Role of Computer Forensics in Encrypted File Recovery
A Backup Article Contributed by Sumedh Shanbhag
Role of Computer Forensics in Cryptology.
Cryptology has a decisive role to play in the successful rendition of computer forensics. Cryptography, more precisely steganography, is the use of techniques and methods to cover the actual message to be conveyed. The opposite of this is cryptanalysis, which consists of breaking or solving such codes. Cryptology encompasses both these methods and is thus an entire science altogether.
This article discusses the recovery of such encrypted files. A file is encrypted to protect its content. Encryption consists of converting data into codes which are difficult for a lay person to read or understand. Such data may then require passwords or other such "keys" to unlock their meaning. Decryption of encrypted files is one of the procedures used by computer forensic analysts.
Computer Forensics Rules for Encrypted File Recovery.
Computer forensic analysts must follow certain rules when deciphering encrypted files. These rules are as follows:
1) The methods used must be foolproof.
2) The key should be easily comprehended and should be changeable.
3) The encrypted evidence and/or the decrypted solution should be electronically transferable.
4) The apparatus used for deciphering the encrypted code must be portable and operable.
5) Methods used should not be too complicated.
Methods Used in Computer Forensics Decryption
Computer forensic analysts use a number of different methods during decryption. However, an analyst may not stick to one method all the time. In some cases, one method may solve the case, while in others a combination of two or more methods may be required to crack the code. The skill of the computer forensic analyst lies in detecting which methods to use. The methods used are as follows:
1) Caesar Cipher: Substituting each letter of the alphabet for the letter which is three positions away.
e.g. A=D, B=E, C=F and so on. Thus the word "KHOOR" may be deciphered as "HELLO".
2) Mono-alphabetic Substitution Cipher: This method uses "frequency analysis". It consists of arranging the letters of the alphabet in order of how frequently they are used. Then the number corresponding to each letter is used as the code. For instance, 1=E, 2=T, 3=A and so on. Thus the numbers "8, 1, 11, 11, 4" stand for the letters "H, E, L, L, O".
There are also other methods used, such as the poly-alphabetic cipher, traffic analysis and the one-time pad cipher.
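As an added example that is not part of the original article, the following Python implements both methods above: Caesar decryption with the known shift of 3, automatic recovery of an unknown shift by scoring every candidate plaintext against English letter frequencies (the frequency analysis the article describes), and the article's frequency-rank code (1=E, 2=T, 3=A, ...). The frequency table and the sample sentence are constructed assumptions.

```python
"""Caesar decryption, shift recovery by frequency scoring, and the
1=E, 2=T, 3=A rank code. Frequency table and sample text are constructed."""
import math
import string

ALPHABET = string.ascii_uppercase
# Assumed approximate English letter frequencies, in percent.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.10, "Z": 0.07,
}
# The same table as a most-common-first ordering: position 1 is E,
# position 2 is T, position 3 is A, exactly as the article numbers them.
RANK_ORDER = sorted(ENGLISH_FREQ, key=ENGLISH_FREQ.get, reverse=True)


def caesar_shift(text, shift):
    """Shift every letter by `shift` positions; a negative shift decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def english_score(text):
    """Log-likelihood of the letters in `text` under the frequency table."""
    return sum(math.log(ENGLISH_FREQ[c]) for c in text if c in ENGLISH_FREQ)


def recover_caesar_shift(ciphertext):
    """Try all 26 shifts and return the one whose plaintext looks most
    like English, i.e. frequency analysis standing in for a known key."""
    return max(range(26),
               key=lambda k: english_score(caesar_shift(ciphertext, -k)))


def decode_frequency_ranks(ranks):
    """Map 1-based frequency ranks (1=E, 2=T, 3=A, ...) back to letters."""
    return "".join(RANK_ORDER[r - 1] for r in ranks)


if __name__ == "__main__":
    print(caesar_shift("KHOOR", -3))  # the article's example, decrypted
    sample = "THE EVIDENCE FILE WAS RECOVERED FROM THE SEIZED LAPTOP"
    ct = caesar_shift(sample, 3)      # constructed ciphertext, key unknown
    k = recover_caesar_shift(ct)
    print(k, caesar_shift(ct, -k))
    print(decode_frequency_ranks([8, 1, 11, 11, 4]))
```

Frequency scoring is reliable on a sentence or more of text; on a five-letter word such as "KHOOR" it still picks the right shift with this table, but only by a narrow margin, which is why the article stresses the analyst's judgement in choosing methods.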
Computer forensic analysts, through experience, can detect a particular pattern running through the encrypted codes. In such cases, even a small distortion can reveal a lot.
Cryptography consists of the creation of "keys" by the cryptographers, which are used to unlock the secret code. Thus two different cryptographers may use a common key, which becomes a "public key". However, if one of the cryptographers uses the common key as a base to develop a distinct key for himself, this new key then becomes a "private key" for him.
The skill of the computer forensic analyst lies in cracking the public key, which can then serve as a yardstick to crack the private key, which in turn enables the analysis process to commence. However, it may be said, in conclusion, that the analyst may have to crack a number of public keys to arrive at a private key if the cryptographer has referred to a number of public keys and used them as a base.