xcomiii

asked on

pgp encase forensic

Hi, I just wonder whether PGP is really as secure as it claims to be. When I read the product information for EnCase (http://www.digitalintelligence.com/software/guidancesoftware/encase/) it says that "EnCase can analyze and acquire mounted encrypted volumes, such as PGP and DriveCrypt...."

According to this document:
http://www.google.com/url?sa=t&source=web&ct=res&cd=19&ved=0CDUQFjAIOAo&url=http%3A%2F%2Fdownload.pgp.com%2Fpdfs%2Fdatasheets%2FPGP_WDE_DS.pdf&rct=j&q=pgp+forensic+encase&ei=sLfYS6DVGZSWOM7hhYgH&usg=AFQjCNGkKvmPfyTFMgSpfb7i82uK8N3qXw&sig2=VWAj9MN2iTX4xQDN8zpGUA

It claims that it supports EnCase for forensics: "Support for Guidance® Software EnCase".

I wonder what that really means. As I have read, PGP has such strong encryption that it's not possible to decrypt a WDE disk in a reasonable time. The same goes for virtual encrypted disks. So how is that possible?
SOLUTION
David

xcomiii

ASKER

Ah, that makes sense.
However, I just don't seem to understand the whole picture.

On this link: http://www.guidancesoftware.com/computer-forensics-software-decryption.htm , EnCase advertises itself as being able to decrypt WDE disks, and maybe it can, but I recall that the key used for WDE is 2048-bit; wouldn't that take centuries to decrypt?

Agree with aleghart. If keys are loaded upon user login, files protected by the various security software will be transparently decrypted on the fly for user convenience. Hence any imaging tool can just grab the artifacts as needed, meaning live forensics.

Also, with reference to the link:
http://books.google.com/books?id=V_XPRmaOH60C&pg=PA456&lpg=PA456&dq=manual+EnCase%C2%AE+Decryption+Suite&source=bl&ots=1QiPx66Hf4&sig=3f5BTX5XP3tWJFvO-fXG6Wln_yk&hl=en&ei=AO3bS-_OBtGzrAeUo7TVBw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CAYQ6AEwAA#v=onepage&q=manual%20EnCase%C2%AE%20Decryption%20Suite&f=false

It mentioned that if it is not autologin, EnCase can search for the password (which will release the encryption keys, typically symmetric ones); they are commonly cached in known forensic repositories in the OS. Similarly it may apply to other security software, especially if they support a "wallet" (of passwords) that is supposed (or configured) to be cached locally on the host. The same applies to user certificate based authentication (for certs cached in the local cert store).

But I believe if two-factor authentication is used, it would not be straightforward for EnCase. It would need the user's smartcard etc. But as mentioned, if it is "transparent mode", live forensics would be easier.

They did mention brute-force cracking using dictionary attacks, and for the asymmetric type it is not realistic and they are not targeting that aspect (no need to either). But if a weak crypto algorithm (DES) or short keys (56 bits) are used in symmetric encryption, it is already known that it can be cracked easily using rainbow tables and/or a CUDA hardware cracking system.

ASKER CERTIFIED SOLUTION
Good point dlethe. The practical aspect of keeping secrets is not "forever". It's to delay access to critical information until it is tactically irrelevant. It would be foolish to think that _any_ encryption method that is generated by a machine cannot be hacked. If there is enough need and enough resources, it will be done eventually.

When a data source is known to be compromised, and possibly going to be cracked, it's important to know what is stored therein. Make it irrelevant before the "bad guys" can crack it and make use of it.

That's where the old-fashioned idea of rotating or constantly changing passwords comes from. In the real world, with general users, this is impractical. But it is more easily accomplished with two-factor authentication techniques that utilize a rotation of one-time passwords. I have one on my keychain, as a matter of fact. $20 insurance.
SOLUTION