Live Forensic Analysis: Searching for Altered and Unaltered Encrypted Volume
TRANSCRIPT
7/22/2019 Live Forensic Analysis: Searching for Altered and Unaltered Encrypted Volume
Live Forensic Analysis
Searching for Altered and Unaltered
Encrypted Volume
1/5/2014
Donald Cinco
The aim of this paper was to emphasize that crimes are occurring every day in the digital world and cyber criminals are advancing their tools and tricks, making it difficult for the forensic examiner to discover the evidence files. Perpetrators are becoming more knowledgeable by using a variety of tools and techniques to avoid detection. In fact this is becoming a growing challenge. Within the last decade the overall cyber crime scene has revolutionized significantly, with perpetrators developing more modern techniques and broader skills in technology.
With today's technology forensic examiners must always be on top of their game. With that being said, a digital forensics examiner must know the limits of their tools and their capabilities, due to the fact that not all the tools in their arsenal would give them the results that they are seeking. A digital forensic examiner must always think outside the box. All investigations are not the same; what worked for you the last time might not work for you this time. What you are about to read is based on demonstrations only. By no means am I suggesting what tools to use and what not to use.
Before I start I would like to mention that in this demonstration I have tested several forensic tools, commercial and open source. This demonstration is based on several forensic tools not being able to collect all the evidence and on how a perpetrator can hide their evidence. There are many ways a perpetrator can hide the file/s inside the system, i.e., binding files together or just simply locking it with zip/rar. The question is what you would do if you ever came across this situation. You may have heard that several forensics programs are now claiming that they can detect or find an encrypted disk volume and decrypt the password of an encrypted disk, mainly used by encryption programs such as TrueCrypt, PGP and Bitlocker.
Being an inquisitive minded individual, I went online and searched for an open source tool that could detect an encrypted disk volume. I found EDD (Encrypted Disk Detector), downloaded it and wanted to see if this would really discover my hidden partition inside my flashdrive. The first thing I noticed is that EDD is easy and simple to use. I think it is a good tool for detecting an encrypted disk volume and, best of all, it is free. To my enthusiasm I inserted my flashdrive with a TrueCrypt encrypted partition into my desktop; as soon as my desktop recognized my flashdrive I then executed EDD to see if it would detect the encrypted volume inside my flashdrive. In a matter of seconds I have the results in front of me, see Fig. 1.
Fig. 1
As you can see in Fig. 1, as I started the EDD.exe it revealed that there is an encrypted volume in my flashdrive. By looking at the image you can see where EDD discovered the encrypted volume: it is located at Physicaldrive5 partition 1 with an OEM ID: bM I and at the bottom it says Encrypted volumes and/or processes were detected by EDD. Pretty good tool if you ask me; the tool definitely made it easier for a digital forensic examiner to discover encrypted volumes used by encryption programs when doing a live analysis.
Furthermore, what if we are dealing with someone who really knows what they are doing to avoid detection? What if I tell you that I can make a TrueCrypt encrypted volume undetected by EDD? Can it be done? Is it possible? Absolutely! You have to understand how EDD works and how it looks for the signature. Anyone who understands reverse engineering in digital forensics knows it is not that difficult to achieve. If a perpetrator would like to hide the encrypted volume, they can simply copy the whole encrypted sector volume and hide it anywhere where it would be hard to find. When the perpetrator is ready to mount it, they can easily go back to where they hid it and restore it back to any harddrive or flashdrive. Before I explain how it can be restored let us look at fig. 2; this is a sample of a modified header making it undetected by EDD, PASSWARE FORENSIC KIT and ELCOMSOFT FORENSIC DISK DECRYPTOR.
Fig. 2
After modifying the TrueCrypt header with a hex editor and running the EDD, we can see that EDD is unable to detect the encrypted volume in fig. 2. To move on, the next tool I will use is a Passware Forensic Kit, to see if this tool can detect the TrueCrypt volume in my flashdrive (I:), see fig. 3.
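The point made above is that EDD, Passware and Elcomsoft look for a TrueCrypt signature, so a few overwritten header bytes are enough to make the volume vanish from their reports. The following Python script is an added example, not code from the paper or from any of the tools it names: it scores regions of data by Shannon entropy and by a chi-square test against the uniform byte distribution. Both measures depend on the encrypted body rather than on any header, so the score of the remaining sectors does not change when the first sector is altered. The two byte samples are constructed inline (a seeded pseudo-random stream standing in for encrypted sectors, a repeated text line standing in for an ordinary file), and the 7.9 bits-per-byte threshold is an assumption chosen for this demonstration.

```python
import math
import random
from collections import Counter

# Constructed samples (not data from the paper): 64 KiB of seeded pseudo-random
# bytes stands in for the body of an encrypted volume, a repeated ASCII line
# stands in for an ordinary, unencrypted region of the same size.
_rng = random.Random(2014)
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
PLAIN_LIKE = (b"This is an ordinary text file on the flash drive.\r\n" * 1300)[:64 * 1024]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.

    Near 255 (the degrees of freedom) for well-encrypted data, far larger for text.
    """
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes, entropy_floor: float = 7.9) -> bool:
    """Flag a region as encrypted- or compressed-looking by entropy alone.

    The threshold is an assumption for this example. Because the score is
    computed from the data itself, altering the first sector (where a
    signature scanner looks) does not change the score of the remaining bytes.
    """
    return shannon_entropy(data) >= entropy_floor


def scan_regions(data: bytes, region_size: int = 4096):
    """Yield (offset, entropy, flagged) for each fixed-size region of the input."""
    for off in range(0, len(data), region_size):
        chunk = data[off:off + region_size]
        yield off, shannon_entropy(chunk), looks_encrypted(chunk)


if __name__ == "__main__":
    for name, sample in (("encrypted-like", ENCRYPTED_LIKE), ("plain", PLAIN_LIKE)):
        flagged = sum(1 for _, _, f in scan_regions(sample) if f)
        print(f"{name}: entropy={shannon_entropy(sample):.3f} "
              f"chi2={chi_square_uniform(sample):.0f} "
              f"flagged_regions={flagged}/{len(sample) // 4096}")
```

Run the file directly to print the scores for both samples. On a real acquisition, read the disk image in region-sized chunks and report the offsets that score high, then verify each candidate by hand: compressed data (archives, JPEG or MP3 payloads) also scores close to 8 bits per byte, so the output is a candidate list, not proof of an encrypted volume.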
Fig. 3
To begin I set up the Passware Forensic Kit, checking the scan for encrypted containers and disk images including the (I:) drive where the TrueCrypt disk resides. I then hit the search button and in just a matter of minutes it gave me the results. See fig. 4
Fig. 4
Again no hit: the Passware Forensic Kit did not detect the TrueCrypt encrypted volume in our flashdrive partition. Though, Passware has other options. You can use memory attack analysis by dumping the RAM memory and creating an image of the flashdrive using FTK Imager. Before we do all that, we need to open our TrueCrypt volume and possibly cache our passwords in our RAM memory, leaving "Never save history" unchecked. Note: in this demonstration we will be using an unaltered TrueCrypt volume, see fig. 5
Fig. 5
Now we deliberately cache the password, leaving traces in our RAM memory and leaving the bottom box "Never save history" un-checked. Next I mounted the TrueCrypt encrypted volume, see fig. 6.
Fig. 6
After entering the password and selecting the correct partition, we now can access the X-drive volume. See fig. 7
Fig. 7
As you can see we now have access to the TrueCrypt volume; I expected the password to stay in the RAM. I will now close the TrueCrypt volume and start with the memory dump and image the flash drive using FTK Imager. I hope we can capture the password from there. First, I will run DumpIt to dump what is in the memory, see fig 8.
Fig. 8
Finally, I have all the files I need: the raw image of RAM memory using DumpIt, the logical image file of the flashdrive, the pagefile.sys and memdump.mem using FTK Imager, see fig.
Fig.
In fig. 12 we will use the first option, Decrypt or mount disk by providing memory image or encryption keys. Next, tick the TrueCrypt (encrypted disk), click next, then click the Select tab and choose the drive where the TrueCrypt volume resides, which in this case is our I:\ drive. In select source of keys, I use the memdump.mem, and then click next and it should start searching the memory file and the flashdrive.
Fig. 13
After less than an hour, Elcomsoft Forensic Disk Decryptor failed to find the passwords even though we provided it with a memory dump and the TrueCrypt volume. So far we have no hits: we are unable to retrieve the password in RAM memory and the tools we used failed to recover traces of any password. We did not use any keys because we only want to use the password for the demonstration purpose. The real questions are: why did we fail to recover the password and the encrypted disk volume during live acquisition? Why did we not recover any clear text password in the raw memory dump? Where can we recover the TrueCrypt volume if there is no partition showing in the flashdrive or harddrive?
Being confronted with this kind of drawback during live acquisition only makes it difficult for the examiner, leading to halting the analysis and, most importantly, jeopardizing the investigations. However, this is not a dead end for us; we just have to be a little creative. First we need to know why our tools are not detecting anything, though we know that there is a hidden encrypted disk volume in the system. Second, why is it we are not seeing any password cache in our live memory acquisition? What are we dealing with? Does the system use security tools that defeat our tools? Is there anything configured in the system that hinders us from acquiring the evidence? If there is no sign of the encrypted hidden volume, where is it? Could the perpetrator have an encrypted volume backup hidden somewhere in the system? These are the things that we need to ask ourselves.
Now that we have all the questions in our hand, we can start looking for all the answers and find out why we are not getting any results. First, we need to look at the pagefile.sys and hiberfil.sys, to see if our suspicions are true. Let's say we run regedit and search the HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsEncryptPagingFile ( 1 ) and discover it was enabled; then we know the pagefile.sys is encrypted, and no sign of hiberfil.sys in the system means it's turned off or deleted.
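To make the registry check above concrete, here is an added Python example (not code from the paper) that reads the NtfsEncryptPagingFile DWORD out of a .reg export of the SYSTEM hive and, together with whether hiberfil.sys was found on the volume, turns it into the list of swap artefacts still worth carving for clear-text remnants. The .reg fragment is constructed for the example; the key path is the one the paper names, written in the long HKEY_LOCAL_MACHINE form that regedit exports. On a live Windows system the same setting is reported by `fsutil behavior query EncryptPagingFile`.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg export fragment (not from the paper), in the layout that
# regedit / "reg export" produce for the FileSystem key of the SYSTEM hive.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000002
"NtfsEncryptPagingFile"=dword:00000001
"Win31FileSystem"=dword:00000000
"""

# HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsEncryptPagingFile, as in the paper.
KEY_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
VALUE_NAME = "NtfsEncryptPagingFile"

_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_dwords(reg_text: str) -> Dict[str, Dict[str, int]]:
    """Collect every DWORD value in a .reg export, keyed by registry key path.

    Only dword: values are parsed; other types (hex:, strings) are skipped.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_LINE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def paging_file_encrypted(reg_text: str) -> Optional[bool]:
    """True if NtfsEncryptPagingFile is non-zero (pagefile.sys is encrypted),
    False if it is 0 or absent (the Windows default is off),
    None if the FileSystem key is not present in the export at all."""
    keys = {path.lower(): values for path, values in parse_dwords(reg_text).items()}
    values = keys.get(KEY_PATH.lower())
    if values is None:
        return None
    for name, val in values.items():
        if name.lower() == VALUE_NAME.lower():
            return val != 0
    return False


def cleartext_swap_sources(reg_text: str, hiberfil_present: bool) -> List[str]:
    """Which on-disk swap/hibernation files are still worth carving for
    clear-text remnants, given the registry state and the directory listing."""
    sources: List[str] = []
    if paging_file_encrypted(reg_text) is not True:
        sources.append("pagefile.sys")
    if hiberfil_present:
        sources.append("hiberfil.sys")
    return sources


if __name__ == "__main__":
    print("pagefile encrypted:", paging_file_encrypted(SAMPLE_REG_EXPORT))
    print("worth carving:", cleartext_swap_sources(SAMPLE_REG_EXPORT, hiberfil_present=False))
```

With the constructed export the result is the situation the paper describes: the paging file is encrypted and hiberfil.sys is missing, so neither file can be expected to hold a clear-text password, and the examiner has to look elsewhere.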
Second, we need to know what security programs are installed on the system. Let's presume that we have discovered that the system has KeyScrambler installed. We need to know how KeyScrambler is protecting the system. By going to the KeyScrambler website we can find out the features of this program. According to their website, KeyScrambler begins encrypting your keystrokes in real time at the keyboard driver level. Because KeyScrambler is located in the kernel, deep in the operating system, bypassing KeyScrambler's encryption is difficult. Now we know why our tools are ineffective at finding the cached password in the raw memory dump or pagefile.sys: KeyScrambler is replacing the clear text with random keys and NtfsEncryptPagingFile is enabled. Those are our drawbacks.
In the beginning I demonstrated how to bypass EDD's detection of an encrypted disk volume. In some cases, some users would not keep the encrypted disk volume in the harddrive partition or in a flashdrive, particularly if they are hiding important data that could get them in trouble. Most likely the perpetrator would try to create a diversion and try to outsmart the digital forensic examiner by joining the encrypted volume with another file or renaming the file extension to some random extension. Since we could not find what we were looking for, we will use a different route to search for an encrypted disk volume, and maybe we can locate the backup encrypted volume and perhaps copy the volume file for later examination.
To search all the files in the system I will use file search, assuming we don't know where the file/s are. To start we will search for images and audio files, see fig. 14.
Fig. 14
The time to finish the search depends on how many file extensions you are searching for at the same time and how many images are in the system. However, I do think it should give you a good speed, since it took me less time than I expected. After a couple of minutes our search is done; we now have all the images in front of us and the next thing to do is sort each file and look for a conspicuous file that might give us a clue.
Fig. 15
After thoroughly searching the images, I found something very unusual in one of the images, named pie chart.jpg, with MD5 hash a41218be33eebf1b3b4bb56c4e4dd4a
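The file-search step above ends with one image, pie chart.jpg, whose MD5 is recorded and which looks out of place. The Python below is an added example, not the tool or procedure from the paper, that automates that triage: it walks a directory, keeps the files whose extension claims an image format, hashes each with MD5, and flags any whose first bytes do not match the format's magic bytes, which is exactly what a container renamed to .jpg looks like. The evidence tree it builds is constructed in a temporary directory (one JPEG-looking file, one random-content file named pie chart.jpg, one text file), so nothing here is the paper's actual evidence or its hash.

```python
import hashlib
import random
import tempfile
from pathlib import Path
from typing import List, Tuple

# Magic bytes an examiner expects at offset 0 for common image formats.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}


def md5_of(path: Path, chunk: int = 1 << 20) -> str:
    """MD5 hex digest of a file, read in chunks so large images do not fill memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def header_matches(path: Path) -> bool:
    """True if the file's leading bytes agree with what its extension claims."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return True  # unknown extension: nothing to compare against
    with path.open("rb") as f:
        head = f.read(16)
    return any(head.startswith(sig) for sig in MAGIC[ext])


def triage_images(root: Path) -> List[Tuple[str, int, str, bool]]:
    """Return (relative path, size, md5, header_ok) for every file whose
    extension claims an image format, with the mismatches sorted first."""
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in MAGIC:
            rows.append((str(p.relative_to(root)), p.stat().st_size, md5_of(p), header_matches(p)))
    rows.sort(key=lambda r: (r[3], r[0]))
    return rows


def build_sample_tree() -> Path:
    """Constructed evidence tree (not the paper's data): one file with a JPEG
    header, one random-content file named pie chart.jpg, one text file."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 500)
    rng = random.Random(7)
    (root / "pie chart.jpg").write_bytes(bytes(rng.getrandbits(8) for _ in range(8192)))
    (root / "notes.txt").write_bytes(b"not an image\n")
    return root


if __name__ == "__main__":
    for rel, size, digest, ok in triage_images(build_sample_tree()):
        print(f"{'OK ' if ok else 'BAD'} {size:>8} {digest} {rel}")
```

The header check is deliberately cheap so it can run over every hit of a file-type search; a file that fails it is the one to hash, copy out and examine further (for example with an entropy score), since a TrueCrypt container has no recognizable header at all, let alone a JPEG one.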