Managing Encryption in eDiscovery
Once the exclusive domain of big business and government agencies, encryption technologies have moved into the public consciousness over the last decade: the Snowden leaks revealing “backdoors” built into encryption products, the controversies around messaging apps such as WhatsApp, and Apple’s refusal to help the FBI decrypt iPhones are just a few examples.
Encryption is an increasingly common issue in the eDiscovery world. According to a 2019 study by the Ponemon Institute, 69% of surveyed organisations cited discoverability of data within their business as the biggest challenge posed by encryption technologies.
So, how exactly does encryption work, and how can we deal with it in eDiscovery?
Password protection vs Encryption
Firstly, it’s important to differentiate between data that is password protected and data that is encrypted. Although the terms are often used interchangeably, they mean very different things, and the difference decides how much effort recovery will take.
Password protecting data means that only users with the password can perform certain actions. A common example is a password on an Excel workbook or a PDF that stops users from editing, copying or printing content. Restrictions of this kind are usually enforced only by the application: a PDF owner (permissions) password and Excel sheet protection are flags or password hashes stored alongside content that is not itself scrambled, so a tool that ignores the flag, or removes the hash, recovers the content without ever knowing the password.
Encryption uses an algorithm to scramble the data so that a key, or a password from which a key is derived, is required to make it intelligible again. A common example is BitLocker, which Windows uses to encrypt storage media. Note that a “password to open” on a modern Office document or PDF falls into this category: the content really is encrypted with a key derived from the password, so the password has to be recovered rather than bypassed. Similarly, messaging apps such as WhatsApp and Signal use end-to-end encryption, which prevents intercepted messages from being read by anyone other than the communicating devices.
Six ways to approach encryption in eDiscovery
Search through existing data for passwords or keys
When dealing with individual encrypted files, searching through the other data collected from the same custodian can turn up password lists in .txt or Word files, or passwords noted in Outlook items. Even if it is not immediately clear which file a password belongs to, add it to a list of known passwords and use that list in a “dictionary attack” against the encrypted files (more on that below).
Search the physical location from which the data was collected
This approach relies on the custodian leaving passwords on Post-Its, whiteboards, or in notebooks around their work area. Although this may sound far-fetched, a 2018 security snafu at the Hawaii Emergency Management Agency, where a password written on a Post-It note was visible in a press photograph of the operations centre, proves that looking for passwords stuck on monitors, under keyboards, or in desk drawers is not a lost cause.
Ask for passwords or recovery keys
If full-disk encryption is used in an enterprise setting, the organisation’s IT department may hold recovery keys to unlock this data; BitLocker recovery keys, for example, are commonly escrowed in Active Directory, Azure AD or a mobile device management system. Similarly, if you have good relations with data custodians, they may be able to provide one or more passwords that can be tried against encrypted files.
Extract decryption keys from computer memory
If the contents of Random Access Memory (RAM) are captured from a running system, forensic tools can search the dump for the keys of any encrypted volume that was mounted at the time: full-disk encryption software has to keep its key (typically the expanded AES key schedule) in memory for as long as the volume is in use, and the same material can survive in a hibernation file or pagefile. This depends on acquiring memory before the machine is shut down or the volume dismounted, and it is not foolproof, but it can be a very effective way to deal with an encrypted disk or volume.
Use dictionary attacks
A dictionary attack takes a list of known or commonly used passwords and tries them one by one against the encrypted data, usually after applying “mangling” rules to each entry (changing case, appending digits or years) to cover the usual variations. It relies on the fact that people often reuse their passwords, or choose very predictable ones. Depending on the size of the list and the cost of the format’s key derivation, this can be quite time-consuming. Tools such as Nuix Workstation or Passware can be used to conduct dictionary attacks.
Use brute force attacks
Brute force attacks are a “trial-and-error” approach in which every possible combination of characters is tried until the data decrypts. Tools such as Passware are often used for this. The number of candidates grows exponentially with password length (each extra character multiplies the search by the size of the alphabet) and every guess costs a full key derivation, so depending on the complexity of the password and the available computing power this approach can take hours, days, or even months to succeed, and for a long random password it will not finish at all.
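The following is an added example, not code from the original article or from Nuix or Passware, that strings together three of the approaches above: harvesting candidate passwords from collected text (the “search existing data” step), a dictionary attack with simple mangling rules, and a bounded brute force as the fallback. The container format is hypothetical (a salt plus a PBKDF2-HMAC-SHA256 verifier, the way many real formats let a tool check a password before decrypting anything); the notes, the salt and the target file’s password are constructed for the example, and all function names are my own.

```python
# Added example, not from the original article: harvest -> dictionary -> brute force
# against a hypothetical password verifier. Sample inputs are constructed here.
import hashlib
import hmac
import itertools
import re
import string
from typing import Dict, Iterable, Iterator, List, Optional

# Real formats use hundreds of thousands of iterations; kept low so the demo is quick.
ITERATIONS = 200


def make_verifier(password: str, salt: bytes) -> bytes:
    """Key-derivation step the hypothetical format stores to check a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def check_password(candidate: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(candidate, salt), verifier)


# Step 1: harvest "password: xxx" style notes from other collected documents.
PASSWORD_HINT = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|pin)\b\s*[:=]\s*(\S+)")


def harvest_candidates(documents: Iterable[str]) -> List[str]:
    """Unique candidate passwords, in the order found, from free text."""
    found: Dict[str, None] = {}
    for text in documents:
        for match in PASSWORD_HINT.finditer(text):
            found.setdefault(match.group(1).strip("\"'.,;"), None)
    return list(found)


# Step 2: dictionary attack with simple mangling rules (case changes, common suffixes).
SUFFIXES = ("", "1", "!", "123", "2018", "2019", "2020")


def mangle(word: str) -> Iterator[str]:
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(words: Iterable[str], salt: bytes, verifier: bytes) -> Optional[str]:
    tried = set()
    for word in words:
        for candidate in mangle(word):
            if candidate in tried:
                continue
            tried.add(candidate)
            if check_password(candidate, salt, verifier):
                return candidate
    return None


# Step 3: exhaustive search, only viable for short passwords over small alphabets.
def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of strings of length 1..max_len, i.e. guesses a full search may need."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def brute_force(salt: bytes, verifier: bytes,
                alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3) -> Optional[str]:
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if check_password(candidate, salt, verifier):
                return candidate
    return None


# Constructed sample inputs: a fixed salt, a few "collected" notes, and one target.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
COLLECTED_NOTES = [
    "Reminder to self - laptop password: summer (change it next quarter)",
    "VPN details\nuser = jsmith\npwd = Tr0ub4dor&3\n",
    "Meeting notes: nothing credential-like in here.",
]
# The encrypted file's real password is a mangled form of a harvested word.
TARGET_VERIFIER = make_verifier("Summer2019", SALT)


def recover(documents: Iterable[str], salt: bytes, verifier: bytes) -> Optional[str]:
    """Try the cheap dictionary step first, then fall back to brute force."""
    found = dictionary_attack(harvest_candidates(documents), salt, verifier)
    if found is None:
        found = brute_force(salt, verifier)
    return found


if __name__ == "__main__":
    print("harvested:", harvest_candidates(COLLECTED_NOTES))
    print("recovered:", recover(COLLECTED_NOTES, SALT, TARGET_VERIFIER))
    print("guesses for a full 3-character [a-z0-9] search:", keyspace(36, 3))
```

The ordering is the point: the harvested list is a few dozen guesses, the mangled dictionary a few hundred, while `keyspace(36, 3)` is already 47,988 and `keyspace(95, 8)` (printable ASCII, eight characters) is over 6.7 quadrillion. With a real format’s key derivation costing tens of milliseconds per guess, only the first two steps are routinely affordable.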
While there are a number of approaches to dealing with encryption, it is also important to keep in mind that many of them are time-consuming and resource intensive, and some may not work at all.
Weighing the potential evidentiary value of the data against the resources required to decrypt it is key to managing encryption in eDiscovery.