File Format Specific and Statistical Encryption Tests

WinHex & X-Ways

Part of volume snapshot refinement.

A forensic license allows you to optionally perform file format specific and statistical encryption tests. With an entropy test, each existing file larger than 255 bytes is checked to determine whether it is fully encrypted. If the test is positive (the entropy exceeds a certain threshold), the file is flagged with "e?" in the attribute column to indicate that it might deserve special attention. Typical example: encrypted container files, which can be mounted as drive letters by encryption programs like TrueCrypt, PGP Desktop, BestCrypt, or DriveCrypt. The entropy test is not applied to ZIP, RAR, TAR, GZ, BZ, 7Z, ARJ, CAB, JPG, PNG, GIF, TIF, MPG, and SWF files, which are well known to be compressed internally and therefore almost indistinguishable from random or encrypted data. This test is not needed to detect that files are encrypted at the NTFS file system level or inside archives.

Secondly, documents with the extensions/types .doc (MS Word 4...2003), .xls (MS Excel 2...2003), .ppt, .pps (MS PowerPoint 97-2003), .mpp (MS Project 98-2003), .pst (MS Outlook), .docx (MS Word 2007...2010), .xlsx (MS Excel 2007...2010), .pptx, .ppsx (MS PowerPoint 2007-2010), .odt (OpenOffice2 Writer), .ods (OpenOffice2 Calc) and .pdf (Adobe Acrobat) are checked for file format specific encryption, and MS Office documents also for digital rights management (DRM) protection. If positive, these files are flagged with "e!" in the attribute column. This check requires that the separate viewer component is active.
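The following Python script is an added illustration of the two tests described above; it is not X-Ways or WinHex code and does not reproduce their internals. The "e?" and "e!" flags, the 255-byte minimum and the list of internally compressed extensions come from the text. The entropy threshold of 7.9 bits per byte is an assumption, because the text only says "a certain threshold", and the two format-specific checks (an /Encrypt entry in a PDF, and an OOXML document that is wrapped in an OLE compound file instead of a ZIP, which is how password-protected and IRM-protected Office 2007+ files are stored) are simplified heuristics chosen for the example, not the product's method. All sample inputs are constructed inline.

```python
import math
import random
from collections import Counter

# Extensions the text names as compressed internally; the entropy test skips them.
COMPRESSED_EXTS = {"zip", "rar", "tar", "gz", "bz", "7z", "arj", "cab",
                   "jpg", "png", "gif", "tif", "mpg", "swf"}
MIN_SIZE = 256             # only files larger than 255 bytes are tested
ENTROPY_THRESHOLD = 7.9    # ASSUMPTION: the text does not give the real value

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # plain OOXML is a ZIP
OOXML_EXTS = {"docx", "xlsx", "pptx", "ppsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def entropy_flag(name: str, data: bytes) -> str:
    """Statistical test: 'e?' when a non-compressed file > 255 bytes looks fully encrypted."""
    if len(data) < MIN_SIZE or extension(name) in COMPRESSED_EXTS:
        return ""
    return "e?" if shannon_entropy(data) > ENTROPY_THRESHOLD else ""


def format_flag(name: str, data: bytes) -> str:
    """Format-specific test (heuristic): 'e!' for an encrypted PDF or a wrapped OOXML file."""
    ext = extension(name)
    if ext == "pdf":
        # Encrypted PDFs reference their encryption dictionary via /Encrypt in the trailer.
        return "e!" if b"/Encrypt" in data else ""
    if ext in OOXML_EXTS:
        # Password- or IRM-protected OOXML is stored inside an OLE container, not a ZIP.
        return "e!" if data.startswith(OLE_MAGIC) else ""
    return ""


def classify(name: str, data: bytes) -> list:
    """Combine both tests into the attribute flags a reviewer would see."""
    return [f for f in (entropy_flag(name, data), format_flag(name, data)) if f]


# Constructed sample inputs (not real evidence files).
SAMPLE_CONTAINER = random.Random(2024).randbytes(65536)       # stands in for a TrueCrypt-style volume
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 20
SAMPLE_ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                        b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\nstartxref\n9\n%%EOF\n")
SAMPLE_PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
SAMPLE_PROTECTED_DOCX = OLE_MAGIC + b"\x00" * 600
SAMPLE_PLAIN_DOCX = ZIP_MAGIC + b"\x00" * 600

if __name__ == "__main__":
    for fname, blob in [("volume.tc", SAMPLE_CONTAINER), ("notes.txt", SAMPLE_TEXT),
                        ("photo.jpg", SAMPLE_CONTAINER), ("report.pdf", SAMPLE_ENCRYPTED_PDF),
                        ("letter.docx", SAMPLE_PROTECTED_DOCX)]:
        print(f"{fname:12s} entropy={shannon_entropy(blob):.3f} flags={classify(fname, blob)}")
```

Note that the same random-looking buffer is flagged under the name volume.tc but not under photo.jpg: the exclusion list is what keeps internally compressed formats from flooding the attribute column with "e?", at the cost of missing an encrypted file that has been renamed to .jpg. That is why the format-specific "e!" test and the NTFS/eCryptfs "E" marker exist as separate signals.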

Additionally, the encryption test can detect eCryptfs-encrypted files (files stored by the Enterprise Cryptographic File System for Linux), with a test that is based on the eCryptfs implementations for Ubuntu 8.10, 9.04, 9.10 and 10.04. Such files will be marked with "E" in the Attributes column, just like EFS-encrypted files in NTFS.