Final Project (docx, 15 pages)
School: SUNY Buffalo State College (not endorsed by this school). Course: COMPUTER F. Subject: Information Systems. Date: Apr 3, 2024. Uploaded by DeanField4049.
Assignment Title: Final Project
The impact of full encryption of modern operating systems on digital forensics.
by Clifford Attaglo, clifford.attaglo@mymail.champlain.edu

By submitting this assignment, I acknowledge that I have read and agree to abide by the Champlain College Academic Honesty Policy. I declare that all work within this assignment is my own or appropriately attributed. I accept that failure to follow the academic honesty policy may result in a failure grade, or expulsion from Champlain College.

Date Due: 03/01/2024
Date Submitted: 02/26/2024
Week 4 Introduction

Encryption has become a major obstacle in the field of digital forensics. The cause is the arrival of strong encryption in mainstream operating systems: BitLocker full-disk encryption on Windows and FileVault on macOS. Full-disk encryption prevents forensic examiners and investigators from collecting and recovering data from computers involved in criminal or civil disputes, and it slows an investigation whenever an examiner encounters an encrypted device. Unless the suspect provides the key or password, it is very difficult to make headway in the case.

Users and organizations cannot be blamed for this, because data protection has become a necessity. Data security involves considering potential confidentiality, integrity and availability threats to data services, using functions such as identification, authentication, authorization and audit (Balogun & Zhu, 2023). One important means of enforcing data security is encryption, which is a part of cryptography. According to Peter Loshin (2022), encryption is the method by which information is converted into secret code that hides the information's true meaning. The science of encrypting and decrypting information is called cryptography, and it provides secret communication between two or more parties.

Digital forensics has become a dynamic field because crime has taken on a new dimension with the spread of computers. More crime is now committed with computers, and the storage devices of those computers hold far more evidence than one might think. Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on computer hard disks, mobile phones, USB drives, smart watches and so on, as these devices permeate modern life.
Page 1 of 15

Digital evidence is normally associated with electronic crime such as child pornography and credit card fraud, but financial institutions such as banks cannot be excluded from the examples: money laundering, digital fraud and terrorist financing all leave digital evidence, and banks need digital forensics because of the many cyber-attacks they face and the incident response those attacks require. Digital forensics is therefore essential to incident response and compliance auditing. Investigators must examine and document their findings to establish whether an incident has legal significance. Regulators such as HIPAA require security and privacy controls within organizations, and in the event of a breach, digital investigators can use their findings to show the regulatory bodies that the requirements were met. Forensic investigations can also uncover vulnerabilities within the organization; for example, viruses and malware unrelated to the breach but harmful to the organization's systems may surface, so the forensic report can be used to improve security (Mohanakrishnan, 2022).

There are several challenges, including the inconsistency of legal systems from one country to another. Some countries have strong objections to the seizure of electronic storage devices, on the grounds that it invades the privacy of others. There are no laws that compel suspects to assist investigators by voluntarily handing over the password or cryptographic keys needed to access their drives or computers. A typical example is the case of Daniel Dantas, whose strong encryption password foiled attempts by the Brazilian police and the FBI to access the encrypted evidence on his hard drive (Balogun & Zhu, 2023).

Investigators are also seeing increased use of BitLocker whole-disk encryption. This can be attributed to users becoming conscious of protecting their data from unauthorized access, and to vendors encrypting devices by default. For example, with the core edition of Windows 8.1, Windows RT and Windows 10, Microsoft began automatically encrypting the system boot volume without asking the user (Carrol, 2019). The practitioner's caveat on that point: this device encryption escrows the recovery key to the user's Microsoft account (or, on a domain-joined machine, to the organization's directory), so an investigator with the appropriate legal process has somewhere to ask for it. Likewise, FileVault on the Mac gives users a safe and secure location for their data (Reddy, 2019, pp. 106-107); such a volume can be accessed only by the person holding the encryption key, by bypassing it, or by obtaining the password lawfully.

Encryption also keeps getting stronger as technology advances. Modern algorithms are effectively impossible to break by brute force, even for experienced investigators. Because encryption scrambles data so that it can only be read by someone with the decryption key, criminals use it to hide evidence and make themselves hard to track, and the development of tools for decrypting data lags behind the pace at which encryption develops. This is what hampers investigations.

Despite these challenges, there has been progress on encrypted data. There are tools that digital forensics professionals can use, such as the Cain and Abel cracking tool, a password recovery tool for Microsoft operating systems. According to Mohamed (2018), it allows recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. Note the limit of such a tool: it recovers passwords and hashes rather than decrypting a BitLocker or FileVault volume directly, although a recovered Windows or cached password may well be the one protecting the volume. There are many such tools investigators can use. Investigators also need to raise their game by trying to obtain the decryption key itself, which is normally possible only if the key is stored, or still held in memory, on the suspect's computer.
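Before any of the recovery techniques above can be chosen, the examiner has to establish whether a seized volume is encrypted at all, and by what product. The Python script below is an added example written for this page, not code from the paper or from any forensic tool. It checks the first bytes of a raw volume image for the BitLocker OEM signature ("-FVE-FS-" at byte offset 3 of the volume's first sector) and for the LUKS header magic, and falls back to a Shannon-entropy measurement for header-less containers such as TrueCrypt/VeraCrypt, which look like random bytes from the first sector onward. The four sample images are constructed inside the script, and the 7.9 bits-per-byte threshold over a 64 KiB sample is an assumption chosen for this example; FileVault/APFS, which needs a structure parser rather than a one-line signature check, is deliberately left out.

```python
import math
import random

# Signatures of common volume encryption formats.
# BitLocker volume boot sector: OEM name "-FVE-FS-" at byte offset 3.
# LUKS header: magic "LUKS\xba\xbe" at offset 0, then a 2-byte big-endian version.
BITLOCKER_OEM = b"-FVE-FS-"
LUKS_MAGIC = b"LUKS\xba\xbe"

SAMPLE = 64 * 1024       # bytes of the volume fed to the entropy fallback
ENTROPY_THRESHOLD = 7.9  # assumed cut-off; ciphertext scores ~7.99 bits/byte on 64 KiB


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_volume(image: bytes) -> str:
    """Label what the start of a raw volume image looks like."""
    if image[3:11] == BITLOCKER_OEM:
        return "bitlocker"
    if image[:6] == LUKS_MAGIC:
        version = int.from_bytes(image[6:8], "big")
        return f"luks{version}"
    # No known header. Header-less containers (TrueCrypt/VeraCrypt) are ciphertext from
    # sector 0 onward, so fall back to a statistical test on the first SAMPLE bytes.
    if shannon_entropy(image[:SAMPLE]) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "plaintext"


def build_samples() -> dict:
    """Constructed test images (not real volumes): one 64 KiB region per case."""
    rng = random.Random(2024)
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE))
    # BitLocker-like: x86 jump, OEM name, then ciphertext-looking body.
    bitlocker = b"\xeb\x58\x90" + BITLOCKER_OEM + noise[11:]
    # LUKS2-like: magic + version 2, then the rest of the header region.
    luks = LUKS_MAGIC + (2).to_bytes(2, "big") + noise[8:]
    # VeraCrypt-like: no recognisable header at all, only ciphertext.
    veracrypt = noise
    # Unencrypted NTFS-like: boot sector text followed by zero-filled space.
    plaintext = b"\xeb\x52\x90NTFS    " + b"\x00" * (SAMPLE - 11)
    return {"bitlocker": bitlocker, "luks": luks, "veracrypt": veracrypt, "ntfs": plaintext}


if __name__ == "__main__":
    for name, img in build_samples().items():
        print(f"{name:10s} -> {classify_volume(img)}")
```

The entropy fallback also fires on compressed data (archives, images, video), so "high-entropy" is a lead to be confirmed, not a finding; a real run applies the check to every partition in the disk image rather than to sector 0 of the disk alone.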
If investigators cannot crack or decrypt the data, it is better to shift attention to other evidence that is not encrypted and is incriminating enough to secure a conviction. Another way to overcome the challenge is the traditional search for the key: there is always a possibility that the password or key is written on a piece of paper, or saved in a note on a USB drive, somewhere at the scene of the crime.

Memory-based procedures are also used to overcome encryption. The encryption key is loaded into memory when the user first supplies it, and it stays in RAM and is used to decrypt data until the system is powered off. This is what makes the choice of acquisition method decisive for full disk encryption. There are two ways of collecting digital evidence, static acquisition and live acquisition; let us compare them critically and see which is better suited to full disk encryption.

Static acquisition is the process of acquiring data after the computer has been shut down; the examiner then images the disk. Once the plug is pulled, only what was written to the hard disk survives: documents, records, photographs and other stored files. On an encrypted disk that image contains nothing but ciphertext, which is of no use without the key. Live acquisition is the process of capturing the contents of the disk, and of memory, while the computer is still running. The volatile state (running processes, network connections and, above all, the decryption key and any mounted, unlocked volumes) is not on the hard drive at all; if the plug is pulled it dissipates and is lost completely, taking crucial evidence with it. Timing is therefore a crucial factor when comparing the two types of acquisition.
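To make the memory-based procedure above concrete: while a BitLocker, FileVault or VeraCrypt volume is unlocked, the driver holds the AES key in RAM not just as 16 or 32 raw bytes but as the expanded key schedule (for AES-128, eleven 16-byte round keys, 176 bytes in all). Random memory essentially never contains a block that satisfies the key-schedule relations, so a memory capture can be scanned for them; this is the method of the cold-boot work by Halderman et al. and of the aeskeyfind tool. The Python below is an added example written for this page, not the paper's code and not any tool's code. It implements the FIPS-197 AES-128 key expansion from scratch and scans a constructed 32 KiB "memory image" in which a schedule has been planted. The filler bytes, the offset and the use of the FIPS-197 test key are all constructed for the example.

```python
import random

# ---- AES-128 key schedule (FIPS-197), written out so the scan has no dependencies ----

def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _make_sbox() -> list:
    """Build the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    inverse = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inverse[x] = y
                break
    sbox = []
    for x in range(256):
        inv = inverse[x]
        s = inv
        for i in range(1, 5):                       # b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key: bytes, rounds: int = 10) -> bytes:
    """Return round keys 0..rounds (16 bytes each) derived from a 16-byte AES key."""
    assert len(key) == 16
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 4 * (rounds + 1)):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # RotWord, then SubWord
            temp[0] ^= RCON[i // 4 - 1]
        words.append([words[i - 4][j] ^ temp[j] for j in range(4)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(dump: bytes) -> list:
    """Scan a memory image for AES-128 key schedules; return [(offset, key_hex), ...]."""
    found = []
    for off in range(len(dump) - 176 + 1):
        candidate = dump[off:off + 16]
        # Cheap filter: round key 1 must match before the full 176-byte expansion is compared.
        if expand_key_128(candidate, rounds=1)[16:32] != dump[off + 16:off + 32]:
            continue
        if expand_key_128(candidate) == dump[off:off + 176]:
            found.append((off, candidate.hex()))
    return found


# ---- constructed sample "RAM image" ----
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A test key
KEY_OFFSET = 12288                                                # where the schedule is planted


def build_sample_dump() -> bytes:
    """32 KiB of filler with one expanded AES-128 schedule planted at KEY_OFFSET, plus the
    bare key bytes planted elsewhere without their schedule (which the scan must not report)."""
    rng = random.Random(7)
    buf = bytearray(rng.getrandbits(8) for _ in range(32 * 1024))
    buf[KEY_OFFSET:KEY_OFFSET + 176] = expand_key_128(SAMPLE_KEY)
    buf[1024:1040] = SAMPLE_KEY   # key alone: indistinguishable from noise without its schedule
    return bytes(buf)


if __name__ == "__main__":
    for offset, key_hex in find_aes128_keys(build_sample_dump()):
        print(f"AES-128 key schedule at offset {offset:#x}: key {key_hex}")
```

Real captures are gigabytes, so production scanners are written in C and test only the first expanded word before doing a full expansion; the same relation holds for AES-256 with a 240-byte schedule. The point for the acquisition debate is in the sample: the bare key bytes planted at offset 1024 are not reported, because without their schedule they cannot be told from noise. Either way the evidence exists only in RAM, which is why pulling the plug for a static acquisition destroys it and a live memory capture preserves it.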
With static acquisition, timing is not critical: it can take place at any time after the evidence is discovered or becomes available, it does not depend on real-time monitoring, and no immediate action is necessary. With live acquisition the opposite holds; timing is of the essence. Live acquisition requires immediate action and real-time capture of the system's state as it exists, and any delay risks dissipation, loss or alteration of the evidence. There is a view that live acquisition intrudes on privacy and may therefore raise legal issues in court, so most examiners prefer static acquisition, which carries less potential for legal complications because the evidence is static. Within these two approaches there are four methods of collecting data: disk-to-image file, disk-to-disk copy, logical disk-to-disk or disk-to-data file copy, and sparse copy of a folder or file. All of these help investigators collect evidence that can support a prosecution.

Examples of high-profile investigations in which digital forensics was decisive include the "BTK Killer" case. Dennis Rader tortured and killed ten people, taunting the police with cryptic messages. In 2005 Rader sent the police a floppy disk containing a Microsoft Word document; digital forensic professionals traced the document's metadata to him, which unveiled his identity. He was found guilty and sentenced to imprisonment. In the high-profile case of Casey Anthony, who initially told police that her 2-year-old daughter had been kidnapped by the nanny and later changed her story to say the child had drowned in the family pool, forensic investigators gathered evidence from the browser history on her computer. It revealed searches for "chloroform" and other suspicious terms, which led police to believe Anthony had used chloroform to render her daughter unconscious before suffocating her with duct tape. The 2011 case against the former IMF chief also relied heavily on digital forensics. Dominique Strauss-Kahn, head of the International Monetary Fund, was accused of assaulting a hotel housekeeper in New York City. Investigators pulled his text messages and emails from the day of the alleged assault, which provided a timeline and corroborated the housekeeper's account; among the texts was one to his wife saying he had done something stupid, which prosecutors argued was an admission of guilt (Garry, 2023).

These cases show how digital forensics helps resolve crimes that would otherwise leave the police without answers. The impact of full disk encryption (FDE) on evidence acquisition cannot be overlooked, whether negative or positive for investigators. When investigators encounter an encrypted disk, a great deal of time and resources go into trying to decrypt it to obtain the evidence needed for the case; decrypting FDE is time-consuming and resource-dependent, and how much so depends on the strength of the encryption and the algorithm used. The same property is what gives FDE its value: it protects confidentiality. Even if an unauthorized person gets hold of the disk, the data is meaningless without the key. (It does not, on its own, protect integrity: BitLocker and FileVault encrypt with AES in the unauthenticated XTS mode, so ciphertext can be altered without the change being detected.) Although strong encryption secures data, it is a challenge for investigators who need access for a legitimate purpose; FDE prevents them from reaching the data, and without the key there is no way to obtain the evidence needed to support a prosecution. Despite the challenges, some forensic tools work well against FDE and others do not. Their effectiveness depends on several factors: the strength of the encryption used, the availability of the encryption key, and the capabilities of the tool.
For forensic tools to be effective against FDE, knowing the encryption product and algorithm in use is crucial. Most forensic tools are good at detecting and identifying the popular encryption technologies used for FDE. It helps to keep the categories apart: AES and Twofish (and the cascaded AES-Twofish offered by TrueCrypt and VeraCrypt) are ciphers; BitLocker, FileVault, TrueCrypt and VeraCrypt are products that use those ciphers; and SHA-256 is a hash function, used in these products for key derivation and integrity checks rather than for encrypting data. Tools that specialize in memory forensics can be effective at retrieving encryption keys from volatile memory (RAM) while the system is running, since that is where the key is held while a volume is unlocked. Forensic experts also use these advanced memory-based techniques to take advantage of vulnerabilities in the encryption software or the surrounding system, on the principle that software written by humans will have some sort of flaw. Recovering and analyzing data from encrypted disks is challenging because of the security measures the encryption technology employs, but there are alternatives forensic professionals can use to recover and interpret data from a suspect's encrypted disk or system. One is capturing and analyzing the contents of volatile memory (RAM). This has to be done in real time: the suspect must be caught while the system is running and unlocked, so that the keys held in memory can be extracted. Another is analyzing memory dump files obtained from the target system (hibernation files, crash dumps, page files) and searching them for keys. A third is to image the system and examine artifacts such as registry entries, log files or application data for cryptographic keys, passphrases and other encryption-related information, for instance a saved recovery key file. The last alternative to discuss is the side-channel attack. According to Gavin Wright and Alexander S. Gillis, a side-channel attack is a security exploit that aims to gather information from or influence the program execution of a system by measuring or exploiting indirect effects of the system or its hardware rather than targeting the program or its code directly. The aim of such an attack is to exfiltrate sensitive information, cryptographic keys included, and that information then lets forensic experts recover and analyze data for evidential purposes.

There is a need to balance the need for encryption against other interests. This is a complicated issue, because it involves security, individual liberties, societal values and law enforcement. Government agencies and law enforcement argue that strong encryption can prevent them from carrying out their mandated investigations and from stopping criminal activity such as human trafficking, child pornography and terrorism. Yet encryption is necessary to secure our data and personal information against threat actors, now that the internet has become our way of life: we use it for shopping, banking, health and much else, and our online transactions deserve privacy. Privacy rights are enshrined in international and national laws and are fundamental to a democratic society. Organizations also need to meet regulatory requirements such as HIPAA, HITECH and GLBA; failure to comply can lead to heavy penalties or even closure. These regulations expect organizations to use encryption to prevent unauthorized disclosure of data to hackers and to state-financed criminal organizations. Using weak encryption, or providing a backdoor for law enforcement, therefore defeats the purpose of security and exposes user data to harm. Law enforcement, for its part, argues that strong encryption prevents it from carrying out investigations, especially where the suspect's data is encrypted and central to the case.
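Of the artifact sources listed above, one a practitioner checks early on a Windows image is text that looks like a BitLocker recovery password: the 48-digit key that Windows offers to save to a file, print, or back up to the user's Microsoft account or directory, and that libbde and dislocker accept for unlocking a volume. Candidates can be validated offline, because every 6-digit group of a real recovery password is divisible by 11 and encodes a 16-bit value, so no group exceeds 720895. The Python below is an added example written for this page, not code from the paper or from any forensic tool. It scans recovered text for 48-digit candidates and keeps only those that pass the per-group checks; the sample artifact text and the key inside it are constructed, and the key is built from arbitrary 16-bit values rather than being a real recovery password.

```python
import re

# A BitLocker recovery password is 48 decimal digits, conventionally written as eight
# 6-digit groups separated by dashes. Every group is divisible by 11 and encodes a 16-bit
# value (group // 11 < 65536), so the largest legal group is 720895. Anything failing these
# checks cannot be a recovery password, however much it looks like one.
MAX_GROUP = 65536 * 11 - 1  # 720895

# 48 digits, optionally split into groups of six by a dash or whitespace,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{6}(?:[-\s]?\d{6}){7}(?!\d)")


def is_valid_recovery_password(groups) -> bool:
    """True if `groups` is eight 6-digit strings that all pass BitLocker's per-group checks."""
    groups = list(groups)
    if len(groups) != 8:
        return False
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            return False
        value = int(g)
        if value % 11 != 0 or value > MAX_GROUP:
            return False
    return True


def find_recovery_passwords(text: str) -> list:
    """Return the distinct format-valid recovery passwords in `text`, normalised to dashed form."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        groups = re.findall(r"\d{6}", match.group(0))
        if is_valid_recovery_password(groups):
            normalised = "-".join(groups)
            if normalised not in hits:
                hits.append(normalised)
    return hits


def make_recovery_password(words) -> str:
    """Build a format-valid password from eight 16-bit values (used only to construct the sample)."""
    words = list(words)
    assert len(words) == 8 and all(0 <= w < 65536 for w in words)
    return "-".join(f"{w * 11:06d}" for w in words)


# Constructed sample: text as it might be carved from a documents folder or a notes app
# on the image. The password is built from arbitrary values and is not a real key.
SAMPLE_PASSWORD = make_recovery_password([1, 65535, 12345, 0, 4321, 60000, 999, 31415])
SAMPLE_ARTIFACT = (
    "BitLocker Drive Encryption recovery key\n"
    "\n"
    f"Recovery Key:\n\n    {SAMPLE_PASSWORD}\n\n"
    # decoy: right shape, but the first group fails the mod-11 check
    "order ref 123456-234567-345678-456789-567890-678901-789012-890123\n"
    # decoy: every group divisible by 11, but 999999 exceeds the 720895 limit
    "serial 999999999999999999999999999999999999999999999999\n"
)

if __name__ == "__main__":
    for pw in find_recovery_passwords(SAMPLE_ARTIFACT):
        print("candidate recovery password:", pw)
```

The format check is a filter, not proof: a string that passes still has to be tried against the volume's metadata (the matching protector identifier helps pair a key with a volume), and the same scan should be run over the unallocated space and the page file, since deleted or swapped-out copies of the key file survive there.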
Law enforcement has long advocated a process that would give it access to encrypted data while still protecting the data collected from users. A system that provides a backdoor for law enforcement and at the same time keeps the data secure from hackers is something that has yet to be demonstrated. Striking a balance between encryption and privacy rights calls for serious policy consideration, with a collaborative effort from businesses, individuals, law enforcement and government agencies to weigh the pros and cons. In the end, the best-argued position should win. Balancing the need for encryption with privacy rights is a concern for everyone, not something to be left to a few; it needs individuals, organizations, government agencies and law enforcement, technical know-how and policy expertise to strike the balance.

How encrypted data can be accessed during an investigation depends on geography. There are proper ways to access encrypted data, and inappropriate access by law enforcement may be the basis of a motion to dismiss the case in whole or in part (Lowe, 2023). For law enforcement or government agencies, the first step is to obtain a search warrant from a court of competent jurisdiction. Law enforcement must show probable cause to the judge or magistrate as to why the warrant for the search or seizure of the encrypted data should be issued. According to the NCSC, a warrant is a specific type of authorization: a writ issued by a competent officer, usually a judge or magistrate, which permits an otherwise illegal act that would violate individual rights and affords the person executing the writ protection from damages if the act is performed. Searches must be reasonable; in the United States, the Fourth Amendment protects individuals against unreasonable searches and seizures by the government, and law enforcement personnel must have a search warrant authorizing them before they search.
Law enforcement must also comply with data protection laws such as the GDPR and the CCPA when accessing encrypted data, and there is a cross-border dimension: encrypted data stored or transmitted across international borders raises questions of jurisdiction. In such cases law enforcement must follow international instruments such as mutual legal assistance treaties, or other agreements between the countries concerned, before access to the data is permitted. In short, accessing encrypted data raises complex legal questions of jurisdiction, constitutional law and treaties, and law enforcement and government agencies need to tread carefully to avoid the evidence being rejected in whole or in part.

Encryption technology is not standing still. It will keep improving, and to secure our data we will keep using it. At the same time, hackers keep finding new ways to break the technologies that already exist, so research into stronger encryption must continue. Some of the emerging technologies are remarkable: quantum cryptography, multi-party computation, honey encryption and biometric encryption. The two of most interest here are quantum and biometric encryption. Quantum cryptography uses principles of quantum physics to transmit data securely. Conventional encryption systems work with secret keys, mostly randomly generated strings of numbers used to encrypt and decrypt data (Krishnan, 2023). In quantum key distribution, photons are sent from one end to the other, and careful measurement of their quantum properties at both ends is used to agree on the key and to determine whether it is secure. If an eavesdropper interferes, the state of the photons changes; the communicating devices detect the change and refuse to use the compromised key.
Besides quantum encryption as an emerging technology, there is biometric encryption, which has already gained momentum and is used frequently, especially on mobile phones and personal computers. This is a technology that securely binds a digital key to a biometric, or generates a digital key from a biometric, so that no biometric image or template is stored. It must be computationally difficult to retrieve either the key or the biometric from the stored BE template, also called "helper data". The key is recreated only if the genuine biometric sample is presented at verification, and the output of BE authentication is either a key (correct or incorrect) or a failure message (Cavoukian & Stoianov, 2011).

There is also a need to look at forensic methodology: how to investigate, which tools to use, and the current trends in computer crime. For years we relied on static analysis, in which data stored on drives is analyzed for evidential purposes. Current trends in computer crime demand live analysis: modern threats such as memory-resident malware and fileless attacks require live forensics and memory analysis to extract evidence from RAM and other volatile locations. Machine learning and artificial intelligence are also being integrated into digital forensic tools and methodologies to automate parts of the process. This helps with processing large amounts of data, detecting patterns and predicting potential threats with accuracy and speed, and the AI component further enhances keyword searching, all of which speeds up investigations. As more and more data moves to the cloud, cloud-based forensics is needed, and it has changed the landscape of forensic investigation. Cloud forensics is the process of collecting and analyzing evidence from cloud-based systems and infrastructure for the purpose of a legal investigation or security incident.
This poses new challenges, such as obtaining evidence from multiple locations and dealing with complex data-ownership issues. Lastly, with growing concern over privacy and data protection regulations such as HIPAA, GDPR and CCPA, digital forensics methodologies are changing to include privacy-preserving techniques: methods for anonymizing sensitive information during analysis, and for ensuring compliance with legal requirements and ethical standards.

The key findings of this paper are that encryption is necessary for the protection of sensitive data, so organizations are doing everything possible to enforce it in order to comply with regulations such as HIPAA, GDPR and CCPA. Users of computers, mobile phones and other storage devices are increasingly aware of the need to protect their data, as these devices hold a great deal of sensitive information, and so they employ encryption. In some cases the manufacturers encrypt devices by default; for example, with the core edition of Windows 8.1, Windows RT and Windows 10, Microsoft began automatically encrypting the system boot volume without asking the user (Carrol, 2019). While encryption is necessary to protect the sensitive data of organizations and individuals, it is seen as a threat to forensic processes. Cybercriminals exploit encryption to keep digital forensics investigators away from potential evidence; ready access to encryption technology, its low cost and its easy implementation make it simple for criminals to conceal evidence, as in the case of Daniel Dantas, whose strong encryption password foiled attempts by the Brazilian police and the FBI to access the encrypted evidence on his hard drive (Balogun & Zhu, 2023). Sometimes investigators can get around encryption through search and seizure, or by performing live analysis when a suspect is caught using an unlocked system, but this requires careful planning.
To counter encryption, policy makers need to formulate policies that compel a suspect to provide the encryption key to investigators when required. Such policies could also require manufacturers to provide encryption keys to security and government agencies. Policy makers should also fund scholarships for forensic investigators to further their education in the interest of national security, giving them the chance to upgrade their skills and obtain certifications. New or enhanced digital forensic tools are needed to address current computer crime; the developers of these tools must catch up with the pace at which encryption technology, and cybercrime, are advancing. Finally, manufacturers should create backdoors in some of these encryption technologies to make data accessible to investigators when required.
References

Balogun, A. M., & Zhu, S. Y. (2023). Privacy impacts of data encryption on the efficiency of digital forensics technology. International Journal of Advanced Computer Science and Applications, 4, 36-40. https://arxiv.org/ftp/arxiv/papers/1312/1312.3183.pdf

Carrol, O. (2019). Challenges in modern digital investigative analysis. Department of Justice Journal of Federal Law and Practice (Jan 2017). https://www.crime-scene-investigator.net/challenges-in-modern-digital-investigative-analysis.html

Casey, E., & Stellatos, G. (2008). The impact of full disk encryption on digital forensics. ACM SIGOPS Operating Systems Review, 42, 93-98. https://doi.org/10.1145/1368506.1368519

Cavoukian, A., & Stoianov, A. (2011). Biometric encryption. In H. C. A. van Tilborg & S. Jajodia (Eds.), Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5906-5_880

https://www.digitaleurope.org/resources/encryption-finding-the-balance-between-privacy-security-and-lawful-data-access/

Garry. (2023, September 28). What are some major cases solved using digital forensics? Retrieved February 14, 2024, from https://darwinsdata.com/what-are-some-major-cases-solved-using-digital-forensics/

Krishnan, K. (2023, December 9). Latest advances in encryption technology. Retrieved February 21, 2023, from https://concentric.ai/advances-in-encryption-technology/

Lowe, M. (2023, January 25). Encryption and law enforcement investigations: Police access to encrypted data. Retrieved February 20, 2024, from www.dallasjustice.com/encryption-and-law-enforcement-investigations-police-access-to-encrypted-data/

Mohamed, A. (2018, January 25). Password cracking using Cain & Abel. Retrieved February 12, 2024, from https://resources.infosecinstitute.com/topics/hacking/password-cracking-using-cain-abel/

Mohanakrishnan, R. (2022, July 18). What is digital forensics? Meaning, importance, and types. Retrieved February 1, 2024, from https://www.spiceworks.com/it-security/cyber-risk-management/articles/what-is-digital-forensics/

Redding, J. P. (2023, September 20). The future of digital forensic software advancements and innovations. Retrieved February 25, 2024, from https://www.adfsolutions.com/news/the-future-of-digital-forensic-software-advancements-and-innovations-to-look-out-for

Reddy, N. (2019). Practical cyber forensics: An incident-based approach to forensic investigations (1st ed., pp. 106-107). Apress. https://doi.org/10.1007/978-1-4842-4460-9

Wright, G., & Gillis, A. S. (n.d.). Side-channel attack. Retrieved February 15, 2021, from www.techtarget.com/searchsecurity/definition/side-channel-attack