Re: [sleuthkit-users] Identifying Encrypted Files

[Wyman M. <wm...@co...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've been struggling with this for a while.  NTFS encrypted files bear that 
attribute, as do encrypted files on certain other filesystems.

Virtually everything else is an internal tag.

Certain encrypted volume tools like Truecrypt studiously avoid any 
indication of their purpose, so you'd be left looking at a large block of 
data.

I've written a few things to perform tests of randomness of arbitrary 
files, on the assumption that anything strongly encrypted is going to be 
extremely random -- even more so than compressed data.  It's slow going and 
not generally useful, though.

- --On Tuesday, December 19, 2006 12:54 PM -0500 Craig Slusher 
<cs...@gm...> wrote:

> Hello, I am a new user of the Sleuthkit and am very pleased so far
> with the results. I am curious though, are there ways to identify if a
> file is encrypted or password protected? I don't necessarily need to
> do anything other than identify that it has been encrypted. Any help
> would be greaty appreciated. Thank you!
>
> --
> Craig Slusher
> cs...@gm...
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your opinions on IT & business topics through brief surveys - and earn
> cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org



Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v3.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBRYgqXsRE6QfTb3V0EQKtDwCdGxhAvHx5qzN7c3WspC7uaDe+bCYAoN3h
X0TU8rGb7QDX9tSKcXyH0Rs9
=7IkV
-----END PGP SIGNATURE-----