OTFE Volume File Finder

By Sarah Dean (sdean12@mailcity.com)
http://www.fortunecity.com/skyscraper/true/882/
Last updated: 24th January 2000

  ------------------------------------------------------------------------

Description

This program was written in response to the surprisingly large number of
people that appeared to be renaming their On-The-Fly Encrypted (OTFE)
volume files to have a ".DLL" (or any other) file extension, and placing
them somewhere under the Windows directory, or elsewhere. This is a trivial
method some people use to attempt to fool potential attackers into
believing that files renamed as such are system files, and do not hold
encrypted data.

IMHO, this reliance on "security by obscurity" does have some use when the
data being encrypted is only to be secured against someone who is not
computer literate. Otherwise, this is not a sensible idea.

The objective of this program is to demonstrate how easy it can be to scan
a computer for OTFE volume files, in much the same way that a virus scanner
can be used to scan for viruses.

Your attention is drawn to the fact that this software was written in about
10 minutes (half of which was spent writing this "readme" file!), and that
any serious attacker would inevitably spend a great deal more time and
effort than this to identify "suspicious"/"interesting" files on a target
system.

  ------------------------------------------------------------------------

Download

The latest version of this software is v1.00.00, which can be downloaded
from:
http://www.fortunecity.com/skyscraper/true/882/zipped2/OTFEVolFileFinder100.zip

  ------------------------------------------------------------------------

Use

  1. Start "OTFEVolFileFinder.exe" and click the "Search..." button.
  2. Locate the directory which you would like to scan for encrypted
     volumes, and click "OK".
  3. Answer Yes/No depending on whether you would like to search all
     subdirectories of the selected directory.
  4. The search will then be carried out; progress is displayed at the
     bottom of the window.

  ------------------------------------------------------------------------

Definitions

Skipped files are any files that were not checked (normally due to the
program being unable to open them for reading, for whatever reason).

"Suspicious" files are any files that fulfil one of the following criteria:

   * any .DLL files not starting with 0x4D 0x5A
   * any .EXE files not starting with 0x4D 0x5A
   * any .AVI files not starting with "RIFF"
   * any .WAV files not starting with "RIFF"
   * any .ZIP files not starting with "PK"
   * any .RAR files not starting with "Rar"

Obviously this list could be extended, but this short list serves for
demonstration purposes.

Any other file over 30MB (volume files are typically pretty big) is
identified as having a suspicious filesize.

  ------------------------------------------------------------------------

Limitations

This version of the finder will not detect volume files belonging to any
OTFE system that is not currently installed. This is purely because the
OTFE components I have written were designed such that they would only
function if the corresponding OTFE system is installed. In practice this
limitation could easily be removed, I just couldn't be bothered to do this
myself... (This program is only intended to demonstrate the principle)

False positives. The method of identifying volume files is fairly simple,
and relies on detecting the "signature" placed within volume files by the
encryption/decryption software. As such it is quite possible that a few
"false positives" will slip in (especially when you consider the criteria
for determining "suspicious" files, see above). It would not be
particularly difficult to modify this program such that the list of files
it currently generates would have further analysis performed to determine
(among other things) the amount of entropy the file has, which would
dramatically reduce the number of false positives.
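The header, size and entropy checks described above (the "Definitions" criteria and the entropy follow-up suggested in this paragraph), as an added Python example that is not part of the original Delphi utility; the 64KB entropy sample length, the verdict labels and the constructed sample files are my assumptions:

```python
import math, os, shutil, tempfile
from collections import Counter

# Extension -> expected leading bytes: the readme's six header rules.
MAGIC = {".dll": b"MZ", ".exe": b"MZ", ".avi": b"RIFF",
         ".wav": b"RIFF", ".zip": b"PK", ".rar": b"Rar"}
SIZE_THRESHOLD = 30 * 1024 * 1024   # the readme's "over 30MB" rule
SAMPLE_BYTES = 65536                # entropy sample length (my assumption)

def shannon_entropy(data: bytes) -> float:
    # Bits per byte of the sample; encrypted or compressed data sits near 8.0.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, header: bytes, size: int) -> str:
    # Header/extension mismatch is checked first; "any other" file is judged by size.
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is not None:
        return "ok" if header.startswith(expected) else "suspicious"
    return "suspicious-size" if size > SIZE_THRESHOLD else "ok"

def scan(root: str):
    # Returns (hits, skipped); a hit is (path, verdict, entropy of the file's prefix).
    hits, skipped = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as f:
                    sample = f.read(SAMPLE_BYTES)
            except OSError:
                skipped.append(path)     # the readme's "skipped files"
                continue
            verdict = classify(fn, sample[:4], size)
            if verdict != "ok":
                hits.append((path, verdict, shannon_entropy(sample)))
    return hits, skipped

def demo() -> dict:
    # Constructed sample tree: a genuine-looking DLL, a disguised high-entropy blob, a small .dat.
    root = tempfile.mkdtemp()
    files = {"real.dll": b"MZ" + b"\x00" * 64, "notes.dat": b"hello" * 10,
             "hidden.dll": bytes(range(256)) * 16}   # no MZ header, entropy exactly 8.0
    for fn, data in files.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(data)
    hits, _ = scan(root)
    shutil.rmtree(root)
    return {os.path.basename(p): (v, round(e, 1)) for p, v, e in hits}
```

A flagged file with entropy well below 8 bits per byte is most likely an ordinary misnamed or corrupt file rather than an encrypted volume, which is the false-positive filter the paragraph above proposes.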

Partitions are not checked to see if they hold encrypted data, although it
would not be too difficult to write a piece of software that could do this.

Volume files scanned for are: BestCrypt, E4M and PGPDisk. Any ScramDisk
volume files, or volume files created by other similar systems, will
probably be detected as "suspicious".

  ------------------------------------------------------------------------

Compiling the Source

In order to compile your own copy of this utility, you will need to have
the "SDeanComponents" Delphi packages installed.

These can be obtained from: http://www.fortunecity.com/skyscraper/true/882/

  ------------------------------------------------------------------------

Appendix A: Other Software of Interest

The only other software that I am aware of that can detect OTFE volume
files is "IsEncrypted" from AccessData. Apparently it can search your HDDs
for encrypted data, although when I tested it, the only OTFE volume files
that it could detect were PGPDisk volumes.

IsEncrypted can be downloaded directly from isencryp.exe

  ------------------------------------------------------------------------

Appendix B: Version History

   * v1.00.00 (16th January 2000) - Initial release (Compiled with
     SDeanComponents v1.0.0)

  ------------------------------------------------------------------------

Email me at: sdean12@mailcity.com

