My Road to Digital Forensics Excellence

Entropy Testing

Posted by Paul Bobby on February 10, 2010

There is an Entropy function available to EnScript programmers, and for use within EnCase. It returns a value between 0.0 and 8.0, i.e. the Shannon entropy of the file's byte-value distribution in bits per byte (although I'm not sure whether those theoretical limits can be reached in practice).

Some initial testing:

1. Truecrypt container: 7.9999999566885638

2. Unencrypted RAR file: 7.99603844812298

3. Sample office documents range from 2.2308970467726277 to 7.6206790243552032

4. Text document with 100 letter As: 0.28229218908241482

5. McAfee BUP files (ROT13): 2.9158825454109309

Okay, this is all well and good, but why bother if the values are so spread out? Well, the reason I tested the entropy() function is that I was testing a theory related to this year's DC3 cyber challenge.

One problem had two keylog.dat files, and the problem required developing a methodology to decrypt/unobfuscate them. One method I chose was to encrypt sample text files with various algorithms, calculate the entropy, and then compare the entropy value to that of the keylog files. Great theory, right? I used the program CrypTool to perform the testing, and what I found is that modern encryption algorithms are very good and produce high-entropy files. Ugh.

The second problem dealt with developing a methodology to identify audio steganography. Again, I hoped that if I had the original file and the suspect file, the entropy would differ (much like an MD5 hash will differ). For example, the sample Wave file, jungle.wav, has an entropy of 4.4638505523879672, and the suspect jungle.wav file provided by DC3 has an entropy of 4.4638505523879672.

Well bugger.
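As an added example (not code from the original post, and not EnCase's own implementation), the Python below re-implements a byte-level Shannon entropy measure on the same 0.0 to 8.0 scale that EnCase's entropy() reports, and runs it over constructed inputs to show why both experiments above came out the way they did. A file of identical bytes scores exactly 0.0 and a file containing every byte value equally often scores exactly 8.0; ROT13 and single-byte XOR only permute byte values, so an obfuscated file of that kind has exactly the same entropy as its plaintext; and LSB steganography flips at most a few low-order bits, so the cover and stego files have different MD5 hashes but almost identical entropy. Every input here (the plaintext, a fake 8-bit "audio" cover, seeded pseudo-random bytes standing in for ciphertext or compressed data) is constructed for the example; none of it is the DC3 challenge material.

```python
# Added example: byte-level Shannon entropy and what it does (not) detect.
# Not from the original post or from EnCase; all inputs are constructed.
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte-value histogram, in bits per byte.

    0.0 when every byte has the same value, 8.0 when all 256 values are
    equally frequent.  Same 0.0-8.0 scale as EnCase's entropy(); the
    implementation is our own.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def rot13(data: bytes) -> bytes:
    """ROT13 on ASCII letters only; every other byte passes through unchanged."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:            # 'A'..'Z'
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:          # 'a'..'z'
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR, another common keylogger obfuscation; also a permutation."""
    return bytes(b ^ key for b in data)


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide message bits (MSB first) in the least significant bit of successive cover bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes, length: int) -> bytes:
    """Recover `length` bytes hidden by lsb_embed."""
    bits = [b & 1 for b in stego[: length * 8]]
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
        for k in range(0, len(bits), 8)
    )


# Constructed inputs (hypothetical, not the DC3 files): repeated plaintext,
# a fake 8-bit "audio" cover of 4096 quantised sine samples, and 64 KiB of
# seeded pseudo-random bytes standing in for ciphertext / compressed data.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 40
SAMPLE_COVER = bytes(int(128 + 100 * math.sin(i / 20.0)) for i in range(4096))
_rng = random.Random(2010)
RANDOM_LIKE = bytes(_rng.getrandbits(8) for _ in range(1 << 16))
HIDDEN = b"DC3"


def measurements() -> dict:
    """Entropy of each constructed input plus the cover/stego hash comparison."""
    stego = lsb_embed(SAMPLE_COVER, HIDDEN)
    return {
        "100 x 'A'": shannon_entropy(b"A" * 100),
        "100 x 'A' + CRLF": shannon_entropy(b"A" * 100 + b"\r\n"),
        "all 256 byte values once": shannon_entropy(bytes(range(256))),
        "plaintext": shannon_entropy(PLAINTEXT),
        "rot13(plaintext)": shannon_entropy(rot13(PLAINTEXT)),
        "xor 0x5A (plaintext)": shannon_entropy(xor_single_byte(PLAINTEXT, 0x5A)),
        "random-like (cipher/compressed)": shannon_entropy(RANDOM_LIKE),
        "cover": shannon_entropy(SAMPLE_COVER),
        "cover + LSB stego": shannon_entropy(stego),
        "cover md5 == stego md5": hashlib.md5(SAMPLE_COVER).hexdigest()
        == hashlib.md5(stego).hexdigest(),
    }


if __name__ == "__main__":
    for label, value in measurements().items():
        print(f"{label:32s} {value}")
```

The practical consequence: entropy is good at flagging strong encryption and compression (values approaching 8.0), but it cannot separate substitution-obfuscated data from plaintext, and it is far too coarse to act as a fingerprint. Two files with the same byte histogram have identical entropy regardless of byte order, and a few flipped low-order bits move the histogram by only a handful of counts, so when hunting for small modifications compare hashes, or the histograms themselves, rather than a single entropy figure.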
