Penetration Testing
mailing list archives
Re: [PEN-TEST] Tool to find out if file is encrypted
From: Brian Russo <brusso () PHYS HAWAII EDU>
Date: Tue, 5 Dec 2000 15:43:19 -1000
On Tue, Dec 05, 2000 at 08:13:12AM +0100, Paweł Krawczyk wrote:
> On Mon, Dec 04, 2000 at 09:38:05PM -0500, crazytrain.com wrote:
>> Someone posted recently about a tool to find if a file is encrypted? I use
>> IsEncrypted
>> for just this job. It's by AccessData.
> The kind of tools can in general work in two ways - either recognizing
> known encrypted file formats (OpenPGP, S/MIME etc.) or estimating
> the file's randomness. For the latter you have a utility in
> The Coroner's Toolkit by Dan Farmer and Wietse Venema. See
> http://www.porcupine.org/forensics/
Another thing you can try is to compress the file, and see how it does.
e.g.
4 -rw-r----- 1 brian brian 465 Dec 5 15:28 foo
4 -rw-r----- 1 brian brian 847 Dec 5 15:30 foo.gpg
4 -rw-r----- 1 brian brian 878 Dec 5 15:30 foo.gpg.gz
As you can see, the gpg'd (2048 ELG) file doesn't really compress at all,
actually gets a bit bigger due to some overhead, because this lossless
compression can't function well when the input is pretty random.
Granted, this doesn't tell you a lot about the input, but it's somewhat
unusual to have data that isn't encrypted, and has very high entropy
- unless of course, it actually is just meaningless randomish garbage.
In case anyone was wondering, foo was my /etc/nsswitch.conf, which,
being comparatively redundant to its encrypted offspring, compresses to
about 269 bytes.
- brian
--
+-------------------------------------------------------------
| Brian Russo <brusso () phys hawaii edu> GPG ID: 54D81666
| 404E 87E8 DD0C 275B 742B 09AD 2243 839C 54D8 1666
| http://www.phys.hawaii.edu/~brusso/gpg_brian.asc
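
Added example, not part of the original post or of any tool named in the thread: a Python script combining the two approaches discussed above, header recognition for a known format plus a randomness estimate from the compression test and byte entropy. The function names, thresholds and sample inputs are assumptions constructed for illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"  # ASCII-armored OpenPGP header

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte: 0.0 (constant) to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """zlib output size / input size; close to or above 1.0 means no gain."""
    return len(zlib.compress(data, 9)) / len(data) if data else 1.0

def classify(data: bytes, min_len=512, ratio_floor=0.95, entropy_floor=7.0) -> str:
    # Thresholds are assumptions chosen for this example, not calibrated values.
    if data.lstrip().startswith(PGP_ARMOR):
        return "known-format"      # recognised by header, no statistics needed
    if len(data) < min_len:
        return "too-short"         # small inputs give unreliable estimates
    if (compression_ratio(data) >= ratio_floor
            and shannon_entropy(data) >= entropy_floor):
        return "high-entropy"      # encrypted, compressed, or random data
    return "structured"

# Constructed samples (not taken from the post).
SAMPLE_TEXT = b"".join(
    b"%s: files dns nis\n" % key
    for key in (b"passwd", b"group", b"shadow", b"hosts",
                b"networks", b"services", b"protocols", b"rpc")) * 4
# Hash output used as a deterministic stand-in for ciphertext bytes.
SAMPLE_RANDOM = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE_ARMORED = PGP_ARMOR + b"\n\n(constructed placeholder body)\n"

if __name__ == "__main__":
    for name, blob in (("text", SAMPLE_TEXT), ("random", SAMPLE_RANDOM),
                       ("armored", SAMPLE_ARMORED), ("tiny", b"abc")):
        print(f"{name:8} {len(blob):5d} bytes  ratio={compression_ratio(blob):.2f}"
              f"  entropy={shannon_entropy(blob):.2f}  -> {classify(blob)}")
```

A "high-entropy" verdict does not separate ciphertext from compressed archives or media, so it works as a triage signal alongside format recognition rather than as proof of encryption.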