I recently identified an excellent product for identifying encrypted files (and other attributes of said files). Forensic Innovations’ File Identification Technology tool identifies 3,312 file types. Recently the product announced support for identifying “TrueCrypt”. (See www.TrueCrypt.org; they claim that “no TrueCrypt volume can be identified (volumes cannot be distinguished from random data)”.) Computer forensics tools might see the files as unknown or unimportant data.
When the File Investigator TOOLS product (http://www.forensicinnovations.com/fitools.html) finds encrypted files, it reports the type of encrypted file and, when possible, what encryption algorithm is used. While some encrypted files can’t be narrowed down to a specific application, just knowing that they are encrypted can be important. In a legal case, knowing that potential evidence is encrypted and intentionally hidden can provide the leverage to entice the encryption key from the owner or show the court intent to conceal evidence. Employers can use this tool to catch employees hiding data on company computers and potentially collecting intellectual property. This technology is also available to our business partners and as a licensed API. For further details, and a discussion on this topic, visit the Innovations Blog, http://www.forensicinnovations.com/blog.
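The claim quoted above cuts both ways: a file with no recognizable header whose bytes look uniformly random is itself worth flagging during triage. The sketch below is an added example, not Forensic Innovations' code or method; the magic-number list, the 7.9 bits/byte threshold, the whole-sector size hint and the sample buffers are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed, deliberately short magic list; a real identifier knows thousands.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"%PDF")
SECTOR = 512  # assumption: container files are a whole number of sectors


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.9) -> str:
    """Heuristic label for one buffer; the threshold is an assumption."""
    if any(data.startswith(magic) for magic in KNOWN_MAGIC):
        return "known-format"          # compressed media is high-entropy too
    if shannon_entropy(data) < threshold:
        return "structured"            # text, executables, databases, ...
    if len(data) % SECTOR == 0:
        return "candidate-encrypted-container"
    return "random-looking"            # headerless and random, odd size


def pseudo_random(blocks: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a counter."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(blocks))


def samples() -> dict:
    """Constructed sample buffers standing in for files on an evidence image."""
    blob = pseudo_random(2048)  # 64 KiB, a whole number of sectors
    return {
        "container.bin": blob,
        "archive.zip": b"PK\x03\x04" + blob,
        "notes.txt": b"quarterly report draft\n" * 3000,
        "fragment.bin": blob[:-7],
    }


def scan(files: dict) -> dict:
    return {name: classify(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, label in scan(samples()).items():
        print(f"{name:15} {label}")
```

A hit from this heuristic only marks a file for closer examination; it cannot attribute the data to a particular encryption product.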
The product has three operating modes, and the SDK (application interface) can be licensed and used in programs that run on Windows, Unix, and Linux. The demo version is limited to 100 files; the licensed version will identify 30,000 files. There is also a DOS-type command-line interface. The product identifies over 100 fields (see the table below).
The screenshots below show the two interfaces.
In addition to identifying these fields of metadata, it appears this tool can also be populated with data from the NIST NSRL database. The National Software Reference Library (NSRL) collects software from various sources and incorporates file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS is a collection of digital signatures of known, traceable software applications. Some application hash values in the hash set belong to software that may be considered malicious, e.g. steganography tools and hacking scripts. Other hashes can be found in the Hashkeeper database.
Fields Identified
| Column/Field Name | Order |
|---|---|
| DOS Filename | 2 |
| Filename | 3 |
| Extension | 4 |
| Location | 5 |
| Size | 6 |
| Created (date) | 7 |
| Modified (date) | 8 |
| Accessed (date) | 9 |
| Attributes | 10 |
| Description (name) | 11 |
| Numbers Metadata Summary | 12 |
| Valid File Extensions | 13 |
| Valid MIME Label(s) | 14 |
| Accuracy | 15 |
| Text Metadata Summary | 16 |
| Platforms | 17 |
| Storage (methods) | 18 |
| Content (types) | 19 |
| Description Index | 20 |
| ASCII Header | 21 |
| Hexadecimal Header | 22 |
| Checksum | 23 |
| Scan Time (seconds) | 24 |
| Extension Valid (y/n) | 25 |
| Format Version | 26 |
| Program Version | 27 |
| Color Bits | 28 |
| Tempo | 29 |
| Instruments (sum) | 30 |
| Sound Bits | 31 |
| Sound Channels | 32 |
| Sound Sampling Rate (Hz) | 33 |
| Volume Level (%) | 34 |
| Time Length | 35 |
| Frames/Images | 36 |
| Resolution (dots) | 37 |
| Resolution (in) | 38 |
| Resolution (mm) | 39 |
| Frames/Second | 40 |
| Disk Size (in) | 41 |
| Disk Sides | 42 |
| Disk Density | 43 |
| Sound Compression | 44 |
| Pages | 45 |
| Sound Tracks (sum) | 46 |
| Sound Samples (sum) | 47 |
| Character Set | 48 |
| Linker Version | 49 |
| Image Compression | 50 |
| Resolution (dpi) | 51 |
| File Protection | 52 |
| Records (sum) | 53 |
| Programs (sum) | 54 |
| Icons (sum) | 55 |
| Repeats | 56 |
| Directories (sum) | 57 |
| Files (sum) | 58 |
| File Version | 59 |
| Product Version | 60 |
| Words (sum) | 61 |
| Characters (sum) | 62 |
| Tracks (sum) | 63 |
| UNIX Permissions | 64 |
| Line Termination | 65 |
| Miscellaneous (text) | 66 |
| Title | 67 |
| Author | 68 |
| Program Name | 69 |
| Software | 70 |
| Name | 71 |
| File Version (text) | 72 |
| Comments | 73 |
| Display Name | 74 |
| Product | 75 |
| Source | 76 |
| Subject | 77 |
| Mac Type ID | 78 |
| Description (in file) | 79 |
| Copyright | 80 |
| Artist | 81 |
| Instrument | 82 |
| Lyric | 83 |
| Text | 84 |
| Keywords | 85 |
| Date Created (in file) | 86 |
| Mac Creator | 87 |
| Compiler | 88 |
| Compressor | 89 |
| Company | 90 |
| Internal Name | 91 |
| File Name (in file) | 92 |
| Product Version | 93 |
| Unknown Object | 94 |
| Album | 95 |
| Year | 96 |
| Genre | 97 |
| Template | 98 |
| Revision Number | 99 |
| Date Edited (in file) | 100 |
| Date Printed | 101 |
| Date Saved | 102 |
| Mime Type (in file) | 103 |
| SHA-1 | 104 |
| MD5 | 105 |
| MD4 | 106 |
| CRC32 | 107 |
| Alternate Data Stream | 108 |
| NTFS Owner | 109 |
| Filename+Ext | 1 |