AD Image Encryption. Format Version 1.2



Similar documents
High Security Online Backup. A Cyphertite White Paper February, Cloud-Based Backup Storage Threat Models

Project: Simulated Encrypted File System (SEFS)

Secure Network Communications FIPS Non Proprietary Security Policy

SkyRecon Cryptographic Module (SCM)

Chapter 6 Electronic Mail Security

Dashlane Security Whitepaper

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Password-based encryption in ZIP files

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications

Network Security Essentials Chapter 7

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Symmetric and Public-key Crypto Due April , 11:59PM

Package PKI. July 28, 2015

Cryptography and Network Security Chapter 15

FIPS Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

AS DNB banka. DNB Link specification (B2B functional description)

PowerChute TM Network Shutdown Security Features & Deployment

Using TrueCrypt to protect data

2007 Microsoft Office System Document Encryption

Alternate Representations of the Public Key Cryptography Standards (PKCS) Using S-Expressions, S-PKCS

Detailed Specifications

Secure Storage. Lost Laptops

MAC/OSX - How to Encrypt Data using TrueCrypt. v

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

Netop Remote Control Security Server

Ciphermail S/MIME Setup Guide

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Managed Portable Security Devices

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Bit Chat: A Peer-to-Peer Instant Messenger

Djigzo S/MIME setup guide

Forensically Determining the Presence and Use of Virtual Machines in Windows 7

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)

ACE STUDY GUIDE. 3. Which Imager pane shows information specific to file systems such as HFS+, NTFS, and Ext2? - Properties Pane

PGP from: Cryptography and Network Security

SAS Data Set Encryption Options

SBClient SSL. Ehab AbuShmais

WS_FTP Professional 12. Security Guide

Keeper Password Manager & Digital Vault

Chapter 17. Transport-Level Security

SecureDoc Disk Encryption Cryptographic Engine

The Misuse of RC4 in Microsoft Word and Excel

Security Policy Revision Date: 23 April 2009

SolarWinds Technical Reference

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

Analysis of FileVault 2: Apple's full disk encryption. Omar Choudary Felix Grobert Joachim Metz

How To Encrypt Data With Encryption

ADFS Integration Guidelines

Cisco TelePresence VCS Certificate Creation and Use

Cryptography and Network Security

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Python Cryptography & Security. José Manuel

SENSE Security overview 2014

Forensic Decryption of FAT BitLocker Volumes

Resco Mobile CRM Security

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Apple Cryptographic Service Provider Functional Specification

Communication Systems SSL

Using Entrust certificates with Microsoft Office and Windows

IT Networks & Security CERT Luncheon Series: Cryptography

Analysis of the WinZip encryption method

Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS

What users should know about Full Disk Encryption based on LUKS

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

Elements of Security

PGP - Pretty Good Privacy

If you are the recipient of an encrypted message, the following instructions will help you to decrypt your message. The California State University

Analyzing the Security Schemes of Various Cloud Storage Services

Snow Agent System Pilot Deployment version

SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service

McAfee Firewall Enterprise 8.2.1

, ) I Transport Layer Security

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Secure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc.

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

Presentation on Black Hat Europe 2003 Conference. Security Analysis of Microsoft Encrypting File System (EFS)

Chapter 7 Transport-Level Security

SELF SERVICE RESET PASSWORD MANAGEMENT ARCHITECTURE GUIDE

Cisco Expressway Certificate Creation and Use

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Electronic Mail Security

Alliance Key Manager Solution Brief

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

Package PKI. February 20, 2013

Determining VHD s in Windows 7 Dustin Hurlbut

Qualtrics Single Sign-On Specification

WebSphere DataPower Release FIPS and NIST SP a support.

CA Nimsoft Service Desk

Exostar LDAP Proxy / Secure Setup Guide. This document provides information on the following topics:

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Authentication Applications

Transcription:

AD Image Encryption Format Version 1.2 17 May 2010

Table of Contents Introduction... 3 Overview... 3 Image Formats... 4 Keys... 4 Credentials... 4 Certificates... 4 Image Key encryption... 5 Appendix A Credentials Screenshot... 6 Appendix B - ADEncrypt Header File Format... 7 2/7

