Difference between pages "First Responder's Evidence Disk" and "TrueCrypt"

From ForensicsWiki
(Added a download link to FRED)
 
m (added Category)
 
Line 1: Line 1:
The First Responder's Evidence Disk, or FRED, is a script based [[Incident Response|incident response]] tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.
+
{{Infobox_Software |
 +
  name = Truecrypt |
 +
  maintainer = TrueCrypt Foundation |
 +
  os = {{Linux}}, {{Windows}}, OS X |
 +
  genre = {{Encryption}} |
 +
  license = TrueCrypt Collective License |
 +
  website = [http://www.truecrypt.org/ truecrypt.org] |
 +
}}
  
== Usage ==
+
'''TrueCrypt''' is an open source program to create and mount virtual encrypted disks in [[Windows|Windows Vista/XP/2000]] and [[Linux]] and [[Mac OS X|OS X]] as well as [[Whole Disk Encryption]] on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms ([[AES|AES-256]], [[Serpent]] and [[Twofish]]).  As of version 6.0 TrueCrypt now supports hidden Operating Systems (Windows only).
  
The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
+
== Forensic Acquisition ==
  
== History ==
+
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.
  
FRED was developed by [[Jesse Kornblum]] for the [[Air Force Office of Special Investigations]] starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the [[Digital Forensic Research Workshop|DFRWS Conference]]. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, ''[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]'', that included the FRED script.  
+
== Attacks ==
 +
The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster.
  
A version of the FRED script was later incorporated into the [[Helix]] disk.  
+
TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).
  
There was a proposal for a program to process the audit files into [[HTML]], but this never came to fruition.
+
== Hidden volumes ==
  
Since 2004 FRED has been maintained by the [[Air Force Computer Emergency Response Team]]. The current version of FRED (version 4) has been redesigned as a single executable, with remote collection capabilities, and uses Native API functions. The audit file uses PKI for encryption to protect the contents from tampering and disclosure. The publicly available version has remote functionality, and PKI encryption capabilities removed.
+
Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.
  
== Trivia ==
+
When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.
  
The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].
+
Previous versions of encrypted volumes may be found in the filesystem journal. It is important to track any changes within the free space of the outer volume to detect presence of a hidden volume.
  
== See Also ==
+
== Hidden Operating Systems ==
  
* [[IRCR]]
+
Hidden operating system is a system that is installed in a hidden TrueCrypt volume.
* [[COFEE]]
+
  
== External Links ==
+
It is possible to detect network-enabled hidden operating systems by matching downloaded content (from network dump) with data on possible decoy system.
  
; [[FRED]]
+
Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if Windows system is permanently connected to a LAN).
: http://www.box.net/shared/xu0hag8sya
+
: Hopefully this link stays pretty persistent since it is my box account [[User:Vesh|Vesh]]vesh.
+
  
 +
== External Links ==
  
 +
* [http://www.truecrypt.org/ Official website]
 +
* [http://www.truecrypt.org/docs/?s=version-history Version history]
  
[[Category:Incident response tools]]
+
[[Category:Encryption]]

Revision as of 14:44, 9 July 2008

Truecrypt
Maintainer: TrueCrypt Foundation
OS: Linux, Windows, OS X
Genre: Encryption
License: TrueCrypt Collective License
Website: truecrypt.org

TrueCrypt is an open source program to create and mount virtual encrypted disks on Windows Vista/XP/2000, Linux and OS X, as well as Whole Disk Encryption on Windows. It provides two levels of plausible deniability (hidden volumes, and the absence of any signature that would distinguish a volume from random data), on-the-fly encryption, and support for several encryption algorithms (AES-256, Serpent and Twofish). As of version 6.0, TrueCrypt also supports hidden operating systems (Windows only).

Forensic Acquisition

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting the system down. Once the system is shut down, the contents will be inaccessible unless you have the proper encryption key, which is derived from the user's password. You may also need an additional data file (see keyfiles below).

Attacks

The only option for acquiring the contents of a dismounted TrueCrypt drive is a brute-force password-guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster.

TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use its PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024 KB file on a USB stick).
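Triage code for the keyfile search just described, added here as an example and not code from this page: it walks a directory (a mounted image or a USB stick) and flags files whose first 1024 KB have near-maximal entropy and no known file signature, tagging those that are exactly 1024 KB (keyfile candidates) and those that are a whole number of sectors (container candidates, since a TrueCrypt volume carries no signature and looks like random data). The entropy threshold and the short signature list are assumptions; real triage would use a fuller signature database.

```python
import math
import os
import tempfile
from collections import Counter

KEYFILE_BYTES = 1024 * 1024  # TrueCrypt reads at most the first 1024 KB of a keyfile
SECTOR = 512                 # a volume container is a whole number of sectors
ENTROPY_MIN = 7.9            # bits per byte; random data scores ~8.0, text and most headers far less
KNOWN_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"PK\x03\x04", b"%PDF", b"MZ", b"\x7fELF")  # short list

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for an empty sample)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(root: str):
    """(relative path, size, entropy, tags) for files whose first 1024 KB look random and carry no
    recognisable signature: candidate keyfiles or signature-less volume containers."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(KEYFILE_BYTES)
            entropy = shannon_entropy(head)
            if head.startswith(KNOWN_MAGIC) or entropy < ENTROPY_MIN:
                continue  # a known header or structured content: not random-looking
            size, tags = os.path.getsize(path), []
            if size == KEYFILE_BYTES:
                tags.append("exactly 1024 KB: keyfile candidate")
            if size % SECTOR == 0:
                tags.append("sector multiple: container candidate")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.append((rel, size, round(entropy, 3), tags))
    return sorted(hits)

def demo():
    """Constructed sample files (not real evidence): two random files get flagged, two do not."""
    root = tempfile.mkdtemp()
    samples = {
        "vacation.jpg": b"\xff\xd8\xff" + os.urandom(65533),  # random body but JPEG signature: skipped
        "notes.txt": b"meeting notes\n" * 2000,                # low entropy: skipped
        "key.dat": os.urandom(KEYFILE_BYTES),                  # random and exactly 1024 KB
        "blob.bin": os.urandom(64 * SECTOR),                   # random and a sector multiple
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return triage(root)
```

A hit is only a lead: any file, including an ordinary photo, can serve as a keyfile, so the scan narrows the search rather than proving anything.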

Hidden volumes

A hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether or not a hidden volume exists.

When a hidden volume is mounted, the operating system and third-party applications may write information about the data stored in the hidden volume (e.g. filenames) to non-hidden volumes. It is important to look for such information.

Previous versions of encrypted volumes may be found in the filesystem journal. It is important to track any changes within the free space of the outer volume in order to detect the presence of a hidden volume.
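One way to track the free-space changes described above is a sector-level comparison of two acquisitions of the outer volume, restricted to sectors the outer filesystem does not allocate. This is an added example, not code from the wiki page; the sample image and the allocation ranges are constructed, and in practice the ranges would come from the outer filesystem's allocation map as read by a forensic tool.

```python
import hashlib

SECTOR = 512

def sector_hashes(image: bytes):
    """SHA-256 of every 512-byte sector of an acquired volume image."""
    return [hashlib.sha256(image[i:i + SECTOR]).digest() for i in range(0, len(image), SECTOR)]

def changed_free_sectors(before: bytes, after: bytes, allocated):
    """Sectors that differ between two acquisitions of the same outer volume and are not allocated
    to any file in the outer filesystem. `allocated` holds (first, last) inclusive sector ranges
    from the outer filesystem's allocation map. Returns the changed sectors merged into runs."""
    if len(before) != len(after):
        raise ValueError("acquisitions differ in size; compare images of the same volume")
    busy = set()
    for first, last in allocated:
        busy.update(range(first, last + 1))
    pairs = zip(sector_hashes(before), sector_hashes(after))
    changed = [i for i, (a, b) in enumerate(pairs) if a != b and i not in busy]
    runs = []
    for s in changed:  # merge adjacent sector numbers into (first, last) runs for reporting
        if runs and runs[-1][1] == s - 1:
            runs[-1][1] = s
        else:
            runs.append([s, s])
    return [tuple(r) for r in runs]

def demo():
    """Constructed 64-sector outer volume: sectors 0-3 and 10-15 are allocated in the outer
    filesystem; sectors 2, 40-42 and 60 are rewritten between the two acquisitions."""
    before = bytes(i % 256 for i in range(64 * SECTOR))
    after = bytearray(before)
    for s in (2, 40, 41, 42, 60):
        after[s * SECTOR:(s + 1) * SECTOR] = bytes(b ^ 0xFF for b in before[s * SECTOR:(s + 1) * SECTOR])
    return changed_free_sectors(before, bytes(after), [(0, 3), (10, 15)])
```

Because the volume contents are ciphertext, every write shows up as a changed sector; writes to a hidden volume land in the outer filesystem's free area, which is why the comparison ignores sectors the outer filesystem claims.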

Hidden Operating Systems

A hidden operating system is a system installed in a hidden TrueCrypt volume.

It is possible to detect a network-enabled hidden operating system by matching downloaded content (from a network dump) against the data on the possible decoy system.

An investigator can also detect boot times by searching network dumps for IP packets with low IP ID values (only if the Windows system is permanently connected to a LAN).
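A minimal illustration of the IP ID boot-time technique above, written as an added example (not code from the page): it parses a libpcap capture by hand, tracks the IPv4 identification field per source host, and reports where the counter drops back to a low value, which for a Windows host on a LAN marks a restart. The capture is constructed inline and the thresholds are assumptions to tune per case.

```python
import struct
from ipaddress import ip_address

PCAP_MAGIC = 0xA1B2C3D4

def ipv4_packets(pcap: bytes):
    """Yield (timestamp, source IP, IP ID) for every IPv4-over-Ethernet record in a libpcap
    capture. Minimal parser: handles both byte orders and skips non-IPv4 frames."""
    magic, = struct.unpack_from("<I", pcap, 0)
    e = "<" if magic == PCAP_MAGIC else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(e + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip_id, = struct.unpack_from("!H", frame, 18)  # IPv4 header starts at 14; identification at +4
        yield ts_sec + ts_usec / 1e6, str(ip_address(frame[26:30])), ip_id

def detect_boots(records, low=2000, drop=10000):
    """(timestamp, host) for each point where a host's IP ID falls from a high value back to a low
    one. Windows restarts the counter near zero at boot; a drop from near 65535 is the counter
    wrapping, not a boot, and is ignored. Thresholds are assumptions to tune per case."""
    last, boots = {}, []
    for ts, host, ip_id in sorted(records):
        prev = last.get(host)
        if prev is not None and ip_id < low and prev - ip_id > drop and prev < 65535 - low:
            boots.append((ts, host))
        last[host] = ip_id
    return boots

def make_record(ts_sec, src, ip_id):
    """Constructed pcap record: Ethernet + IPv4/TCP header, no payload, with the given IP ID."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 128, 6, 0,
                     ip_address(src).packed, ip_address("10.0.0.1").packed)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * 20
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

# Constructed capture: 10.0.0.5 reboots at t=1500; 10.0.0.7 merely wraps its counter at t=3001.
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(
    make_record(ts, src, ip_id) for ts, src, ip_id in [
        (1000, "10.0.0.5", 30001), (1001, "10.0.0.5", 30002), (1500, "10.0.0.5", 3),
        (1501, "10.0.0.5", 4), (3000, "10.0.0.7", 65530), (3001, "10.0.0.7", 2)])

def demo():
    return detect_boots(ipv4_packets(SAMPLE_PCAP))
```

Two boot events close together from the same address, with different content fetched after each, is the pattern that hints at a decoy system and a hidden one sharing the machine.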

External Links