
ANTI-FORENSICS

In the document DOCUMENT SECURITY (Page 117-120)

SECURING PAPER AND PHYSICAL DOCUMENTS

Chapter 8 ANTI-FORENSICS

Those who seek to block computer forensics efforts fall into four categories. First, there are individuals and organizations with legitimate security concerns. They are interested in protecting personal, governmental, or proprietary documents or information. Such individuals and organizations seek confidentiality as a socially acceptable goal.

Second, criminals obviously do not want their electronic records and information pertaining to their activities to undergo computer forensic examination. They have a socially and legally unacceptable goal of keeping their criminal activities hidden and undetected.

Third, political dissidents against an authoritarian regime seek to protect their activities from scrutiny by those in power. The rebellious elements in society are viewed with disdain by those in power. In authoritarian or totalitarian societies, the rebellious members receive the label of criminals, which results in imprisonment or harsher punishments. True, the moniker of freedom fighter or dissident is a relative one, but in repressive societies keeping secrets is a justified survival mechanism in many cases. And fourth, intelligence agents, whether corporate or governmental, seek to keep their sensitive information from counterintelligence agents that employ computer forensics as a tool for detection of their activities. The ethical consequences of the intelligence business would be a long discussion, but without taking a stand for or against this activity, one has to concede that protecting information’s confidentiality is its utmost concern.

ENCRYPTION

The primary defense against forensics is encryption. Robust encryption prevents someone from seeing your sensitive information. What constitutes robust encryption? Using an encryption algorithm that has undergone public testing and analysis is best. The algorithm should be public, because after public scrutiny, users can trust the encryption to be strong and resistant to attack. The other side of encryption is using a strong key. Long keys are hard to break because the keyspace is so large that brute forcing the key would require years if not decades. A 128-bit key would be a bare minimum, but a 256-bit key affords even greater protection. A tested algorithm and strong keys are the two pillars of good encryption.

What should one encrypt? It sounds like a simple question, but there are options to consider. First, user acceptance is always crucial to obtaining good cryptographic security. If encryption procedures are too cumbersome, users will avoid them. So, encryption needs to be as transparent to the user as possible. Second, choosing which documents and files to encrypt can be a challenging decision for a user. A sound document classification policy needs to be in place to make encryption decisions straightforward and clear to all users. Third, should you encrypt files or drives? The safest solution is to encrypt the entire drive. In other words, every time the user saves information to the hard drive, the information becomes encrypted. The process for this type of encryption usually is fairly transparent to the user. There are not any steps for the user to do. Encryption is automatic. In addition, having all the data on the drive encrypted prevents slack space and metadata analysis of the drive. That level of protection can be a real bonus because “data about your data” exists in other places on your hard drive. Full encryption blocks that window of opportunity for the forensics document examiner.
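The slack-space point above, as an added illustration that is not from the book: a toy block device in Go where deleting a file only unlinks its directory entry, so a raw scan of the image still finds the content until the drive itself is encrypted. Assumed and constructed here: the single-sector file layout, the 32-byte key, and per-sector AES-CTR as a simplified stand-in for the tweakable modes (such as XTS) that real full-disk encryption uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)
const sectorSize = 512
// Disk is a constructed toy block device: a flat image plus a directory mapping
// file names to sectors. Delete only unlinks the name; the bytes stay on the image.
type Disk struct {
	image []byte
	dir   map[string]int
	block cipher.Block // nil means the drive is not encrypted
}
// NewDisk builds an image of n sectors; a 16/24/32-byte key enables per-sector AES.
func NewDisk(n int, key []byte) *Disk {
	d := &Disk{image: make([]byte, n*sectorSize), dir: map[string]int{}}
	if key != nil {
		var err error
		if d.block, err = aes.NewCipher(key); err != nil {
			panic(err)
		}
	}
	return d
}
// xorSector encrypts or decrypts one sector with AES-CTR, nonce = sector number;
// a simplified stand-in for XTS (CTR would reuse keystream when a sector is rewritten).
func (d *Disk) xorSector(sector int, data []byte) []byte {
	if d.block == nil {
		return data
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], uint64(sector))
	out := make([]byte, len(data))
	cipher.NewCTR(d.block, iv).XORKeyStream(out, data)
	return out
}
// WriteFile stores content in one sector (zero padded) and links it in the directory.
func (d *Disk) WriteFile(name string, sector int, content []byte) {
	buf := make([]byte, sectorSize)
	copy(buf, content)
	copy(d.image[sector*sectorSize:], d.xorSector(sector, buf))
	d.dir[name] = sector
}
func (d *Disk) Delete(name string) { delete(d.dir, name) }
// ReadSector is the key holder's (decrypted) view; RawScan is the forensic keyword search over the raw image.
func (d *Disk) ReadSector(s int) []byte { return d.xorSector(s, d.image[s*sectorSize:(s+1)*sectorSize]) }
func (d *Disk) RawScan(needle []byte) bool { return bytes.Contains(d.image, needle) }
```

Writing the same memo to an unencrypted and an encrypted Disk, deleting it from both and running RawScan shows the contrast: the plaintext image still yields the memo, the encrypted image does not, while ReadSector with the key still returns it.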

Unfortunately for users, pitfalls remain even with full encryption of the disk. In order to access the disk, the user must still employ a key, password, or passphrase. Protecting these credentials is vital for preserving security. Storage must be robust and resistant to both information-based and physical attacks. Keys and passwords need storing in a database that is itself protected by a robust password. The database is also physically secured, whether it is on a USB drive or on a server. Lock up those assets when they are not in use, or in the case of a server, keep it in a locked room. Leaving notes about the work area containing the passwords is foolhardy to say the least. Careful handling of cryptographic tools ensures security for sensitive documents.

The final issue in cryptographic security is the red flag it sends up for certain users. Someone with a legitimate business use for cryptography does not have to worry about creating any red flags. However, those individuals engaging in questionable activities, some of which may be illegal, are definitely drawing attention to themselves by using encryption. If their information assets come under scrutiny, then they will have to answer questions regarding their use of cryptographic tools. The discovery of encryption technology in use by suspicious individuals is a strong sign that they are covering up activities. Again, once the tools become identified, cracking the encryption often rests upon having as much intelligence on the individuals as possible. Such intelligence may lead to breaking passwords; as people are creatures of habit and convenience, their passwords may arise from their personal knowledge and backgrounds.

Since robust encryption creates serious barriers to computer forensics, a short recap of the safeguards is in order:

1. Choose an encryption tool that has undergone robust public testing and commentary. You want the algorithm to be a public one, not proprietary. The product you purchase should state the name of the algorithm used, so you can research it on the Internet.

2. Use strong passwords and keys according to the encryption software manufacturer’s recommendations. Consider the life of the sensitive information you are protecting. The longer the sensitive document’s information will be of value to an adversary, the stronger the keys and passwords need to be.

3. Especially on mobile digital devices, use hard drive encryption. Encrypt the entire drive. This principle also holds for USB drives, memory cards, and flash drives if they contain sensitive information. The same policy should apply to CDs and DVDs holding similar information.

4. Make sure the encryption tool is user-friendly and easy to operate. The ideal arrangement is complete transparency to the user. Information and files automatically become encrypted as the user saves the data.

5. Have a security policy for cryptographic key management and for passwords used by cryptographic tools. Make sure the policy covers the complete life cycle of these data structures from creation to secure storage and distribution to destruction.

6. Put into place auditing controls and supervision of the cryptographic tools and their implementation to ensure conformance to policies.

7. Create physical security policies to protect servers, desktop computers, and mobile digital equipment from theft and compromise. (See Chapter 4 for recommended safeguards regarding mobile equipment.)
