Abstract
The use of file or volume encryption as a counter-forensic technique depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is highly desirable for forensic investigations. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics using knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several
versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly we verified the hypothesis that the ageing through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained and tests devised allow the rapid identification of several volume-level operations and also
detect anomalous slack space entropy indicative of the use of encryption techniques.
versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly we verified the hypothesis that the ageing through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained and tests devised allow the rapid identification of several volume-level operations and also
detect anomalous slack space entropy indicative of the use of encryption techniques.
| Original language | English |
|---|---|
| Pages (from-to) | 21 |
| Number of pages | 28 |
| Journal | SAIEE Africa Research Journal |
| Volume | 105 |
| Issue number | 2 |
| Publication status | Published - 2014 |