Re: [sleuthkit-users] Encryption flag issue
Brought to you by:
carrier
From: Søren B. <shb...@gm...> - 2019-03-21 11:15:50
|
Hi 1) It says application/x-msdownload. 3) I tried with lower settings, but still no luck. Best regards Soren Berggreen On Thu, Mar 21, 2019 at 4:04 AM Brian Carrier <ca...@sl...> wrote: > Hi Soren, > > 1) If you navigate to the file in Autopsy, select it, and go to the File > Metadata tab, then what MIME type does it say the file is? I'd assume > application/octet-stream. > > 2) The default behavior for the extension mismatch module is to only focus > on hidden pictures, videos, executables, etc. So, if the encrypted volume > had a type of application/octet-stream, then it is not surprising that it > wasn't flagged. The module is flagging known content types (such as JPEG) > that have been renamed. > > 3) The Encryption Detection module does have a setting about entropy > levels. I believe the default value is 7.5. If you change it to 7.0 and > re-run ingest then does it find the file? > > thanks, > brian > > > On Wed, Mar 20, 2019 at 5:48 AM Søren Berggreen <shb...@gm...> > wrote: > >> Hi. >> >> I've got this issue that I haven't been able to solve: >> >> Autopsy 4.10.0 on Windows 10 Pro >> >> Problem: >> A known encrypted file is not flagged when running the Encryption >> Detection Module. >> >> Secondary problem: >> The encrypted file is saved as a .dll file, but is not flagged when >> running the Extension Mismatch Detector Module. >> >> Pre: >> An encrypted container was created using Veracrypt. The size of the >> container was set to 100MB. Hash sha512, encryption serpent, filesystem >> NTFS. The container was named "VBoxClient-64bit.dll" and was placed in >> folder "C:\Program Files\Oracle\VirtualBox\x86". >> >> The forensic image on where the container is located, was also tested >> using X-Ways and EnCase, and both tools flag the container as encrypted. >> >> Best regards >> Soren Berggreen >> _______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org >> > |