Detecting Hidden Encrypted Volumes

Abstract: Hidden encrypted volumes can cause problems in digital investigations since they provide criminal suspects with a range of opportunities for deceptive anti-forensics and a countermeasure to legislation written to force suspects to reveal decryption keys. This paper describes how hidden encrypted volumes can be detected, and their size estimated. The paper shows how multiple copies of an encrypted container can be obtained from a single disk image of Windows Vista and Windows 7 systems using the Volume Shadow Copy feature, and how the changes between shadow copies can be visualised to detect hidden volumes. The visualisation assists in the presentation of this information to a court, and exposes patterns of change which allow the size and file system of the hidden volume to be determined.
Document type:
Conference paper
Bart Decker; Ingrid Schaumüller-Bichl. 11th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security (CMS), May 2010, Linz, Austria. Springer, Lecture Notes in Computer Science, LNCS-6109, pp.233-244, 2010, Communications and Multimedia Security. 〈10.1007/978-3-642-13241-4_21〉

https://hal.inria.fr/hal-01056376
Contributor: Hal Ifip
Submitted on: Monday, 18 August 2014 - 18:09:54
Last modified on: Friday, 11 August 2017 - 15:29:43
Document(s) archived on: Thursday, 27 November 2014 - 05:32:50

File

cms2010_submission_32.pdf
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Christopher Hargreaves, Howard Chivers. Detecting Hidden Encrypted Volumes. Bart Decker; Ingrid Schaumüller-Bichl. 11th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security (CMS), May 2010, Linz, Austria. Springer, Lecture Notes in Computer Science, LNCS-6109, pp.233-244, 2010, Communications and Multimedia Security. 〈10.1007/978-3-642-13241-4_21〉. 〈hal-01056376〉

Metrics

Record views: 399

File downloads: 1071