TY - GEN
T1 - Forensic Entropy Analysis of Microsoft Windows Storage Volumes
AU - Weston, Peter
AU - Wolthusen, Stephen D.
N1 - A revised and expanded version of this paper was published in 2014 in the SAIEE Africa Research Journal
PY - 2013
Y1 - 2013
N2 - The use of file or volume encryption as a counter-forensic technique, particularly when combined with stegano-graphic mechanisms, depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is hence highly desirable for forensic investigations, particularly if an automated heuristic can be devised. Similarly, forensic analysts must be able to identify whether a volume has been sanitised by re-installation and subsequent re-population with user data as otherwise significant information such as slack space contents and files of interest will be unavailable. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics based on knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly, using the same mechanisms, we verified the hypothesis that the aging through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained allow the rapid identification of several volume-level operations including copying and wiping, but also to detect anomalous slack space entropy indicative of the use of encryption techniques. Similarly, entropy and randomness tests have been devised which provide heuristics for the differentiation of encrypted data from other high-entropy data such as compressed media data.
AB - The use of file or volume encryption as a counter-forensic technique, particularly when combined with stegano-graphic mechanisms, depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is hence highly desirable for forensic investigations, particularly if an automated heuristic can be devised. Similarly, forensic analysts must be able to identify whether a volume has been sanitised by re-installation and subsequent re-population with user data as otherwise significant information such as slack space contents and files of interest will be unavailable. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics based on knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly, using the same mechanisms, we verified the hypothesis that the aging through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained allow the rapid identification of several volume-level operations including copying and wiping, but also to detect anomalous slack space entropy indicative of the use of encryption techniques. Similarly, entropy and randomness tests have been devised which provide heuristics for the differentiation of encrypted data from other high-entropy data such as compressed media data.
U2 - 10.1109/ISSA.2013.6641056
DO - 10.1109/ISSA.2013.6641056
M3 - Conference contribution
SP - 1
EP - 8
BT - Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013)
PB - IEEE Computer Society Press
ER -