Re: [PEN-TEST] Tool to find out if file is encrypted

[Brian Russo <brusso () PHYS HAWAII EDU>]

On Tue, Dec 05, 2000 at 06:48:35PM -0800, Crist Clark wrote:
> Brian Russo wrote:
> > On Tue, Dec 05, 2000 at 08:13:12AM +0100, Pawe? Krawczyk wrote:
> > > On Mon, Dec 04, 2000 at 09:38:05PM -0500, crazytrain.com wrote:
> > >
> > > > Someone posted recently about a tool to find if a file is encrypted?  I use
> > > > IsEncrypted
> > > > for just this job.  It's by AccessData.
> > >
> > > The kind of tools can in general work in two ways - either recognizing
> > > known encrypted file formats (OpenPGP, S/MIME etc.) or estimating
> > > the file's randomness. For the latter you have an utility in
> > > The Coroner's Toolkit by Dan Farmer and Wietse Venema. See
> > > http://www.porcupine.org/forensics/
> >
> > Another thing you can try is to compress the file, and see how it does.
> >
> > e.g.
> >
> >    4 -rw-r-----    1 brian    brian         465 Dec  5 15:28 foo
> >    4 -rw-r-----    1 brian    brian         847 Dec  5 15:30 foo.gpg
> >    4 -rw-r-----    1 brian    brian         878 Dec  5 15:30 foo.gpg.gz
> >
> > As you can see, the gpg'd (2048 ELG) file doesn't really compress at all,
> > actually gets a bit bigger due to some overhead, because this lossless
> > compression can't function well when the input is pretty random.
>
> Or it is a sign the data was already compressed. IIRC, gpg is going
> to compress by default before doing its encryption. Did you make sure
> to disable compression ('-z 0' I believe) when you did this test? What
> difference, if any, does it make? I'm curious.

You're right, thanks for pointing that out, I honestly didn't consider
that, but it doesn't make any difference..

syntax: gpg -z 0 -e foo
-rw-r-----    1 brian    brian         465 Dec  5 15:28 foo
-rw-r-----    1 brian    brian        1050 Dec  5 20:22 foo.gpg
-rw-r-----    1 brian    brian        1081 Dec  5 20:22 foo.gpg.gz

the filesizes are bigger.. because.. the plaintext wasn't compressed prior to
encryption, but as you see the result is the same.. "random" data just
*doesn't* compress.. as far as lossless compression goes

Of course someone could make ciphertext that was compressible.. anyway, I was
just pointing out that compressing something _may_ be useful as a tool of
determining if something is encrypted.

> > Granted, this doesn't tell you a lot about the input, but it's somewhat
> > unusual to have data that isn't encrypted, and has very high entropy
> >  - unless of course, it actually is just meaningless randomish garbage.
>
> This is obviously not true. Compressed data is neither "meaningless,
> randomish garbage" nor is it encrypted, but it does have a high entropy
> per byte (or some measure of data size).

Sorry for confusion on this one, since I had already noted compression above,
I didn't explicitly note it here, I thought it was sort of implied, but I
should have been explicit.

--
+-------------------------------------------------------------
| Brian Russo   <brusso () phys hawaii edu>   GPG ID: 54D81666
| 404E 87E8 DD0C 275B 742B  09AD 2243 839C 54D8 1666
| http://www.phys.hawaii.edu/~brusso/gpg_brian.asc