Penetration Testing mailing list archives

Re: [PEN-TEST] Tool to find out if file is encrypted


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 5 Dec 2000 18:48:35 -0800

Brian Russo wrote:

On Tue, Dec 05, 2000 at 08:13:12AM +0100, Paweł Krawczyk wrote:
On Mon, Dec 04, 2000 at 09:38:05PM -0500, crazytrain.com wrote:

Someone posted recently about a tool to find if a file is encrypted?  I use
IsEncrypted for just this job.  It's by AccessData.

These kinds of tools can in general work in two ways - either recognizing
known encrypted file formats (OpenPGP, S/MIME etc.) or estimating
the file's randomness. For the latter you have a utility in
The Coroner's Toolkit by Dan Farmer and Wietse Venema. See
http://www.porcupine.org/forensics/

Another thing you can try is to compress the file, and see how it does.

e.g.

   4 -rw-r-----    1 brian    brian         465 Dec  5 15:28 foo
   4 -rw-r-----    1 brian    brian         847 Dec  5 15:30 foo.gpg
   4 -rw-r-----    1 brian    brian         878 Dec  5 15:30 foo.gpg.gz

As you can see, the gpg'd (2048 ELG) file doesn't really compress at all,
actually gets a bit bigger due to some overhead, because this lossless
compression can't function well when the input is pretty random.

Or it is a sign the data was already compressed. IIRC, gpg is going
to compress by default before doing its encryption. Did you make sure
to disable compression ('-z 0' I believe) when you did this test? What
difference, if any, does it make? I'm curious.

Granted, this doesn't tell you a lot about the input, but it's somewhat
unusual to have data that isn't encrypted, and has very high entropy -
unless of course, it actually is just meaningless randomish garbage.

This is obviously not true. Compressed data is neither "meaningless,
randomish garbage" nor is it encrypted, but it does have a high entropy
per byte (or some measure of data size).
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
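The following script is an added example that is not part of this thread and is not code from AccessData, The Coroner's Toolkit, or any of the posters. It implements both of the approaches Paweł describes (recognising a known format by its header, then falling back to a per-byte entropy estimate), adds the compression check Brian ran, and constructs samples that make Crist's point concrete: a header-less deflate stream and random bytes score the same on both statistical tests. Everything is assumed or constructed: the thresholds 7.5 bits/byte and 0.95 are chosen values, no gpg is invoked (a seeded PRNG stands in for `gpg -z 0` output, and a hand-built `0x85 0x01 0x0c 0x03` header stands in for a real Public-Key Encrypted Session Key packet), and the OpenPGP check is a deliberately narrow parse of an old-format RFC 4880 packet header.

```python
import gzip
import math
import random
import zlib

# ---- Approach 1: recognise known formats by their headers --------------------
GZIP_MAGIC = b"\x1f\x8b"
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def looks_like_openpgp(data: bytes) -> bool:
    """Narrow RFC 4880 check (assumption: old-format packet header only).
    An encrypted binary message opens with a Public-Key Encrypted Session Key
    packet (tag 1, body version 3) or a Symmetric-Key one (tag 3, version 4)."""
    if len(data) < 3 or not data[0] & 0x80 or data[0] & 0x40:
        return False                                    # bit 7 set, bit 6 clear
    tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
    if length_type == 3:                                # indeterminate length
        return False
    hdr = 1 + (1, 2, 4)[length_type]                    # header size in bytes
    if len(data) < hdr + 1:
        return False
    body_len = int.from_bytes(data[1:hdr], "big")
    version = data[hdr]
    return hdr + body_len <= len(data) and (tag, version) in ((1, 3), (3, 4))


def known_format(data: bytes):
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(PGP_ARMOR) or looks_like_openpgp(data):
        return "openpgp"
    return None


# ---- Approach 2: estimate randomness, plus the "try to compress it" test -----
def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the empirical byte histogram, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """zlib level-9 output size over input size; around 1.0 or above means the
    data will not compress (the effect Brian saw with foo.gpg.gz)."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes, entropy_floor: float = 7.5, ratio_floor: float = 0.95) -> str:
    fmt = known_format(data)
    if fmt:
        return f"known-format:{fmt}"
    if shannon_entropy(data) >= entropy_floor and compression_ratio(data) >= ratio_floor:
        # Statistics alone cannot tell ciphertext from already-compressed data.
        return "high-entropy:encrypted-or-compressed"
    return "low-entropy:plaintext-or-structured"


# ---- Constructed samples (not files from the thread) -------------------------
def build_samples() -> dict:
    rng = random.Random(2000)                           # fixed seed: repeatable
    vocab = "the quick brown fox jumps over lazy dog packet tunnel audit entropy cipher key".split()
    plaintext = " ".join(rng.choice(vocab) for _ in range(12000)).encode()
    raw = zlib.compressobj(9, zlib.DEFLATED, -15)       # raw deflate: no header to spot
    deflated = raw.compress(plaintext) + raw.flush()
    pseudo_ct = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in for gpg -z 0
    return {
        "plaintext": plaintext,
        "gzip": gzip.compress(plaintext),               # recognisable by magic bytes
        "deflate_no_header": deflated,                  # compressed, but header-less
        "ciphertext": pseudo_ct,
        "pgp_binary": b"\x85\x01\x0c\x03" + bytes(rng.getrandbits(8) for _ in range(300)),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:18s} H={shannon_entropy(blob):.2f} bits/byte "
              f"ratio={compression_ratio(blob):.2f} -> {classify(blob)}")
```

The header check runs first precisely because, as Crist notes, gpg compresses before encrypting by default: a real `foo.gpg` is both compressed and encrypted, and only the packet header tells you which. Without a recognisable header, the entropy and compression figures for `deflate_no_header` and `ciphertext` are indistinguishable, so a high score should be reported as "encrypted or compressed", not as proof of encryption.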