Introduction AccessData delivers forensic tools that allow the creation and analysis of disk images and AD1 (custom content) images for use in criminal and internal investigations. One of the concerns during the investigation process is protecting sensitive information that is collected inside these images. Security protocols must be set up so that only authorized users can access the data. Many techniques can be used to control access to sensitive information. One technique is to store sensitive data on a secured remote drive and use protocols like Active Directory to restrict access to certain individuals. Another technique is to encrypt image files so they can only be accessed by those who have the necessary credentials (passwords, etc.). They may be encrypted directly using tools such as WinZip, or they may be encrypted transparently using techniques such as EFS (Windows filesystem-level encryption) or by creating a TrueCrypt volume to store them on. Unfortunately, these techniques can be error-prone, costly, or hard to work with. For example, network shares can be difficult to set up and maintain, and the data gets transmitted and stored in unencrypted form. Direct encryption has a similar problem in that the file must exist on disk in unencrypted form first, and for analysis most forensic tools require the file to be decrypted, so it is stored on disk in unencrypted form before it can be analyzed. Using transparent encryption like EFS solves this problem, but EFS files cannot easily be set up for allowing multiuser access, nor can they be transmitted in encrypted form. Virtual disks such as TrueCrypt are a great solution for many people, but setting them up can be difficult, especially when enabling multi-user access over a network. The network authentication must be handled separately and uses different credentials than the virtual disk. To address these concerns AccessData has implemented an easy-to-use, built-in solution for encryption called AD Encryption. Encrypted images can be created and analyzed directly using AccessData forensic tools. At the current time, AccessData ships two applications with the capability of creating and viewing AD encrypted images: Imager and FTK-3. This document provides a description of the AD encryption algorithm and file format. Overview AD Encryption is whole image encryption. Not only the raw data (e.g., sector data) is encrypted, but also any metadata inside the image. Each segment (file) of the image is encrypted with a randomly-generated image key using strong encryption (AES-256). The image key is protected by desired credentials, a password or a cert public key. The encrypted image key is prepended to the front of the first image segment. 3/7

Image Formats AD Encryption is currently enabled for E01, S01, and raw/dd disk images, and for AD1 images. More image formats may be supported in the future, as the design is not tied to any specific format. Keys The following key algorithms are supported by AD encryption: AES-128 AES-192 AES-256 (default) The following hash algorithms are supported by AD encryption: SHA-256 SHA-512 (default) The user interface in FTK and Imager currently do not allow the user to specify the key and hash algorithms, so the defaults of AES-256 and SHA-512 are always used. Credentials AD encryption supports either a password or cert to protect the image key. Password: A password is any word or phrase and can contain spaces and any Unicode characters. The password is converted to UTF-8 for hashing. Certificate (public/private keys): A certificate is a standard X.509 cert inside a container like PKCS#12 or PEM. Many tools can be used to create certificates (e.g., Certmgr.exe). A certificate often contains both a public key and a private key, but they can also be stored separately. The public key from a cert is used for encryption, and the private key is used for decryption. Certificates The following X.509 certificate formats are supported by AD encryption: PKCS#12 / PFX (*.p12, *.pfx) PEM (*.pem) Stand-alone public key only (*.cer, *.crt, *.der) Only certificates containing RSA keys are supported. Encrypted certs are supported. 4/7

Image Key encryption The image key is encrypted using a password or a cert. A random salt is generated and then encrypted with the cert public key if provided. A key is then generated using the standard PBKDF2 algorithm (PKCS#5 compliant) from the passwords (if using a password) and the salt. This key is used to encrypt the image key and to compute an HMAC of the encrypted key for verification. 5/7

Appendix A Credentials Screenshot Here is a screenshot illustrating the dialog used to enter credentials for AD encryption. The same dialog is used for encryption and decryption. 6/7

Appendix B - ADEncrypt Header File Format The ADEncrypt header contains the encrypted image key and is prepended to the first image segment. The ADEncrypt header can be decrypted when the correct credentials are provided. Offset Length Name Description 00h 8 Signature "ADCRYPT\0" 08h 4 Version 1 0Ch 4 Total size Header size + salt length + encrypted key length + HMAC length + padding 10h 2 Pass count # of password; -1 if unknown (default) 12h 2 Raw key count # of raw keys; -1 if unknown (default) 14h 2 Cert count # of certs; -1 if unknown (default) 16h 2 Reserved Reserved; must be 0 18h 4 Key algorithm 1 = AES-128, 2 = AES-192, 3 = AES-256 1Ch 4 Hash algorithm 1 = SHA-256, 2 = SHA-512 20h 4 Iteration count # of iterations for hashing (default is 4000) 24h 4 Salt length Length of salt 28h 4 Encrypted key length Length of encrypted key 2Ch 4 HMAC length Length of HMAC The salt, encrypted key, and HMAC immediately follow the header. Then there is padding with zeroes up to the next 512-byte boundary. 7/7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information