Digital forensic generally refers to techniques for inspecting a computer system in order to recover data, text, images, video, audio, and other content stored on the system. It is most commonly performed in the context of a civil or criminal proceeding to obtain or preserve evidence, but has also been used in corporate environments to enforce company policies concerning the use of computers by employees and the like. These digital forensic techniques rely on highly specialized software and hardware tools that can quickly search through hard drives, network storage areas, USB keychain drives or so-called “thumb drives,” CDs, DVDs, solid state drives, memory cards, and other storage media to which an employee may have access.
Operation of digital forensic investigation tools is well known to those having ordinary skill in the art and will thus be mentioned only briefly here. Generally speaking, the tool has two main operational phases, though each phase is susceptible of one or more constituent stages. First, the tool extracts the data stored on the storage medium. This phase is arguably the easier of the two phases in that it requires the tool to simply read the raw bits (i.e., 1's and 0's) on the storage medium. The second and considerably more difficult phase involves analyzing and assigning meaning to the bits so that they may be searched for information. This phase requires the tool to organize or group the bits into logical patterns from which information may be interpreted. For this phase, the tool or its user must typically have or be able to obtain certain items of information about the storage medium, such as media type, file system, data structure, and the like.
Despite their technical sophistication, current digital forensic investigation tools fare little better than common administrative tools against a file or storage medium that is encrypted. Due to the strength of modern encryption algorithms, present digital forensic investigation tools have no practical way to search or examine the content of an encrypted file or storage medium. Compounding the problem, a growing concern about unauthorized access to their data has resulted in more companies requiring files and storage media be encrypted. This encryption has encompassed not only highly sensitive or mission critical data, but also routine day-to-day operational data. Thus, the inability of current digital forensic investigation tools to examine or search encrypted content may present a significant problem for investigative personnel going forward.
Accordingly, what is needed is a more effective digital forensic investigation tool. More specifically, what is needed is a way for digital forensic investigation tools to be able to search and examine content that has been encrypted.