
Security Reference Guide


Forensics and Encryption

Last updated May 23, 2003.

When a person uses a computer, they create files. These files usually hold information about the activities the person is involved in: pictures from a digital camera, emails to friends, and financial documents are all things one would expect to find on a computer. A criminal computer user is no different. They will also store files, though usually of a different nature. Instead of family finances, you might find a record of drug sales or bets placed. Instead of a nice family picture, you might find illegal porn. Instead of a nice recipe for chocolate cake, you might find a recipe for crystal meth.

Obviously, these are not the kinds of files a criminal wants to leave lying around in the open. While it is possible to use the built-in password protection offered by general productivity applications (e.g. a password-protected Word document), we have already demonstrated that this type of protection is marginal at best. So the next option for a criminal is to use a strong form of encryption that locks their sensitive information up in an undecipherable file. This section investigates some of the more popular forms of encryption, how they work, and what tools are available to break them.

Encryption Overview

There are two main types of encryption: symmetric and asymmetric. Each has its own strengths and weaknesses. We could write several pages, if not an entire book, about the types of encryption and their uses, but for the scope of this section we will only give a brief overview of the two types and how they work.


Symmetric encryption uses a single shared key to both encrypt and decrypt data. One of the most familiar examples is the toy decoder ring. While this is a simplistic extreme, the decoder ring illustrates how easy this type of encryption is to use: whoever has the ring (the key) can read the message. It also illustrates the weakness. Since there is only one key, it has to be shared with every party who needs to read the data, and anyone who obtains it can decrypt everything it protects. If a forensics expert can determine the key, or the password it was derived from, or has enough computing power to try every possible key, the data can be recovered. The limiting factor is time: some passwords and encryption methods fall in seconds, others would take eons. As the LOTR might put it, 'One key to rule the file, one key to find, only one key to open the cipher that binds them.' Sorry, I couldn't resist with LOTR 3 about to come out!


Asymmetric encryption uses two keys: a public key and a corresponding private key. When a message needs to be encrypted, the public key of the recipient is used to encrypt the data. Once this is done, the only key that will decipher the message is the private key, which only the recipient holds. The public key can be handed out freely, so the two parties never need to share a secret in advance; this solves the key-distribution problem of symmetric encryption, which is the real advantage of the method rather than any inherent extra strength. It is a bit more complicated and can still fall prey to attack. As with symmetric encryption, the private key can be stolen, or the passphrase that protects it on disk can be guessed. In principle the private key can also be derived from the public key by a mathematical attack (for RSA, factoring the modulus), which is why asymmetric keys are so much longer than symmetric ones; the lengths are not directly comparable, since the attacker factors rather than guesses. Because asymmetric operations are slow, most programs use the public key only to protect a random symmetric key that encrypts the actual data. Unfortunately, asymmetric encryption is also more difficult to use and configure.
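To make the two-key property concrete, here is a textbook RSA key pair in Python. This is an added example, not code from the original guide or from any real encryption product: the primes are tiny so that the factoring attack (recovering the private key from nothing but the public key) finishes in a fraction of a second, and there is no padding, so it must never be used for anything real. The point it shows is that the attack cost grows with the size of the modulus, which is why asymmetric keys are long.

```python
"""Toy textbook RSA: the public key encrypts, only the private key decrypts,
and an attacker who can factor the modulus gets the private key.
Added example, not from the original guide. Primes and messages below are
chosen for illustration only; real keys use primes of hundreds of digits."""
from math import gcd, isqrt


def modinv(a, m):
    """Multiplicative inverse of a modulo m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def keygen(p, q, e=65537):
    """Build an RSA key pair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(pub, m):
    """Anyone holding the public key can do this."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    """Only the holder of d can undo encrypt()."""
    n, d = priv
    return pow(c, d, n)


def factor_trial(n):
    """Brute-force attack on a toy modulus: trial division up to sqrt(n).
    Work grows exponentially in the bit length of n, which is the whole
    reason RSA moduli are 1024 bits and up."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pub):
    """The attacker's view: given only (n, e), factor n and recompute d
    exactly as keygen() did."""
    n, e = pub
    p, q = factor_trial(n)
    return (n, modinv(e, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = keygen(999983, 1000003)      # ~40-bit modulus: toy size
    c = encrypt(pub, 123456789)
    print("ciphertext", c, "decrypts to", decrypt(priv, c))
    print("private key recovered from public key alone:",
          recover_private_key(pub) == priv)
```

The small key pair built from the primes 61 and 53 in the check below is the standard worked example found in most textbooks, so its values (d = 2753, 65 encrypts to 2790) can be verified by hand.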

Encryption Strength

Several factors define the strength of a cipher. The two most important are the algorithm used and the length of the key. For example, one simple form of encryption is a letter-substitution cipher, which shows up in most every newspaper in the US as the daily cryptogram puzzle. The algorithm is trivial: replace each letter with another and repeat. Although there are 26! possible substitution alphabets, anyone with a pencil can break it by letter frequency, so a large key space alone does not make a cipher strong. On the other hand, a well-designed algorithm such as AES with a 128-bit key would take thousands of years, and in fact far longer, to crack by trying every key, even with the fastest computer in existence.

Computers are never wrong, barring a hardware glitch due to broken equipment. Therefore, in a perfect world, strong encryption would not be breakable. However, once you introduce humanity into the equation, you also introduce errors. Weak passphrases, improper implementation or misuse of a cipher algorithm, and other man-made weaknesses can turn even the strongest encryption into nothing more than a nuisance. One example is the use of RC4 in WEP, which was supposed to encrypt wireless traffic. The so-called 64-bit key was really a 40-bit secret plus a 24-bit initialization vector (IV) that was sent in plaintext with every packet, so only 40 bits were secret and the small IV space guaranteed that the same keystream would eventually be reused. Worse, the way the IV was prepended to the secret key exposed a weakness in RC4's key scheduling, so that the secret key itself could be recovered after collecting roughly 2-4 million encrypted packets (or fewer in some cases).
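The following Python block is an added example, not code from the original guide or from any WEP implementation, showing the first of the two WEP problems mentioned above: because the per-packet RC4 key is the cleartext IV followed by the secret, any two frames that carry the same IV are encrypted with the same keystream. XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts, and since every WEP data frame starts with the same LLC/SNAP header, the first bytes of keystream can be recovered outright and used to decrypt the start of any other frame with that IV, all without the secret key. The 40-bit secret, the IV and the packet contents are constructed for the demonstration; the CRC-32 integrity value that real WEP frames also carry is omitted.

```python
"""WEP keystream reuse with RC4. Added example, not from the original guide.
Secret key, IVs and frame payloads below are constructed test data."""

# Every WEP data frame begins with this LLC/SNAP header (known plaintext).
LLC_SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling algorithm (KSA) then pseudo-random
    generation algorithm (PRGA). Returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret, iv, plaintext):
    """Per-packet key is IV || secret; the 24-bit IV is transmitted in the clear.
    Returns the frame body as iv + ciphertext."""
    assert len(iv) == 3 and len(secret) == 5      # 24-bit IV + 40-bit secret
    return iv + xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def wep_decrypt(secret, frame):
    """What the legitimate receiver does with the shared secret."""
    iv, ct = frame[:3], frame[3:]
    return xor(ct, rc4_keystream(iv + secret, len(ct)))


def xor_of_plaintexts(frame_a, frame_b):
    """Two frames under the same IV: ct_a XOR ct_b == pt_a XOR pt_b,
    because the identical keystream cancels out."""
    assert frame_a[:3] == frame_b[:3], "IVs differ; keystreams differ"
    return xor(frame_a[3:], frame_b[3:])


def recover_keystream(frame, known_prefix=LLC_SNAP):
    """Known-plaintext attack: ciphertext XOR known plaintext = keystream.
    Returns (iv, keystream prefix) valid for every frame sent under that IV."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor(ct[:len(known_prefix)], known_prefix)


def decrypt_reused_iv(frame, iv, keystream):
    """Decrypt the first len(keystream) bytes of another frame with the same IV,
    without ever learning the secret key."""
    assert frame[:3] == iv, "different IV: recovered keystream does not apply"
    return xor(frame[3:3 + len(keystream)], keystream)


if __name__ == "__main__":
    secret = bytes.fromhex("0badc0de01")      # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    f1 = wep_encrypt(secret, iv, LLC_SNAP + b"\x08\x00" + b"first packet body")
    f2 = wep_encrypt(secret, iv, LLC_SNAP + b"\x08\x06" + b"second packet body")
    iv_seen, ks = recover_keystream(f1)
    print("keystream recovered from frame 1:", ks.hex())
    print("frame 2 header decrypted without the key:",
          decrypt_reused_iv(f2, iv_seen, ks).hex())
    print("IV space is only", 2 ** 24, "values, so reuse is guaranteed on a busy network")
```

The RC4 routine is checked against the published test vector for the key "Key" (keystream EB9F7781B734CA72A719...), so the cipher itself is correct; the weakness demonstrated is entirely in how WEP uses it.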

The second main weakness of encryption is that there is usually a single digital key needed to decipher the data. This is the Achilles heel of encryption: if that key, or the password it is derived from, can be obtained via a keylogger, a brute-force guess, or a swap or temporary file where the password sat in plaintext on the drive for even a millisecond, the file can be decrypted.

So, how does this apply to a forensics expert? If the target data is encrypted with a strong algorithm, it may still be possible to gain access to it. Instead of a frontal assault on the cipher, which may work for password-protected documents or zip files, an examiner should start by collecting a list of possible words or phrases used by the suspect (names, dates, pets, hobbies, anything found elsewhere on the system) and running them, with the usual variations, against the encrypted file. In addition, if it is legally and physically possible, a monitoring device can be installed on or around the computer to capture the decryption process. This could be a camera, a keylogger, or a remote forensics tool.
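As an added example of the wordlist approach described above (not code from the original guide or from any real encryption product), the Python block below builds a small passphrase-protected container and then attacks it the way a cracking tool would: it never touches the 256-bit key space, only the header's key-check value, trying each word from a suspect-specific list with a few common mangling rules. The container format, the wordlist and the passphrase are constructed for the demonstration, and HMAC-SHA256 in counter mode stands in for a real block cipher so the code runs with the standard library alone; the key derivation (PBKDF2) and the stored verifier are the parts that matter.

```python
"""Dictionary attack on a passphrase-protected container.
Added example, not from the original guide. Format, wordlist and passphrase
are constructed; the HMAC counter-mode keystream stands in for AES."""
import hashlib
import hmac
import os
import struct

MAGIC = b"DEMO1"   # hypothetical container format, defined only for this example


def derive_key(passphrase, salt, iterations):
    """Turn a human passphrase into a 256-bit key with PBKDF2-HMAC-SHA256.
    The iteration count is the only thing that makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 32)


def keystream(key, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def verifier(key):
    """Key-check value kept in the header so the program can tell a wrong
    passphrase from corrupt data. It is exactly what an attacker tests against."""
    return hmac.new(key, b"verifier", hashlib.sha256).digest()[:16]


def seal(passphrase, plaintext, iterations=10_000, salt=None):
    """Header: MAGIC | 16-byte salt | iterations | 16-byte verifier | ciphertext."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(passphrase, salt, iterations)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return MAGIC + salt + struct.pack(">I", iterations) + verifier(key) + ct


def parse(container):
    if container[:5] != MAGIC:
        raise ValueError("not a DEMO1 container")
    salt = container[5:21]
    iterations = struct.unpack(">I", container[21:25])[0]
    return salt, iterations, container[25:41], container[41:]


def open_container(passphrase, container):
    """Legitimate decryption; returns None on a wrong passphrase."""
    salt, iterations, ver, ct = parse(container)
    key = derive_key(passphrase, salt, iterations)
    if not hmac.compare_digest(verifier(key), ver):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def mangle(word):
    """Simple rules a cracking tool applies to every wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2003"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(container, candidates):
    """Test each mangled candidate against the header verifier only.
    Returns (passphrase, guesses) or (None, guesses)."""
    salt, iterations, ver, _ = parse(container)
    guesses = 0
    for word in candidates:
        for guess in mangle(word):
            guesses += 1
            if hmac.compare_digest(verifier(derive_key(guess, salt, iterations)), ver):
                return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed: the suspect's dog is named Rover (found in photo captions).
    container = seal("Rover2003", b"sales ledger: 3 oz @ 120", iterations=1000)
    suspect_words = ["mustang", "rover", "jenny", "chevy"]   # harvested from the drive
    print(dictionary_attack(container, suspect_words))
```

The number of guesses is what the examiner budgets for: every word costs len(list(mangle(word))) derivations, each as slow as the iteration count makes it, so the time saved by a good suspect-specific list dwarfs anything gained from faster hardware.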

The rest of this section is devoted to understanding the algorithms used in encryption programs. In addition, we will take a look at a short list of some of the more popular encryption programs that you, as a forensics investigator, may expect to see employed by criminals. Finally, we will outline the tools and techniques available to crack open encrypted files.