Netinfo Security ›› 2014, Vol. 14 ›› Issue (9): 220-222. doi: 10.3969/j.issn.1671-1122.2014.09.052

• Selected Papers •

Fast Detection Technology for TrueCrypt Encrypted Containers

沈长达, 尤俊生, 钱镜洁   

  1. Xiamen Meiya Pico Information Co., Ltd., Xiamen, Fujian 361008, China
  • Received: 2014-08-06 Published online: 2014-09-01
  • About the authors: SHEN Chang-da (b. 1989), male, Fujian, engineer, bachelor's degree; main research interests: file-system parsing and data recovery. YOU Jun-sheng (b. 1957), male, Fujian, engineer, master's degree; main research interest: digital forensics. QIAN Jing-jie (b. 1984), female, Jiangsu, engineer, master's degree; main research interests: data storage and recovery.

TrueCrypt Container Fast Detection Technology

SHEN Chang-da, YOU Jun-sheng, QIAN Jing-jie   

  1. Xiamen Meiya Pico Information Co., Ltd., Xiamen, Fujian 361008, China
  • Received: 2014-08-06 Online: 2014-09-01

Abstract (translated): TrueCrypt, one of the more popular free open-source encryption programs today, is widely used across platforms. During a forensic examination it is frequently necessary to detect encrypted files on a disk so that they can be decrypted and analysed further, but because a TrueCrypt encrypted container carries no signature, structure or other distinguishing feature before it is decrypted, detecting TrueCrypt containers has become a difficult point in forensic work. At present there is no precise detection method for TrueCrypt containers; existing techniques rely mainly on signature exclusion combined with file-size information. Building on the existing techniques and combining them with the chi-square test and the theory of information entropy, this paper proposes a fast detection technique for TrueCrypt encrypted containers. The technique not only detects encrypted containers quickly but also achieves higher detection accuracy than existing methods.

Keywords (translated): file signature, sector size, chi-square test, significance level, information entropy

Abstract: TrueCrypt, one of the most popular free open-source encryption programs, has been widely applied on different platforms. The forensic process often needs to detect encrypted files for further decryption and analysis, but a TrueCrypt container has no signature or structure, so detecting TrueCrypt containers is difficult. There is no accurate detection method for TrueCrypt container files; the available technique is signature exclusion combined with a file-size limit. In this paper, on the basis of the existing detection technique and combined with the chi-square test and information entropy theory, we propose a fast TrueCrypt container detection technique. This method not only detects TrueCrypt containers quickly but also achieves higher precision than the existing detection methods.

Key words: file signature, sector size, chi-square, significance level, information entropy
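The abstract names four checks (signature exclusion, a file size that is a whole number of sectors, a chi-square test of the byte distribution against uniformity at a chosen significance level, and Shannon entropy) but gives no code. The following is an added example, not the authors' implementation: a self-contained Python triage routine that applies those checks in order to a byte buffer. The small signature table, the 512-byte sector size, the significance level of 0.05, the 7.9 bits/byte entropy floor and the sample inputs are all assumptions constructed for illustration; the chi-square critical value is computed with the Wilson-Hilferty approximation rather than read from a table, so no statistics library is required.

```python
"""Added example: heuristic triage of a buffer as a possible TrueCrypt-style
encrypted container. Thresholds and signature table are assumptions."""
import math
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512          # a volume is a whole number of sectors (assumed 512)
MIN_SAMPLES_PER_BIN = 5    # chi-square rule of thumb: >= 5 expected per bin

# Constructed exclusion table of a few well-known magic values. A file that
# starts with a recognised header has plaintext structure, which a container
# that is ciphertext from the first byte never has.
KNOWN_SIGNATURES = {
    b"MZ": "PE/DOS executable", b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document", b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image", b"\x7fELF": "ELF executable",
}
Z_QUANTILES = {0.05: 1.6449, 0.01: 2.3263}   # standard-normal upper quantiles


def chi_square_critical(df: int, alpha: float) -> float:
    """Upper critical value of chi-square(df) via the Wilson-Hilferty
    approximation (within a fraction of a percent of tables for df = 255)."""
    h = 2.0 / (9.0 * df)
    return df * (1.0 - h + Z_QUANTILES[alpha] * math.sqrt(h)) ** 3


def byte_histogram(data: bytes) -> List[int]:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def chi_square_statistic(data: bytes) -> float:
    """Chi-square of the byte histogram against uniform (n/256 per value)."""
    expected = len(data) / 256.0
    return sum((c - expected) ** 2 / expected for c in byte_histogram(data))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data) if c)


def matched_signature(data: bytes) -> Optional[str]:
    for magic, name in KNOWN_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


@dataclass
class Verdict:
    candidate: bool      # True only if every exclusion check is passed
    reason: str
    chi_square: float
    entropy: float


def classify(data: bytes, alpha: float = 0.05, min_entropy: float = 7.9) -> Verdict:
    """Apply the checks cheapest first; the first failure excludes the file."""
    n = len(data)
    chi2 = chi_square_statistic(data) if n else float("inf")
    ent = shannon_entropy(data) if n else 0.0
    if n == 0 or n % SECTOR_SIZE != 0:
        return Verdict(False, "size is not a multiple of the sector size", chi2, ent)
    sig = matched_signature(data)
    if sig is not None:
        return Verdict(False, f"known signature: {sig}", chi2, ent)
    if n < 256 * MIN_SAMPLES_PER_BIN:
        return Verdict(False, "too small for a meaningful chi-square test", chi2, ent)
    critical = chi_square_critical(255, alpha)
    if chi2 > critical:   # uniformity rejected at significance level alpha
        return Verdict(False, f"chi-square {chi2:.1f} exceeds critical {critical:.1f}", chi2, ent)
    if ent < min_entropy:
        return Verdict(False, f"entropy {ent:.3f} bits/byte below {min_entropy}", chi2, ent)
    return Verdict(True, "sector-aligned, no signature, uniform high-entropy bytes", chi2, ent)


# Constructed sample inputs (not real files): an idealised uniform buffer that
# stands in for ciphertext, ASCII text, a PDF header, and a non-aligned size.
SAMPLE_UNIFORM = bytes(range(256)) * 64                                   # 16384 bytes
SAMPLE_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
SAMPLE_PDF = (b"%PDF-1.4\n" + bytes(range(256)) * 4).ljust(1536, b"\x00")
SAMPLE_ODD = bytes(range(256)) * 2 + b"\x00"                              # 513 bytes

if __name__ == "__main__":
    for name, blob in [("uniform", SAMPLE_UNIFORM), ("text", SAMPLE_TEXT),
                       ("pdf", SAMPLE_PDF), ("odd", SAMPLE_ODD)]:
        v = classify(blob)
        print(f"{name:8s} candidate={v.candidate!s:5s} chi2={v.chi_square:9.1f} "
              f"H={v.entropy:.3f}  {v.reason}")
```

Running the script classifies only the uniform buffer as a candidate; the text sample is rejected by the chi-square test (most byte values never occur), the PDF sample by its signature, and the 513-byte sample by the sector-size check. On real disk images the chi-square and entropy stages should be run over the whole file or a large random sample of sectors, since compressed media such as JPEG or ZIP bodies also approach 8 bits/byte once their headers are skipped, which is exactly why the signature stage comes first.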