Given the dual forces at work of easy-to-obtain encryption software and ever-increasing amounts of data associated with investigations, it is very likely that IT departments and third party investigators will encounter encrypted data in some manner.
Consequently, during the course of an investigation, or through the eDisclosure (or eDiscovery) process in either litigation or regulatory matters, it is important to be familiar with encryption techniques and with how to deal with encrypted data when it is encountered.
Encryption can range from enterprise-level software suites that deploy full-drive encryption on all computers attached to their network, down to specific, file-level encryption meant to prevent any access to sensitive information contained within the file.
This concept of 'whole device' encryption is certainly not exclusive to laptop or desktop computers, as modern smartphones and tablets usually offer the user the ability to fully encrypt the data present on the device, as well as any storage or memory cards (e.g. microSD memory cards) attached to the device.
While there are some commercial digital forensic tools that support decryption of certain encryption software suites (when provided with the appropriate credentials), the traditional digital forensic standard of creating an image of an entire hard drive from a desktop or laptop computer needs to be re-evaluated should full-drive encryption be in place.
Instead, forensic experts may need to work with their clients to determine exactly what is needed from the drive, and then conduct a more focused forensic data collection from a 'live' (running, logged-in) system, on which the data can be accessed in an unencrypted state.
IT departments or third party investigators should also be on the lookout for other, more esoteric forms of encryption.
In one of our recent engagements, we encountered an organisation that had developed their own proprietary encryption technology; its design was such that it operated in a completely unnoticeable manner to the organisation's employees, as most users were not even aware that their data was encrypted.
Data was decrypted in real-time as it was accessed on the computers, but only if the computer was connected to the corporate network. Once disconnected from the corporate network, access to the data contained on the computer would not be possible.
Identifying and understanding these encryption technologies as early as possible in the investigative process is vital to saving both time and money as the investigation unfolds. From a legal standpoint, it is also essential to check whether you have the legal authority to attempt to open encrypted data. Usually the answer is yes, but within the European Union and the Asia-Pacific region, whose many jurisdictions and governments entitle custodians to varying levels of data privacy, it is always worth checking with local counsel and the client's human resources department.
Where a client or legal statute requires that data must stay within a jurisdiction, care must be taken to ensure distribution of a document is not causing a breach of data privacy requirements.
Unfortunately, because of the myriad encryption technologies available in the marketplace today, there is no simple answer to what to do when you've found encrypted data. However, there are some common methods of dealing with encrypted data that can be employed in most investigations:
Brute force attacks: Brute force attacks are one of the most common techniques used in an attempt to access encrypted data. As the name implies, the attack relies on trying millions, if not billions, of possible passwords against the encrypted data in the hope that one of them will work.
Typically, a language-specific or industry-specific dictionary is used (many of these can be found on the internet), and each word in the dictionary is tried in turn. If no word in the original dictionary succeeds in accessing the encrypted data, other permutations are often tried, such as a 'reverse' dictionary, where the words are spelled backwards, or a full dictionary, where every word of a language may be tried. The number of dictionary permutations, and permutations of permutations, can allow for multiple trillions of possible passwords to be tried in a brute force attack.
Golden dictionaries: Something of an offshoot of brute force attacks, a 'golden' dictionary is a record of all previously recovered passwords identified in past investigations. It is often tried first in decryption efforts, because studies have shown that certain passwords are used by large numbers of users.
Most decryption software suites will keep a record of these previously-recovered passwords and create a custom golden dictionary based on past investigations. This type of attack can yield good results when dealing with encrypted data from multiple devices belonging to the same person, as most people do not create a different password for each device they use.
Observational dictionaries: People will often use passwords that are personal in nature, such as a spouse or a child's name, anniversary date, etc. The rampant rise of social media has now placed people's once personal details in an easily-accessible, searchable format in Twitter feeds, Facebook pages and LinkedIn profiles.
A cursory examination of an individual's social media profile may allow an investigator to build a custom dictionary of names, places and events that hold some importance to that person and, as such, may have been used as passwords for encrypted data.
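The three dictionary-based methods above (dictionary words and their permutations, a 'golden' list of previously recovered passwords, and personal details gathered by observation) are exactly the categories a defender can screen for when enforcing a password policy. The following is an added example, not code from the original article, showing a small policy checker that flags a candidate password if it falls into any of those categories. The dictionaries, golden list, and personal details are constructed sample data; the permutation rules (reversal, case changes, simple character substitution, common suffixes) are assumptions chosen to mirror the permutations the article describes, not an exhaustive rule set.

```python
# Added example: a defensive password-policy checker that mirrors the
# dictionary, golden-dictionary and observational categories described above.

# Constructed sample data (stand-ins for real word lists, not from the article).
BASE_DICTIONARY = {"password", "welcome", "dragon", "summer", "london"}
GOLDEN_DICTIONARY = {"Summer2019", "letmein"}        # constructed "previously recovered" list
PERSONAL_DETAILS = ["Alice", "Rover", "19850412"]    # constructed, as if taken from a profile

# Simple character substitutions that cracking rule sets commonly apply (assumed).
LEET_MAP = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
COMMON_SUFFIXES = ("", "1", "123", "!", "2019")      # assumed common suffix rules


def permutations_of(word):
    """Return the set of cheap permutations of one word: reversed, case
    variants, character substitutions, and common suffixes."""
    base = word.lower()
    case_variants = {base, base[::-1], base.capitalize(), base.upper()}
    # Apply substitutions to every case variant so 'L0nd0n' is covered too.
    variants = set(case_variants) | {v.translate(LEET_MAP) for v in case_variants}
    return {v + suffix for v in variants for suffix in COMMON_SUFFIXES}


def weak_password_reason(password, dictionary=BASE_DICTIONARY,
                         golden=GOLDEN_DICTIONARY, personal=PERSONAL_DETAILS):
    """Return a short reason string if the password is weak under one of the
    three categories, or None if it passes all checks.

    Checks run in the order an investigator would try them: the golden list
    first (cheapest, highest hit rate), then dictionary permutations, then
    observational (personal) details.
    """
    if password in golden:
        return "golden"
    # Sorted iteration keeps the reported word deterministic.
    for word in sorted(dictionary):
        if password in permutations_of(word):
            return f"dictionary:{word}"
    for detail in personal:
        if password in permutations_of(detail):
            return f"observational:{detail}"
    return None


def audit(passwords, **kwargs):
    """Audit a batch of candidate passwords; returns {password: reason}
    containing only the weak ones."""
    results = {}
    for pw in passwords:
        reason = weak_password_reason(pw, **kwargs)
        if reason is not None:
            results[pw] = reason
    return results


if __name__ == "__main__":
    # Constructed candidates, one per category plus one that should pass.
    for pw, why in audit(["letmein", "drowssap", "Rover123", "L0nd0n!",
                          "correct-horse-battery"]).items():
        print(f"{pw!r} rejected: {why}")
```

Running the block prints the rejected candidates with the category that caught them; the passphrase that matches none of the lists is not printed. In a real deployment the golden list would come from the organisation's own breach or incident history and the observational list from the user's directory attributes, and the checker would sit in the password-change path rather than being run over plaintext passwords after the fact.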
Ultimately, success depends on the practical and technical prowess of your technical team, who should be able to use appropriate software and procedures designed to properly retrieve and decode the electronic data.
After that has been accomplished, the formerly-encrypted data can then be processed and analysed along with the remainder of the data for the matter.