Digital Forensics in the Age of Encrypted Communication.


With the advent of digital forensics, it has become easier to solve challenging digital crime cases. However, like any other technology, digital forensics comes with its unique set of challenges. One such problem is that of encryption.

So how do digital forensic experts solve these problems? Let’s see what the veterans have to say about this.

Encryption and Digital Forensics

In 2015, Forensic Focus carried out a survey in which over 500 digital forensic experts participated. The survey's purpose was to understand the challenges facing the digital forensics scene. Experts like Brett A. Becker, Tadhg O'Sullivan, David Lillis, and Mark Scanlon of University College Dublin were also trying to answer this question.

The results of the Forensic Focus survey suggested that encryption was the biggest challenge facing digital forensics. Other issues included increasing data volume per investigation, triage, lack of training, and the increasing number of digital crime cases.

Interestingly, the participants of the survey weren’t too concerned about device service proliferation (5%) or triage (11%). However, they were concerned about encryption (21%) and cloud forensics (23%).

In digital forensics, encryption is a thorny topic to touch. Part of it has to do with the legal problems between Apple and the FBI over the decryption of an iPhone by a third party. Ever since, such issues have been in the public sphere.

Yuri Gubanov, the CEO of Belkasoft, believes that there is no simple answer to how encryption impacts digital investigations, as the challenge may vary from one device to the next. For example, encryption on a Windows computer can be attacked by capturing a memory dump with a kernel-mode tool. If the dump is taken while the encrypted volume is mounted, it can be analyzed to extract the binary decryption key.

On Android devices, it depends on who made the particular device and what version of Android is being used. There have been cases where Android devices have been decrypted even without a passcode.

As far as Apple devices are concerned, they use a Secure Enclave in a 54-bit hard drive, and therefore, the implementation is exemplary.

It is worth mentioning that if only a small amount of data is encrypted, the real challenge is locating that piece of data. Belkasoft's file detection module uses a proprietary method to tell encrypted data apart from compressed files.
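The following added example (not from the original article, and not Belkasoft's proprietary method) shows a common open triage heuristic for the same problem: check for known container headers, then use byte entropy and a chi-square uniformity test to separate ciphertext-like data from compressed data. The function names, thresholds and sample data are assumptions made for illustration.

```python
import gzip
import hashlib
import math
from collections import Counter

# Leading bytes of common compressed containers (gzip, zip, bzip2, xz, 7z).
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"BZh": "bzip2",
         b"\xfd7zXZ\x00": "xz", b"7z\xbc\xaf\x27\x1c": "7z"}

def entropy(buf):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def chi_square(buf):
    """Pearson chi-square of byte counts against a uniform distribution."""
    expected = len(buf) / 256
    counts = Counter(buf)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

# Thresholds are assumptions: 350 is a generous cut-off for 255 degrees of freedom.
def classify(buf, min_entropy=7.5, max_chi2=350.0):
    """Triage one buffer as 'compressed', 'plain' or 'possibly encrypted'."""
    for magic, name in MAGIC.items():
        if buf.startswith(magic):
            return "compressed (" + name + ")"
    if entropy(buf) < min_entropy:
        return "plain"
    # High entropy and no container header: ciphertext should look uniform,
    # so a large chi-square points to a headerless compressed stream instead.
    if chi_square(buf) > max_chi2:
        return "compressed (no header)"
    return "possibly encrypted"

def keystream(n, seed=b"constructed"):
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

# Constructed sample data, not taken from any case.
TEXT = b"".join(b"2015-06-01 host%03d login ok user%d\n" % (i % 200, i % 9)
                for i in range(4000))
GZ = gzip.compress(TEXT)
CIPHERLIKE = keystream(65536)

if __name__ == "__main__":
    for label, buf in (("text", TEXT), ("gzip", GZ), ("cipherlike", CIPHERLIKE)):
        print(label, round(entropy(buf), 3), round(chi_square(buf), 1), classify(buf))
```

A "possibly encrypted" result is only a lead for further examination: well-compressed streams without a header can also pass the uniformity check, especially in small samples.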

How does encryption affect digital investigations?

Gubanov says that encryption schemes are designed to withstand brute-force attacks, so direct enumeration of passwords and encryption keys is rarely possible. He believes that exploits and workarounds are the only way forward.

For example, if someone knows the right Microsoft Account password, a BitLocker volume can be unlocked. In the case of smartphones, knowing the weakness in each release is key to overcoming any encryption. Lastly, Apple devices are, by default, configured to back up information to the cloud. To deal with encryption on Apple devices, backups can be analyzed rather than breaking down the device altogether.

Final Word

At Eclipse Forensics, we offer the finest digital forensic services at affordable prices. Some of our services include data redactions, audio/video forensics, and file extraction. To benefit from our services, visit us online or call (904) 797-1866.
