Re: [sleuthkit-users] Encryption flag issue
Brought to you by:
carrier
From: Brian C. <ca...@sl...> - 2019-03-21 14:47:36
|
Interesting. The MIME type is what is throwing it off. Our algorithm will only flag items that do not have a known type because videos and such can be big and random. We use Apache Tika for file type detection and we recently observed a file that had an incorrect type applied and Tika seemed to have made the decision based on the file extension. I wonder if that happened here too. We'll try to recreate this. In the mean time, can you rename the file to something like ".dat" and see if you get the same results. On Thu, Mar 21, 2019 at 7:15 AM Søren Berggreen <shb...@gm...> wrote: > Hi > > 1) It says application/x-msdownload. > > 3) I tried with lower settings, but still no luck. > > Best regards > Soren Berggreen > > > On Thu, Mar 21, 2019 at 4:04 AM Brian Carrier <ca...@sl...> > wrote: > >> Hi Soren, >> >> 1) If you navigate to the file in Autopsy, select it, and go to the File >> Metadata tab, then what MIME type does it say the file is? I'd assume >> application/octet-stream. >> >> 2) The default behavior for the extension mismatch module is to only >> focus on hidden pictures, videos, executables, etc. So, if the encrypted >> volume had a type of application/octet-stream, then it is not surprising >> that it wasn't flagged. The module is flagging known content types (such >> as JPEG) that have been renamed. >> >> 3) The Encryption Detection module does have a setting about entropy >> levels. I believe the default value is 7.5. If you change it to 7.0 and >> re-run ingest then does it find the file? >> >> thanks, >> brian >> >> >> On Wed, Mar 20, 2019 at 5:48 AM Søren Berggreen <shb...@gm...> >> wrote: >> >>> Hi. >>> >>> I've got this issue that I haven't been able to solve: >>> >>> Autopsy 4.10.0 on Windows 10 Pro >>> >>> Problem: >>> A known encrypted file is not flagged when running the Encryption >>> Detection Module. >>> >>> Secondary problem: >>> The encrypted file is saved as a .dll file, but is not flagged when >>> running the Extension Mismatch Detector Module. >>> >>> Pre: >>> An encrypted container was created using Veracrypt. The size of the >>> container was set to 100MB. Hash sha512, encryption serpent, filesystem >>> NTFS. The container was named "VBoxClient-64bit.dll" and was placed in >>> folder "C:\Program Files\Oracle\VirtualBox\x86". >>> >>> The forensic image on where the container is located, was also tested >>> using X-Ways and EnCase, and both tools flag the container as encrypted. >>> >>> Best regards >>> Soren Berggreen >>> _______________________________________________ >>> sleuthkit-users mailing list >>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >>> http://www.sleuthkit.org >>> >> |