By Sarah Dean (sdean12@mailcity.com)
http://www.fortunecity.com/skyscraper/true/882/
Last updated: 24th January 2000
This program was written in response to the surprisingly large number of people that appeared to be renaming their On-The-Fly Encrypted (OTFE) volume files to have a ".DLL" (or any other) file extension, and placing them somewhere under the Windows directory, or elsewhere. This is a trivial method some people use to attempt to fool potential attackers into believing that files renamed as such are system files, and do not hold encrypted data.
IMHO, this reliance on "security by obscurity" does have some use when the data being encrypted is only to be secured against someone who is not computer literate. Otherwise, this is not a sensible idea.
The objective of this program is to demonstrate how easy it can be to scan a computer for OTFE volume files, in much the same way that a virus scanner can be used to scan for viruses.
Your attention is drawn to the fact that this software was written in about 10 minutes (half of which was spent writing this "readme" file!), and that any serious attacker would inevitably spend a great deal more time and effort than this to identify "suspicious"/"interesting" files on a target system.
Skipped files are any files that were not checked (normally due to the program being unable to open them for reading, for whatever reason).
"Suspicious" files are any files that fulfil one of the following criteria:
Obviously this list could be extended, but this short list serves for demonstration purposes.
Any other file over 30MB (volume files are typically pretty big) is identified as having a suspicious filesize.
This version of the finder will not detect volume files belonging to any OTFE system that is not currently installed. This is purely because the OTFE components I have written were designed such that they would only function if the corresponding OTFE system is installed. In practice this limitation could easily be removed, I just couldn't be bothered to do this myself... (This program is only intended to demonstrate the principle)
False positives. The method of identifying volume files is fairly simple, and relies on detecting the "signature" placed within volume files by the encryption/decryption software. As such it is quite possible that a few "false positives" will slip in (especially when you consider the criteria for determining "suspicious" files, see above). It would not be particularly difficult to modify this program such that the list of files it currently generates would have further analysis performed to determine (among other things) the amount of entropy the file has, which would dramatically reduce the number of false positives.
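As an added illustration (not the original utility, which was built from the Delphi components described below), the following Python sketch combines the three ideas from this readme: a header "signature" check, the 30MB size rule, and the entropy test suggested above for cutting down false positives. The signature bytes are a constructed placeholder, since the real per-product signatures are not given here.

```python
import math
import os
from collections import Counter
from typing import Dict, Optional

# Constructed placeholder standing in for the header signature an OTFE package
# writes into its volume files; the real signatures are not listed in this readme.
KNOWN_SIGNATURES = {b"OTFEVOL1": "example-otfe"}

SIZE_THRESHOLD = 30 * 1024 * 1024   # 30MB: the readme's "suspicious filesize" cut-off
ENTROPY_THRESHOLD = 7.9             # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(header: bytes, size: int) -> Optional[str]:
    """Return why a file is interesting, or None if it looks unremarkable.

    header: the first few KB of the file; size: its total length in bytes.
    A signature hit is reported first. Otherwise the size rule applies, but
    only when the sampled bytes also look like ciphertext, which is the
    entropy check the readme proposes for reducing false positives.
    """
    for sig, name in KNOWN_SIGNATURES.items():
        if header.startswith(sig):
            return f"signature:{name}"
    if size > SIZE_THRESHOLD and shannon_entropy(header) >= ENTROPY_THRESHOLD:
        return "suspicious:large-high-entropy"
    return None


def scan_tree(root: str, sample: int = 4096) -> Dict[str, str]:
    """Walk a directory tree and return {path: reason}; unreadable files are skipped."""
    hits: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # a "skipped" file, in the readme's terminology
            reason = classify(head, size)
            if reason:
                hits[path] = reason
    return hits
```

A large compressed archive will also pass the entropy test, so the output is still a candidate list for further review rather than a verdict.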
Partitions are not checked to see if they hold encrypted data, although it would not be too difficult to write a piece of software that could do this.
Volume files scanned for are: BestCrypt, E4M and PGPDisk. Any ScramDisk volume files, or volume files created by other similar systems, will probably be detected as "suspicious".
In order to compile your own copy of this utility, you will need to have the "SDeanComponents" Delphi packages installed.
These can be obtained from: http://www.fortunecity.com/skyscraper/true/882/
The only other software that I am aware of that can detect OTFE volume files is "IsEncrypted" from AccessData. Apparently it can search your HDDs for encrypted data, although when I tested it, the only OTFE volume files it could detect were PGPDisk volumes.
IsEncrypted can be downloaded direct from isencryp.exe
Email me at: sdean12@mailcity.com