Re: [sleuthkit-users] Encryption flag issue
From: Brian C. <ca...@sl...> - 2019-03-21 03:04:39
Hi Soren,

1) If you navigate to the file in Autopsy, select it, and go to the File Metadata tab, then what MIME type does it say the file is? I'd assume application/octet-stream.

2) The default behavior for the extension mismatch module is to only focus on hidden pictures, videos, executables, etc. So, if the encrypted volume had a type of application/octet-stream, then it is not surprising that it wasn't flagged. The module is flagging known content types (such as JPEG) that have been renamed.

3) The Encryption Detection module does have a setting about entropy levels. I believe the default value is 7.5. If you change it to 7.0 and re-run ingest then does it find the file?

thanks,
brian

On Wed, Mar 20, 2019 at 5:48 AM Søren Berggreen <shb...@gm...> wrote:
> Hi.
>
> I've got this issue that I haven't been able to solve:
>
> Autopsy 4.10.0 on Windows 10 Pro
>
> Problem:
> A known encrypted file is not flagged when running the Encryption Detection Module.
>
> Secondary problem:
> The encrypted file is saved as a .dll file, but is not flagged when running the Extension Mismatch Detector Module.
>
> Pre:
> An encrypted container was created using Veracrypt. The size of the container was set to 100MB. Hash sha512, encryption serpent, filesystem NTFS. The container was named "VBoxClient-64bit.dll" and was placed in folder "C:\Program Files\Oracle\VirtualBox\x86".
>
> The forensic image where the container is located was also tested using X-Ways and EnCase, and both tools flag the container as encrypted.
>
> Best regards
> Soren Berggreen
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
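To make the entropy-threshold point in Brian's reply concrete, here is an added illustration (not Autopsy's module code and not from either poster) of a byte-level Shannon entropy check run at the 7.5 and 7.0 thresholds the thread mentions. The sample data is constructed: chained SHA-256 output stands in for ciphertext, a folded-byte sample gives a mid-entropy file, and repeated text gives a low-entropy one.

```python
import hashlib
import math
from collections import Counter

# Threshold values as quoted in the thread (the names are ours, not Autopsy's)
DEFAULT_THRESHOLD = 7.5
LOWERED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = DEFAULT_THRESHOLD) -> tuple[float, bool]:
    """Return (entropy, flagged); flagged when the entropy meets the threshold."""
    h = shannon_entropy(data)
    return h, h >= threshold


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext (constructed, not real VeraCrypt output)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


SIZE = 64 * 1024  # constructed samples, 64 KiB each
SAMPLES = {
    # ciphertext-like: close to 8.0 bits/byte, flagged at either threshold
    "encrypted_container": pseudo_random_bytes(SIZE),
    # byte values folded into 0..159: analytic entropy 7.25 bits/byte,
    # i.e. caught at 7.0 but missed at 7.5
    "mid_entropy": bytes(b % 160 for b in pseudo_random_bytes(SIZE)),
    # plain text: well below both thresholds
    "plain_text": (b"The quick brown fox jumps over the lazy dog. " * 2000)[:SIZE],
}


def report(threshold: float = DEFAULT_THRESHOLD) -> dict[str, bool]:
    """Which constructed samples would be flagged at the given threshold."""
    return {name: classify(d, threshold)[1] for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        h, _ = classify(data)
        print(f"{name:20s} {h:.3f} bits/byte  flag@7.5={h >= 7.5}  flag@7.0={h >= 7.0}")
```

A genuine VeraCrypt container is ciphertext end to end and should land near 8.0 bits/byte, so a miss at 7.5 usually points at what the module actually read or typed rather than at the threshold itself.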