Forensic Artifacts Left By Virtual Disk Encryption Tools

Sungsu Lim, Jungheum Park, Kyung-soo Lim
Center for Information Security Technologies (CIST), Korea University, Seoul, Korea
[email protected], [email protected], [email protected]

Changhoon Lee
Hanshin University, Osan, Korea
[email protected]

Sangjin Lee
Center for Information Security Technologies (CIST), Korea University, Seoul, Korea
[email protected]

Abstract—A virtual disk encryption tool is a privacy protection tool that encrypts data by generating virtual disk images. An encrypted virtual disk cannot be mounted without authentication, such as a key or a passphrase. It can therefore serve as an anti-forensic tool that hinders a digital forensic investigation, because the content of the virtual disk cannot be identified without mounting it. This study investigates, through experiments, the installation, runtime, and deletion behaviors of virtual disk encryption tools in a Windows XP SP3 environment. It also organizes the traces related to the tools and the elements that can verify that a virtual disk was mounted.

Keywords: Digital Forensics; Virtual Disk Encryption; Forensic artifacts

I. INTRODUCTION
Encryption is a method of turning meaningful information into an obscured format by means of an algorithm [3]. With the algorithms in use today, it is practically infeasible to recover the plaintext from the ciphertext without the decryption key. Encryption is therefore the most powerful method of preventing access to data by unauthenticated users, and in recent years its use to conceal evidence of crimes has increased. In particular, the introduction of disk encryption tools that encrypt disks easily, such as PGP (Pretty Good Privacy), TrueCrypt, and BitLocker, has increased the number of encrypted disks that must be handled in a digital forensic investigation [2].

Recently, tools using the FDE (Full Disk Encryption) and VDE (Virtual Disk Encryption) methods have been widely used to encrypt disks. With both methods, the mounted disk is released when the system is shut down and the data remain in an encrypted state. Because obtaining the decryption key of an encrypted disk by a brute force or dictionary attack is limited in practice, such a disk is difficult to use in a digital forensic investigation [5]. In an actual case in the USA, child pornography was stored in a virtual disk generated with PGP as the 'Z' drive on Sebastien Boucher's laptop; the investigators, who did not recognize this and shut the laptop down before analysis, could not open the encrypted disk [1]. Also, in a Korean investigation of a criminal who hacked a bank, the suspect shut down his desktop, which encrypted its data with TrueCrypt, and this made it difficult to proceed with the investigation. Therefore, when a system is found in a live state during the initial response, it is necessary to verify whether an FDE or VDE tool (an anti-forensic tool) is in use before shutting the system down, and to collect as much evidence as possible while the system is live and the data are in a decrypted state [4]. This study summarizes the tool-related information that is generated in a system when a VDE encryption tool is used, and proposes the traces by which it can be verified that a virtual disk was used in the system.

978-1-4244-7570-4/10/$26.00 ©2010 IEEE

II. RELATED WORKS
Encryption tools are classified according to the subject of the encryption: file encryption, FDE (Full Disk Encryption), partition encryption, and VDE (Virtual Disk Encryption). This study investigated four tools that encrypt virtual disk image files.

A. Virtual Disk Encryption

Virtual disk encryption is a type of on-the-fly data encryption: the tool generates a virtual disk image, encrypted with one of various encryption algorithms, and mounts it as a virtual disk in the system only for a user who passes the encryption key authentication [12]. The mounted virtual disk is treated the same as an actual physical disk, and files can easily be stored on it and read from it. When the user stops using the encryption tool or shuts down the system, the image remains stored in its encrypted form. Transmitting a virtual disk image to another user has the effect of transferring an entire encrypted disk.

Figure 1. On-The-Fly data encryption

B. Virtual Disk Encryption Tools

TABLE I. VIRTUAL DISK ENCRYPTION TOOLS

Name                     | Manufacturer         | Ver. | Op mode           | Availability
PGP Desktop Professional | PGP Corporation      | 10.0 | File, Disk, Email | Commercial
TrueCrypt                | TrueCrypt Foundation | 6.3A | Disk              | Freeware
Rohos Disk Encryption    | Tesline-Service      | 1.15 | Disk              | Commercial
SafeHouse Professional   | PC Dynamics          | 3.01 | Disk              | Commercial

PGP uses a password verification process together with a Private Key/Public Key pair. Therefore decryption is not possible when only the password, or only the key pair, is presented. An authenticated user can mount a virtual disk image and use it as an actual disk. Diffie-Hellman/DSS and RSA are used for the Private Key and Public Key, and AES, CAST, TripleDES, IDEA, and Twofish are used as encryption algorithms. The supported hash algorithms are SHA-2-256, SHA-2-384, SHA-2-512, RIPEMD-160, SHA-1, and MD5 [11].

TrueCrypt is a tool that uses an encrypted file as a virtual drive, protected by a password [15]. Data can be protected with the encryption algorithms AES, Serpent, and Twofish, and with the hash algorithms HMAC-SHA-512, HMAC-RIPEMD-160, and HMAC-Whirlpool. In addition to virtual disk encryption, it supports storage encryption of USB drives and hard disks, and partition encryption in which authentication is performed at boot time using a CD [8].

Rohos Disk Encryption can create an encrypted virtual disk with a password and mount it in a system after password authentication. There is no limitation on the capacity or number of virtual disks. It uses AES and Blowfish as encryption algorithms, a USB flash drive can be used instead of the password, and the virtual disk can be mounted in a different system without a specific tool [13].

SafeHouse uses AES, Blowfish, Twofish, DES, and TripleDES as encryption algorithms. It encrypts the data section of a virtual disk using the user's password and a hash value generated by the tool itself, and the desired disk can be mounted with the password [14].

III. TESTING METHODOLOGY

To investigate the artifacts that are generally created during the Installation, Runtime, and Deletion of the tools, as well as the particular elements created by each tool itself, a test environment was configured using Virtual Machines (VMs). The items examined to verify the traces of tool use are files, folders, registry keys, signatures of the virtual disk image files, and Prefetch files, for each phase of tool use. The investigation was performed with EnCase 6.13 (Guidance Software), Process Monitor (Windows Sysinternals), Windows File Analyzer (Mitec), and Regshot. The test and analysis monitor the items listed in Table 2 during the installation, runtime, and deletion of each VDE tool.

TABLE II. ARTIFACTS & MONITORING POINTS

Artifacts         | Monitoring Point
Installation path | Installation / Deletion
Registry keys     | Installation / Deletion
Prefetch files    | Installation / Runtime / Deletion
VDF Signature     | Runtime

The installation phase uses the default options without any modification. In the runtime phase, a virtual disk of the same size is generated with each VDE tool and mounted in the VM; then a file 'evidence.txt' with common contents is created and stored in the mounted disk. In the deletion phase, the mounted virtual disk is unmounted, the tool is removed using Add or Remove Programs in the Windows Control Panel, and the files used for the virtual disk are deleted. After the deletion phase is completed, the VM is rebooted. The analysis covers the monitoring results at the three points. In addition, the signature of the Virtual Disk Image File generated by each tool can serve as a clue for finding deleted virtual disk image files, and the artifacts remaining after deletion are verified by keyword searching.

A. Target System Configuration

The test environment was configured with VMware Workstation 7.0. Four VMs, each with 512 MB of RAM and an 8 GB hard disk, were generated. Windows XP Professional SP3 was installed, followed by the monitoring and analysis tools and the VDE tools. One VDE tool was installed per VM to prevent interference between tools.

B. Virtual Disk Configuration

The virtual disk generated with each VDE tool was allocated 1 GB and formatted with the NTFS file system. The virtual disk was named in the format presented in Fig. 2 so that it can easily be identified.
Figure 2. Virtual Disk Image File Name Format

The drive letters for mounting the disks were allocated as follows: PGP Desktop Professional 'Z', TrueCrypt 'Y', Rohos Disk Encryption 'X', and SafeHouse Professional 'W'.

IV. VIRTUAL DISK ENCRYPTION TOOL ARTIFACTS

In general, the folders, files, and registry keys generated during the installation, runtime, and deletion of a tool are removed when the tool is deleted. However, the Prefetch files and some registry keys generated by the operating system usually remain after the tool is deleted. In particular, the traces created by mounting a virtual disk in the system can be used to prove the existence and use of the virtual disk, and so they can serve as important clues in a digital forensic investigation.

A. Default Program Folders

The investigation of the default program folders generated during installation verified that each tool creates folders with its own unique names under %PROGRAMFILES%, as presented in Table 3. When a tool is uninstalled, the result must be verified, because some folders remain in their paths.

TABLE III. LIST OF PROGRAM FOLDERS

Name                            | Artifacts of program folder                      | Deleted
PGP Desktop Professional 10.0.0 | %PROGRAMFILES%\PGP Corporation\                  | No
                                | %USERPROFILE%\My Documents\PGP                   | Yes
TrueCrypt 6.3A                  | %PROGRAMFILES%\TrueCrypt\                        | Yes
                                | %ALLUSERSPROFILE%\Start Menu\Programs\TrueCrypt  | No
Rohos Disk Encryption 1.15      | %PROGRAMFILES%\Rohos\                            | Yes
                                | %ALLUSERSPROFILE%\Start Menu\Programs\Rohos      | Yes
SafeHouse Professional 3.01     | %PROGRAMFILES%\SafeHouse\                        | No
                                | %HOMEDRIVE%\SafeHouse\                           | No

B. Registry Artifacts

The registry is a central hierarchical database that stores the information required to operate the operating system and application programs; because it manages the configuration information of application programs, many registry keys are written when a tool is installed [7]. PGP Desktop Professional was verified to generate 66 registry keys. The registry keys generated and written during the installation of the tools are listed in Table 4. Although most registry keys were deleted when the tools were removed, a large part of them remained.

TABLE IV. LIST OF REGISTRY KEYS

PGP Desktop Professional 10.0.0
  HKU\{SID}\Software\PGP Corporation
  HKU\{SID}\Software\PGP Corporation\PGP
  HKU\{SID}\Software\PGP Corporation\Universal
  HKLM\SOFTWARE\Classes\{.aexpk\PGP Armored Extracted Public Key, .asc\PGP Armored File, .bexpk\PGP Binary Extracted Public Key, .krb\PGP Key Reconstruction, .pgd\PGPdisk Volume, .pgp, .pgp\PGP Encrypted File, .pkr\PGP Public Keyring, .prvkr\PGP Private Keyring, .pubkr\PGP Public Keyring, .rnd\PGP Random Seed, .shf\PGP Share, .sig\PGP Detached Signature File, .skr\PGP Private Keyring, PGP Armored Extracted Public Key, PGP Armored File, PGP Binary Extracted Public Key, PGP Detached Signature File, PGP Encrypted File, PGP Key Reconstruction, PGP Private Keyring, PGP Public Keyring, PGP Random Seed, PGP Share, PGPdisk Volume, PGPolplg.PGPConnect, PGPolplg.PGPConnect.1}
  HKLM\SYSTEM\ControlSet001\Enum\Root\{LEGACY_PGPDISK, LEGACY_PGPFS, LEGACY_PGPPWFLT, LEGACY_PGPSDKDRIVER, LEGACY_PGPSERV, LEGACY_PGPWDEFS}
  HKLM\SYSTEM\ControlSet001\Services\{Eventlog\Application\PGPserv, Eventlog\System\PGPdisk, PGPdisk, pgpfs, PGPpwflt, PGPsdkDriver, PGPserv, PGPwded, Pgpwdefs, Pgpwdefs\Instances\Pgpwdefs Instance}
  HKLM\SYSTEM\ControlSet002\Enum\Root\{LEGACY_PGPDISK, LEGACY_PGPFS, LEGACY_PGPPWFLT, LEGACY_PGPSDKDRIVER, LEGACY_PGPSERV, LEGACY_PGPWDEFS}
  HKLM\SYSTEM\ControlSet002\Services\{Eventlog\Application\PGPserv, Eventlog\System\PGPdisk, PGPdisk, pgpfs, PGPpwflt, PGPsdkDriver, PGPserv, PGPwded, Pgpwdefs, Pgpwdefs\Instances\Pgpwdefs Instance}
  HKLM\SOFTWARE\PGP Corporation
  HKLM\SOFTWARE\PGP Corporation\Common
  HKLM\SOFTWARE\PGP Corporation\PGP

TrueCrypt 6.3A
  HKLM\SOFTWARE\Classes\TrueCryptVolume
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrueCrypt
  HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TRUECRYPT
  HKLM\SYSTEM\ControlSet001\Services\truecrypt
  HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_TRUECRYPT
  HKLM\SYSTEM\ControlSet002\Services\truecrypt

Rohos Disk Encryption 1.15
  HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Rohos
  HKU\{SID}\Software\Rohos
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rohos_Rohos22_is1
  HKLM\SOFTWARE\Rohos

SafeHouse Professional 3.01
  HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\SafeHouse Utilities
  HKU\{SID}\Software\PC Dynamics\SafeHouse16
  HKLM\SOFTWARE\Classes\{SafeHouse.Brand, SafeHouse.PKCS11Token, SafeHouse.PKCS11Token1, SafeHouse.Smartcard, SafeHouse.Volume, SafeHouseCOM.SafeAdmin, SafeHouseCOM.SafeAdmin.1, SafeHouseCOM.SafeHouseUtility, SafeHouseCOM.SafeHouseUtility.1}
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeHouse16
  HKLM\SOFTWARE\PC Dynamics\SafeHouse16
C. Virtual Disk File Signature

Table 5 shows the results of the investigation of the signatures of the generated virtual disk image files. The image files generated by all tools except TrueCrypt carry a signature. Therefore, traces of the virtual disk image files used by PGP Desktop Professional, Rohos Disk Encryption, and SafeHouse Professional can be verified by searching for these signatures in unallocated regions, provided the region has not been overwritten after the file was deleted. A TrueCrypt volume carries no signature, so a deleted TrueCrypt image file cannot be located by signature search.

TABLE V. LIST OF VIRTUAL DISK FILE SIGNATURES

Name                            | Signature of Virtual Disk File
PGP Desktop Professional 10.0.0 | ASCII: PGPdMAINd.
                                | HEX:   0x 50 47 50 64 4D 41 49 4E 64 01
TrueCrypt 6.3A                  | None
Rohos Disk Encryption 1.15      | ASCII: ROHO....
                                | HEX:   0x 52 4F 48 4F 90 08 00 00
SafeHouse Professional 3.01     | ASCII: WARNING: This file is a SafeHouse virtual disk volume.<CR><LF>header version: 2.00
                                | HEX:   0x 57 41 52 4E 49 4E 47 3A 20 54 68 69 73 20 66 69 6C 65 20 69 73 20 61 20 53 61 66 65 48 6F 75 73 65 20 76 69 72 74 75 61 6C 20 64 69 73 6B 20 76 6F 6C 75 6D 65 2E 0D 0A 68 65 61 64 65 72 20 76 65 72 73 69 6F 6E 3A 20 32 2E 30 30
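The signature search described above, as an added example (this code is not from the paper): it carves the Table 5 headers out of a raw byte buffer such as a dump of unallocated clusters exported from EnCase, reports whether each hit is sector-aligned (a header that starts mid-sector is more likely a string embedded in another file than a deleted volume), and, because a TrueCrypt container has no signature, adds a byte-entropy heuristic that flags ciphertext-like blocks for manual review. The 4 KiB window, the 7.8 bits/byte threshold and the sample image are assumptions of this example, not results of the paper.

```python
"""Carve virtual-disk container headers out of a raw byte buffer.

Added example (not code from the paper): scans a dump of unallocated
clusters for the header signatures listed in Table 5, and flags blocks
whose entropy is close to 8 bits/byte as candidates for containers that
carry no signature (TrueCrypt). The sample image is constructed below.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

# Header signatures as reported in Table 5 of the paper.
SIGNATURES: Dict[str, bytes] = {
    "PGP Desktop Professional 10.0.0 (PGPdisk)": bytes.fromhex("50475064 4D41494E 6401"),
    "Rohos Disk Encryption 1.15": bytes.fromhex("524F484F 90080000"),
    "SafeHouse Professional 3.01": (
        b"WARNING: This file is a SafeHouse virtual disk volume.\r\n"
        b"header version: 2.00"
    ),
}

SECTOR = 512               # a deleted file header starts on a sector boundary
BLOCK = 4096               # entropy window (assumption: NTFS default cluster size)
ENTROPY_THRESHOLD = 7.8    # assumption: 4 KiB of ciphertext scores about 7.95 bits/byte


def carve_signatures(buf: bytes, sector: int = SECTOR) -> List[Tuple[int, str, bool]]:
    """Return (offset, tool, sector_aligned) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str, bool]] = []
    for tool, sig in SIGNATURES.items():
        pos = buf.find(sig)
        while pos != -1:
            hits.append((pos, tool, pos % sector == 0))
            pos = buf.find(sig, pos + 1)
    return sorted(hits)


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def high_entropy_blocks(buf: bytes, block: int = BLOCK,
                        threshold: float = ENTROPY_THRESHOLD) -> List[int]:
    """Offsets of fixed-size blocks that look like ciphertext and do not start
    with a known signature: candidates for a signature-less (TrueCrypt) container."""
    signed = {off for off, _, _ in carve_signatures(buf)}
    return [
        off for off in range(0, len(buf) - block + 1, block)
        if off not in signed and shannon_entropy(buf[off:off + block]) >= threshold
    ]


def build_sample_image() -> bytes:
    """Constructed 32 KiB 'unallocated space' dump for the example: a PGPdisk
    header at offset 0, a SafeHouse header at sector 5, a Rohos header at 8192
    and a pseudo-random, ciphertext-like block at 16384. Everything else is zero."""
    img = bytearray(32 * 1024)
    pgp = SIGNATURES["PGP Desktop Professional 10.0.0 (PGPdisk)"]
    rohos = SIGNATURES["Rohos Disk Encryption 1.15"]
    safehouse = SIGNATURES["SafeHouse Professional 3.01"]
    img[0:len(pgp)] = pgp
    img[5 * SECTOR:5 * SECTOR + len(safehouse)] = safehouse
    img[8192:8192 + len(rohos)] = rohos
    rng = random.Random(2010)  # fixed seed keeps the example reproducible
    img[16384:16384 + BLOCK] = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for off, tool, aligned in carve_signatures(image):
        print(f"{off:#010x}  {tool}  sector-aligned={aligned}")
    for off in high_entropy_blocks(image):
        ent = shannon_entropy(image[off:off + BLOCK])
        print(f"{off:#010x}  high-entropy block ({ent:.2f} bits/byte), no known signature")
```

The entropy check is only a triage aid: compressed archives and other encrypted files score just as high, so a flagged block proves nothing by itself and must be correlated with the Prefetch and registry artifacts described in the following subsections.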
D. Prefetch Artifacts

The representative artifacts generated by the operating system are Prefetch files. A Prefetch file is generated to improve application start-up speed: it stores the system resources used while an application runs, so that they can be loaded in advance the next time the user executes it [9][16]. It is in effect a log of the system boot process and of application executions, and contains various information that can be used in a digital forensic investigation. Table 6 shows the Prefetch files that remained after the installation, runtime, and deletion of the tools. As shown in Table 6, Prefetch files remained after the deletion of every tool investigated in this study; thus the installation and execution of a virtual disk encryption tool can be proved from its Prefetch files.

TABLE VI. LIST OF PREFETCH FILES

Name                            | Artifacts of Prefetch Files
PGP Desktop Professional 10.0.0 | %SYSTEMROOT%\Prefetch\PGPDESK.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\PGPDESKTOPWIN32-10.0.0.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\PGPFSD.EXE-{HASH}.pf
TrueCrypt 6.3A                  | %SYSTEMROOT%\Prefetch\TRUECRYPT SETUP.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\TRUECRYPT.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\TRUECRYPT FORMAT.EXE-{HASH}.pf
Rohos Disk Encryption 1.15      | %SYSTEMROOT%\Prefetch\ROHOS.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\AGENT.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\CENTER.EXE-{HASH}.pf
SafeHouse Professional 3.01     | %SYSTEMROOT%\Prefetch\SDWCREAT.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\SDWTRAY.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\SDWMAP32.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\SDWMON32.EXE-{HASH}.pf
                                | %SYSTEMROOT%\Prefetch\PKCS11TOKEN.EXE-{HASH}.pf
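An added example (not code from the paper) that decodes the fields an examiner reads from one of the Table 6 files: the executable name, the path hash that forms the {HASH} part of the file name, the last run time and the run count, and maps the executable back to its VDE tool. It assumes the Windows XP Prefetch format (version 17) header layout; the sample .pf file, its hash value and its timestamp are constructed for the example.

```python
"""Parse the header of a Windows XP (format version 17) Prefetch file.

Added example (not code from the paper). A .pf file records the executable
name, a path hash (the {HASH} in the file names of Table 6), the last run
time and the run count, so a remaining Prefetch file shows that a VDE tool
executable ran even after the tool was uninstalled. The sample file below
is constructed; the offsets are those of the version 17 (XP/2003) layout.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

SCCA_VERSION_XP = 17
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Executable names from Table 6 mapped to the VDE tool that installs them.
VDE_EXECUTABLES: Dict[str, str] = {
    "PGPDESK.EXE": "PGP Desktop Professional",
    "PGPDESKTOPWIN32-10.0.0.EXE": "PGP Desktop Professional",
    "PGPFSD.EXE": "PGP Desktop Professional",
    "TRUECRYPT SETUP.EXE": "TrueCrypt",
    "TRUECRYPT.EXE": "TrueCrypt",
    "TRUECRYPT FORMAT.EXE": "TrueCrypt",
    "ROHOS.EXE": "Rohos Disk Encryption",
    "AGENT.EXE": "Rohos Disk Encryption",
    "CENTER.EXE": "Rohos Disk Encryption",
    "SDWCREAT.EXE": "SafeHouse Professional",
    "SDWTRAY.EXE": "SafeHouse Professional",
    "SDWMAP32.EXE": "SafeHouse Professional",
    "SDWMON32.EXE": "SafeHouse Professional",
    "PKCS11TOKEN.EXE": "SafeHouse Professional",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, computed with integer arithmetic."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def is_xp_prefetch(data: bytes) -> bool:
    """True when the buffer carries the SCCA signature and the XP version number."""
    return (len(data) >= 0x98 and data[4:8] == b"SCCA"
            and struct.unpack_from("<I", data, 0)[0] == SCCA_VERSION_XP)


def parse_xp_prefetch(data: bytes) -> Dict[str, object]:
    """Decode the fields an examiner needs from a version 17 Prefetch header."""
    version, signature, _unused, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a Prefetch file (missing SCCA signature)")
    if version != SCCA_VERSION_XP:
        raise ValueError(f"format version {version}: only the XP layout (17) is handled here")
    raw_name = data[0x10:0x10 + 60]                       # UTF-16LE, NUL terminated
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]   # the {HASH} in the file name
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    return {
        "executable": exe_name,
        "path_hash": path_hash,
        "prefetch_name": f"{exe_name}-{path_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "file_size": file_size,
        "vde_tool": VDE_EXECUTABLES.get(exe_name.upper()),
    }


def build_sample_prefetch(exe_name: str, path_hash: int,
                          last_run: datetime, run_count: int) -> bytes:
    """Constructed minimal version 17 header (0x98 bytes) for the example."""
    buf = bytearray(0x98)
    struct.pack_into("<I4sII", buf, 0, SCCA_VERSION_XP, b"SCCA", 0x0F, len(buf))
    name = exe_name.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


# Constructed sample: hash value and timestamp are placeholders, not measured data.
SAMPLE_PF = build_sample_prefetch(
    "TRUECRYPT.EXE", 0x3B2F1A7C, datetime(2010, 3, 15, 9, 30, tzinfo=timezone.utc), 3)

if __name__ == "__main__":
    for field, value in parse_xp_prefetch(SAMPLE_PF).items():
        print(f"{field:14} {value}")
```

A real file from %SYSTEMROOT%\Prefetch\ can be passed to parse_xp_prefetch() after reading it in binary mode; the last run time is what ties the tool execution to the timeline of the virtual disk image file and the MountedDevices entries discussed next.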
E. Artifacts of Mounted Virtual Disk

Based on the information investigated above, the installation, runtime, and deletion behaviors of the virtual disk encryption tools can be verified. However, proving installation, runtime, and deletion alone does not definitively establish that an encrypted disk was actually used on the subject system, so an additional artifact is required. For PGP Desktop Professional and TrueCrypt, the mounting of a virtual disk in the system was verified by the unique text strings found in the registry key 'HKLM\SYSTEM\MountedDevices\', as noted in Table 7. 'HKLM\SYSTEM\MountedDevices\' is where Mountmgr.sys, the mount manager driver, records drive letter information for dynamic disk volumes and for basic disk volumes that have been added [10]. Therefore, once the installation, runtime, and deletion behaviors of PGP Desktop Professional or TrueCrypt have been verified on the subject system, the mounting of the encrypted virtual disk can be proved by checking 'HKLM\SYSTEM\MountedDevices\'.

TABLE VII. LIST OF MOUNTED VIRTUAL DRIVE ARTIFACTS

Name                            | Artifacts of Mounted Virtual Drives
PGP Desktop Professional 10.0.0 | Value: \??\Volume{GUID}
                                | Data:  PGPdiskVolume{1,2,3,...}
TrueCrypt 6.3A                  | Value: \??\Volume{GUID}
                                | Data:  TrueCryptVolume{Z-A}
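Added example (not code from the paper) of the check described above: given the values of HKLM\SYSTEM\MountedDevices (read with the standard winreg module on a live system, or exported from an offline SYSTEM hive), it decodes each REG_BINARY value, matches the Table 7 strings, and recovers the drive letter each virtual disk was mounted on by pairing a \DosDevices\<letter>: value with the \??\Volume{GUID} value that holds identical data. The sample values, GUIDs and disk signature are constructed; the 12-byte basic-disk identifier format and the tolerance for a '\??\' prefix before the volume string are assumptions of this example.

```python
"""Identify PGP Desktop and TrueCrypt mounts in HKLM\\SYSTEM\\MountedDevices.

Added example (not code from the paper). MountedDevices is a flat key whose
values are named "\\DosDevices\\<letter>:" or "\\??\\Volume{GUID}" and whose
REG_BINARY data identifies the volume: 12 bytes (disk signature + partition
offset) for a basic-disk partition, or, for the VDE drivers, a UTF-16LE string
such as PGPdiskVolume1 / TrueCryptVolumeY (Table 7). A drive-letter value and
a Volume{GUID} value that carry the same data refer to the same volume.
"""
import re
from typing import Dict, List, Optional

# Patterns from Table 7: PGPdiskVolume{1,2,3,...} and TrueCryptVolume{Z-A}.
# search() rather than match() tolerates a device-namespace prefix such as "\??\".
VDE_VOLUME_PATTERNS = {
    "PGP Desktop Professional": re.compile(r"PGPdiskVolume(\d+)$"),
    "TrueCrypt": re.compile(r"TrueCryptVolume([A-Z])$"),
}


def decode_volume_string(data: bytes) -> Optional[str]:
    """Return the UTF-16LE text stored in a MountedDevices value, or None when
    the data is not printable ASCII text (e.g. the 12-byte basic-disk identifier)."""
    if len(data) < 2 or len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return None
    if not text or not all(0x20 <= ord(ch) < 0x7F for ch in text):
        return None
    return text


def classify_volume(text: str) -> Optional[str]:
    """Name of the VDE tool whose volume string this is, or None."""
    for tool, pattern in VDE_VOLUME_PATTERNS.items():
        if pattern.search(text):
            return tool
    return None


def find_vde_mounts(values: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Report every Volume{GUID} value that names a VDE volume, together with
    the drive letters whose \\DosDevices\\ value holds identical data."""
    letters_by_blob: Dict[bytes, List[str]] = {}
    for name, data in values.items():
        if name.startswith("\\DosDevices\\"):
            letters_by_blob.setdefault(data, []).append(name[len("\\DosDevices\\"):])
    found: List[Dict[str, object]] = []
    for name, data in values.items():
        if not name.startswith("\\??\\Volume{"):
            continue
        text = decode_volume_string(data)
        tool = classify_volume(text) if text else None
        if tool:
            found.append({"value": name, "volume": text, "tool": tool,
                          "drive_letters": sorted(letters_by_blob.get(data, []))})
    return found


def read_live_mounted_devices() -> Dict[str, bytes]:
    """Read the key on a live Windows system with the standard library
    (administrative rights needed). Not called by the offline sample run."""
    import winreg  # Windows only
    values: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values


# Constructed sample values: GUIDs and the disk signature are placeholders.
_BASIC_DISK_C = bytes.fromhex("d4c3b2a1") + (63 * 512).to_bytes(8, "little")
_PGP = "PGPdiskVolume1".encode("utf-16-le")
_TC = "TrueCryptVolumeY".encode("utf-16-le")
SAMPLE_MOUNTED_DEVICES: Dict[str, bytes] = {
    r"\DosDevices\C:": _BASIC_DISK_C,
    r"\??\Volume{2f1a7c3e-0000-0000-0000-000000000001}": _BASIC_DISK_C,
    r"\??\Volume{2f1a7c3e-0000-0000-0000-000000000002}": _PGP,
    r"\DosDevices\Z:": _PGP,
    r"\??\Volume{2f1a7c3e-0000-0000-0000-000000000003}": _TC,
    r"\DosDevices\Y:": _TC,
}

if __name__ == "__main__":
    for hit in find_vde_mounts(SAMPLE_MOUNTED_DEVICES):
        print(f"{hit['tool']:26} {hit['volume']:18} letters={hit['drive_letters']}")
```

The entries persist after the volume is dismounted and, as the paper's deletion phase shows, after the tool is uninstalled, which is what makes them usable as proof of mounting; the ordinary 12-byte basic-disk entries such as C: are ignored because they never decode to printable text.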
V. CONCLUSION AND FUTURE WORKS

With the wide spread of easy and simple encryption tools like PGP, these tools are increasingly used not to protect privacy but for anti-forensic purposes. In particular, because virtual disk encryption tools apply strong encryption algorithms and are used as storage for large amounts of data, it is necessary to verify the use of these tools in a digital forensic investigation. This study investigated the traces that can be used to verify the installation, runtime, and deletion of VDE tools, and the mounting of virtual disks, in a digital forensic investigation. As future work, the traces of various other FDE and VDE tools besides those examined here will be investigated, and based on those results an improved initial response procedure for digital forensic investigations will be proposed.

ACKNOWLEDGMENTS

This research was supported by the Bio R&D program through the National Research Foundation of Korea funded by the Ministry of Education, Science and Technology (20090084147).

REFERENCES

[1] E. Casey and G. J. Stellatos, "The Impact of Full Disk Encryption on Digital Forensics", ACM, New York, 2008.
[2] E. Casey, "Practical Approaches to Recovering Encrypted Digital Evidence", International Journal of Digital Evidence, Vol. 1, Issue 3, Fall 2002.
[3] S. Lowman, "The Effect of File and Disk Encryption on Computer Forensics", http://lowmanio.co.uk/share/, Jan. 2010.
[4] G. C. Kessler, "Anti-Forensics and the Digital Investigator", The 5th Australian Digital Forensics Conference, Dec. 2007.
[5] E. Huebner and F. Henskens, "The Role of Operating Systems in Computer Forensics", ACM SIGOPS Operating Systems Review, Vol. 42, Issue 3, Apr. 2008.
[6] R. Jones, "Safer Live Forensic Acquisition", University of Kent, 2007.
[7] H. Carvey, "The Windows Registry as a forensic resource", Digital Investigation, Vol. 2, Issue 3, Sep. 2005.
[8] T. Kwon, J. Bang, J. Choi, and S. Lee, "A Study on Encryption and Recovery Method of Key in TrueCrypt", Conference on Information Security and Cryptology, Korea Institute of Information Security & Cryptology, Vol. 18, No. 1, Jun. 2008.
[9] D. Lee, J. Park, and S. Lee, "Analysis of Deleted Executable File through Windows Prefetch Cache", 2009 Workshop of Digital Forensics, Vol. 1, No. 1, Aug. 2009.
[10] M. Russinovich and D. Solomon, "Windows Internals", Microsoft Press, 4th Edition, pp. 638-639.
[11] PGP Corporation, "PGP Desktop for Windows User's Guide Version 10.0.0", http://pgp.custhelp.com/app/detail/a_id/589, 2009.
[12] C. Hargreaves and H. Chivers, "Recovery of Encryption Keys from Memory Using a Linear Scan", The Third International Conference on Availability, Reliability and Security, pp. 1369-1376, May 2008.
[13] Tesline-Service, "Virtual encrypted disk inside-out", Rohos Data security and authentication solutions, http://www.rohos.com/support/knowledge-base/virtual-encrypted-disk-inside-out/, 2005.
[14] PC Dynamics, Inc., "SafeHouse User's Guide", http://www.safehousesoftware.com/Manual/SafeHouse.htm, 2009.
[15] TrueCrypt Foundation, "TrueCrypt User Guide – System Encryption", http://www.truecrypt.org/docs/.
[16] S. Bunting and S. Anson, "Mastering Windows Network Forensics and Investigation", Wiley Publishing, Inc., 2007.