Forensic Entropy Analysis of Microsoft Windows Storage Volumes. / Weston, Peter; Wolthusen, Stephen D.

Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013). IEEE Computer Society Press, 2013. p. 1-8.

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Published

Harvard

Weston, P & Wolthusen, SD 2013, Forensic Entropy Analysis of Microsoft Windows Storage Volumes. in Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013). IEEE Computer Society Press, pp. 1-8. https://doi.org/10.1109/ISSA.2013.6641056

APA

Weston, P., & Wolthusen, S. D. (2013). Forensic Entropy Analysis of Microsoft Windows Storage Volumes. In Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013) (pp. 1-8). IEEE Computer Society Press. https://doi.org/10.1109/ISSA.2013.6641056

Vancouver

Weston P, Wolthusen SD. Forensic Entropy Analysis of Microsoft Windows Storage Volumes. In Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013). IEEE Computer Society Press. 2013. p. 1-8. https://doi.org/10.1109/ISSA.2013.6641056

Author

Weston, Peter ; Wolthusen, Stephen D. / Forensic Entropy Analysis of Microsoft Windows Storage Volumes. Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013). IEEE Computer Society Press, 2013. pp. 1-8

BibTeX

@inproceedings{7f8b4077c9f345b584df0668c9ebd036,
title = "Forensic Entropy Analysis of Microsoft Windows Storage Volumes",
abstract = "The use of file or volume encryption as a counter-forensic technique, particularly when combined with steganographic mechanisms, depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is hence highly desirable for forensic investigations, particularly if an automated heuristic can be devised. Similarly, forensic analysts must be able to identify whether a volume has been sanitised by re-installation and subsequent re-population with user data, as otherwise significant information such as slack space contents and files of interest will be unavailable. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics based on knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly, using the same mechanisms, we verified the hypothesis that the aging through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained allow the rapid identification of several volume-level operations including copying and wiping, but also the detection of anomalous slack space entropy indicative of the use of encryption techniques. Similarly, entropy and randomness tests have been devised which provide heuristics for the differentiation of encrypted data from other high-entropy data such as compressed media data.",
author = "Peter Weston and Wolthusen, {Stephen D.}",
note = "A revised and expanded version of this paper was published in 2014 in the SAIEE Africa Research Journal",
year = "2013",
doi = "10.1109/ISSA.2013.6641056",
language = "English",
pages = "1--8",
booktitle = "Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013)",
publisher = "IEEE Computer Society Press",
}

RIS

TY  - GEN
T1  - Forensic Entropy Analysis of Microsoft Windows Storage Volumes
AU  - Weston, Peter
AU  - Wolthusen, Stephen D.
N1  - A revised and expanded version of this paper was published in 2014 in the SAIEE Africa Research Journal
PY  - 2013
Y1  - 2013
N2  - The use of file or volume encryption as a counter-forensic technique, particularly when combined with steganographic mechanisms, depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is hence highly desirable for forensic investigations, particularly if an automated heuristic can be devised. Similarly, forensic analysts must be able to identify whether a volume has been sanitised by re-installation and subsequent re-population with user data, as otherwise significant information such as slack space contents and files of interest will be unavailable. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics based on knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly, using the same mechanisms, we verified the hypothesis that the aging through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained allow the rapid identification of several volume-level operations including copying and wiping, but also the detection of anomalous slack space entropy indicative of the use of encryption techniques. Similarly, entropy and randomness tests have been devised which provide heuristics for the differentiation of encrypted data from other high-entropy data such as compressed media data.
AB  - The use of file or volume encryption as a counter-forensic technique, particularly when combined with steganographic mechanisms, depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is hence highly desirable for forensic investigations, particularly if an automated heuristic can be devised. Similarly, forensic analysts must be able to identify whether a volume has been sanitised by re-installation and subsequent re-population with user data, as otherwise significant information such as slack space contents and files of interest will be unavailable. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics based on knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly, using the same mechanisms, we verified the hypothesis that the aging through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained allow the rapid identification of several volume-level operations including copying and wiping, but also the detection of anomalous slack space entropy indicative of the use of encryption techniques. Similarly, entropy and randomness tests have been devised which provide heuristics for the differentiation of encrypted data from other high-entropy data such as compressed media data.
U2  - 10.1109/ISSA.2013.6641056
DO  - 10.1109/ISSA.2013.6641056
M3  - Conference contribution
SP  - 1
EP  - 8
BT  - Proceedings of the 2013 Information Security South Africa Conference (ISSA 2013)
PB  - IEEE Computer Society Press
ER  -