
Practical Approaches to Recovering Encryption

Presented By: Arif Zina

• Brute forcing is very time consuming
• Brute forcing is very resource intensive
• Practical approaches to recovering encrypted data are therefore required

Time to brute force different key strengths of the AES symmetric cipher with US $1 million of x86 hardware

Key Strength   Possible Keys                     Time to Break
40 bits        1,099,511,627,776                 < 1 minute
56 bits        72,057,594,037,927,936            30 minutes
64 bits        18,446,744,073,709,551,616        4 days
80 bits        1.21 x 10^24                      800 years
128 bits       3.4 x 10^38                       2.2 x 10^17 years
192 bits       6.28 x 10^57                      10^36 years
256 bits       1.16 x 10^77                      10^56 years

Approaches to recovering Encrypted Files

1. Overcoming Weak Encryption

Computer intruders often use simple encryption to obfuscate network traffic and portions of the rootkits they install on compromised systems to conceal their presence.

• A simple form of encryption is to XOR each byte against 255 (0xFF)
• Viewing such a file in a hexadecimal viewer reveals that every byte in the file has a decimal value above 127
• The absence of ASCII characters suggests some form of character substitution
• Guessing that XOR was used, the encryption is reversed to reveal the contents of the rootkit
• Early versions of Microsoft Word and Excel use XOR to encrypt passwords, which are easily recovered using AccessData's Password Recovery Toolkit
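
The triage described above, as an added example that is not part of the original slides: it measures the "all bytes above 127" symptom, then tests the XOR guess by trying every single-byte key (a generalization of the 0xFF case) and ranking the results by how much readable text they produce. The sample buffer and all function names are constructed for illustration.

```python
# Added example; SAMPLE_PLAIN is a constructed stand-in for an obfuscated file.
TEXT = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable ASCII, tab, LF, CR

def high_bit_ratio(data: bytes) -> float:
    """Fraction of bytes above 127: the symptom seen in the hex viewer."""
    if not data:
        return 0.0
    return sum(b > 127 for b in data) / len(data)

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)

def text_ratio(data: bytes) -> float:
    """Fraction of bytes that are plain ASCII text."""
    return sum(b in TEXT for b in data) / len(data)

def rank_xor_keys(data: bytes, top: int = 3):
    """Try all 256 single-byte keys; return the best `top` (key, text_ratio) pairs."""
    scored = [(key, text_ratio(xor_bytes(data, key))) for key in range(256)]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)[:top]

def recover(data: bytes, min_ratio: float = 0.98):
    """Return (key, plaintext) when one key yields near-total text, else None."""
    if not data:
        return None
    key, ratio = rank_xor_keys(data, top=1)[0]
    return (key, xor_bytes(data, key)) if ratio >= min_ratio else None

SAMPLE_PLAIN = (b"# constructed sample config\r\nHIDE_PROC=sshd_x\r\n"
                b"HIDE_PORT=31337\r\nLOG\t/dev/null\r\n")
SAMPLE_OBFUSCATED = xor_bytes(SAMPLE_PLAIN, 0xFF)

if __name__ == "__main__":
    print("high-bit ratio:", high_bit_ratio(SAMPLE_OBFUSCATED))
    print("top keys:", rank_xor_keys(SAMPLE_OBFUSCATED))
    print(recover(SAMPLE_OBFUSCATED))
```

On short buffers several keys can tie, so the ranked list from rank_xor_keys should be reviewed rather than trusting the first entry alone.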

2. Finding unencrypted copies of data

• At some point before data is encrypted, it exists in unencrypted form. Using Windows EFS:
   - A temporary copy of the plaintext might be stored in the paging file (pagefile.sys) prior to encryption.
   - Spool files contain copies of unencrypted files in system32\spool\printers if the folder is not encrypted.
• By searching the disk, an examiner can find file fragments
• PGP is extremely difficult to decrypt as it employs both symmetric and asymmetric encryption. However:
   - When PGP is used to encrypt a Microsoft Word document, the original documents are wiped, but fragments can be found scattered on disk in deleted MS Word temp files, some of which can be found by searching for the Microsoft Word header.
   - Although recovery of the entire file might not be possible, enough incriminating evidence can be recovered.

3. Searching RAM for unencrypted data

• When the content of an application window, such as an Outlook email, is encrypted using PGP, a copy of the plaintext is held in memory by the application.
• When encrypting or decrypting text on Windows 2000 using PGP, a copy of the plaintext is held in memory by PGPtray for an indefinite period.
• The memory of this process can be dumped to a file using a program like pmdump.

D:\>pslist pgptray

Name Pid Pri Thd Hnd Mem User Time Kernel Time Elapsed Time
PGPtray 1332 8 7 150 1264 0:00:00.060 0:00:00.270 2:20:33.466
D:\>pmdump 1332 pgptray.mem
D:\>less pgptray.mem
…╫
^@^@^@^@^@^@^@^@└^@^V^@^@^@^P^@└╧^V^@`Ç^V^@P Signature Status: good
*** Signer: Eoghan Casey <eco@corpus-delicti.com>
*** Signed: 7/20/2002 8:36:42 PM
*** Verified: 7/20/2002 8:41:17 PM
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
Return-Path: <harold1jones@go.com>
Received: from webmailmta.go.com ([204.202.140.199])
by lsh110.siteprotect.com (8.9.3/8.9.3) with ESMTP id SAA04960
for <eco@corpus-delicti.com>; Thu, 11 Jul 2002 18:57:48 -0500
Received: from gomailjtp03 ([10.212.0.163])
by mta07.seamail.go.com (Sun Internet Mail Server
sims.4.0.2001.07.26.11.50.p9) with ESMTP id
<0GZ3002K5Z8ZO3@mta07.seamail.go.com> for
eco@corpus-delicti.com; Thu,
11 Jul 2002 16:43:48 -0700 (PDT)
Date: Thu, 11 Jul 2002 16:45:32 -0700 (PDT)
From: Harold Jones <harold1jones@go.com>
Subject: Test
To: eco@corpus-delicti.com
Message-ID: <6477825.1026431132801.JavaMail.harold1jones@gomailjtp03>
MIME-version: 1.0
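
The searches described in sections 2 and 3, as an added example that is not part of the original slides: one scanner that walks a raw disk image or process dump for the Microsoft Word header and for the banner that precedes decrypted text in the pgptray dump above, then pulls out the readable text at a hit. It assumes Word 97-2003 documents, which begin with the OLE2 compound file signature; the sample image and all function names are constructed.

```python
# Added example; the image built by build_sample() is constructed test data.
SIGNATURES = {
    # Assumption: Word 97-2003 files (and their temp copies) start with this OLE2 signature
    "ole2_header": bytes.fromhex("d0cf11e0a1b11ae1"),
    # Banner seen before the plaintext in the pgptray dump on this page
    "pgp_plaintext": b"*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***",
}
TEXT = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
SECTOR = 512

def scan(blob: bytes):
    """Return sorted (offset, name, sector_aligned) for every signature hit."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = blob.find(sig)
        while pos != -1:
            # A header at a sector boundary is more likely the true start of a file
            hits.append((pos, name, pos % SECTOR == 0))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)

def text_after(blob: bytes, offset: int, limit: int = 4096) -> str:
    """Readable ASCII run starting at offset, stopping at the first binary byte."""
    end = offset
    while end < len(blob) and end - offset < limit and blob[end] in TEXT:
        end += 1
    return blob[offset:end].decode("ascii")

def build_sample() -> bytes:
    """Constructed 3-sector image: empty sector, .doc header fragment, dumped message."""
    doc = SIGNATURES["ole2_header"] + b"\x00" * 24
    msg = (b"\xc0\x16\x00Signature Status: good\r\n" + SIGNATURES["pgp_plaintext"]
           + b"\r\nSubject: Test\r\n\r\nconstructed body\r\n\x00\xff")
    return b"\x00" * SECTOR + doc.ljust(SECTOR, b"\xee") + msg.ljust(SECTOR, b"\x00")

if __name__ == "__main__":
    image = build_sample()
    for offset, name, aligned in scan(image):
        print(f"{offset:#08x} {name} aligned={aligned}")
        if name == "pgp_plaintext":
            print(text_after(image, offset))
```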

4. Obtaining Encryption Passphrase

• Another practical approach to gaining access to encrypted data is to obtain the passphrase:
   - Searching the area for slips of paper
   - Obtaining passwords that the suspect uses to protect other personal data
   - Interviewing the suspect
   - Accidental memory dumps may disclose information relating to encryption. For instance, the Dr Watson application in Windows 2000 creates a memory dump when PGP crashes that can contain encrypted text, plaintext and passphrases (e.g. C:\Documents and Settings\All Users\Documents\Dr Watson\User.dmp)

kernel32.dll
RASAPI32
C:\WINNT\tracing
C:\Documents and Settings\Administrator\My Documents\PGP\pubring.pkr
C:\Documents and Settings\Administrator\My Documents\PGP\secring.skr
&!
IN PGP MESSAGE-----
Version: PGP 7.1
qANQR1DBwU4DSL6Q3OHRwOYQB/9pKnnhZGQRFwykWzBO1EWkzW336QOkUaHj
0aVj
P1MgxDWQWi3kZpOfGnDg6kbQriWBiIgD/z8p5xGN+WcksytlLJv8OxvTGMepx7u8
h5aVRXZd8YPM+h5ROpbnNw+SiT/w9oCy/ChWeiCHV1swQSzwBHx2Ye+yxO70Moxc
...
frAG3nM7kOnChQp4jxhv2J0p7fL1vteI9EGbcimC9QCVBwC1U++mQIqbTyIw5gWK
Io11yl8P+wKjcHsLfi2hTE+NIRb+VORWhVoCDHgNKV1nSFNTK0LEnvz84OFyRc1z
-----END PGP MESSAGE-----
<pgppassphrase!>

• Use the Forensic Toolkit (FTK) from AccessData to generate a list of keywords found on the disk and import it into the Password Recovery Toolkit (PRTK)
• If the user purposefully or unintentionally stored the passphrase on disk, it will be available in the keyword list

A PGP passphrase identified by PRTK

• PRTK can also be configured to use various dictionaries and a customized suspect profile
• PRTK then generates possible passphrases using entries in the dictionary, the suspect profile, and various combinations of these strings

PRTK attempting to guess the passphrase of a PGP private key

• As a last resort, the suspect's machine can be monitored using software or hardware to obtain the passphrase
• Monitoring software and key logging are invasive and can raise privacy issues

Software:
Spector Pro
Sub Seven
Back Orifice enable key logging
Remote file access

Hardware:
Have internal memory and record keystrokes:

KeyGhost
Key Katcher

Thank you

ANY QUESTIONS….?
