What is cryptography in forensics?

Cryptography refers to the practice of securing information through encryption techniques. It plays a crucial role in digital forensics investigations involving encrypted data and devices. Cryptography allows individuals and organizations to keep data confidential and prevents unauthorized access. However, this can pose significant challenges for forensic examiners who need to access and analyze digital evidence during investigations.

In the context of forensics, cryptography is used to both secure and access data. On one hand, suspects and criminals may encrypt devices and files to hide incriminating evidence. Investigators must use cryptography methods like password cracking to decrypt data. On the other hand, digital forensic tools use cryptography to securely store case information and validate evidence integrity. Understanding both sides is critical for successful investigations.

Cryptography provides the underlying security for much of the data involved in digital forensics. Expertise in encryption and decryption methods is essential for forensic specialists to extract evidence from encrypted sources and draw definitive conclusions based on digital evidence. Cryptography is a central component of many investigative procedures used in forensics today.

Encryption Methods

Cryptography uses various encryption methods to secure data. The two main categories are symmetric encryption and asymmetric encryption.

Symmetric encryption, also known as private-key encryption, uses the same cryptographic key to encrypt and decrypt data. Both the sender and receiver must have access to the secret key. Common symmetric algorithms include AES (Advanced Encryption Standard), DES (Data Encryption Standard), RC4, RC5, RC6, and Blowfish (https://www.getapp.com/resources/common-encryption-methods/).

Asymmetric encryption uses two different but mathematically linked cryptographic keys – a public key and a private key. The public key encrypts data while the private key decrypts it. RSA (Rivest–Shamir–Adleman) is the most widely used asymmetric algorithm. Others include ECC (Elliptic Curve Cryptography) and Diffie-Hellman key exchange.

Symmetric encryption is faster but requires securely sharing the secret key. Asymmetric encryption solves the key exchange problem but operates slowly. Many applications use a hybrid approach, leveraging the strengths of each method.

Cryptographic Hashes

A cryptographic hash function is a mathematical algorithm that takes an input and converts it into a fixed size alphanumeric string called a hash value. Cryptographic hashes are an essential tool in digital forensics for ensuring the integrity of digital evidence.

Some key uses of cryptographic hashes in digital forensics include:1

  • Verifying that a copy of a file is identical to the original file. By comparing hash values, an investigator can quickly determine if a file has been altered.
  • Linking files from different sources. If two files have the same hash value, it indicates they are likely identical copies.
  • Creating digital fingerprints of files and storage media.
  • Spotting hidden changes between file versions.

Two of the most common cryptographic hash functions are MD5 and SHA-1.2

MD5 was introduced in 1991 and produces a 128-bit hash value. It is very fast to compute. However, MD5 has been proven to be insecure and prone to collisions, so it should not be relied upon.3

SHA-1 was introduced in 1995 by the NSA and produces a 160-bit hash value. It is somewhat slower than MD5 but offers better security. However, SHA-1 is also starting to show vulnerability to attacks. Newer algorithms like SHA-256 are recommended for evidence integrity in forensic investigations.

Password Cracking

In digital forensics, investigators often need to gain access to encrypted devices or password-protected accounts to acquire evidence. Password cracking techniques allow investigators to bypass these security measures. There are several reasons why password cracking is important in investigations:

Passwords protect access to critical data on devices and accounts that may contain evidence. Without cracking passwords, investigators may miss key information stored behind encryption barriers. Password cracking provides a legal means to gain access when users refuse to surrender passwords voluntarily during investigations.

Many cybercrimes involve unauthorized access that is gained through compromised passwords. Analyzing password cracking patterns can reveal the techniques hackers used to breach security. Investigators can identify weaknesses and improve security protocols.

There are various password cracking techniques used in digital forensics:

Dictionary attacks: These involve trying commonly used passwords and words in an automated fashion to gain access. Investigators use large dictionaries and wordlists to launch this brute force technique. This method can crack simple and weak passwords.

Hybrid attacks: This approach combines elements of dictionary attacks with masking and permutations of characters. For example, dictionary words with appended special characters or numbers.

Brute force attacks: This method tries all possible character combinations until the password is found. It is effective for short or weak passwords but becomes slower as password length increases. Rainbow tables which precompute hash passwords can optimize brute force efficiency.

Social engineering: Investigators gather personal information about subjects to make educated guesses about password choices. Shorter, weaker passwords closely tied to personal details are easier to deduce.

More advanced techniques like salting and key strengthening make passwords increasingly difficult to crack. Understanding password vulnerabilities and psychology can help investigators select the most effective password cracking methods.


Steganography refers to the practice of concealing information within different types of media files or data streams. The purpose of steganography is to hide the very existence of the secret information being transmitted. In the field of digital forensics, investigators often have to detect hidden data stored inside common file types like images, audio, video, and documents.

