Security Basics mailing list archives

RE: Judge orders defendant to decrypt PGP-protected laptop - CNET News


From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Wed, 25 Mar 2009 08:45:07 +1100

In response to:
"You are taking assumption that this "random data" are evidence."

Actually, this is not the case. Random data is not the natural state of data on a hard drive. Next, an overwrite can be 
determined to a point in time if you continue to use the drive. Entropy calculations on random data can often 
distinguish random data from encryption, as the /dev/urandom process has a lower entropy than is found on good 
encryption. 

The standard error from a two sample comparison of the bitwise entropy values will commonly display statistically 
significant variances when comparing encryption and a pseudo random generator on most PCs as long as there is a 
sufficient amount of data. In the case of whole disk encryption, there is generally more than sufficient data.

This provides sufficient evidence for presentation in a court.

Next, BIOS markers, ATA data, etc. will be available. Overwriting a drive takes time and will miss the HPA on the 
drive. From this you can demonstrate that a drive was booted, mounted or otherwise used. If the drive was used, you 
have evidence that it was not simply random data.

If you are talking SD and memory cards, there is always data. You cannot access the entire card when you mount it. 
There are sections of the chips that are isolated. 

Stego is distinguishable from random data. Next, few systems use enough randomness to actually make the /dev/urandom 
process as random as you are asserting.

I love it when people who have never studied law start trying to state how it should be...

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd
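The post describes comparing bitwise entropy between two samples and looking at the standard error of the difference. The script below is an added illustration of that computation, not code from the poster or the list: it slices two byte strings into blocks, takes the Shannon entropy of each block as one observation, and reports the Welch standard error and z-score of the difference in means. The inputs are constructed (repeated English text versus OS CSPRNG output), and the function names are my own.

```python
import math
import os
from typing import List, Tuple

BLOCK = 512  # bytes per block; each block yields one entropy observation


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of one block in bits per byte (0.0 .. 8.0)."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def block_entropies(data: bytes, block: int = BLOCK) -> List[float]:
    """One entropy observation per full block; a partial tail is ignored."""
    return [shannon_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]


def two_sample_z(a: List[float], b: List[float]) -> Tuple[float, float]:
    """Return (mean(a) - mean(b), z) where z uses the Welch standard error."""
    def mean_var(x: List[float]) -> Tuple[float, float]:
        m = sum(x) / len(x)
        return m, sum((v - m) ** 2 for v in x) / (len(x) - 1)
    ma, va = mean_var(a)
    mb, vb = mean_var(b)
    se = math.sqrt(va / len(a) + vb / len(b))
    diff = ma - mb
    return diff, (diff / se if se > 0 else math.copysign(math.inf, diff))


# Constructed sample inputs (not taken from any real disk image).
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 400
RANDOM_SAMPLE = os.urandom(len(TEXT_SAMPLE))


def compare(sample_a: bytes, sample_b: bytes) -> dict:
    """Summarise the two-sample entropy comparison for two byte strings."""
    ea, eb = block_entropies(sample_a), block_entropies(sample_b)
    diff, z = two_sample_z(ea, eb)
    return {"mean_a": sum(ea) / len(ea), "mean_b": sum(eb) / len(eb),
            "blocks": (len(ea), len(eb)), "diff": diff, "z": z}


if __name__ == "__main__":
    print(compare(TEXT_SAMPLE, RANDOM_SAMPLE))
```

A large |z| only says the two samples differ in block entropy; whether two particular high-entropy sources (a given generator versus a given cipher) separate at all depends on the sample size and the sources themselves, which the script leaves to the reader's own data.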


