Friday, June 13, 2014

My 'In the Field' Forensics Example

With the "Super Man" powers you have given me during your Forensic classes, I've been walking around here at work giving a good impression of what I learned.

Recently I've been asked (not tasked) for my opinion on ensuring a .xlsx file w/confidential info stays secure on mobile devices (Windows & Apple laptops).

The scenario:

1)  Researcher states, 'file will be encrypted', so all is good.

I regurgitate, 'Well, as soon as the file is opened, a non-encrypted version exists on the machine.  So full disk encryption is best, BitLocker (Windows 7) / FileVault (Apple).'

I go on:

"Auto Save will save an un-encrypted version of the file in the auto save location which by default occurs every 10 minutes; un-encrypted copies of the file are created when the encrypted file is opened during use, etc.  Whole disk encryption is strongly suggested."

I decided to actually test what I've been regurgitating... good idea, right!?

This is what I've found; you may find it interesting as well -- but you probably already know this.  =)

=================================================================

Depending on *how* the file is encrypted, the temporary files, Auto Save files *could* remain encrypted, despite not using full disk encryption.

At work, I've implemented "Domain Based EFS" on all our workstations for the department, so this method was chosen to test against first.

1)  Create a .docx with EFS.
a)  Read & comprehended the following:  http://support.microsoft.com/kb/211632
Which "...explains when, where, and how Microsoft Word for Windows creates temporary files."

2)  Using the above link, I now know to go to:
a)  Auto Save location
b)  User's Temporary Files Location
c)  Transacted Document location (the ~DFrandom###s.tmp files)


In each folder, the spawned temporary files all **remain** encrypted! (ignoring the ~$filename.docx, which contains user log-in information)
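An added example (not from the original post) of automating step 2: a PowerShell script that walks the Auto Save, temporary-file and document locations and reports whether each spawned file carries the NTFS Encrypted attribute that EFS sets. The paths are the Word defaults and are assumptions; adjust them for the machine being tested, and the same check applies to the TrueCrypt run later in the post.

```powershell
# Added example, not the original post's code. Lists Word's temporary-file
# locations and flags any file that is NOT EFS-encrypted (plaintext spillage).
# Default paths are assumptions based on Word's usual configuration.
param(
    [string]$DocumentDir = "$env:USERPROFILE\Documents",   # where the test .docx lives
    [string]$AutoSaveDir = "$env:APPDATA\Microsoft\Word",  # default AutoRecover location
    [string]$TempDir     = $env:TEMP                        # user's temporary files
)

# The three locations from the post, plus the ~$ owner file next to the document.
$locations = @(
    @{ Name = 'Auto Save (.asd)';              Path = $AutoSaveDir; Filter = '*.asd' },
    @{ Name = 'Temp (~DF*.tmp transacted)';    Path = $TempDir;     Filter = '~DF*.tmp' },
    @{ Name = 'Document dir (~$ owner file)';  Path = $DocumentDir; Filter = '~$*' }
)

function Test-EfsEncrypted {
    param([System.IO.FileInfo]$File)
    # NTFS sets the Encrypted bit on every EFS-protected file, however it was created,
    # so this is independent of which application spawned the temp file.
    return ([int]($File.Attributes -band [System.IO.FileAttributes]::Encrypted)) -ne 0
}

$report = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
    # -Force is needed because the ~$ owner files are hidden.
    Get-ChildItem -Path $loc.Path -Filter $loc.Filter -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Location  = $loc.Name
                File      = $_.FullName
                Encrypted = Test-EfsEncrypted $_
                LastWrite = $_.LastWriteTime
            }
        }
}

$report | Sort-Object Encrypted, Location | Format-Table -AutoSize

# Any row with Encrypted = False is a plaintext copy of the document living
# outside the protection of the original file; with domain EFS the post saw none,
# with a TrueCrypt volume it saw several.
$plain = @($report | Where-Object { -not $_.Encrypted })
if ($plain.Count -gt 0) {
    Write-Warning ("{0} temporary file(s) are not EFS-encrypted" -f $plain.Count)
}
```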


-----------------------------------
Side Track:
Before actually testing the above, I wanted to confirm that .ASD (Auto Save Documents) remain available even after they are deleted.  Of course I already know this; this is what has been drilled into me many times throughout class.

However, I found the following:
http://forensicaliente.blogspot.com/2010/07/forensic-implications-of-ms-word-asd.html

This person claims to have tested the same scenario I was testing (not regarding encrypted files), the availability of ASD files after Word successfully shuts down.

In his case, he was using EnCase and indicates the ASD file is no longer available after Word successfully closes out the file.

In *my test* using FTK Imager, the ASD files totally remained available, despite being 'deleted'!!  Thanks, you are the Man!  =D

Confirmed:  ASD files are still available after successful Word shutdown/save.
---------------------------------

Okay, back to what's going on with encrypted files.  IIRC, you mentioned multiple times throughout class that 'once accessed, an un-encrypted version exists in locations such as:  Auto Save, Temporary Files, etc.'

So how could my test counter what I learned!?

Even the recovered 'deleted' ASD file remains encrypted!

-------------------------------------------
I pondered... maybe you were talking about another encryption method?

Having just completed CIS 279 Module 19 Lab 4 -- TrueCrypt, I began to test this.  Prior to beginning, I formulated the hypothesis that, using TrueCrypt, your statement -- 'An un-encrypted version will exist in AutoSave, etc.' -- would come true, since unlike EFS (which is built into Windows), TrueCrypt is not 'One with the OS'.

1)  I created the TrueCrypt Volume
2)  Created a .docx file in this encrypted volume

Sure enough using TrueCrypt, un-encrypted copies of the .docx appeared in the AutoSave and Temporary Files locations!

#############################################
Summary:

Using EFS, which is built into Windows, is a much better solution for encryption than 3rd party tools.  EFS, which is built into Windows, continues to encrypt relevant data that spawns from the original file.

Using 3rd party tools for encryption, it is possible the temporary files spawned are not encrypted -- such as it is when using TrueCrypt.
#############################################

Well, now that I have tested all the above... I have to go back and report to everyone:

'Actually it depends on how the file is encrypted, which determines if the temporary files remain encrypted during use.'

-----------------------------------------
Nonetheless, thanks again for giving me the tools to be knowledgeable/know 'where and what to look for' in these situations when conversing with others!