Some common steganography techniques include:

  • Hiding information within the least significant bits of image pixels or audio samples
  • Embedding hidden data inside video files by subtly altering the color values of pixels
  • Using basic encryption to conceal text within documents or text files

Detecting steganography can be challenging for forensic investigators. Some detection methods include:

  • Looking for visual artifacts or patterns caused by manipulating media files to hide data
  • Analyzing the statistical properties of files to detect outliers and anomalies
  • Using dedicated steganalysis tools to systematically search files for embedded information

Overall, steganography represents both a challenge and opportunity in digital forensics. Developing new techniques for detecting hidden communications is an important area of research in the field.


Crypto-shredding refers to securely wiping data through cryptographic methods rather than traditional overwrite techniques. The concept relies on encrypting data with a cryptographic key, and then securely destroying the key to render the encrypted data irrecoverable. Without the key, forensic investigators will not be able to decrypt and read the data, effectively “shredding” it digitally.

Crypto-shredding provides several advantages over traditional data wiping methods like repeatedly overwriting storage with random data. With strong encryption, the original data is mathematically unrecoverable without the key, regardless of overwrite attempts. Crypto-shredding also avoids challenges recovering overwritten remnants, as the encrypted data remains intact. However, proper key destruction is critical. Cryptographic keys must be overwritten or deleted in a manner that prevents forensic recovery through scanning memory chips or data remnants.

Overall, crypto-shredding enhances security and privacy for sensitive data. By encrypting information then destroying keys, organizations can permanently erase data and prevent forensic recovery. Crypto-shredding provides a more reliable and efficient alternative to overwrite-based data wiping.

Obtaining Encryption Keys

There are several techniques investigators can use to obtain encryption keys, with varying levels of legality. Two common techniques include key logging and memory dumps. Key loggers can record keystrokes entered by a suspect, which may reveal passwords or passphrases used to encrypt data. Investigators can also perform a memory dump, taking a snapshot of the RAM on a powered on device which may contain encryption keys in plaintext. However these techniques raise significant legal considerations.

In the United States, laws like key disclosure laws can compel individuals to turn over cryptographic keys to law enforcement. However courts have generally ruled that suspects cannot be legally compelled to turn over passwords or encryption keys, as this would violate the 5th Amendment protecting against self-incrimination. Investigators must use other means to obtain keys. The legal landscape remains complex, as evidenced by discussions on whether suspects can be compelled to provide keys to encrypted devices.

Techniques like key logging or memory dumps, while sometimes effective, can raise Fourth Amendment concerns over unreasonable search and seizure. Investigators should carefully evaluate options to obtain encryption keys based on case specifics, working with prosecutors to ensure techniques are legally defensible. The law continues to evolve in this area. Ultimately investigators must balance evidentiary needs with constitutional protections.

Cryptocurrency Investigations

Tracing Bitcoin and other blockchain transactions is a key part of cryptocurrency investigations. Forensic experts use techniques like address tagging, clustering, and transaction graph analysis to link transactions to identities and real-world activity (Fraud Investigation, 2023). By carefully studying the blockchain ledger, investigators can track the flow of funds and build evidence for criminal cases.

Recovering cryptocurrency wallet data and private keys is also important. Investigators may obtain digital evidence from suspects’ computers and mobile devices that contain wallet files, passwords, recovery phrases, or other information needed to access cryptocurrency funds (India Forensic, 2023). Advanced forensic tools can also help decrypt and reconstruct wallet data from unallocated disk space or damaged devices. Private keys enable investigators to fully analyze wallets and transactions.

Overall, cryptocurrency investigations require specialized forensic knowledge and tools. Tracing transactions on the blockchain and recovering cryptographic keys from digital devices are critical techniques for following the money and building cases against cybercriminals using cryptocurrencies.

Mobile Device Encryption

Mobile devices such as smartphones and tablets commonly use encryption to protect data. Some of the encryption methods include data-at-rest encryption, disk encryption, and end-to-end encryption techniques like TLS/SSL.

Forensic investigators use various techniques to bypass encryption and access locked devices. This may involve exploiting security vulnerabilities, using specialized forensic tools to extract encryption keys, or employing password cracking to gain access.

For example, one study demonstrated a model for bypassing the security features on encrypted Android devices to extract forensic data (https://www.sciencedirect.com/science/article/pii/S2666281721000779). Other techniques include jailbreaking phones to disable security restrictions and deploying mobile device management profiles to collect forensic artifacts.

Accessing encrypted mobile devices presents significant challenges for investigators. However, continual research is focused on developing more invasive techniques and finding ways to decrypt protected information on locked phones and tablets.


In summary, cryptography plays an essential role in digital forensics. As more devices utilize encryption by default, forensic investigators must develop new methods to legally access encrypted data. Cryptographic hashes help verify data integrity and authentication. Password cracking remains crucial to decrypt locked devices. Steganography hides data in plain sight and presents unique challenges. Crypto-shredding permanently destroys data. Obtaining encryption keys through lawful means facilitates access to encrypted data. Cryptocurrency investigations require analyzing complex blockchain transactions. Mobile device encryption provides significant hurdles. Overall, strong cryptography provides major obstacles for forensic investigators to overcome in the future through technical innovation and evolving legal frameworks.