Wylie, Texas
lee@forensic4cast.com

Forensic Focus Interview

I was recently asked by Jamie Morris of Forensic Focus to participate in an interview for his website. You can read the interview here. If I said anything that you agree/disagree with feel free to post comments here and I’ll reply in due course.

4 Responses

  1. Frank says:

    Great interview, nearly as good as the 4cast podcast.

    I just got confused regarding Truecrypt when you say “Now we find that entropy testing can tell us if the data is encrypted”.

    I am not a hands in expert and only an IT computer student, but to the best of my knowledge, if someone hands you in a CD containing an encrypted Truecrypt file with no identifying extension (.tc) it would be impossible to prove beyond reasonable doubt that they have an encrypted file on the CD, even more difficult to prove that Truecrypt in particular was used to encrypt that file. Truecrypt makes similar claims on their page as well.

    I know random data can be detected and software such as TCHunt attempts to find out encrypted Truecrypt files, but this is no perfect science and probably not admissible in Court because of all the false positives it gives.

    I would be interested in knowing more about methods for finding out encrypted files through entropy testing, maybe you could talk about it on the next podcast?

    And since you are in the UK, I guess you are aware of the RIPA Act where someone can be send to prison for refusing to divulge their password to the police.

    Being able to prove that the file is encrypted in the first place it is essential for this to happen, and I do not see how that can be done right now, other than seizing the computer, looking at registry keys, etc…

    If an external device is fully encrypted with Truecrypt and the owner claims he wiped it with some sofware which name he can not remember (hence no wiping pattern), the case would be next to impossible, but you are welcome to correct me if this is wrong.

  2. lee says:

    Frank,
    Great questions.
    Yes, Truecrypt do make that claim, its a claim that they have made since the software was originally released and it has stood up to the tests time after time. However there is an increasing number of utilities that can state that data is encrypted. The statistics of this vary depending on how the data was encrypted. Truecrypt encryption can be detected with high probability. However this does not mean that forensic investigators can walk in and decrypt the data. It might be worth talking to Simon Key at Guidance to ask him about the Truecrypt encryption detection script.
    I will attempt to find out more information about the topic and discuss it in a future episode.
    Under RIPA a person is only coerced to divulge their password if it is a matter of national security. It would then be up to the investigator to back up their conclusions about the Truecrypt volumes. This may change in future versions of the software but at the moment it seems as if it is possible.

  3. Frank says:

    Regarding the RIPA Act, these are now old news, but here it goes anyway.

    Campaigners hit by decryption law:
    http://news.bbc.co.uk/2/hi/technology/7102180.stm

    I am not sure that could be call a matter of national security although for some it may be, my guess is that even if the law was initially passed with national security in mind, it will not be long before rules are bent according to need.

    Rules are always open to interpretation depending on who is at the other end of the stick.

    • lee says:

      In regards to this story, these animal right activists were adjudged to have been involved in terrorism. This is not necessarily the work of groups like the IRA and Al-Qaeda, but under the traditional definition of terrorism, i.e. to cause terror. Under these circumstances RIPA can be enacted. Yes, this depends on your interpretation of terrorism and national security, and yes, laws can be exploited but that’s why people have legal representation, so that they can fight these issues.
      The article also suggets that pedophiles are under the under the same obligation however I don’t believe that this is accurate. I could be wrong and I would be glad to be proven so as it would make my life easier.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.