In the news last week, the anonymous developers of TrueCrypt very publicly announced the discontinuation of TrueCrypt development, and declared TrueCrypt "not secure." The vagueness and abruptness of the announcement have caused a disturbance in the interweb at large. A search on "TrueCrypt" yields no fewer than 27,000 hits categorized as "News."
TrueCrypt has been a double-edged sword for digital investigators. On one edge, TrueCrypt's wide availability means it has been used to hide data from the eyes of investigators. Full-disk, container, and hidden-container encryption have created "game over" situations for investigators for years. Attendees of Guidance Software's training courses learn about common uses of TrueCrypt and practical techniques to deal with them, including use of EnCase with tools like Passware.
We can speculate on the impact of the discontinuation of TrueCrypt, and how it may dampen its use in the near term. However, that exercise is akin to asking "What color is the universe?" There's likely an opinion out there, but if you need to prove it, you'd be hard pressed to do so. What is more useful is sharing some info about the void that TrueCrypt may leave, and what tools are available if you depended on it to encrypt your evidence at rest or in transit. So let's get on to that…
Post-TrueCrypt Options
One way to ensure data is protected from the time it is collected to the time it reaches its intended destination is to collect that evidence in an encrypted format, so that it is never stored in cleartext.
TrueCrypt was able to accomplish this in a cost-effective manner: one could simply create an encrypted container, mount the container as a volume, and collect to that container. In this way, TrueCrypt was conceptually similar to other full-volume or container-based encryption products, made by companies like McAfee or WinMagic and sold for a fee.
Selecting new cryptography software to encrypt full volumes is certainly a valid strategy, and one that is likely compatible with existing collection procedures. Of course, one of the reasons for TrueCrypt's adoption was its actual cost: zero. Products with similar encryption technology usually have a cost associated with them.
Making use of self-encrypting drives (SEDs) is also an attractive, highly secure option. Guidance Software and WinMagic recently co-presented at CEIC 2014 on the topic of "The Forensics of Self-Encrypting Drives," and, no doubt, SEDs are here to stay. But even SEDs require distribution and management of new hardware, with capital and operational costs associated with management.
So, let's reiterate the original desire: "...collect that evidence in an encrypted format, so that it is never stored in cleartext."
I think a simple solution rises to the surface: use an evidence file format that supports strong encryption. The EnCase Evidence File Format Version 2 can help.
A few years back, Guidance Software published a whitepaper entitled EnCase Evidence File Format Version 2 (available for download, registration required). The EnCase Evidence File Format Version 2 specifies the format of files referred to as Ex01. The Ex01 format is available for anyone to understand and incorporate into their own libraries to read and write Ex01. A great example of this is the libewf project. Notably, libewf does not provide the ability to encrypt evidence, but EnCase can.
EnCase uses public-key cryptography, with strong AES 256-bit encryption, to protect both Ex01 (physical) and Lx01 (logical) evidence files. To assure the legitimacy of the encryption, EnCase undergoes rigorous testing by independent reviewers. At the time of this post, the EnCase Cryptographic Engine is "In Process" for FIPS 140-2 certification, and is expected to complete in 2014.
Investigators may generate public and private keys within any edition of EnCase, including EnCase Forensic Imager. Encrypted acquisition may occur on a physical full disk, or on a subset via a logical evidence file, locally or over the wire. The data stored at rest is assured to be encrypted with certified cryptography. EnCase Forensic Imager has the benefit of also being available at no cost.
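To make the encrypted-acquisition idea concrete (an investigator-generated keypair, AES-256 for the bulk data, and nothing ever written in cleartext), here is an added illustration in Go; it is not EnCase's code and not the Ex01 format, only the public-key-wrapped-data-key pattern the paragraphs above describe. The container layout, the function names, and the specific choice of RSA-OAEP plus AES-256-GCM are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// EncryptedEvidence is a constructed container (not the Ex01 format): the AES-256
// data key wrapped with the investigator's RSA public key, the GCM nonce, and the ciphertext.
type EncryptedEvidence struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Acquire reads the evidence source and emits only ciphertext: a fresh random 256-bit
// key encrypts the data with AES-256-GCM, and that key is wrapped under the public key
// (RSA-OAEP), so only the holder of the matching private key can unwrap it later.
func Acquire(src io.Reader, pub *rsa.PublicKey) (*EncryptedEvidence, error) {
	plain, err := io.ReadAll(src)
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 32+12) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, kn); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(kn[:32]) // key length is fixed, so NewCipher cannot fail here
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedEvidence{wrapped, kn[32:], gcm.Seal(nil, kn[32:], plain, nil)}, nil
}

// Open unwraps the data key with the private key, then authenticates and decrypts the
// data; a modified nonce, ciphertext or wrapped key, or the wrong private key, is rejected.
func Open(ev *EncryptedEvidence, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ev.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ev.Nonce, ev.Ciphertext, nil)
}
```

The point for a collection workflow is that the source bytes go through Acquire straight into ciphertext, so the only things that ever rest on the collection media are the wrapped key and the authenticated ciphertext.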
EnCase encrypted acquisition may not suit everyone's needs; it doesn't help you conceal your real data behind decoy data. But we do think it can help fill a gap left by TrueCrypt for evidence encryption.
What encryption alternatives are you looking into? Let us know in the comments, or reach out to us on Twitter @EnCase.