
/// Registry keys whose presence suggests VeraCrypt is, or was, installed.
///
/// Covers the native and WOW64 product keys, the `Services` entry and the
/// Uninstall entry, so a hit on any single element is already a lead worth
/// confirming on the full key.
///
/// Note the mixed `Wow6432Node` / `WOW6432Node` casing across entries: Windows
/// key names are case-insensitive, so live lookups are unaffected, but a
/// consumer doing exact string comparison should normalise case first
/// (`is_encryption_tool_path` in this file already compares case-insensitively).
///
/// Sources:
/// - Elcomsoft — "Breaking VeraCrypt: Obtaining and Extracting On-The-Fly
///   Encryption Keys" (Jun 2021), covers OTFE key extraction from RAM and
///   hibernation files:
///   <https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys/>
/// - Elcomsoft — "Live System Analysis: Discovering Encrypted Disk Volumes"
///   (Jul 2020), covers VeraCrypt OTFE keys in hibernation/page files:
///   <https://blog.elcomsoft.com/2020/07/live-system-analysis-discovering-encrypted-disk-volumes/>
/// - Belkasoft — VeraCrypt forensic artifacts in the Windows registry:
///   <https://belkasoft.com/veracrypt-forensics>
/// - SANS white paper — "Mission Implausible: Defeating Plausible Deniability
///   with Digital Forensics" (VeraCrypt nested volumes and deniable OS):
///   <https://www.sans.org/white-papers/39500>
pub const VERACRYPT_PATHS: &[&str] = &[
    // Product keys (native, then WOW64 view).
    r"SOFTWARE\VeraCrypt",
    r"SOFTWARE\Wow6432Node\VeraCrypt",
    // Service entry.
    r"SYSTEM\CurrentControlSet\Services\veracrypt",
    // Add/Remove Programs entry.
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VeraCrypt",
];
22
/// Registry keys associated with BitLocker policy, status and services.
///
/// The FVE policy key only exists once a BitLocker Group Policy has been
/// applied, so it is the strongest indicator in the list. The two `Services`
/// entries are likely present on any Windows build that ships the BitLocker
/// components, so a hit there should be read as "capability", not as proof
/// that a volume is encrypted — confirm on the live system. The Carvey source
/// below recommends live acquisition when encryption turns out to be active.
///
/// Sources:
/// - Microsoft — BitLocker Group Policy settings registry reference
///   (HKLM\SOFTWARE\Policies\Microsoft\FVE):
///   <https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings>
/// - Harlan Carvey — "Drive Encryption" (Apr 2007), WMI-based BitLocker detection
///   and live acquisition as the recommended response to active encryption:
///   <http://windowsir.blogspot.com/2007/04/drive-encryption.html>
/// - Geoff Chappell — deep technical reference for every FVE registry value:
///   <https://www.geoffchappell.com/studies/windows/win32/fveapi/policy/index.htm>
pub const BITLOCKER_PATHS: &[&str] = &[
    // Group Policy settings for Full Volume Encryption.
    r"SOFTWARE\Policies\Microsoft\FVE",
    // Status key under the current control set.
    r"SYSTEM\CurrentControlSet\Control\BitLockerStatus",
    // Service and filter-driver entries.
    r"SYSTEM\CurrentControlSet\Services\BDESVC",
    r"SYSTEM\CurrentControlSet\Services\fvevol",
];
40
/// Registry keys holding EFS (Encrypting File System) policy and configuration.
///
/// The first entry, `SOFTWARE\Policies\Microsoft\Windows\System`, is a general
/// Windows policy key that hosts many settings unrelated to EFS, so a match on
/// it alone is a weak signal; the two `...\CurrentVersion\EFS` keys are the
/// EFS-specific ones. Check the values under the key before drawing a
/// conclusion.
///
/// Sources:
/// - SANS white paper — "A Forensic Analysis of the Encrypting File System" (Feb 2021),
///   covers EFS registry keys, DDF/DRF fields, ransomware abuse of EFS:
///   <https://www.sans.org/white-papers/40160>
/// - Microsoft — Windows EFS developer reference:
///   <https://learn.microsoft.com/en-us/windows/win32/fileio/file-encryption>
pub const EFS_PATHS: &[&str] = &[
    // Broad policy key — weak evidence on its own.
    r"SOFTWARE\Policies\Microsoft\Windows\System",
    // EFS-specific configuration and policy keys.
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",
    r"SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS",
];
54
/// Registry keys for 7-Zip settings and most-recently-used lists.
///
/// `SOFTWARE\7-Zip` and `Software\7-Zip` differ only in case; both spellings are
/// listed so that exact-string consumers match either form. Key names are
/// case-insensitive on Windows, and `is_encryption_tool_path` in this file
/// already folds case, so the duplicate is harmless for substring scans.
///
/// Sources:
/// - Harlan Carvey, *Windows Registry Forensics* (2nd ed., Syngress/Elsevier, 2016)
///   ISBN 978-0-12-803291-6 — archiver MRU chapter:
///   <https://shop.elsevier.com/books/windows-registry-forensics/carvey/978-0-12-803291-6>
pub const SEVENZIP_PATHS: &[&str] = &[
    r"SOFTWARE\7-Zip",
    r"SOFTWARE\Wow6432Node\7-Zip",
    // Same key as the first entry, alternate casing.
    r"Software\7-Zip",
];
66
/// Registry keys for WinRAR settings and archive-history evidence.
///
/// `SOFTWARE\WinRAR` and `Software\WinRAR` differ only in case; both spellings
/// are listed so that exact-string consumers match either form. The
/// `WinRAR SFX` key relates to self-extracting archives.
///
/// Sources:
/// - Harlan Carvey, *Windows Registry Forensics* (2nd ed., Syngress/Elsevier, 2016)
///   ISBN 978-0-12-803291-6 — archiver MRU chapter:
///   <https://shop.elsevier.com/books/windows-registry-forensics/carvey/978-0-12-803291-6>
pub const WINRAR_PATHS: &[&str] = &[
    r"SOFTWARE\WinRAR",
    r"SOFTWARE\WinRAR SFX",
    // Same key as the first entry, alternate casing.
    r"Software\WinRAR",
];
78
/// Registry keys left by Tor Browser / Tor Project installs (native and WOW64).
///
/// Sources:
/// - SANS white paper #37642 — "Tor Browser Artifacts in Windows 10" (Feb 2017),
///   primary DFIR reference for Tor Browser Windows registry artifacts:
///   <https://www.sans.org/white-papers/37642>
/// - MDPI 2024 (open access) — "Analyzing Tor Browser Artifacts for Enhanced Web
///   Forensics" (documents PowerShell checking for SOFTWARE\Tor Project):
///   <https://www.mdpi.com/2078-2489/15/8/495>
/// - Tor Project — Windows installation documentation:
///   <https://tb-manual.torproject.org/installation/>
pub const TOR_PATHS: &[&str] = &[
    r"SOFTWARE\Tor Project",
    r"SOFTWARE\Wow6432Node\Tor Project",
];
91
/// Iterates every catalogued indicator path, group by group, in the fixed
/// order VeraCrypt, BitLocker, EFS, 7-Zip, WinRAR, Tor.
///
/// Borrows the `'static` catalog slices directly, so there is no allocation
/// and no duplicated flat list that could drift out of sync with the per-tool
/// constants. Prefer this for bulk scanning.
pub fn all_encryption_paths() -> impl Iterator<Item = &'static str> {
    // Order is observable to callers that collect the iterator; keep it
    // stable when adding a tool.
    const GROUPS: &[&[&str]] = &[
        VERACRYPT_PATHS,
        BITLOCKER_PATHS,
        EFS_PATHS,
        SEVENZIP_PATHS,
        WINRAR_PATHS,
        TOR_PATHS,
    ];
    GROUPS.iter().flat_map(|group| group.iter().copied())
}
106
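/// Returns true if `path` contains any catalogued indicator as an ASCII
/// case-insensitive substring, so subkeys such as `SOFTWARE\VeraCrypt\MRUList`
/// match as well as the bare key.
///
/// The comparison is done byte-wise with ASCII case folding and never
/// allocates: callers walking a whole hive can invoke this per key without
/// rebuilding lowercase copies of the catalog each time.
///
/// Some catalog entries are broad — notably the EFS policy key
/// `SOFTWARE\Policies\Microsoft\Windows\System`, which many unrelated policies
/// also live under — so a `true` here is a triage lead to confirm against the
/// full key and its values, not proof that the tool is installed.
///
/// An empty `path` never matches, since no catalog entry is empty.
pub fn is_encryption_tool_path(path: &str) -> bool {
    all_encryption_paths().any(|entry| contains_ignore_ascii_case(path, entry))
}

/// ASCII case-insensitive `haystack.contains(needle)` without allocating.
///
/// Non-ASCII bytes are compared exactly, which is the same behaviour as
/// lowering both sides with `to_ascii_lowercase` and calling `contains`.
/// An empty needle is always found, mirroring `str::contains("")`; the guard
/// also keeps `windows(0)` from panicking.
fn contains_ignore_ascii_case(haystack: &str, needle: &str) -> bool {
    let (hay, pat) = (haystack.as_bytes(), needle.as_bytes());
    if pat.is_empty() {
        return true;
    }
    hay.len() >= pat.len() && hay.windows(pat.len()).any(|window| window.eq_ignore_ascii_case(pat))
}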
113
#[cfg(test)]
mod tests {
    use super::*;

    /// True when `needle` appears verbatim (case-sensitive) in `slice`.
    fn listed(slice: &[&str], needle: &str) -> bool {
        slice.iter().any(|entry| *entry == needle)
    }

    #[test]
    fn veracrypt_paths_contains_hklm_key() {
        assert!(listed(VERACRYPT_PATHS, r"SOFTWARE\VeraCrypt"));
    }

    #[test]
    fn bitlocker_paths_contains_fve_policy() {
        assert!(listed(BITLOCKER_PATHS, r"SOFTWARE\Policies\Microsoft\FVE"));
    }

    #[test]
    fn sevenzip_paths_contains_hklm_key() {
        assert!(listed(SEVENZIP_PATHS, r"SOFTWARE\7-Zip"));
    }

    #[test]
    fn all_encryption_paths_includes_tor() {
        let hit = all_encryption_paths().find(|p| *p == r"SOFTWARE\Tor Project");
        assert!(hit.is_some());
    }

    #[test]
    fn all_encryption_paths_covers_all_tools() {
        // One representative from each group must surface in the combined iterator.
        let all: Vec<&str> = all_encryption_paths().collect();
        let representatives = [
            VERACRYPT_PATHS[0],
            BITLOCKER_PATHS[0],
            EFS_PATHS[0],
            SEVENZIP_PATHS[0],
            WINRAR_PATHS[0],
            TOR_PATHS[0],
        ];
        for path in representatives {
            assert!(all.contains(&path), "Missing path in all_encryption_paths: {path}");
        }
    }

    #[test]
    fn is_encryption_tool_path_veracrypt_matches() {
        // A subkey of a catalogued key still matches (substring semantics).
        assert!(is_encryption_tool_path(r"SOFTWARE\VeraCrypt\MRUList"));
    }

    #[test]
    fn is_encryption_tool_path_case_insensitive() {
        assert!(is_encryption_tool_path(r"software\veracrypt"));
    }

    #[test]
    fn is_encryption_tool_path_unrelated_returns_false() {
        let unrelated = r"SOFTWARE\Microsoft\Office";
        assert!(!is_encryption_tool_path(unrelated));
    }
}
170}