of the most popular passwords. If the password in use resides in a 'password dictionary', the brute-force process should make for an easy day.

Belkasfoft X comes equipped with a useful 10 million password starter dictionary, but you can browse and add any other dictionaries provided they put a single password per line.

Iterate over all passwords

The third and final option should only be used when all other attempts have failed to produce results. This option will attempt all passwords sequentially, e.g. "a, b, c… z," then "aa, ab, ac" and so on. As you can imagine, the number of potential passwords is incredibly huge, especially considering non-Latin characters, numbers, special symbols, hieroglyphs, etc. This means the chance of success using brute-force attempts against a long and reliable password is pretty remote. Hardware acceleration may help and decrease the number of years required for a successful brute-force attempt from billions of years to a mere 100 million.

Belkasoft X does have a limit for the character length of attempted passwords. Passwords up to a length of fourteen characters may be attempted (and for some of the most used patterns—if you leave the 'Specify an attack' field blank).

If you know that the password to a file is longer than fourteen characters, or if you have other prior knowledge as to what the password would likely be, we recommend you customize the brute-force method inside of the standalone Passware Kit Forensic tool included in the File Decryption module . You can then browse and select the customized attack file for use in the brute-force options window within Belkasoft X. This configures the brute-force password attempts according to the attack specified.

Keyword dictionary generation

In the event built-in brute-force using the key dictionary file does not work, you can also generate a key dictionary for use with Passware Kit Forensic (or other similar third-party tools). To do so, open the Dashboard window of Belkasoft X and under 'Actions' select the 'Create key dictionary' item:

Figure 6: Belkasoft X Actions—Create key dictionary item

This creates a simple key dictionary text file containing all the text from the case, one term per line. You can then use this file as your basis for subsequent brute-force or password mutations (some are described below).

One important note, do not forget that you have to analyze your data sources prior to attempting this technique (adding data sources to the case without artifact analysis will not generate a meaningful key dictionary).

Using external password dictionaries

There are many "frequently used password" dictionaries available over the Internet. Some contain a few million of the most used passwords; others may contain as many as one billion passwords. In particular, one such dictionary is provided by Passware on their customer portal. Additionally, Belkasoft X comes equipped by default with a 'small' dictionary to help you gets started consisting of around ten million passwords for your initial brute-force attempts.

If you chose the brute-force decryption option, you may select one or even multiple dictionaries: the default dictionary option is shipped and included with the standard product installation. Other dictionaries may be added as needed. Each time you run the brute-force task, use the checkboxes to select one or multiple dictionaries for decryption:

Figure 7: Belkasoft X Brute-force password—Select dictionaries

Password mutations

One popular trick some suspects may utilize with their passwords is to change a letter to a similar looking number or special character in an attempt to make their password stronger and harder to crack. An example could be 'p4ssw0rd' instead of 'password'. This password trick can be cracked using so-called 'password mutations', supported by modern decryption tools, like Passware's Kit Forensic.

Belkasoft X does not offer this feature built-in, but as with the key dictionary, you can use the same extracted language as a basis for mutations. Terms from such key dictionaries can be used for mutations and can be combined together, and so on. This is not a quick operation because there are many different possible mutations, however it is still significantly quicker than testing all potential passwords.

Conclusion

Built-in encryption is now simply a part of our lives and we will never return to the good old days when encryption was typically disabled and rarely encountered. The widespread use of encryption ushers in a new set of challenges for digital investigators and corporate incident responders, but these challenges must be met head on with new techniques and tools.

To recap, we can roughly divide encryption by file-based (FBE) and whole-disk (WDE, FDE, FVE) methods. Encrypted ZIP-files and BitLocker partitions are a good example of both.

Strong passwords and reliable modern encryption technologies make it almost impossible to decrypt files and disks; however, there is still hope for either a weak password or for capabilities like those found with Belkasoft X and its custom key dictionary generator, which extracts all language used by the suspect in your case, as a base for password brute-forcing.

Belkasoft X supports encrypted file search as well as brute-forcing a password and decryption for both file-based and disk-based encryption (for the former you have to have an optional File Decryption module; for the latter you have to have a WDE module, which comes with Belkasoft X Forensic and Corporate editions). The password or other decryption information must be known to decrypt devices that are secured with WDE. For files, it is possible to run a brute-force attack: either based on the current case language, built-in or external dictionaries of frequent passwords, a sequential brute-force of all available passwords, or a highly customized attack, created with a third-party tool.